English Pages 779 Year 2020
Preventing Identity Crime: Identity Theft and Identity Fraud
An Identity Crime Model and Legislative Analysis with Recommendations for Preventing Identity Crime
By
Syed R. Ahmed
LEIDEN | BOSTON
Library of Congress Cataloging-in-Publication Data
Names: Ahmed, Syed R. (writer on identity theft), author
Title: Preventing identity crime: identity theft and identity fraud : an identity crime model and legislative analysis with recommendations for preventing identity crime / by Syed R. Ahmed.
Description: Leiden ; Boston : Brill Nijhoff, 2020. | Includes bibliographical references and index.
Identifiers: LCCN 2019055570 (print) | LCCN 2019055571 (ebook) | ISBN 9789004395961 (hardback) | ISBN 9789004395978 (ebook)
Subjects: LCSH: Identity theft–Law and legislation.
Classification: LCC K5223 .A36 2020 (print) | LCC K5223 (ebook) | DDC 332.024–dc23
LC record available at https://lccn.loc.gov/2019055570
LC ebook record available at https://lccn.loc.gov/2019055571
Typeface for the Latin, Greek, and Cyrillic scripts: “Brill”. See and download: brill.com/brill-typeface.
ISBN 978-90-04-39596-1 (hardback)
ISBN 978-90-04-39597-8 (e-book)
Copyright 2020 by Koninklijke Brill NV, Leiden, The Netherlands. Koninklijke Brill NV incorporates the imprints Brill, Brill Hes & De Graaf, Brill Nijhoff, Brill Rodopi, Brill Sense, Hotei Publishing, mentis Verlag, Verlag Ferdinand Schöningh and Wilhelm Fink Verlag.
All rights reserved. No part of this publication may be reproduced, translated, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission from the publisher.
Authorization to photocopy items for internal or personal use is granted by Koninklijke Brill NV provided that the appropriate fees are paid directly to The Copyright Clearance Center, 222 Rosewood Drive, Suite 910, Danvers, MA 01923, USA. Fees are subject to change.
This book is printed on acid-free paper and produced in a sustainable manner.
Contents

Preface
Acknowledgements
List of Illustrations

1 The Problem of Identity Crime

2 What is Identity?
  Introduction
  2.1 When We Say “Identity,” What Do We Mean?
  2.2 Identity – Dictionary Definitions
  2.3 Identity Properties and Attributes
  2.4 Identity – the Psychological View
  2.5 Identity – the Philosophical View
  2.6 Identity – the Legal View
  2.7 Means of Verifying Legal Identity
  2.8 Digital Identity
  2.9 Conclusion

3 Identity Crime Framework and Model: Five Components of Identity Crime and the Different Illegal Methods of Acquiring and Using Identity Information and Documents
  Introduction
  3.1 Clarification of Terms: Identity Theft, Identity Fraud, and Identity Crime
  3.2 Goal of Identity Crimes
  3.3 The Identity Crime Framework
  3.4 Identity Crime Framework
  3.5 Five Components of Identity Crime Model
  3.6 Techniques and Strategies Used for Illegal Acquisition
  3.7 Producing and Manipulating Identity Information and Documents
  3.8 Transfer – Identity Trafficking
  3.9 Possession
  3.10 Use – Criminals’ Goals and the Kinds of Crimes They Commit When Using Acquired Information or Documents
  3.11 Conclusion

4 Threat Agents and the Impact of Identity Crime
  Introduction
  4.1 Identity Crime Threat Assessment Model and Threat Agent Identification and Analysis
  4.2 The Impact of Identity Crime
  4.3 Costs of Identity Crime by Use
  4.4 Conclusion

5 International Trends in Addressing Identity Crime
  Introduction
  5.1 International Organizations
  5.2 Conclusion

6 Identity Crime Legislation in the United States, Canada, Australia and the United Kingdom
  Introduction
  Part A: United States Statutes
  6A.1 Introduction
  6A.2 Identity-Crime-Specific Statutes
  6A.3 Identity-Crime-Related Statutes
  6A.4 Civil Statutes to Prevent Identity Crimes and Recover Identity
  6A.5 State Statutes
  Part B: Canadian Statutes
  6B.1 Introduction
  6B.2 Analysis of Canada’s Identity Crime Statutes and Related Statutes
  6B.3 Criminal Code
  6B.4 Privacy Act
  6B.5 Personal Information Protection and Electronic Documents Act
  6B.6 Changes Recommended by Concerned Organizations
  Part C: Australia
  6C.1 Introduction
  6C.2 National Identity Security Strategy
  6C.3 Federal System – State and Territorial Laws
  6C.4 Australian Criminal Code
  6C.5 Financial Transaction Reports Act 1988
  6C.6 Travel Document Offenses
  6C.7 Privacy Act 1988
  6C.8 South Australia’s Identity Crime Provisions
  6C.9 Queensland’s Identity Crime Provisions
  6C.10 New South Wales’ Crimes Act 1900
  6C.11 Tasmania’s Computer Fraud Statute
  Part D: United Kingdom Statutes
  6D.1 Introduction
  6D.2 Analysis of the U.K.’s Identity-Crime-Related Statutes
  6D.3 Identity Cards Act 2006
  6D.4 Fraud Act 2006
  6D.5 Theft Act 1968
  6D.6 Computer Misuse Act 1990
  6D.7 Forgery and Counterfeiting Act 1981
  6D.8 Data Protection Act 1998
  6D.9 Conclusion

7 Identity Crime Prevention and Impact Minimization Strategy
  Introduction
  7.1 Proposed Approaches to Identity Crime Prevention
  7.2 Developing an International Identity Crime Treaty
  7.3 Developing Identity Information and Documents with Real Time Authentication and Verification
  7.4 Authentication
  7.5 Business Policies
  7.6 Consumer Education
  7.7 Consumer Actions
  7.8 Foundation Documents
  7.9 Medical Identity Crime Prevention
  7.10 Victim Cooperation
  7.11 Offenders
  7.12 Law Enforcement Policies
  7.13 Government Policies
  7.14 Information Sharing
  7.15 International Collaboration and Efforts
  7.16 Public-Private Partnerships
  7.17 Data Protection through Technology
  7.18 Training Programs and Initiatives
  7.19 Meeting the Challenges of Identity Fraud Prevention
  7.20 Evaluating Identity Crime Prevention and Impact Minimization Techniques
  7.21 Conclusion
  7.22 Appendix: Table of Identity Crime Prevention and Impact Minimization Techniques

8 Privacy, Anonymity, and Identity Crime
  Introduction
  8.1 The Identity Crime Privacy Model
  8.2 Fair Information Practices (FIPs)
  8.3 Privacy Taxonomies
  8.4 Personally Identifiable Information (PII)
  8.5 Data Mining
  8.6 Privacy-Enhancing Technologies (PETs)
  8.7 Anonymity
  8.8 Anonymization
  8.9 Data Loss and Data Loss Prevention (DLP)
  8.10 The Identity Crime Prevention Model and Privacy by Design
  8.11 Conclusion

9 Convention on Identity Crime
  Introduction
  9.1 Preamble
  9.2 Chapter I – Use of Terms
  9.3 Chapter II – Measures To Be Taken at the National Level
  9.4 Chapter III – International Cooperation
  9.5 Chapter IV – Final Provisions

10 Conclusion

Appendix 1: Table of Cases
Appendix 2: Table of Statutes
Bibliography
Index
Preface

Identity crime is the fastest growing crime in the United States and other countries around the world, yet it lacks its own identity: there is no universally accepted definition, little understanding of what the crime is or should be, and no legal framework placing the crime into a coherent and effective grouping of criminal sanctions. Because the crime is little understood, most of the world does not have laws focusing on identity crime, even though the crime is committed in almost every country. Only the United States and Canada have sets of laws, under the rubrics “identity theft” and “identity fraud,” that specifically address identity crime. Even with these laws, the number of identity crime victims is steadily increasing.

This book tackles head-on the various facets of what is needed to deal with identity crime on an international scale. The strategy of the book proceeds as follows:

First, the meaning of “identity” is addressed and a range of personal information and documents that might inform or define one’s identity are surveyed.

Second, the need for a universal definition of identity crime is examined. To arrive at a workable definition of identity crime, a framework and an Identity Crime Model (IDCM) are created to identify five principal components of identity crime. IDCM visually represents the unique Identity Crime Framework. It provides a new way of analyzing the acts that constitute identity crime. It shows every facet of the crime and provides a comprehensive list of frauds and other crimes that identity criminals commit. IDCM is a paradigm shift from the traditional methodology for looking at Identity Crimes. Until now this crime has been understood and represented as a linear incident with a start, middle and an end. The IDCM illustrates the true essence of this crime, which by nature, is circular and can continue in a never-ending loop.
Third, techniques and strategies for acquiring personal information and documents are covered, including the acquisition of physical items and data theft techniques that rely on computer technology. A comparison of identity-related frauds with generic fraud is performed, revealing the unique features of the former. Different types of identity-related frauds are discussed in detail, including identity-related frauds.

Fourth, an identity crime threat agent assessment is performed. Threat agent assessment is useful for both prevention and correction purposes. The author assembles different variables that directly or indirectly affect all threat agents. However, the total elimination of identity crime is impossible in the real world, so the impact that identity crimes have upon the individuals and organizations that are victimized by such crimes is studied. Due to the lack of any models to understand the true impact of various identity crimes, a model is developed for understanding the identity crime impact – based on each type of identity crime separately.

Fifth, a review of the actions taken by a variety of international and regional organizations to combat identity crimes is presented. Additionally, worldwide statutes and treaties pertinent to identity crime are evaluated. Specific statutes are analyzed, as defined by several different nations, that pertain to identity. Some are identity-crime-specific, such as identity theft and identity fraud statutes in Canada and the United States. The others are merely identity-crime-related, such as general fraud and theft statutes. Included in this study are four countries: the United States, Canada, Australia, and the United Kingdom.

Sixth, this book scrutinizes identity crime prevention. Most efforts to prevent identity crime or minimize the impact of identity crime, while laudable, are uncoordinated and do not go far enough in developing a strategy to prevent identity crime. Therefore, a broader framework is created by the author that can be used to evaluate the various prevention strategies. A list of different methods to prevent identity crime is presented, and a model is developed to evaluate these methods to determine which ones offer the highest success rates.

Seventh, the Identity Crime Privacy Model is developed to show the interaction between privacy, anonymity, and identity crime. Traditional approaches attempt to reduce identity crime by providing less and less privacy. The Model suggests that it is possible to achieve a reduction in identity crime by enhancing privacy and leveraging the benefits of anonymity, while recognizing that absolute privacy and total anonymity can only lead to an environment in which there can be no exchange of information at all.
Eighth, the author examines the need for an international convention to deal with identity crime. The international community will continue to experience a rise in identity crime, and no matter how much progress the various nations and regional organizations make in dealing with identity crime, there is still a need for an international convention that presents genuinely common rules and guidelines to deal with a genuinely international problem. Accordingly, the draft text of an international convention on identity crime is proposed. The substantive law in the convention is based on the Identity Crime Model and the resulting definition of identity crime proposed in this book.
Acknowledgements

In the name of God, the compassionate, the merciful, I thank you Uzma, my amazing wife, for teaching me how to love and how to live my life. Without her support, understanding and encouragement, I wouldn’t be the person I am. I owe my life, my achievements and accomplishments to her. We went through times of struggle and financial hardships to make this book happen. To my two boys, Rayan and Arsh, Baba loves you. To my mother, Nasira, a remarkable woman – I miss you. My mother was a victim of identity crime and the culprits responsible for this were known to us. I witnessed firsthand the devastation it can cause in someone’s life and it sparked an interest in me. At the time, there were very limited resources and scholarly content available to us on this subject matter, so I started to work towards getting my PhD, specializing in identity crime prevention and laws on a global scale. To my grandfather, Rashid Akhter Nadvi, for teaching me about dedication and perseverance. He spent hours writing his books and made sure I was right by him every hour focusing on my studies. This book is only complete because of two individuals, Professor Munro and Professor Burns, who kept on pushing me to tackle this extremely difficult and uncharted subject matter. I owe a debt of gratitude to Dr. Munro for his priceless feedback on this book. He is my mentor, my first reader and my first critic. Thank you to the United Nations, U.S. Justice Department, Federal Bureau of Investigation, Canadian, United Kingdom & Australian Justice department and Columbia Law School for providing me the resources and research tools. Lastly, the most important people in my life and biggest supporters, Joel and my 3 beautiful sisters, Asma, Sadaf and Mahvish – I love you.
Illustrations

Figures
1 Chart showing the increases in, and impact of identity crimes
2 Identity crimes related to one another
3 Risk impact/probability chart
4 The four costs of identity crime
5 Type of crime
6 Identity crime privacy model
7 Concepts of identity crime, privacy and anonymity: interdependencies and overlap

Tables
1 Credit card fraud (based on total complaints filed)
2 Types of bank fraud in 2006–2008
3 Loan fraud (based on the total complaints)
4 Phone or utilities fraud (based on the total numbers of complaints filed)
5 Indiana phone or utilities fraud
6 Ohio phone or utilities fraud
7 Impacts of identity crime
8 U.S. identity crime related statutes
9 Identity crime California 2009
10 Identity crime California 2008
11 Identity crime Texas 2009
12 Identity crime Texas 2008
13 Identity crime New York 2009
14 Identity crime New York 2008
15 Identity crime Florida 2009
16 Identity crime Florida 2008
17 Identity crime Illinois 2009
18 Identity crime Illinois 2008
19 Canada’s identity crime statutes and related statutes
20 Australian identity crime statutes and related statutes
21 South Australian identity crime statute
22 Queensland’s identity crime statute
23 U.K. identity crime related statutes
24 Comparison of HEW and OECD privacy principles
25 Versions of FIPs by year
26 Privacy goals
27 Potential privacy violations
Chapter 1
The Problem of Identity Crime Identity crime is the fastest growing crime in the United States1 and other countries around the world,2 yet it lacks its own identity because there is no universally accepted definition,3 little understanding of what constitutes the 1 Identity theft is America’s fastest –growing crime, U.S. Postal Inspector Service, https:// postalinspectors.uspis.gov/investigations/MailFraud/fraudschemes/mailtheft/IdentityTheft.aspx (last visited March 24, 2010). A marketing research firm, Javelin Strategy & Research, has published its “2010 Identity Fraud Survey Report” showing that instances of identity fraud continue to rise, driven by new accounts fraud (using someone else’s identity information, or the identity of a fictitious person, to open a new account in the name of that person), although the costs to each affected consumer have decreased. Robert Vamosi et al., Javelin Strategy & Research, 2010 Identity Fraud Survey Report: Identity Fraud Continues to Rise – New Accounts Fraud Drives Increase; Consumer Costs at an All – Time Low (Feb. 2010), available at https://www.javelinstrategy. com/research/brochures/Brochure-170. 2 UK Identity Crime Statistics: In the United Kingdom, it has been estimated that over 100,000 people per year are affected by identity crime, costing the UK economy nearly £1.7 billion annually. Is Identity Fraud Serious?, cifas, http://www.cifas.org.uk/is_identity_fraud_serious (last visited Oct. 30, 2012). In 2009, 2010, and 2011, over 100, 000 cases of confirmed fraud per year were recorded by members of the U.K’s Credit Fraud Avoidance System. Id. Australian Identity Crime Statistics: “Identity crime has been extensively reported as the fastest growing crime type globally, costing the Australian economy somewhere between $ 1.6B and $3B per annum. 
Queensland Police Identity Crime Symposium, Policing with Intelligence, http://policingwithintelligence.blogspot.com/2009/08/queensland-police- identity-crime.html (last visited Oct. 30. 2012). And, 20% of Australians have experienced identity crime. 20% of Australians Have Experienced Identity Crime, Veda (Oct. 1, 2009), http://www.veda.com.au/news-and-media/article.dot?id=506838. Canadian Identity Crime Statistics: According to the results of a survey, “6.5% of Canadian adults, or almost 1.7 million people, were the victim of some kind of identity fraud in the 2008. These victims spent over 20 million hours and more than $150 million to resolve problems associated with these frauds.” Susan Sproule & Norm Archer, Measuring Identity Theft in Canada: 2008 Consumer Survey, McMaster eBusiness Research Center, http://www.business. mcmaster.ca/IDTDefinition/WP23%20exec%20summ.htm (last visited Mar. 24, 2010) (discussing the results of a 2008 survey of Canadian consumers conducted by the McMaster eBusiness Research Centre (MeRC) on behalf of the Ontario Research Network on Electronic Commerce (ornec)). The Canadian Council of Better Business Bureaus estimates that identity theft costs the Canadian economy approximately $2.5 billion per year. Chapter 3: e-Readiness, Canadian e-Business Initiative, Industry Canada (Sept. 2004), http://www.ic.gc.ca/ eic/site/ecic-ceac.nsf/eng/gv00503.html. 3 According to National District Attorneys Association (ndaa), “imprecise and varying definitions of identity crime” are a key challenge faced by ndaa members when trying to prosecute
© Koninklijke Brill NV, Leiden, 2020 | DOI:10.1163/9789004395978_002
2 chapter 1 crime, and no legal framework placing the crime into a coherent and effective grouping of criminal sanctions.4 Because so little is understood about identity crime, most of the world’s nations do not have laws specifically addressing identity crime, despite the fact that the crime is committed in almost every country. Only the United States and Canada have statues directly addressing identity crime, under the rubrics “identity theft” and, in Canada, “identity fraud.”5 However, even with these laws in place, the number of victims of identity crime is steadily increasing in those countries.6 Official codifications of U.S. law include identity crime within the broad category of crimes involving “fraud and false statements.”7 Similarly, in Canada, identity crime laws are categorized under “fraudulent transactions relating to contracts and trade.”8 However, these identity-crime-specific statutes specify criminal acts that were never considered when the generic fraud laws were adopted, such as producing an identification or authentication feature without
4
5 6
7 8
identity crime cases. Overview, IDSafety, http://www.theiacp.org/investigateid/preparing- for-successful-prosecution/ (last visited Oct. 30, 2012). A U.N. Commission on Crime Prevention and Criminal Justice draft report provided a long list of conclusions and recommendations based on its work. They essentially consisted of the following: Further work is needed in gathering, analyzing and disseminating information about fraud and identity-related crime. While, in the case of economic fraud, most states have clear legislative definitions and offenses, these are not detailed enough to enable research into specific types, trends and patterns involving international schemes, organized crime, or how communication technologies are used in order to commit such fraud. U.N. Secretary-General, Comm’n on Crime Prevention and Criminal Justice, International Cooperation in the Prevention, Investigation, Prosecution, and Punishment of Fraud, the Criminal Misuse and Falsification of Identity and Related Crimes [Draft 1 Short Version], 10–12, U.N. Doc. E/CN.15/2007/8 (2007), available at https://www.unodc.org/unodc/en/organized-crime/ identity-related-crime.html. As for identity-related crime, much less is known, and work must be done to allow for: A standard classification framework for offenses and activities; Estimations of the costs of fraud, with input from national experts on money laundering and appropriate commercial associations; Gathering of information about identity-related crime as a distinct problem in its own right, and in the context of related criminal activities. For a detailed discussion, see Chapter 6 (“identity-related crime Legislation in the United States, Canada, Australia and the United Kingdom”) and Chapter 6, Part A (“American identity crime statutes”). A 2010 survey by Javelin Strategy & Research found that the number of identity crime victims in the United States in 2009 was 11.1 million, which was up 12 percent from 2008. Vamosi et al., supra note 1. 
The amount of damage done by such fraud was $54 billion, which increased 12.5 percent from 2008. Id. 18 U.S.C. ch. 47 (2006). Criminal Code, R.S.C., 1985, c. C-46, part X (Can.).
The Problem of Identity Crime
3
f igure 1 Chart showing the increases in, and impact of identity crimes *Past years dollars figures have been adjusted for inflation using the Consumer Price Index (CPI-U) issued by the Bureau of Labor Statists. ftp://ftp.bls.gov/pub/special.requests/cpl/cpiai.txtaccessed12/14/2009. **Based on US population estimates (age 18 and over), http://www.census.gov/ popest/estimates.php accessed January 01/11/10. ***2006, 2007, 2008, and 2009 dollar cost estimates have been smoothed using three-year averaging.
lawful authority,9 or possessing such a document or feature with knowledge that it was produced without lawful authority.10 The generic fraud statutes, on the other hand, target only some of the acts that constitute the components of identity crime,11 and may be too general to be seen as prohibiting many of the acts constituting identity crime. The most common phrase used to describe identity crime is “identity theft” and, to a lesser extent, “identity fraud.” While theft and fraud are a part of identity crime, they each only describe a part of the whole, namely, taking the identity information and using the identity information to deceive someone. However, identity crime is identity theft and identity fraud and more. In order to take effective action to end such crimes, one must view identity crime as any crime in which identity information or documents are the target of criminals, the object of criminal activity, or the tools to commit a further crime.12 “Identity
9 10 11 12
18 U.S.C. § 1028(a)(1) (2006). Id. § 1028(a)(6). These components are the basis for the Identity Crime Model and Legal Analysis found in Chapter 3. See Bert-Jaap Koops and Ronald Leenes, ID Theft, ID Fraud and/or ID-related Crime. Definitions Matter, Datenschutz und Datensicherheit (“Privacy & Security”) 30 (2006) 9, 553–56.
4 chapter 1 crime” may thus be defined as knowingly acquiring, manipulating, producing, transferring, possessing, or using identity information or documents in order to commit a fraud, or to commit other unlawful activities.13 “Identity crime” includes the use of document features that serve to authenticate documents,14 and the use of specialized tools to create fraudulent identities.15 “Identity crime” is a relatively new term. The United Nations’ Commission on Crime Prevention and Criminal Justice has discussed the term “identity crime,” saying that it covers all forms of illicit conduct involving identity, including identity theft and identity fraud, and calling it a “forward-looking usage” that most states have not yet adopted.16 Commentators have said that current nomenclature “imprecisely label[s]an identity crime ‘theft’ when it meets traditional requirements for, and may be more accurately described as, fraud[.] [By doing so], we undermine the definitions of both fraud and theft.”17 While the phrase “identity theft” is in common parlance, it has not been widely used in statutes, although it is now contained in the statutes of both the United States and Canada –and each country uses the term differently from the other. 13
14
15
16 17
See Chapter 3 for detailed discussion. “Identity” is a broad term, but some U.S. statutes have narrowed it to pertain to specific personal information and documents, and the scope of this work is limited to crimes involving such information and documents. See, e.g., 18 U.S.C. § 1028(d)(7) (stating that the term “means of identification” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any (A) name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number; (B) unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (C) unique electronic identification number, address, or routing code; or (D) telecommunication identifying information or access device.); Cal. Penal Code § 530.55(b) (West 2009); Criminal Code, R.S., 1985, c. C-46, s. 402.1 (Can.). See 18 U.S.C. § 1028(d)(1) (“The term ‘authentication feature’ means any hologram, watermark, certification, symbol, code, image, sequence of numbers or letters, or other feature that either individually or in combination with another feature is used by the issuing authority on an identification document, document-making implement, or means of identification to determine if the document is counterfeit, altered, or otherwise falsified.”). See id. § 1028(d)(2) (“The term ‘document–making implement’ means any implement, impression, template, computer file, computer disc, electronic device, or computer hardware or software that is specifically configured or primarily used for making an identification document, a false identification document, or another document-making implement.”). 
Criminal and Legal Affairs Subgroup, G8 Lyon-Roma Anti-Crime and Terrorism Group, Essential Elements of Criminal Laws to Address Identity-related Crime 3 (Feb. 2009) [hereinafter “Essential Elements”]. Michael J. Stephan, Shane Pennington, Guha Krishnamurthi, and Jon Reidy, Identity Burglary, 13 Tex. Rev. L. & Pol. 401 (2009).
The Problem of Identity Crime
5
The divergence between the United States and Canada as to what constitutes “identity theft” is quite useful in examining the difficulties in international cooperation when countries do not even agree on what the crime should be called. In Canada, whose law became effective in early 2010, an official background document authorized by Parliament18 notes that “others” apply the term “identity theft” broadly to encompass many parts of the criminal process, including acquiring, collecting, and transferring personal information, and using the personal information to commit or attempt to commit a crime. Canada, on the other hand, uses both “identity theft” and “identity fraud” to refer to distinct aspects of identity crime. “Others,” as used in the Canadian background document, appears to refer to the United States, although “acquiring” and “collecting” are not actually covered in the U.S. statute. The main U.S. statute does not, in fact, even mention “identity theft,” other than in the title of the act that created the statute: the “Identity Theft and Assumption Deterrence Act of 1998.” A secondary U.S. statute is called “Aggravated Identity Theft,”19 but the “aggravation” is generally more akin to “fraud” than to “theft.” In the rest of the world, few places use the term “identity theft.”20 Thus, a proper name for the crimes has not yet been determined. If an international body were to adopt “identity crime” in proposing a convention (as with the Convention on Cybercrime21 standardizing use of the term “cybercrime”), nations that sign the treaty would become more likely to use the term, or perhaps obligated to do so. It is the preferable term. 
For the purposes of this book, the term “identity crime” is generally used instead of “identity theft” or “identity fraud.” When the term “identity theft” is used, it used in the manner advanced by the Canadian law, which applies the term to one who “knowingly obtains or possesses another person’s identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element.”22 When “identity fraud” is used, it applies, as put forth by the Canadian statute, to one who fraudulently personates another person, living or dead, with intent to gain advantage, to 18
19 20 21 22
Nancy Holmes & Dominique Valiquet, Bill S-4: An Act to amend the Criminal Code(identity theft and related misconduct, Document No. LS-637E (April 14, 2009), available at http:// www2.parl.gc.ca/Sites/LOP/LegislativeSummaries/Bills_ls.asp?lang=E&ls=s4&source=library_prb&Parl=40&Ses=2 (last modified June 5, 2009). 18 U.S.C. § 1028A (2006). E.g., Canada, and the Australian state of South Australia, as discussed in Chapter 4. Council of Europe, Convention on Cybercrime, opened for signature Nov. 23, 2001, E.T.S. No. 185, [hereinafter “Cybercrime Convention”], available at http://conventions.coe.int/ Treaty/en/Treaties/Html/185.htm. Criminal Code, R.S., 1985, c. C-46 § 402.2(1) (Can.).
6 chapter 1 obtain property, to cause a disadvantage to the person being personated, to avoid arrest or prosecution, or to obstruct justice.23 Identity crimes are not confined within national borders. A crime seemingly committed in one locale, perhaps by a person sitting at his own computer, in actuality may occur in many different places, crossing the borders of the country where its perpetrator acted and affecting people and organizations around the globe. Keystrokes in one country may trigger a computer in a second country, a different legal jurisdiction, to misuse the identity of a person in a third country, and yet another legal jurisdiction. Worse yet, computer networks that process and store huge amounts of identity information make massive thievery and trafficking in identification information possible. Thus, according to a U.N. report, “The decrease in face-to-face transactions coupled with the increasing distance between crimes, criminals, and victims, often across international boundaries, has opened up new opportunities for those who engage in identity-related crime to exploit.”24 Adding to the problem is that identity crimes fall under many different branches of law in different countries: thefts, frauds, and computer crimes, for example. A single framework for identity crimes, including all aspects, would make the tracking of such crimes far simpler, and enable governments to aim resources at those crimes. Were they all under the same general framework worldwide, trans-border commission of the crimes could more easily be curtailed. Identity crime increases as opportunities increase, and the greatest opportunity is provided by the ever-expanding use of the Internet for commerce, banking, governmental functions, and personal functions –in short, for conducting one’s life. 
As the Cybercrime Convention recites, “Exchange no longer occurs only between human beings, but also between human beings and computers, and between computers themselves.”25 In order to gain access to this global exchange, every person must have some sort of identity: something that will allow a distant computer, and a person accessing that computer, to ascertain that a particular person is actually that person. We are now likely to be identified not by our names or faces, but progressively from an accumulation of identity documents,26 and we are represented by a means of
23 Id. § 402.2(1).
24 Essential Elements, supra note 16.
25 Cybercrime Convention, supra note 21.
26 An “identification document” is any type of document commonly accepted to identify an individual, or intended to be used for that purpose when completed with information concerning a particular individual. It may be one from the federal government or any other governmental body. It might come from the sponsoring entity of an event designated as a special event of national significance, a foreign government, or an international
The Problem of Identity Crime
identification27 that constitutes an information-based identity. While the meaning of identity may seem simple and obvious at first glance, it is actually a complex proposition that has been discussed in depth by philosophers, psychologists, legal experts, and sociologists for years.28 The development of the Internet with its “virtual communities” and its “faceless interactions” has resulted in more attention being given to the idea of identity as an asset or a commodity that needs protection.29 As the value of identity as an asset
governmental or a quasi-governmental organization. Such a document may be made by, issued by, or merely under the authority of the body responsible for the identification document. 18 U.S.C. § 1028(d)(3) (2006).
27 Id. § 1028(d)(7). “Means of identification” was not part of the original legislation, but was added later. A “means of identification” can be any name or number that, either alone or in conjunction with any other information, identifies a specific individual. Among the various means of identification contemplated by the statute are:
– name, social security number, date of birth, government-issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
– unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
– unique electronic identification number, address, or routing code; or
– telecommunication identifying information or access device, meaning an electronic serial number or any other number or signal that identifies a specific telecommunications instrument or account, or a specific communication transmitted from a telecommunications instrument.
28 See discussion in Chapter 2.
29 The United Nations’ Commission on Crime Prevention and Criminal Justice has done a considerable amount of work in recognizing the existence of identity crime, analyzing the means of identity used in member states, and analyzing current statutory regimes. In its “Study on Fraud,” the Commission provided a unique and succinct discussion of the nature of identification documents and information, and their role in criminal activities: “The ability to uniquely identify individuals is a critical element of virtually every aspect of social, political and economic activity. An identity must be created and linked to the specific entity identified. Identification information must be created, transmitted, stored and retrieved, and it is usually linked to other information about the individual it identifies, such as nationality or citizenship status, financial and banking records, criminal records and similar personal and commercial information. The fundamental role identity plays in so many different systems creates a vast range of opportunities for crime if basic identification information can be altered or falsified or if the systems for creating, altering, retrieving and verifying identity and other information can be subverted. For that reason, the criminal law and criminal justice systems of almost all states have addressed identity-related issues in some way.” U.N. Secretary-General, U.N. Commission on Crime Prevention and Criminal Justice, Results of the Second Meeting of the Intergovernmental Expert Group to Prepare a Study on Fraud and the Criminal Misuse and Falsification of Identity, U.N. Doc. E/CN.15/2007/8/Add.3 (Jan. 31, 2009) [hereinafter “U.N. Commission, Second Meeting, Study
continually grows with the proliferation of online relationships and transactions, it is necessary to understand what identity means. If identity is an asset, what kind of asset is it, what is its value, and how should it be protected?
Worldwide communication and commerce have become easy and quick. People enjoy and value the ease with which we can purchase goods, and share and transmit information across local and international borders. Unfortunately, such ease leads to the possibility, and reality, of international criminality, including identity crimes. Identity crime increases as advances in technology give thieves more ways to defraud victims. “These thieves may steal, alter, or hijack your identity or business to commit their long list of crimes under your name and with your money,” notes one authority.30 It is easy to access, and easy to search, information contained in computer systems. The opportunity to exchange and disseminate such information without regard to distance has enabled the mushrooming of the amount of information available and the knowledge that can be drawn from it.31
Some criminals see identity crimes as crimes of opportunity; organized crime, however, takes and uses identity information systematically, and law enforcement authorities worry that the aspects of identity crime that benefit organized crime might also be used by terrorists to finance and carry out attacks. The different laws in different jurisdictions can be exploited, in particular by vast criminal and terrorist organizations, which now have the flexibility to gather and disseminate sensitive personal data as needed from and to anyplace in the world. One can establish a “spoofed” website, for example, using it to lure personal information from everywhere, which can be built and uploaded to an Internet service provider anywhere.
Thus, where a crime occurs, an occasional problem for investigating conventional crimes, is always a problem for identity crimes, in which the issues of jurisdiction are not yet resolved, and authorities have not yet learned how to coordinate among law enforcement agencies in multiple states or countries.32 Despite the identity threat, the members of the public and their representatives in government currently have no real understanding of what identity
on Fraud”], available at http://www.unodc.org/documents/organized-crime/E_CN_15_2007_8_Add_3.pdf.
30 Identity Theft in Canada, Spamlaws.com, http://www.spamlaws.com/id-theft-can.html (last visited Mar. 24, 2010).
31 Cybercrime Convention, supra note 21, at Introduction, ¶ 4.
32 Report on Identity Theft, Public Safety Canada, http://www.publicsafety.gc.ca/prg/le/bs/report-eng.aspx (last modified Nov. 28, 2011).
crimes are and how much damage they do.33 Without such understanding, government officials are unable to create a legal framework to prevent, prosecute, and minimize the impact of identity crimes. Governments, individuals, and businesses have long underestimated the scope of identity crimes, including the financial and nonfinancial losses incurred by its victims. Many crimes that should be considered identity crimes are not so considered, because there is no real understanding of what an identity crime is. For example, the acquisition of identity information, which may be a low-tech operation such as photocopying customers’ credit card information, or scavenging through trash bins for discarded bank statements, is prosecuted and treated like an ordinary theft or, if the information is gathered from discarded material, not prosecuted at all.34 In most countries, identity-related fraud is not separated from ordinary fraud, and is prosecuted under the fraud statutes.35
This book aims to provide answers to the quandaries posed by identity crime. The crux of the book is the Identity Crime Model.36 The Model provides a framework for understanding why instances of identity crime continue their increase even in countries with identity-crime-specific laws. In recognition of this inexorable increase, the book posits some reasons: First, the extant laws do not completely cover the crime. Second, even if those laws did cover the crime, the laws must be enacted internationally, and be accompanied by a commitment for cross-border cooperation in enforcing the laws.37 Third,
33 An OECD Scoping Paper concluded with a list of “Issues for Consideration” that member-states of the OECD should take into account in their efforts to combat identity crimes. One of the suggestions was to develop a common definition of identity crime and its elements. Organisation for Economic Co-operation and Development (OECD), Scoping Paper on Online Identity Theft (Ministerial Background Report DSTI/CP(2007)3/FINAL, declassified 2008) [hereinafter “OECD Report”], available at http://www.oecd.org/sti/40644196.pdf.
34 See discussion in Chapter 6.
35 Id.
36 Chapter 3.
37 A group of scholars at the Hoover Institution of Stanford University noted, in 2000, that “efforts to prevent or deter [cybercrime] have been largely unsuccessful, with increasingly damaging consequences. Information necessary to combat attacks has not been timely shared. Investigations have been slow and difficult to coordinate. Some attacks are from States that lack adequate laws governing deliberate destructive conduct. Such international cooperation as occurs is voluntary and inadequate. Some significant enhancement of defensive capabilities seems essential. Cybercrime is quintessentially transnational, and will often involve jurisdictional assertions of multiple States. Agreements on jurisdiction and enforcement must be developed to avoid conflicting claims.” Abraham D. Sofaer et al., A Proposal for an International Convention on Cyber Crime and Terrorism, IWS – The Information Warfare Site, (Aug. 2000) http://www.iwar.org.uk/law/resources/cybercrime/stanford/cisac-draft.htm [hereinafter “IWS Proposal”].
even if a strong transnational system is in place, individuals, companies, and governments must adopt rigorous strategies to prevent the crimes, and those strategies must be based on an approach specific to identity crimes.
The importance of international unity in identity crime laws cannot be overemphasized. The international community has previously tackled a similar global problem in the Council of Europe’s 2001 Convention on Cybercrime,38 which has been signed not just by European countries, but also by the United States, Canada, South Africa, and Japan, and ratified by the United States and most European countries.39 In its Introduction to the Convention, the framers emphasized that “[s]olutions to the problems posed [by cybercrime] must be addressed by international law, necessitating the adoption of adequate international legal instruments.”40 The same is true for identity crime. This book is intended to guide the international legal community in determining the right laws, and the right enforcement methods, to control the threats posed by identity crime.
Many countries use their fraud, theft, and larceny statutes to prosecute identity crimes41 but, as the United States and Canada found out, fraud laws are inadequate to combat the crisis.42 Governments, policymakers, businesses, and law enforcement must embrace a different way of thinking to understand and deal with identity crime. The notion that identity crime is different from fraud or theft or larceny is a new concept; only within the last 10 years has identity crime truly been recognized as a distinct area of law by international organizations.43 However, fraud, theft, and larceny, while they might be charged and successfully prosecuted in an identity crime context, are not crimes that are contoured to the elements of identity crime. Will a jury always agree that it is “theft” to electronically invade a computer storing information in order to access personal information?
Will a judge recognize the taking of
38 Cybercrime Convention, supra note 21. The convention came into force on Jan. 7, 2004, when there were 5 ratifications, which had to include at least 3 member states of the Council of Europe. See signatory list, referenced below.
39 Convention on Cybercrime Signatories as of Mar. 30, 2010, Council of Europe, http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG (last visited Mar. 30, 2010).
40 Cybercrime Convention, supra note 21, at Introduction, ¶ 6.
41 Countries without identity crime laws, but that prosecute based on other sorts of laws, are discussed in Chapter 6.
42 See, e.g., discussions of the laws of U.K. See Chapter 6.
43 See, e.g., OECD Report, supra note 33; U.N. Commission, Second Meeting, Study on Fraud, supra note 29; European Union Fraud Prevention Expert Group, Report on Identity Theft/Fraud (Oct. 22, 2007), available at http://ec.europa.eu/internal_market/fpeg/docs/id-theft-report_en.pdf.
credit card information by a waiter, for the purpose of selling that information, as “larceny”? Will a prosecutor need to make compromises in order to convince a fact finder that creating a new identity and using it to gain phone service is a serious form of fraud? While the penal provisions attached to fraud, theft, or larceny are instructive as to proper penalties for identity criminals, identity crimes must gain recognition as stand-alone offenses in order to successfully prosecute and punish them.
Recognition for the uniqueness of identity crime must be global in order to successfully prosecute such crime. A universal template for the criminalization of identity-related offenses is needed so that investigations and prosecution of crimes can be coordinated among far-flung enforcement bureaus. Statistics on worldwide identity crime will only become meaningful when the parameters of the crime are clearly drawn and recognized by a substantial number of jurisdictions. International enforcement agencies with a common purpose cannot work effectively when the type of evidence needed to provide proof of a crime differs from one place to another, when the crime was committed in all of those places.
An international convention, one specifically aimed at identity crimes, would be an effective way to deal with a borderless crime such as this. It can be modeled on the Council of Europe’s Convention on Cybercrime. The rationale for an international convention rather than mere national laws is much the same as the rationale for the Convention on Cybercrime:44
1. Identity crimes are transnational, and require a transnational response.
2. Identity criminals exploit weaknesses in the laws and enforcement practices of states, exposing all other states to dangers that are beyond their capacity unilaterally or bilaterally to respond.
3. The speed and technical complexity of identity crimes using the Internet require prearranged, agreed procedures for cooperation in investigating and responding to them.
4. A multilateral convention will ensure that all parties to the treaty: i) adopt laws making identity offenses criminal; ii) enforce those laws or extradite criminals for prosecution by other states; iii) cooperate in investigating criminal activities and in providing usable evidence for prosecutions; and iv) participate in formulating and agree to adopt and implement standards and practices that enhance safety and security.
44 IWS Proposal, supra note 37.
5. An international agency created pursuant to the Convention will provide a forum for international discussion, ongoing response to technological developments, and technical assistance to developing states.45
Identity impacts many parts of a person’s life, including work, social relationships, and family connections. Identity affects people’s mobility, how they buy and sell merchandise, whether they have access to the rights and privileges of citizenship, whether they are entitled to vote, whether they have access to health care, and whether the health information stored by providers reflects their personal medical history. With so much riding on identity and identification, there is a need for reliable and effective proof that individuals really are who they say they are, and that they have the credentials required to take specific actions. For example, a person needs a valid driver’s license to drive a car or the right diploma to prove the academic competency to assume a position of responsibility. The information included in a license, diploma, or some other document certifying a particular individual must include a means of ensuring its relevance and accuracy. It needs to be managed and controlled by organizations, institutions, and individuals themselves because access to the information or disclosure of it has a huge impact on individuals and their relationship with organizations, businesses, governments, and the public.
Because identity is so valuable, and the means of identification can be so detached from the individuals who own them, identification and the documents and data that represent identification are an irresistible target for criminals. Although identity itself has no market value, its value in obtaining money, goods, services, and status is unlimited.46 Identity crimes are attractive to criminals not just for the value of an identity, but also because identity information is so accessible.
It is not like ordinary thievery, which targets objects like automobiles and wallets. Identity theft is committed everywhere: homes, businesses, schools, playgrounds, and often, in the garbage cans and dumpsters outside these locations. Because digital data is everywhere, and devices storing and transmitting such data are in most homes and businesses, identity thieves need not ever come anywhere near the persons from whom they are stealing. Every day, people use their credit cards to buy food or gas, give personal information to their employers, and submit data to all levels of government. Each transaction creates an opportunity for identity criminals to obtain identity information and use it, with the victim not realizing his identity is stolen until days, weeks, months, or years later.
45 Id. (adapted to a discussion of identity crimes).
46 As to the types of gains resulting from identity crimes, see Chapter 3.
Economies are fragile things. Unless we carefully guard the foundations of our most vibrant financial systems, which are built on easy access to funds and ample lines of credit, much of the world’s resources will flow to those who cheat the system at the expense of honest governments, businesses, and consumers. The reality and potential of identity crimes is a threat to our ability to maintain a system of free trade and international commerce unimpeded by the manipulations of cheats and thieves who look for weak spots and strike without mercy. Our systems for welfare, social security, and immigration, which must work properly if the borders of countries are to be respected and the public fisc protected, need methods to ensure that the persons trying to take advantage of governmental benefits and protections are, in fact, people entitled to do so. Employers and unions must be able to verify that the people who they hire or enroll are entitled to the benefits of employment and the protections of organized labor.
An attribute of identity crime that makes it hard to conquer is that it is particularly difficult to investigate and gather sufficient evidence for an indictment. Criminal investigators first must face the challenge of complexity.47 What kind of complexity?
1. An investigation requires the participation of a multitude of different businesses, such as financial institutions, credit card companies, debt collectors, and medical records companies, in each of which investigators may have difficulty establishing contacts.48
2. A single crime may occur in many jurisdictions, which often have imprecise and varying definitions of identity crime if they have any definition at all.49 Evidence that may fit the crime in one place may be a mismatch for the criminal elements required in another place.
3. Evidence often is not something tangible, like a fingerprint or an incriminating document; rather it exists in the virtual world, and can be erased or overwritten if the investigator does not act quickly. Gathering evidence requires specialized knowledge, and that knowledge must be updated constantly to keep abreast of the criminals. Prosecutors must find a way
47 For a thorough discussion of the challenges facing prosecutors, see International Association of Chiefs of Police, Identity Crime Toolkit for Investigators, To Identity Thieves, Everyone is Just a Number 11 (n.d.) [hereinafter “IACP Toolkit”], available at http://www.theiacp.org/investigateid/pdf/binder-resources/identity-crime-toolkit.pdf.
48 Id. at 38.
49 Id.
for judges and juries to understand exactly what the perpetrator did and how that is a crime, despite the lack of tangible evidence.50
4. Identity crime is not a single crime. Rather, it unfolds in stages, from obtaining or creating a usable identity, and then using that identity to commit further crimes, while concealing the true identity of the criminal.51 A person’s victimization from identity crimes may be ongoing and repetitive. One criminal may acquire card information (perhaps by larceny), use it to commit credit fraud (larceny and fraud), gain employment (fraud; offenses against employment laws), get a driver’s license (fraud on the DMV; traffic law violations for driving without a valid license), and commit a money laundering offense, then sell the identity information to someone else who continues to use it until something or someone puts a stop to it.
The complexity of identity crime, as discussed above, and the difficulties in prosecuting such crimes are issues that can be mitigated in the long run by changes in the law and in the methods of enforcement. In the absence of effective laws and enforcement, it is necessary to engage in prevention methods. Methods include the use of strong user authentication in computer systems, the development of business policies to address identity theft, content and identification management, gathering and sharing relevant information among stakeholders, consumer education, the creation of partnerships between public and private entities, and international cooperation in both policy and actions.52
The practitioners of criminology have put forth numerous crime prevention models and approaches, but few are well-suited to identity-related crimes.53 There is no specific framework for developing a methodological approach to preventing, and reducing the impact of, identity-related crimes.
Additionally, numerous recommendations for prevention have been made by governments, non-profit and for-profit organizations, NGOs, and law enforcement authorities, but these recommendations have been based on prevention approaches that do not address the unique elements of identity crimes. The approach that
50 Id. at 40.
51 Id.
52 See Chapter 7 (“Recommendation for Identity Crime Prevention and Impact Minimization”).
53 Approaches such as the “victim-centric prevention approach” and “crime prevention through environmental design.” See, e.g., Peter R. Ibarra & Edna Erez, Victim-centric Diversion? The Electronic Monitoring of Domestic Violence Cases, in 23 Behav. Sci. & L. 259 (2005); International CPTED Association, http://www.cpted.net (last visited Mar. 30, 2010).
is put forth in this book is specifically tailored to identity crimes, as opposed to one adaptable to a wide range of crimes. Thus, it should prove more useful in preventing such crimes than generic solutions.
A comprehensive book on identity crime is desperately needed. To date, a rather meager body of literature deals with the topic. On a popular level, one will find articles in magazines, newspapers, and on the internet that do little more than offer brief checklists of how to avoid having one’s identity compromised. These pieces are not to be criticized, but they are simply not crafted to deal with the scope and seriousness of identity crime that our current situation demands. At a slightly higher level of sophistication one will find articles appearing in various commercial and banking journals; many of these treatments are quite useful since it is often businesses and banks that are most heavily impacted by identity crime, yet still these articles do not begin to tackle comprehensively the task of effectively confronting identity crime as one of this age’s most serious problems. Moreover, there are books that have been written on identity crime, but none of them address identity crime comprehensively or from the perspective of a legal and legislative analysis; in most cases these books deal with the severity of identity crime and its impact on the average citizen.54 For legal analysis, one can turn to law journals55 and a few legal
54 See, e.g., Jim Stickley, The Truth about Identity Theft (2008); John R. Vacca, Identity Theft (2003); Amanda Welsh, The Identity Theft Protection Guide (2004); Bob Sullivan, Your Evil Twin: Behind the Identity Theft Epidemic (2004); Daniel J. Solove, The Digital Person: Technology and Privacy in the Information Age (2004); Kristin M. Finklea, Identity Theft: Trends and Issues (2010).
55 See, e.g., Brandon McKelvey, Financial Institution’s Duty of Confidentiality to Keep Customer’s Personal Information Secure from the Threat of Identity Theft, 34 U.C. Davis L. Rev. 1077 (2001); Edward J. Janger and Paul M. Schwartz, The Gramm-Leach-Bliley Act, Information Privacy, and the Limits of Default Rules, 86 Minn. L. Rev. 1219 (2002); Erin M. Shoudt, Identity Theft: Victims “Cry Out” for Reform, 52 Am. U. L. Rev. 339 (2002); Lynn M. LoPucki, Human Identification Theory and the Identity Theft Problem, 80 Tex. L. Rev. 89 (2001); James P. Nehf, Recognizing the Societal Value in Information Privacy, 78 Wash. L. Rev. 1 (2003); Anthony E. White, The Recognition of a Negligence Cause of Action for Victims of Identity Theft: Someone Stole My Identity, Now Who Is Going to Pay for It?, 88 Marq. L. Rev. 847 (2005); Jeff Sovern, The Jewel of Their Souls: Preventing Identity Theft Through Loss Allocation Rules, 64 U. Pitt. L. Rev. 343 (2003); Daniel J. Solove and Chris Jay Hoofnagle, A Model Regime of Privacy Protection, Ill. L. Rev. 1 (2006); David Narkiewicz, Identity Theft: A Rapidly Growing Technology Problem, 26 Penn. Lawyer 58 (May/June 2004); Catherine Pastrikos, Identity Theft Statutes: Which Will Protect Americans the Most?, 67 Alb. L. Rev. 1137 (2004); Erin Leigh Sylester, Identity Theft: Are the Elderly Targeted?, 3 Conn. Pub. Interest L.J. 371 (Spring 2004); Holly K. Towle, Identity Theft: Myths, Methods, and New Law, 30 Rutgers Computer and Tech. L.J.
treatises,56 but none of this material is comprehensive. These treatments typically highlight one or two specially-focused issues within the larger body of issues related to identity crime, and few of them even attempt to deal with identity crime across interstate or international borders. In any case, the reader should know that virtually all of the available literature (popular, commercial, legislative, legal) has been consulted and is cited throughout this book. Thus this book avails itself of the considerably thoughtful and valuable material already available, but goes much further in addressing virtually every aspect of identity crime and how better to confront it legally in all political jurisdictions, including the international community. In other words, this book is the first comprehensive treatment of all aspects of identity crime. It is a legal analysis, suggesting that the national and international communities need to get a grasp on this rapidly growing cancer called identity crime, but also suggesting that radical surgery is needed rather than a steady application of band aids to fix the problem.
The book consists of ten chapters including the introduction and the conclusion. Chapter 2 addresses the meaning of “identity” and attempts to make suggestions concerning the need for legislatures everywhere, indeed the international community at large, to begin to universalize such basic matters as defining identity, not to mention making more uniform the array of laws that seek to reduce and eliminate identity crimes.
237 (2004); Erin Suzanne Dais, A World Wide Problem on the World Wide Web: International Responses to Transnational Identity Theft via the Internet, 12 Wash. U. J.L. & Pol’y 201 (2003); Chris B. Petrie, Identity (Theft) Crisis! 26 Wyo. Lawyer 22 (October 2003); Sean B. Hoar, Identity Theft: The Crime of the New Millennium, 80 Or. L. Rev. 1423 (Winter 2002); Raymond G. Mullady, Jr. and Scott D. Hansen, Identity Theft Litigation: A Roadmap for Defense and Protection, 2008 Utah L. Rev. 1, No. 2 (2008); Nicole A. Ozer, Rights “Chipped” Away: RFID and Identification Documents, 2008 Stan. Tech. L. Rev. 1 (2008); Rachel Hirsch, Identity Theft Continues to Top FTC’s List of Consumer Complaints, Nat’l L. Rev. (March 28, 2012); Daniel J. Solove, The New Vulnerability: Data Security and Personal Information, 9 (GWU Law School Public Law Research, Paper No. 102, 2008); Vincent R. Johnson, Cybersecurity, Identity Theft, and the Limits of Tort Liability, 57 S.C. L. Rev. 255 (2005); Paul M. Schwartz & Daniel Solove, The PII Problem: Privacy and a New Concept of Personally Identifiable Information, 86 N.Y.U. L. Rev. 1814 (2011).
56 See, e.g., Perspectives on Identity Theft, 23 Crime Prevention Studies (Graeme R. Newman & Megan M. McNally eds. 2009), (presenting a collection of scholarly articles on identity crime that explores the seriousness of identity crime and the need for legislative initiatives to deal with it); See also Reba A. Best, Identity Theft: A Legal Research Guide (2004) (presenting a very useful bibliography of early literature on identity crime).
Chapter 3 presents the Identity Crime Model, a framework for understanding identity crimes. The chapter assists the reader in evaluating and developing legal instruments for prevention, recovery, and prosecution, and in developing an overall prevention strategy. Chapter 3 develops a definition of identity crime that includes the five critical components of the crime, namely acquisition, production, transferring, possession, and use, which are discussed in detail. Techniques and strategies for acquiring personal information and documents are covered, including the acquisition of physical items57 and data theft techniques that rely on computer technology, such as phishing, botnets, smishing, vishing, pharming, spyware, malware, web Trojans, keyloggers and screenloggers, system reconfiguration attacks, hacking and cracking, online searching and search hacking, wardriving, and identity theft via social networks. Chapter 3 also provides a comparison of identity-related frauds with generic fraud, revealing the unique features of the former. Different types of identity-related frauds are discussed in detail including identity-related frauds involving: credit cards and payments; banks; trade; loans; real estate and mortgages; employment; criminal evasion; telephones and other utilities; taxes; social security numbers and cards; passports and visas; driver licenses; medical services; credentials; insurance; investments; tenancy; bankruptcy; postal services; email and the Internet. Chapter 3 goes on to discuss situations in which identity information and documents are used for committing other crimes, such as terrorism, money laundering, illegal immigration, drug trafficking, and organized crime.
Chapter 4 provides threat analysis, and introduces the Identity Crime Risk Assessment Model, spelling out the identity crime threat agents that directly or indirectly increase or decrease the likelihood of becoming a victim.
Examining and understanding the various threats and risks, and how they affect and interact with each other, leads to a structured and methodical approach for reducing identity crime. The economic approach to identity crime legislation and punishment is covered, using the methods of the Law and Economics movement. Chapter 4 discusses the reasons why thieves steal and synthesize identity, and why identity crime is spreading. Identity crime threat agents are discussed, along with their significance and interrelationships, including: the probability of loss occurring, the potential loss to victims and its magnitude, the effort required to commit the crime, the potential gain or reward to the
57 For example, mail theft, dumpster diving, theft of public records, insider theft, thefts involving used computer equipment, theft of data storage devices, skimming, and pretexting are discussed in detail.
offender, the commitment required, the capability needed, the role of opportunity, repercussions from an arrest, the probability of an arrest, the motivation to commit the crime, exposure to the crime, and neutralization, or the rationalization used by the criminal to justify his actions. Chapter 4 finishes with impact analysis, and provides a better understanding of the true cost of identity crime to victims. This information then can be used to determine the magnitude of response nations need to develop. An identity crime cost model is developed, and the four primary types of identity crime costs are discussed, specifically, prevention costs, consequential costs, recovery costs, and response costs. Chapter 4 includes an identity crime costing template using the Identity Crime Cost Model. The impacts of identity crime on victims, businesses, government, the community, society, offenders, victim families, and offender families are discussed.
Chapter 5 presents a review of the actions taken by a variety of international and regional organizations to combat identity crimes. International organizations that deal with criminal issues have not yet developed specific identity crime legislation. Nevertheless, a variety of these organizations have focused on the problem, and provide insights useful in further developing national legislation and taking action to prevent the spread of identity crimes.
Chapter 6 evaluates worldwide statutes and treaties pertinent to identity crime. This part analyzes specific statutes, as defined by several different nations, that pertain to identity. Some are identity-crime-specific, such as identity theft and identity fraud statutes in Canada and the United States. The others are merely identity-crime-related, such as general fraud and theft statutes.
Identifying and analyzing the statutes currently used to prosecute identity crime is an important component in developing proper deterrents and law enforcement responses to identity crimes. The coverage is thorough, looking at all laws that might be used in prosecuting identity crime, and then analyzing them with reference to a model of what must be covered if an identity crime framework is to be successful. Where national laws are directly, or even obliquely, targeted toward identity crimes, the discussion of each country’s identity laws includes background information about passage of the law, including the country’s experience with identity crimes, and information about what the law was intended to do. To the extent that statistics are available, the book analyzes the success and failure of the legislation. Included in this study are four countries: United States, Canada, Australia, and the United Kingdom. These countries constitute a balanced sample that represents the state of legislation in the world regarding identity crimes. The countries selected, and the reasons for doing so, follow:
The United States is included because it was the first country in the world with identity-crime-specific statutes (enacted in 1998), and thus has the most experience enforcing such statutes.58
Canada, on the other hand, is the most recent country with identity-crime-specific statutes, implemented in 2010,59 and the Canadian legislature has created a statute that includes all five elements of the Identity Crime Model.60 Bill S-4, as the legislation was known, criminalized a variety of early-stage identity-related actions.61 These activities include trafficking and possessing identity information. The law defines three new core offenses: trafficking in identity information with the knowledge that it will be used in a crime; obtaining and possessing identity data with the intent to use it to commit a crime; and illegally possessing or trafficking in identity documents issued by the government. The changes make it explicit that these activities form part of an identity theft or fraud and allow Canada’s government to begin investigations into identity crimes and obtain convictions for those crimes.62
Australia63 has put a great deal of effort into studying its identity crime problems and responding with legislative solutions, both at the national and state level. Unique among nations, Australia has devised a National Identity Security Strategy (referred to by government documents as “The Strategy”) to “combat the misuse of stolen or assumed identities in the provision of government services.”64 Different states in Australia, for example, South Australia, have passed or are in the process of passing laws that directly target identity crime.65
There is no offense in the United Kingdom specifically called “identity theft” or “identity fraud,” although, under the Identity Cards Act 2006, it is an offense to possess or control false identity documents, including genuine ones
58 Discussed in Chapter 6.
59 Holmes & Valiquet, supra note 18.
60 For a discussion of the Identity Crime Model, see above and Chapter 3.
61 Criminal Code, R.S., 1985, c. C-46 §§ 402.1 et seq. (Can.).
62 Nat’l Crim. Justice Section of the Canadian Bar Association, Bill S-4, Criminal Code Amendments (Identity Theft) (June 2009) available at http://www.cba.org/CBA/submissions/pdf/09-31-eng.pdf; Kathleen Lau, Bill S-4 tightens noose around identity thieves, IT World Canada (Jan. 11, 2010), http://www.itworldcanada.com/news/bill-s-4-tightens-noose-around-identity-thieves/139723.
63 Discussed in Chapter 6.
64 Identity Security, Australia Attorney-General’s Department, http://www.ag.gov.au/identitysecurity (last visited Jan. 28, 2010).
65 See, e.g., Criminal Law Consolidation (Identity Theft) Amendment Act 2003 (SA) (Austl.) (amending South Australia’s criminal statutes); New South Wales Crimes Amendment (Fraud, Identity and Forgery Offences) Act 2009 (NSW) (Austl.).
improperly obtained.66 Penalties have been increased for fraudulently obtaining passports and driving licenses. The Fraud Act 2006 has been passed67 stating that a person is guilty of fraud if found to be perpetrating various types of fraud, in order to make a gain for oneself or another, or to cause loss to another, or to expose another to a risk of loss. The Fraud Act offenses can be used in pursuit of identity criminals, although they were not specifically designed to do so. The United Kingdom is similar to many countries around the world that are actively trying to address identity crime but are using statutes enacted before identity crime was an issue, or statutes modified to address the issue.
The four countries analyzed provide us with the ability to contrast four countries – the United States, Canada, Australia, and the United Kingdom – that have identity-theft- or identity-fraud-specific statutes to each other. This comparison lets us understand whether identity-crime-specific statutes (i.e., statutes addressing identity, identity theft, and identity fraud) are superior in prosecuting identity crime. The book analyzes the limitations and strengths of the statutes, comparing them to the Identity Crime Model. Similarly, the limitations of the countries with no identity-crime-specific statutes (e.g., countries that tackle identity crime by using general fraud, forgery, or theft statutes) are addressed.
Chapter 7 presents strategies, other than the international convention recommended in the legal analysis, to prevent identity crimes, and to minimize their impact if they occur. The discussion includes government initiatives, industry and non-profit initiatives, identity management, and third-party identity theft prevention and recovery tools. The chapter presents the best method for establishing an authenticated identity, and other recommendations to prevent identity crimes.
Chapter 7 finishes with a table of identity crime prevention and impact minimization techniques evaluated based on the Identity Crime Model and the Identity Crime Threat Model. The intention is not to analyze various crime prevention approaches, but instead to present two crime prevention and impact minimization models that are specifically meant for application to identity-related crimes. The two approaches are the Identity Crime Model Approach (IDCMA)68 and the Identity Crime Threat Agent Approach (IDCTA),69 which are discussed in detail, with illustrative flowcharts, in the text.
66 Identity Cards Act 2006, c. 15, § 25.
67 Discussed in Chapter 6.
68 Also discussed in Chapters 3 and 4.
69 Also discussed at Chapter 4.
In Chapter 8, the Identity Crime Privacy Model is developed to show the interaction between privacy, anonymity, and identity crime. Traditional approaches attempt to reduce identity crime by providing less and less privacy. The Model suggests that it is possible to achieve a reduction in identity crime by enhancing privacy and leveraging the benefits of anonymity, while recognizing that absolute privacy and total anonymity can only lead to an environment in which there can be no exchange of information at all. Additionally, an overview of current and developing technologies is presented which offers a starting point for understanding issues associated with selecting a privacy-protection strategy. From the perspective of identity crime, privacy can be considered a tool for developing effective prevention strategies. Privacy is a far-reaching concept that is difficult to define. It has unique features and operates with unique dynamics because it encompasses ideas from law, philosophy, psychology, and technology. This book recommends that the choice of policies and technologies should always be made on the basis of how they will affect the privacy of individuals and organizations and whether they will protect personally identifiable information while retaining the ability of that data to be useful to society.
Chapter 9 presents a draft of an international treaty that provides common rules and guidelines to deal with the international problem of Identity Crime. In much the same way that the international community eventually felt the need to draft an international treaty to deal with cybercrime, it will eventually deem it necessary to draft a treaty to deal with identity crime.
Chapter 10 provides the summary and concludes the book.
This study of the worldwide problem of identity crimes has led to several recommendations, chiefly concerned with actions governments must take to ensure that identity crimes do not do needless damage to the world’s economies, to individual lives, to the provision of services, and the free flow of commerce. This book also contains a wide range of prevention, prosecution, and mitigation strategies that can be adopted by individuals, businesses, not-for-profit organizations, and governments to decrease the onslaught of identity crimes. Among the recommendations are:
First, there must be a standard definition of “identity crime.” International bodies have looked at the problem, but there has been little movement toward agreement on a standard. Once such a definition exists, the language used to describe and prosecute identity crimes must be standardized. Only after prosecutors speak the same language can they cooperate and prevail over identity crimes.
Second, since existing laws in most of the countries around the world are inadequate, an international treaty, similar to the Council of Europe’s
Convention on Cybercrime,70 is required to deal with this problem. The trans-border nature of the offense when committed using the Internet conflicts with the territoriality inherent in official authority to enforce national laws. Only a cross-border effort can deal with a crime of this nature. “History has shown that when nations agree upon a common malicious threat, be it piracy on the high seas centuries ago or aviation terrorism of the 20th century, a cooperative, treaty-mediated regime can contribute substantially in addressing the problem.”71
Third, the standards adopted by all nations must encompass the five primary components of identity crime, as reflected in the Identity Crime Model.72 Acquisition, production, transfer, possession, and use, must each be criminalized. The Identity Crime Model assists in understanding identity crimes, evaluating solutions to it, and developing instruments to prevent, prosecute, and recover from identity crimes.
Fourth, governments and businesses must conduct identity crime impact assessments to better understand the true cost of identity crime. They need to follow an identity-crime-specific approach to decide upon the right strategies
70 The best example of the type of convention that can make a dent in identity crimes is the Council of Europe’s 2001 Convention on Cybercrimes, which has been ratified by 25 European countries, as well as the United States, Canada, Japan, and South Africa. See Cybercrime Convention, supra note 21, at pmbl. The framers of that convention stated that they were:
– Convinced of the need to pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cybercrime, inter alia, by adopting appropriate legislation and fostering international co-operation;
– Conscious of the profound changes brought about by the digitalization, convergence and continuing globalization of computer networks;
– Concerned by the risk that computer networks and electronic information may also be used for committing criminal offenses and that evidence relating to such offences may be stored and transferred by these networks.
The framers further stated: “The Convention aims principally at (1) harmonizing the domestic criminal substantive law elements of offences and connected provisions in the area of cyber-crime (2) providing for domestic criminal procedural law powers necessary for the investigation and prosecution of such offences as well as other offences committed by means of a computer system or evidence in relation to which is in electronic form (3) setting up a fast and effective regime of international co-operation.”
71 iws Proposal, supra note 37, at introduction.
72 Illustrated in Chapter 3, and discussed throughout this book. The Identity Crime Model is essential to an understanding of identity crimes and for evaluating and developing different legal instruments for preventing, prosecuting and recovering from identity crimes. This model is used for conducting a study of the identity crime schemes of 6 countries.
to prevent, or at least minimize, identity crime,73 and engage in threat agent assessment and analysis74 to determine where resources should be spent, and how many resources, to best handle the problem.
Fifth, governments, with the cooperation of businesses, must develop identification documents and tools that allow real-time authentication and verification of personal identity information and documents. It is time for changes in the way that we identify people. It is now conceivable that the identifier that a person uses in the physical world also, and seamlessly, can be used in the virtual world. It is possible to develop a means of identification that can be used for both online and offline identity, and one that is robust and fraud-proof. Once such a means of identification is established, it can be protected through better safeguards, tougher legislation, better law enforcement, a higher prosecution rate, and a higher prosecution success rate as the courts become more informed about it. Actions are suggested in this book that can be taken by governments, businesses, and consumers, which include everything from mundane tasks like document management, to things that might currently be seen as exotic, such as the use of biometrics.
Sixth, identity can and should be recovered, through the use of “wayback” credit files and alternatives to the social security number, and an agency (either governmental or nongovernmental) that can be a clearinghouse and help center for all cases of identity crime, whether it be credit card fraud, identity synthesis, identity hijacking or stealing, e-check fraud, identity-related employment fraud, identity-related tax fraud, or any of the other means available to gain something by using someone else’s name.
Seventh, countries should develop a comprehensive national strategy that does not just focus on criminal law, or on national law, but crosses all governmental lines, involving all levels of government in efforts to combat identity crimes.75
73 Such strategies as the Identity Crime Model Approach (IDCMA) and the Identity Crime Threat Agent Approach (IDCTA), which I have developed, are discussed in Chapters 3 and 4.
74 Discussed in Chapter 4.
75 For example, Australia’s statutory scheme is just one element in its National Identity Security System, which is referred to by the government as “The Strategy.” Discussed in Chapter 6, Section 6C.3.
Chapter 2
What Is Identity?
Introduction
The word “identity” can be tricky. Does it mean one’s personal self, the self as defined by one’s government issued identity cards, the self as defined by one’s name, how one is perceived by family and friends, or something else? Do we need more than one definition of identity? When a criminal has stolen one’s identity, what has he/she stolen? Can someone’s identity be lost? We could add more elusive inquiries to these, but by pondering these few basic questions one can easily see the dilemmas faced by legislatures when trying to address the subject of identity crime. And not surprisingly, legislatures in various countries answer questions like these somewhat differently, which contributes to the variety and range one sees in how these countries address identity crime. A United States federal statute has narrowed the term “Identity” to pertain to specific personal information and documents, and the scope of this volume is limited to crimes involving such information and documents. 18 U.S.C. § 1028(d)(7), states that the term “means of identification” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any (A) name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number; (B) unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (C) unique electronic identification number, address, or routing code; or (D) telecommunication identifying information or access device. 
This chapter addresses the meaning of “identity” and attempts to make suggestions concerning the need for legislatures everywhere, indeed the international community at large, to begin to universalize such basic matters as defining identity, not to mention making more uniform the array of laws that seek to reduce and eliminate identity crimes.
© Koninklijke Brill NV, Leiden, 2020 | DOI:10.1163/9789004395978_003
2.1 When We Say “Identity,” What Do We Mean?
While the meaning of identity may seem simple and obvious at first glance, it is actually a complex proposition that has been discussed in depth by philosophers, psychologists, legal experts, and sociologists for years. The development of the Internet with its “virtual communities” and its “faceless interactions” has resulted in more attention being given to the idea of identity as an asset that needs protection. However, in order to protect identity effectively, and as its value as an asset continually grows with the proliferation of online relationships and transactions, it is necessary to understand what identity means. Is identity an asset, and if so, what kind of asset is it?
Identity impacts many parts of a person’s life, including work, social relationships, and family connections. Identity affects a person’s mobility, how he/she handles business and customer contracts, and how he/she addresses citizenship issues like voting or biological issues like health care. Additionally, there is the need to prove in a reliable and effective way that individuals really are who they say they are and that they have the credentials required to take specific actions. For example, a person needs a valid driver’s license to drive a car or the right diploma to prove academic competency. The information included in the license, diploma, or other documentation belonging to an individual must be managed effectively to ensure its relevance and accuracy. It needs to be controlled by the appropriate organizations and by the individuals themselves because access to the information and/or disclosure of it has an impact on individual freedom and liberty.
Philosophically and psychologically, a person’s identity cannot be separated from the individual sense of self, but an identity can also be established through the use of various identifiers.
These can be physical (biometric) like iris scans, fingerprints, or voice prints, or they can be written documents, such as passports and drivers’ licenses. Identity can be established through financial identifiers like bank account or credit card numbers as well.1
1 Model Criminal Law Officers’ Committee of the Standing Committee of Attorneys-General, Final Report: Identity Crime 3 (March 2008), available at http://www.lawlink.nsw.gov.au/lawlink/SCAG/ll_scag.nsf/vwFiles/MCLOC_MCC_Chapter_3_Identity_Crime_-_Final_Report_-_PDF.pdf/$file/MCLOC_MCC_Chapter_3_Identity_Crime_-_Final_Report_-_PDF.pdf.
2.2 Identity – Dictionary Definitions
Black’s Law Dictionary does not attempt to define the word “identity” in isolation. Instead, it defines several categories of identity: identity of evidence, identity of invention, and identity of design. Actually no one of these categories fits neatly into any definition of identity as it relates to identity crime. But even if a legal dictionary is of limited help in defining identity for our purposes, we should not give up on finding a workable and relevant definition, though finding one is nevertheless difficult.
The National Council on Identity Policy defines identity as “one’s contemporaneous sense of self in relation to each and any context.” The Council makes a further distinction between a real or true identity, which refers to the sense that an individual has of herself or himself, and a legal identity, which may be imposed by a governmental rule of law and is unrelated to the sense of self.2
The Free Dictionary online offers a multipart definition that defines identity as the:3
a. collective aspect of the set of characteristics by which a thing is definitively recognizable or known
b. set of behavioral or personal characteristics by which an individual is recognizable as a member of a group
c. quality or condition of being the same as something else
d. distinct personality of an individual regarded as a persisting entity
e. individuality
f. information, such as an identification number used to establish or prove a person’s individuality to gain access to a credit account, for example
The online Merriam-Webster Dictionary defines identity as:4
a. sameness of essential or generic character in different instances
b. sameness in all that constitutes the objective reality of a thing: oneness
c. the distinguishing character or personality of an individual
d. individuality, the relation established by psychological identification
e. the condition of being the same with something described or asserted
f. an equation that is satisfied for all values of the symbols
2 Basic Identity Terms & Meanings, The National Council on Identity Policy, http://idlaw.ncidpolicy.org/basic_identity.html (last visited Jan. 31, 2012).
3 Definition of “Identity”, The Free Dictionary, http://www.thefreedictionary.com/identity (last visited Jan. 31, 2012).
4 Definition of “Identity”, Merriam-Webster Dictionary, http://www.merriam-webster.com/dictionary/identity (last visited Jan. 31, 2012).
WordNet 3.0 lists several definitions for identity:5
a. the distinct personality of an individual regarded as a persisting entity
b. the individual characteristics by which a thing or person is recognized or known
c. exact sameness
The Identipedia is an identity dictionary designed to clarify issues and technical concepts of identity and digital access management. It offers the following definitions in the context of digital identity management:
a. the established relationship between an entity and a particular registration
b. an instance of an entity, a user described as a username and password, or an account
c. the identifier, such as a username or customer number, used to identify an entity
In this schema, an entity can have multiple identities, but usually only one per registration. An identity may have multiple accounts as well, usually one per environment or platform. Therefore, a digital identity is one which refers to the relationship between an entity and a specific registration or the instance of an identity.6
An additional identity concept involves that of legal identity, which is determined by the legal governing structure of a country. There may be differences in the ways various nations handle the issue of legal identity. Canada has issued a Directive on Identity Management that defines identity as “a reference or designation used to distinguish a unique and particular individual, organization or device.”7
In 2002, the Cabinet Office in the United Kingdom provided definitions of identity that specified two types of identity: an attributed identity and a biographical identity. The attributed identity encompasses elements included as a result of birth, such as the birth date, birth name, and parent information. The biographical identity involves those elements that an individual collects after birth via interactions with the larger society. It includes information contained in various documents, such as:
a. Electoral registers
b. Marital certificates
5 WordNet Search, http://wordnetweb.princeton.edu/perl/webwn (last visited Oct. 30, 2012) (search “identity”).
6 Allan Milgate, The Identity Dictionary, Identity and Access Management (Aug. 21, 2006, 10:22 PM), http://identityaccessman.blogspot.com.
7 Directive on Identity Management, Treasury Board of Canada-Secretariat, http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16577&section=text (last visited Jan. 31, 2012).
c. Educational or technical qualifications
d. Employment history8
The Oxford English Dictionary defines identity as “the sameness of a person or thing at all times or in all circumstances; the condition or fact that a person or thing is itself and not something else; individuality, personality.”9 However, this definition is not relevant to terms such as “national identity” or “ethnic identity.” Some experts have argued that the concept of “identity” as commonly used in modern societies is a relatively recent invention, and that dictionary definitions have not caught up with its modern everyday meaning. The older meaning of identity relates to a legal association of a name with a certain individual, and is often referred to in cases of credit card and similar thefts in which identities are “stolen.”10
These definitions comprise concepts from several fields, including psychology, philosophy, and law. Defining identity from the philosophical perspective involves concepts such as oneness and sameness. Those from law involve government regulations, information about individuals that is collected, registered, and stored. Definitions of identity in the field of psychology focus on concepts of self and self-image. Additionally, the conception of identity is affected by circumstances and whether the environment surrounding a given identity exists in the physical world or in a virtual space on a computer. When an identity crime is committed, all facets of identity are impacted.
2.3 Identity Properties and Attributes
The concept of identity can also be approached through an examination of properties that rely on specific behaviors. In this view, a meaningful definition of identity depends on which of nine specific properties is involved. The properties are the means by which the behavior of identity may be observed. The properties are:11
a. Social
b. Subjective
8 Final Report: Identity Crime, supra note 77.
9 Oxford English Dictionary (2nd ed. 1989).
10 James D. Fearon, What Is Identity (As We Now Use The Word)? 9 (Nov. 3, 1999) (unpublished draft) [hereinafter “What is Identity”], available at www.stanford.edu/~jfearon/papers/iden1v2.pdf.
11 Mary Rundle et al., OECD, At a Cross-roads: “Personhood and Digital Identity in the Information Society” (STI Working Paper 2007/7, Feb. 29, 2008), available at www.oecd.org/dataoecd/31/6/40204773.doc.
c. Valuable
d. Referential
e. Composite
f. Consequential
g. Dynamic
h. Contextual
i. Equivocal
2.3.1 The Social Property
Because human beings are social in nature, they need a way to present themselves to other human beings in the same recognizable manner over time, and they need to be able to recognize the same persistence of being in those others over time as well in order to have any meaningful transactions with them.
2.3.2 The Subjective Property
No two human beings have exactly the same perceptions of a given individual. Everyone relies on different characteristics and features of other individuals in order to identify them. Therefore, each person actually possesses multiple identities based on the perceptions of the people with whom he or she interacts.
2.3.3 The Value Property
An individual’s past actions are associated with his or her identity. Over time, an identity collects positive or negative value on the basis of these actions. References are often made to someone’s “good name.” Historically, duels were fought to defend the honor of a name, and “dragging (one’s name) through the mud” is legally actionable. Expectations of certain behaviors are linked to a person’s identity, and this reliance on past actions forms the basis for trust in social and business dealings.
2.3.4 The Referential Property
An identity is not the same as the actual person. It is a reference to that person. If someone creates several different identities (to have different website profiles, for example) the elements making up those identities ultimately lead to the same physical individual. It is possible for different identities to refer to a single individual.
2.3.5 The Composite Property
While individuals often provide information about themselves voluntarily, other information about them can be developed without their active
participation. Organizations and governments are constantly creating data related to individuals through various registrations, licenses, and other data collection initiatives designed to improve their operations.
2.3.6 The Consequence Property
An identity has a history; whenever information about that identity is collected or shared, there are consequences. Sharing identity information can be dangerous for individuals, as in cases of identity crime, but in many cases, an individual may choose not to share identifying information.
2.3.7 The Dynamic Property
Information relating to a particular identity is always changing, so there is a considerable probability that some or all of the data associated with that identity is inaccurate at any given time.
2.3.8 The Equivocal Property
Any processes utilized in determining an individual’s identity may be subject to error.
2.3.9 Identity Attributes and Dimensions
Identity attributes can be viewed in terms of two separate but related dimensions: the identity dimension and the identification dimension. The identity dimension involves elements that represent an actual person. The identification dimension refers to concepts and terminology associated with the sharing and use of identity information. Separating these dimensions allows for the different but related ideas of description and process, where description refers to the representation of a person via the attributes and states that describe that specific individual, and process involves making one individual unique and separate from all others engaging in the same activity.12
A Examples of Identity Attributes and Where They Are Used
There are multiple ways to represent an actual human being for the purpose of identification, as the following paragraphs will show.13 In the realms of
12 WP2, Future of Identity in the Information Society (FIDIS), D 2.1: Inventory of topics and clusters 26, (Sept. 21, 2005), available at http://www.fidis.net/fileadmin/fidis/deliverables/fidis-wp2-del2.1_Inventory_of_topics_and_clusters.pdf.
13 WP2, Future of Identity in the Information Society (FIDIS), D2.3: Models 36–37 (Oct. 6, 2005), available at http://www.fidis.net/fileadmin/fidis/deliverables/fidis-wp2-del2.3.models.pdf.
What Is Identity?
31
business and security, identity documents and the information they contain have a major role. The attributes of such documents may include a person’s name or pseudonym and a Social Security number. Biological characteristics may be utilized for identification purposes in the fields of biometrics, forensic, or medical environments. The attributes related to identification via biological characteristics include gender, eye color, fingerprint, dna, retinal or iris scans, face recognition, height, unique gestures, or collected medical information. Law enforcement authorities and societies utilize attributes of identity related to citizenship and justice under a legal system. These include union affiliation, criminal records, and political opinions. The role and function of an individual in an organization or under the law represents other useful attributes of identity and include title, tasks, and responsibilities taken on by an individual. Location is an attribute of identity that may be used where mobility is part of an activity an in the area of e-commerce. Locations may include home, work, or real-time, mobile/g ps coordinates. Assets and transactions are useful identity attributes used in e-taxation, e-commerce, and crime-fighting initiatives. These include real estate and other assets, financial data, tax information, income, and liabilities. Individual competencies as determined through diplomas or demonstrated expertise are attributes of identity valued by educational and other organizations. Personal preferences and interests are frequently used in education, commerce and leisure areas to identify specific persons. Finally, identity attributes can be linked to social and psychological characteristics. Examples of social characteristic attributes are an individual’s personal network of friends, his or her affiliations, and the person’s reputation. These attributes are important for a societal and personal identity. 
The psychological attributes may be used by human resources and education authorities, as well as in criminal profiling. They include an individual’s psychological state, motivation, sexual orientation, and behavior, along with personality and cognitive style. 2.4
Identity –the Psychological View
The concept of identity as it is known in the modern world stems chiefly from the work of psychologist Erik Erikson, in the 1950s. Erikson defined identity as “a subjective sense as well as an observable quality of personal sameness and continuity, paired with some belief in the sameness and continuity of some shared world image.”14

As noted above, dictionary definitions often fail to communicate the current meanings of the word, as used in the context of everyday speech. The current sense of identity is a relatively recent and complex social construct. While everyone understands how to use the word correctly, it is difficult to provide a short summary that includes the broad range of its current meanings.15

Researchers have assigned specific psychological attributes to a person’s behaviors, and these can be used to talk about a psychological identity. The behaviors may include elements that are relatively permanent or more transient. Psychological identity attributes include:
a. Psychological state
b. Personality
c. Motivation
d. Cognitive style

The psychological state refers to an individual’s current mood. Personality indicates whether a person trends toward being more introverted or extroverted, whether he or she is more social in behavior or more reserved and private, whether self-confident or insecure. It can also indicate the level of emotional stability. Motivation refers to an individual’s level of curiosity, pain tolerance, and anxiety. It also refers to family and citizenship matters. Cognitive style involves how an individual learns and handles social situations.16

The self-identity concept relates to the features and representations that are unique to a single person and to the way that characterization is structured. In this case, identity can be categorized on the basis of elements such as the:
a. Personal
b. Biological
c. Social
d. Legal

Identity can be attributed to a physical or abstract “person” (an organization). Researchers in the field of psychology sometimes make a distinction between “I,” which refers to the first-person perspective, the “implicit me,” which refers to the perception an individual has of him/herself, and the “explicit me,” or the way the individual is perceived when in a specific context or environment.17

It has also been noted that an identity really reflects an individual’s social relationships, and not innate characteristics. The attributes of age or gender may be altered via different types of clothing or the possession of other tokens. And because identity is “performed” in a social context, it can be corrupted. The victims of identity crime are often traumatized through the theft or misuse of what they know as their “reflection of self.”18

Identity is a concept with two related facets: the social and the personal. In the social sense, identity refers to a social category in which a “set” of individuals are labeled and distinguished according to rules that determine membership in the group according to certain characteristics or features. In the personal sense, identity refers to some unique characteristic(s) in which the individual takes special pride or which is viewed as having a social consequence. So identity can have a double sense, referring at once to social categories and to the source of self-respect.19

14 Kendra Cherry, Identity Crisis – Theory and Research, About.com Psychology, http://psychology.about.com/od/theoriesofpersonality/a/identitycrisis.htm (last visited Jan. 31, 2012).
15 Fearon, supra note 86, at 1–2.
16 FIDIS, supra note 89.

2.5 Identity – the Philosophical View
For philosophers, identity is a synonym for “sameness.” It refers to the element(s) that make something recognizable as itself and only itself, different from all other things. Personal identity involves the conditions and features by which an individual is “identical to himself through time.”20 However, there are several philosophical paradoxes that emphasize the problem of trying to develop universal standards for verifying/authenticating a personal identity.

The most basic paradox involves the problem of change over time: is a thing the same from one day or one minute to the next? Philosophers use Plutarch’s “Ship of Theseus Paradox” to discuss this issue. Plutarch imagined a wooden ship that has been restored through the replacement of all of its old parts with new parts. Some philosophers argue that the ship is the same after its restoration, while others take the opposite view and call it a new ship. Thomas Hobbes, the English philosopher, posited another ship, which was created by reassembling the old parts; this ship is, therefore, exactly like the original. According to Hobbes, both the ship restored with new parts and the ship reassembled with the old parts appear to qualify equally to be “original.” In the first case, the original ship is remodeled, while in the second case, it is reassembled. It is clear, however, that the two ships are not the same.21

Some of the philosophical concepts applied to identity are qualitative and numerical identity, and essence. Philosophers also address the persistence of a characteristic over time in discussions of perdurance and endurance.22

Qualitative identity involves the sharing of properties. For example, all breeds of dogs are qualitatively identical because they all share the property of being a dog. Two Dalmatians can be said to have a greater qualitative identity because, in addition to sharing the dog property, they also share the Dalmatian property. Numerical identity refers to the relationship that all things have only to themselves and to nothing else.

The concept of essence was developed by the ancient Greek philosopher Aristotle. According to Aristotle, essence is what makes something what it is. If a thing loses its essence, it loses its identity. Essence was associated with definition in the thinking of Aristotle and his scholastic followers.

Philosophers who support the concept of perdurance believe that things persist in time because they possess time-related features that exist at different times. These features are distinguished by the time in which they exist. Time-related characteristics are used to account for change. Thinkers who support the idea of endurance believe that the existence of an object at different times occurs because the thing has only spatial features and no temporal ones. Material objects, therefore, are said to endure over time.

17 FIDIS, supra note 88.
18 Caslon Analytics, https://web.archive.org/web/20130807123808/http://caslon.com.au/idcrimeguide1.htm (last visited Jan. 31, 2012).
19 Fearon, supra note 86, at 2.
20 Identity Philosophy, Wikipedia, http://en.wikipedia.org/wiki/Identity_philosophy (last visited Jan. 31, 2012).

2.6 Identity – the Legal View
The philosophical basis of the concept of identity is evident in the different approaches taken by different governments and organizations. These approaches result in significantly different legal requirements and impact among various nations. Countries of the world base the requirements and verification of identity on different philosophical foundations. In the European Union, Hegelian ideas are prevalent, while in the United States, the legal system relies more on Lockean concepts.23

21 Harry Deutsch, Relative Identity, The Stanford Encyclopedia of Philosophy (Apr. 22, 2002), http://plato.stanford.edu/entries/identity-relative/.
22 Id.
23 Rundle et al., supra note 87, at 26.
For Hegel, an individual exists only when he or she is recognized, and recognition stems from a mass of information that consistently points to/refers to that specific individual. Locke approached identity from the concept of consciousness – that a person consciously knows that he or she is the same human being over time, regardless of context or environment.

Both Hegel and Locke influenced current legal theories of identity. The dominance of Hegelian ideas in European law provides Europe with the sense that an individual has a property interest in his or her personal information. For Hegel, property is a feature of personhood, which gives the individual control over that information. European law supports the idea that individuals are free when they join in community with others as offered by the state. European legal theory also supports the ability of individuals to control their private data with the help of the government. In the United States, where legal theory is based on the ideas of John Locke, individuals control their private spheres of influence and have “defensive liberties” against the government. U.S. legal theory relating to personal identity involves preventing the state from interfering in the private sphere; personal information is to be protected by law from the state’s interference.24

Social contract theory as developed by Rousseau in 1762 requires a basic political and social relationship between a state and its citizens, which in turn, depends on the ability of those citizens to legally identify themselves as such. Without a legal identity, the social contract disintegrates. The various types of social contract theory as established by Rousseau, Locke, and others provide the foundation for modern democracy and citizenship. Citizens must be able to identify themselves as part of a nation to demand and access the benefits and services of that nation.
While a legal identity is not the same as citizenship, it is the prerequisite for it.25

2.6.1 Legal Definition of Identity
A legal identity typically refers to an official document, issued and recognized by a government, that includes basic information attesting to the identity and status of the individual who holds the document. Legal identity provides proof as to an individual’s status as a person who has the right to demand protection under the laws of a state.26

In societies based on English common law, legal systems must recognize the identity defined and maintained by an individual as that individual’s legal identity; legal identity simply means “identity” in societies that respect privacy. It is a crime in the United States to remove or limit the right of an individual to control his or her identity, including the right to change identity information at will. The U.S. Supreme Court has ruled that infringement of these rights through legislation is unconstitutional. A legal identity allows people to be protected by a state’s legal system and to demand redress when their rights have been violated.

A legal identity can be viewed as a sequence of identity attributes, beginning with a birth registration document and moving on to a marriage license, passport, and other documentation over time. Since many agencies may be involved in providing a legal identity for a citizen, the process of obtaining a legal identity can be complicated. The involvement of multiple offices and organizations also introduces a strong possibility of errors, omissions, and negligence as well.27

The United Nations determined that every aspect of social, political, and economic activity relies on the ability of organizations, institutions, and governments to determine the legal identity of a person as a unique individual. A legal identity must be created and associated with a specific individual for such activity to be meaningful, so identity information linked to other data about the individual must be created, transmitted, stored, and retrieved. The critical role of identity in human interactions means that changing or falsifying identity information or breaching an identification system via unauthorized contacts can destroy the basic fabric of government, finance, and social relationships. This has prompted governments worldwide to take action against identity-related crime. To date, most governments have limited their activities to linking identity fraud to the abuse of identity in the commission of other crimes.28

24 Id. at 9–10.
25 Mia Harbitz & Bettina Boekle, Democratic Governance, Citizenship, and Legal Identity: Linking Theoretical Discussion and Operational Reality (Inter-American Development Bank, Working Paper 16, May 2009), available at http://www.iadb.org/intal/intalcdi/PE/2009/03791.pdf.
26 Caroline Vandenabeele, Legal Identity for Inclusive Development, Bangladesh, Cambodia, Nepal (PowerPoint presentation) 2, available at http://www.adb.org/Documents/PRF/REG/RETA-6188-Legal-Identity.pdf (last visited Jan. 31, 2012).
27 Harbitz and Boekle, supra note 101, at 16–17.
28 U.N. Secretary-General, Comm’n on Crime Prevention and Criminal Justice, International Cooperation in the Prevention, Investigation, Prosecution, and Punishment of Fraud, the Criminal Misuse and Falsification of Identity and Related Crimes [Draft 1 Short Version], 52, U.N. Doc. E/CN.15/2007/8 (2007), available at https://www.unodc.org/unodc/en/organized-crime/identity-related-crime.html.
2.6.2 Identity Law in the United States
In the United States, the treatment of identity under the law is based on English common law going back to 1765. In that year, a ruling from the King’s Bench stated that a person was free to change identity at will. U.S. law developed over time to provide that an autonomous person has exclusive authority over his or her identity; only the individual can determine how he or she will be represented to others in daily life, and the only real authority for attesting to who someone is, is the person him/herself. No documents or organizations can dictate who someone is. They can only show the identity of an individual at the time the documents were created, and then only on the basis of that individual’s own statement of identity at that specific time. This represents the primary documentation of an identity. All subsequent documents are secondary. While a birth certificate may accurately attest to the time and place of a person’s birth, it offers no legal determination or information about that person’s true or legal identity.29

2.6.3 Common Identifiers of Legal Identity
Some of the most common elements used to establish legal identity include:
1. Physical or biometric elements such as photographs, iris scans, fingerprints or voice prints
2. Written elements (documents) like a driver’s license, social security card, or passport
3. Financial elements like bank account, credit card, or employee numbers

In 2002, the Cabinet Office in the United Kingdom discussed the concept of identity in terms of attributed identity and biographical identity. Attributed identity is associated with information linked to birth (birth name, birth date, parental information, etc.). Biographical identity involves data about an individual’s societal interactions, including things like voter registration, marriage licenses, educational qualifications, and job history. The control of identity information by the individual is limited, since much of it is under the control of the government, businesses, and public opinion.30

The United States has taken a different approach to legal controls used to mitigate actions involving personal information, leaving the regulation of these controls to private business. In Europe, legislation to regulate legal identity controls has been the norm.31

29 Legal History: Birth Certificates & Identity, The National Council on Identity Policy, http://idhistory.ncidpolicy.org/hist_identity_bc.html (last visited Jan. 31, 2012).
30 FIDIS, supra note 88, at 30–31.
31 Technology and Privacy: the New Landscape (Philip E. Agre & Marc Rotenberg eds., 1998); Lawrence Lessig, Code and Other Laws of Cyberspace (1999).
2.6.4 Use of Social Security Numbers
In the legal systems of most countries, identity attributes are used as references to a real individual. For example, a name is such an attribute, labeling a person or thing in order to distinguish that specific entity from another. Many countries use unique social security numbers issued by government agencies when processing data for the specific purpose of managing the identity of an individual and the relationship with the state.32

A Switzerland
Switzerland has no nationwide identification number, but the country plans to issue unique numbers for the purposes of providing health care in the future. At present, Switzerland uses the AHV, or social security number linked to persons who receive income. It is assigned when an individual is first employed. Only part of the population in the country has such a number, since not all the population is employed. Additionally, circumstances may change this number over time, as it is subject to marriage or name change. The 11-digit number is utilized mainly for contacts between individuals and government agencies. It is rarely used by private sector entities. A considerable amount of information is included in the number, such as references to name, birthday and month, and citizenship status.33

B United States
In the United States, all individuals over the age of 18 who receive income must have a social security number (SSN). The social security number is used in many areas beyond the Social Security program, and most of the population has an SSN. The number does not change during the individual’s lifetime. Changes in circumstance (name change due to marriage, for example) are reflected only by replacement of the actual card on which the number is printed. The SSN provides information such as the state in which application for the number is made. Other than inference about the age of the card holder, the number carries almost no information about the individual.
C France
France’s social security number contains accessible information about the holder. The first digit denotes gender, the next two digits stand for the year of birth, and the next two for the month of birth. The following two digits designate in which of the 95 administrative subdivisions of the country the person was born. The next three numbers represent the city of birth, and the final three digits state the rank within the register of births in that city. With the French social security number, the holder’s sex, age, and region of origin can easily be known.

32 FIDIS, supra note 89, at 20–23.
33 D2.3: Models, supra note 89, at 23.

2.6.5 Legitimate Reasons under the Law for Changing Identity
People have a legal right to change their identity, and there are several legitimate reasons to do so. These include protecting privacy and avoiding persecution. Writers frequently use pen names to create an association between a document and its author. Pseudonyms may be used in communications to make reference to a person who is not present. Names can also be used as references to a person in information systems. The same person may have different names, such as a surname inherited from the parents, a given name chosen by the parents, a married name acquired from the spouse, a nickname chosen by friends, a pseudonym chosen by a person to reduce the possibility of linking information to that person, or a stage name chosen by an actor to help separate private life from work life.34

Witness protection programs provide new identities for individuals who give testimony in potentially dangerous or threatening situations, as in some criminal trials or corporate whistle-blower lawsuits. In the Nazi era, many Jews escaped persecution by changing their identity. Victims of domestic violence change identity and associated information like social security numbers or credit files. Some individuals change their names when they marry.

However, identities created by non-government agencies are becoming more and more difficult to change. Names can change, but the information available about an individual in the public domain is difficult to alter.
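The French number layout described in section 2.6.4, decoded field by field in Python; this is an added example, not taken from the book. It also shows which fields stay readable when only the trailing digits are masked, and a keyed token that can stand in for the number in records. The 1/2 sex coding, the function names, the key and the sample numbers are assumptions or constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field layout from section 2.6.4: (field name, number of digits).
LAYOUT = (
    ("sex", 1),
    ("birth_year", 2),
    ("birth_month", 2),
    ("subdivision", 2),
    ("city", 3),
    ("birth_rank", 3),
)
NUMBER_LENGTH = sum(width for _, width in LAYOUT)  # 13 characters

# Assumption (the text only says the first digit denotes gender).
SEX_CODES = {"1": "male", "2": "female"}


@dataclass(frozen=True)
class DecodedNumber:
    sex: Optional[str]
    birth_year_candidates: List[int]
    birth_month: Optional[int]
    subdivision: str
    city: str
    birth_rank: int


def _split(number: str) -> Dict[str, str]:
    """Slice a 13-character string (spaces ignored) into the six fields."""
    compact = number.replace(" ", "")
    if len(compact) != NUMBER_LENGTH:
        raise ValueError(f"expected {NUMBER_LENGTH} characters, got {len(compact)}")
    fields, pos = {}, 0
    for name, width in LAYOUT:
        fields[name] = compact[pos:pos + width]
        pos += width
    return fields


def decode(number: str, current_year: int) -> DecodedNumber:
    """Recover the personal data that the number itself discloses."""
    fields = _split(number)
    joined = "".join(fields.values())
    if not (joined.isascii() and joined.isdigit()):
        raise ValueError("number must contain digits only")
    yy = int(fields["birth_year"])
    # Two digits cannot tell 1912 from 2012: keep every century not in the future.
    years = [century + yy for century in (1900, 2000) if century + yy <= current_year]
    month = int(fields["birth_month"])
    return DecodedNumber(
        sex=SEX_CODES.get(fields["sex"]),
        birth_year_candidates=years,
        birth_month=month if 1 <= month <= 12 else None,  # other values left undecoded
        subdivision=fields["subdivision"],
        city=fields["city"],
        birth_rank=int(fields["birth_rank"]),
    )


def fields_exposed(masked: str, mask_char: str = "*") -> List[str]:
    """Return the fields that remain fully readable in a partially masked number."""
    fields = _split(masked)
    return [name for name, _ in LAYOUT if mask_char not in fields[name]]


def pseudonymize(number: str, key: bytes) -> str:
    """Keyed token for linking records without storing the number.

    The number space is small and structured, so an unkeyed hash could be
    reversed by enumeration; the secret key is what prevents that.
    """
    compact = number.replace(" ", "").encode("ascii")
    return hmac.new(key, compact, hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    sample = "2 85 05 75 056 123"  # constructed, not a real person's number
    print(decode(sample, current_year=2020))
    print(fields_exposed("2 85 05 ** *** ***"))
    print(pseudonymize(sample, key=b"constructed-demo-key"))
```

Masking only the trailing digits, a common display habit, leaves sex, birth year and birth month recoverable, which is why such a number is better replaced by a keyed token wherever the raw value is not needed.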
Yet the increase of identifiers linked to every individual in the modern world makes the ability to control and change them increasingly important.

Changing a name is a basic legal right that is recognized in practically all legal systems, which permit individuals to adopt a name other than that received at birth, through marriage, or by adoption. The ease with which a person can do so depends on the jurisdiction in which that person lives. Generally, common law jurisdictions are more liberal about name changes than civil law jurisdictions. The federal courts in the United States have overwhelmingly ruled that changing one’s name at will is clearly a constitutional right. Usually, a person can adopt any name for any reason. Most states allow a legal name change without any paperwork, but a court order may be required before banks, government agencies, or other institutions accept the change.35

Under common law, adults have the right to change their names simply by use, but obtaining a court order ensures that the change will be officially recognized. In the United States, name changes are usually obtained by petitioning a state court for an order recognizing a change of name in the county where the person resides. A person does not have to be born in the county or state where he or she is bringing the petition.36 However, some courts have ruled that a transgender individual must submit medical evidence that the applicant is actually transgendered. Otherwise, one court has held, “without such supportive evidence, the change of name from a ‘male’ name to a ‘female’ name would be fraught with danger of deception and confusion and contrary to the public interest.”37

34 Id. at 21.

2.7 Means of Verifying Legal Identity
Privacy rights and civil rights organizations have voiced concerns about how intrusive authorities should be in requesting or devising personally identifiable information. These groups have focused on initiatives that utilize DNA, fingerprints, facial recognition, and information included in large databases. Many groups, including the American Civil Liberties Union, oppose universal identification cards, national identity cards, or identification mechanisms linked to biometrics.

For governments, however, being able to verify an individual’s identity is critical. In recognition of this fact, China has developed a national ID system that allows anyone to verify who they are communicating or doing business with. And China plans to conduct the world’s largest experiment with electronic identification cards, which will replace the currently used paper cards carried by 960 million Chinese citizens. The core feature of the new card will involve an embedded microchip that stores the personal information of an individual. This information can be read electronically and compared with databases maintained by Chinese security authorities. Residents in major Chinese cities will be issued additional chip-based identification cards to access social services. The government hopes the new cards will be more difficult to counterfeit, reducing the potential for financial crimes and fraud.38

35 Name Change, Wikipedia, http://en.wikipedia.org/wiki/Name_change (last visited Jan. 31, 2012).
36 In re Application of Ferner, 685 A.2d 78 (N.J. Superior L., 1996).
37 In re Application of Anonymous, 587 N.Y.S.2d 548, (N.Y. City Civ. Ct., 1992).

2.8 Digital Identity
A digital identity is a set of claims made by one digital subject about itself or another digital subject. A digital subject is something that is represented or that exists in the digital realm and with which a user interacts. There are subjects in the digital world beyond human beings, including the devices used to access the digital realm, digital resources that attract users to the digital realm, and any policies and relationships that exist between other digital subjects. These definitions do not require that an identity must be unique in a given digital context, however. Early information systems were constructed upon that assumption, and the assumption remains useful, but a unique identity is not required in all contexts. One digital subject can make assertions about another without using a unique identifier, for example.39

Identity management involves the secure management of one’s identity, the identification process, and the information associated with the identification. ID management is becoming more important as the Internet becomes an integral part of social endeavors. ID management establishes standards and guidelines that can be used to securely manage personal data, as well as to verify and authenticate specific identities.

Most countries start the identity management process with registration at birth. This establishes a unique legal identity for each person. Without birth registration, there is no guarantee that a person will be recognized as the same unique individual throughout his or her life. Each birth registration represents a critical piece of information for the vital statistics system of a nation.40

It is important to remember that individuals have rights; these rights do not attach to profiles constructed from information about the individual. If identity profiles replace an actual person, the concept of personhood dissolves, and identity information can be detached from the individual’s control.
Detachment of identity information can limit a person’s participation in society, so it is critical to remember that there is always a real person behind data and that person must have full status with personhood when interacting with others.41

38 Andrew Batson, China Begins Effort to Replace Citizen IDs With Digital Cards, Wall Street Journal, Aug. 12, 2003, http://cryptome.org/cn-1bn-ids.htm.
39 Kim Cameron, The Laws of Identity, Kim Cameron’s Identity Weblog (Jan. 8, 2006), http://www.identityblog.com/?p=352.
40 Harbitz and Boekle, supra note 101, at 16–17.

2.8.1 Attributes Utilized by Identity Management Systems
Several attributes can be used by identity management systems to represent a person and to manage identity information collected about that person. These attributes may identify a person through a name, biological characteristics, geographic location, specific academic or other competencies, or social features. These attributes can be further distinguished by time-related elements. These time-related elements42 are labeled and defined as:
a. Permanent-given
b. Permanent-acquired
c. Persistent situations or states
d. Temporal states

Permanent-given attributes may be biological (eye color or fingerprints), socio-cultural-economic (birth nation or parents’ names), and even personality traits. Permanent-acquired attributes are obtained either by circumstances or deliberate action, such as qualifications gained through university graduation or additional language skills acquired during a trip to a foreign country. Persistent situations or states are acquired in non-permanent situations that may last a significant period of time, such as marital status, job title, or physical address. And temporal states represent short-term situations linked to specific context, like a person’s location in geographical space at a given time, or the person’s mood at a certain moment.

Further distinctions can be made according to functional categories and application domains. Functional categories include name or social security number, geographical location, biometrics, personality, and social affiliations. Application domains include a work role or names used in leisure activities, government registration information, police files, and medical information.

2.8.2 Personhood
Another way to look at digital identity is through the concept of personhood.
Traditionally, personhood means recognizing an individual or entity as having the legal status of a person. Under the law in the U.S., corporations are considered persons. In the digital world, personhood involves recognizing that an individual has the status of a person in cyberspace. For example, an avatar
41 42
Rundle et al., supra note 87, at 10. fidis, supra note 89, at 14–16.
What Is Identity?
43
in the online world of Second Life is a person; in a Sims game, the electronic representation of an individual is recognized as a person. Digital identity has implications in the “real world” as well.43 An individual can have several identities in a digital environment. While the philosophical approach to individual identity involves the sameness of someone over time, the digital definition is more limited. In cyberspace, an identity may be something as simple as an email address. Simply put, a digital identity is a construct that refers to an individual but is different from that individual.44 Now, as in the past, having a good reputation and good personal relations with business interests is critical to daily transactions. The prevalence of electronic commerce has made face-to-face identification almost impossible. Consequently, the safety of identity-related information grows in importance in personal and commercial transactions. Businesses and federal government operations depend on the processing of electronic data through automated systems. Obtaining access to identity-related information on such systems gives criminals a wide variety of data concerning an individual’s personal social life. The fact that identity-related information is also stored in databases only compounds the potential for unauthorized access and use of it by criminal offenders. The Internet was constructed without any way for users to know to whom or what they are connecting. Because of this omission, everyone who offers an Internet service must develop ways to work around it. The current Internet is based on a patchwork creation of one-time identity assertions. 
There is no consistent way for people to evaluate the authenticity of digital sites they visit, nor do they have a way to control the different aspects of their identity online.45
2.8.3 Digital Identity – a Representation of Human Identity
A digital identity represents a human identity in distributed network interactions with other people or with digital devices. A digital identity has two parts: who an individual is, and the credentials that individual holds. The credentials constitute attributes of the person’s identity. While the meaning of identity in the physical world is already quite complex, its meaning in the
43 Lexicon, Identity Commons Wiki, http://wiki.idcommons.net/Lexicon (last modified July 19, 2011).
44 See generally Clare Sullivan, Digital Identity (2011), available at http://www.adelaide.edu.au/press/titles/digital-identity/Digital_Identity_Ebook.pdf.
45 Marco Gercke, Legal Approaches to Criminalize Identity Theft, in United Nations Office of Drugs and Crime, Handbook on Identity Related Crime 1 (2011), available at http://www.unodc.org/documents/treaties/UNCAC/Publications/Handbook_on_ID_Crime/10-57802_ebooke.pdf.
digital world poses even further ambiguities. Making decisions about digital identity on the basis of real-world concepts requires extreme care. Some experts have suggested using a real-world definition of identity to clarify the meaning of digital identity; in other words, discussing the issues of digital identity via “ordinary language philosophy.”46 Ordinary language philosophy provides a way out of some complicated arguments, such as trying to determine what is “real” and how “reality” can be proved. Ordinary language philosophers recommend an end to jargon and advocate an examination of words through the ways they are used in ordinary casual conversation. In terms of identity, this means defining the word as referring to enough information to determine who – which individual – is being discussed. The word “identity” is typically used, in ordinary conversation, when there is some doubt about a specific person, whether there is sufficient information to determine who that person is. When a “digital identity” is discussed, there are expectations that it must have some relationship to a real-world identity, but this is not the case. “Identity” does not have a “natural” meaning in the digital realm because language has not had the time to become “ordinary” in cyberspace yet. In the real world, identity is used when attempting to go from doubt to knowledge, by linking known information to other data, and to accomplish something. The same things can be applied to digital identity. Not everyone is subject to identification in the real world, only those about whom doubts must be resolved for a particular purpose. Digital identification is about linking what is known with other information and should be limited to what is necessary to meet the requirement of the identification. An identification token in the real world provides evidence that other information about a person is true. For example, a driver’s license provides permission to drive and a birth date. A digital identification token should be handled the same way.47
2.9 Conclusion
What definition of identity will ultimately be used? Will there be a collection of identifying information that makes an individual unique? Will numbers or lists of biometric measures be used to prove a person is who he says he is? As the world becomes a place that increasingly depends on virtual contacts and the creation, transferring, and storing of personal information, identity is likely to progress from an accumulation of documents to a series of numbers. It may be that, in the not-so-distant future, the identity of a human being will be reduced to an identification number, stored resume data, or a credit report. This could be a dangerous development, since it makes the protection of people’s identity exceedingly important.
46 David Weinberger, There’s No “I” in “Identity,” Journal of the Hyperlinked Organization (Apr. 15, 2004), available at http://www.hyperorg.com/backissues/joho-apr15-04.html.
47 Id.
chapter 3
Identity Crime Framework and Model: Five Components of Identity Crime and the Different Illegal Methods of Acquiring and Using Identity Information and Documents
Introduction
Identity crime is a complex subject. Identity crimes are committed in multiple forms, and various jurisdictions use different terminology to describe and prosecute identity crimes. It is therefore important in this chapter to define and clarify the terms associated with identity crime, and to specify what constitutes an identity crime. An Identity Crime Framework is proposed, which hopefully will lead to some degree of standardization of future legislation crafted by various jurisdictions to deal with identity crime. An Identity Crime Model is then presented to show, in diagram form, for the first time, every aspect of identity crime. The framework and model are then utilized to discuss a range of identity-related issues. The Identity Crime Framework is a new way of analyzing the acts that constitute identity crime. Previous analyses of identity crime have focused primarily on only two aspects of identity crime: identity theft and identity fraud. Theft and fraud constitute the principal language used to characterize identity crimes in legislative enactments. However, the linguistic focus strictly on fraud and theft tends to obscure the reality that there are other acts that are frequently made illegal, or that could be made illegal, if a jurisdiction wishes to genuinely attack identity crime. The Identity Crime Framework eschews the “theft” and “fraud” nomenclature and instead identifies five fundamental facets of identity crime; these five facets encompass the entire range of activities that might constitute a criminal identity-related endeavor. The five components within the Identity Crime Framework are acquisition, production, possession, transfer/trafficking, and use. These aspects of identity crime are fully explained in this chapter. The Identity Crime Model diagram, which represents and illustrates the Identity Crime Framework, provides on one sheet all the information one needs to create a comprehensive system of criminal laws to contend with
© Koninklijke Brill NV, Leiden, 2020 | DOI:10.1163/9789004395978_004
identity crime. The Identity Crime Model is a flowchart that visually provides a bird’s eye view of the Identity Crime Framework.
3.1 Clarification of Terms: Identity Theft, Identity Fraud, and Identity Crime
The term “identity theft” has been broadly applied to all aspects of the fraudulent use of identity, from the preparatory stage of acquiring, collecting, and transferring personal information, to the actual use of the information to commit a crime.1 However, the term “identity fraud” is also commonly used in relation to the fraudulent use of personal information, saving the use of “identity theft” for circumstances in which the criminal has engaged in the unauthorized collection of identity information. This distinction between the two terms has been made clear in Canada’s legislation.2 The Home Office of the United Kingdom has also sought to clarify and standardize the terms, providing this short guide to nomenclature:
Identity crime: a generic term for identity theft, creating a false identity, or committing identity fraud
False identity: a fictitious (i.e., invented) identity; or an existing (i.e., genuine) identity that has been altered to create a fictitious identity.
Identity theft: an event that occurs when enough information is collected about an identity to facilitate identity fraud, whether or not the victim is dead or alive
Identity fraud: an event that occurs when a false identity is used, or when another individual’s identity details are used in support of illegal activity, or when a person avoids an obligation or liability by falsely claiming status as an identity-fraud victim3
It is important to use language carefully because different activities, all going under the same rubric, might vary tremendously in the damage done, hence, in the penalty that each activity deserves. Thus, merely obtaining
1 See, e.g., Nancy Holmes & Dominique Valiquet, Bill S-4: An Act to amend the Criminal Code (identity theft and related misconduct), Document No. LS-637E (April 14, 2009), available at http://www2.parl.gc.ca/Sites/LOP/LegislativeSummaries/Bills_ls.asp?lang=E&ls=s4&source=library_prb&Parl=40&Ses=2 (last modified June 5, 2009).
2 See Chapter 6, Part B (discussing Identity Crime legislation in Canada).
3 WP2, Future of Identity in the Information Society (fidis), D12.10: Normality Mining: Results from a Tracking Study (June 20, 2009), available at http://www.fidis.net/fileadmin/fidis/deliverables/new_deliverables/fidis-wp12-del12.10.Normality_Mining_-_Results_from_a_Tracking_Study_01.pdf.
personal information, which might be called “identity theft,” should be a far less severe crime than actually misusing that information for financial gain.4 The latter crime, “identity fraud,” occurs when criminals use illegally obtained personal data for their own gain by making fraudulent purchases, creating false accounts, or trying to obtain employment or health care services.5 This book recognizes that there is a great difference between identity fraud and identity theft, and instead uses the term “identity crime” to cover the entire range of criminal activities associated with identity. This book takes the view that, in order to take effective action to end such crimes, one must recognize the criminality in any activity in which identity information or documents are the targets of criminals, or constitute the tools to commit further crimes.6 As revealed in chapter 6, which discusses current statutes throughout the world that pertain to identity crime, laws that are on the books now criminalize all of the facets of identity crimes. These statutes sometimes directly target identity crimes, but usually the law is aimed at more generic crimes, such as theft or fraud, but can be utilized to convict identity criminals. For the purposes of this book, the definition of “identity crime” is knowingly acquiring, manipulating, producing, transferring, possessing, or using identity information or documents in order to commit a fraud, or to commit other unlawful activities. Identity crime includes the use of document features that serve to authenticate documents,7 and the use of specialized tools to create fraudulent identities.8 This term will be further discussed later.
4 Rachel Kim, Javelin Strategy and Research, 2009 Identity Fraud Survey Report: Consumer Version: Prevent, Detect, Resolve 6 (Feb. 2009), available at www.javelinstrategy.com/brochure/113.
5 Canadian Internet Policy and Public Interest Clinic (cippic), Techniques of Identity Theft (CIPPIC ID Theft Series, Working Paper No. 2, March 2007) [hereinafter “cippic”], available at http://www.cippic.ca/sites/default/files/bulletins/Techniques.pdf.
6 Bert-Jaap Koops & Ronald Leenes, ID Theft, ID Fraud and/or ID-related Crime. Definitions Matter, 30 Datenschutz und Datensicherheit (“Privacy & Security”) 9, 553–56 (2006).
7 28 U.S.C. § 1028(d)(1) (“An ‘authentication feature’ is any hologram, watermark, certification, symbol, code, image, sequence of numbers or letters, or other feature that either individually or in combination with another feature is used by the issuing authority on an identification document, document-making implement, or means of identification to determine if the document is counterfeit, altered, or otherwise falsified.”).
8 28 U.S.C. § 1028(d)(2) (“A ‘document-making implement’ is any implement, impression, template, computer file, computer disc, electronic device, or computer hardware or software that is specifically configured or primarily used for making an identification document, a false identification document, or another document-making implement.”).
Whether someone calls the activity “identity fraud,” “identity theft,” or “identity crime” is important because it impacts how governments and enforcement authorities handle these crimes. The crimes are complicated: the use or abuse of identity may involve either actual identity data like a name, or it may include other information related to that data, such as a credit card number. It may involve absconding with a physical object, like a credit card or driver’s license, which would clearly be a theft, or passing oneself off as someone whom one is not, such as by manufacturing a fake ID card and using it to get a job or government benefits, in which case the theft is not of the ID itself, but rather of the benefits obtained through use of the ID. Thus, we have a mixture of theft and fraud, sometimes more one thing than the other, but usually a combination of both. By using “identity crime” as the all-encompassing term, we take in the various aspects of its nature. By envisioning “identity crime” as something unique, with its own characteristics that are akin to, but not identical to, theft and fraud, and describing it by its own unique characteristics, we develop a clearer idea of the nature of the crime, and can develop the means to combat the crime in whatever jurisdiction it arises.
3.1.1 Is It Theft?
The word “theft,” by itself, refers to the “felonious taking and removing of another’s personal property with the intent of depriving the true owner of it.”9 More broadly, it refers to “any act or instance of stealing, including larceny, burglary, embezzlement, and false pretenses.”10 However, the damage done by identity thieves is not so much from stealing the identity, but from using that stolen identity.
Identity theft is commonly understood to include the use of an identity to gain access to money, goods, services, or privileges,11 but the words “identity theft” plainly refer merely to the taking of someone’s identity, or identification documents, rather than the use of someone’s identity to commit further crimes. Thus, the definition is imprecise, but under due process standards, precise terms are required so that defendants may respond to charges and mount a defense.12 Such a lack of precision can lead to confusion when the crime takes place in more than one jurisdiction, and it is not always
9 Crime Definitions, Nikole A. Pezzullo, esq, www.nikolepezzullo.com/resources.html (last visited April 24, 2012).
10 Id.
11 Black’s defines “identity theft” as “the unlawful taking and use of another person’s identifying information for fraudulent purposes.” “Use,” therefore, is part of the definition. Black’s Law Dictionary (9th ed. 2009).
12 See Koops & Leenes, supra note 129.
certain that a criminal’s actions meet the standards for illegality both in the country where the crime is charged, and in the country where the criminal has acted. Calling something “theft” when in fact it is fraud and embezzlement may engender confusion among defendants, prosecutors, and judges. In the United States, the primary identity crime statutes, 18 U.S.C. §§ 1028 and 1028A, do not even criminalize the theft (illegal acquisition) of identity information or documents. They make criminal the production and use of such documents, but not their acquisition. Yet, 18 U.S.C. § 1028A is explicitly entitled “Aggravated identity theft.” In order to prosecute illegal acquisition (theft), one must resort to other statutes,13 such as the embezzlement statutes,14 the computer protection statute,15 the e-mail fraud statute,16 or the mail fraud statute.17 The term “identity theft” usually refers to situations in which data related to identity is taken in a way that is similar to theft or fraud, i.e., the actual taking of physical documents or other tangible information. The term also covers the taking of documents that are easily and freely obtained or deceiving people into voluntarily handing over their identity documents. “Identity theft” is sometimes also used to refer to a combination of collecting another’s personal information and using that information in a fraudulent way. With this usage, “identity theft” includes gathering personal information in either a legal or illegal manner, creating false ID documents, and using personal information fraudulently. Most legal experts agree, however, that “theft” and “fraud” concepts should be kept separate to clarify the issue.18
3.1.2 Is It Fraud?
As discussed above, the U.K. calls “identity fraud” any event that occurs when a false identity is used, or when another individual’s identity details are used in support of illegal activity, or when a person avoids an obligation or liability by falsely claiming status as an identity-fraud victim.19 The United Nations says that “identity fraud” refers to the use of identity information to commit other crimes or to hide in some manner. The concept of deception (required for fraud) does not involve the act of deceiving someone to obtain the ID
13 See table of U.S. identity crime statutes infra § 6A.1.1.
14 18 U.S.C. §§ 641–69 (2006).
15 Id. § 1030(a)(2).
16 Id. § 1037(a).
17 Id. § 1341.
18 cippic, supra note 128.
19 D12.10: Normality Mining: Results from a Tracking Study, supra note 126.
information, but in the use of the obtained ID information to deceive other people. The deception element includes deceiving technology as well as persons.20 Under the definitions above, identity crimes seem much more like fraud than like theft, although theft may be an element of the crime. In the United States, federal criminal law does not provide a definition of “fraud.” Instead, the law tends to refer to a “scheme or artifice” to defraud and refers to the specific payment mechanism involved in the crime, such as a credit card. State laws do not always refer to a “scheme or artifice” and may address specific or general kinds of fraud.21 In the United States Code, the crime of “identity theft” is placed squarely in the middle of the 40+ laws against various forms of “fraud.” Dictionaries are required to define “fraud.” “Fraud,” in its non-legal sense, is synonymous with deceit or trickery.22 The leading legal dictionary defines “fraud” as “a knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment,” adding that “fraud is usually a tort, but in some cases (especially when the conduct is willful) it may be a crime.”23 Thus, fraud may be the subject of a civil suit (one person suing another for some deceptive act or statement that caused the first person some detriment, such as asserting that a house is in perfect condition, while knowing that it is termite-infested, causing a buyer to pay far more than the house would be worth). Or, if the fraud is of a type that is so serious that it deserves punishment by the state, fraud may be a criminal offense. Fraud is a boundless concept. An early American court decision remarked that fraud “embraces all of the multifarious means which human ingenuity can devise, and are resorted to by one individual to get an under advantage over another.”24 The decision elaborated:
20 U.N. Secretary-General, Comm’n on Crime Prevention and Criminal Justice, International Cooperation in the Prevention, Investigation, Prosecution, and Punishment of Fraud, the Criminal Misuse and Falsification of Identity and Related Crimes [Draft 1 Short Version], 53, U.N. Doc. E/CN.15/2007/8 (2007) [hereinafter “U.N. Draft 1 Short Version”], available at https://www.unodc.org/unodc/en/organized-crime/identity-related-crime.html.
21 U.S. Dept. of Justice, Criminal Division, Fraud Section, Response of the United States Delegation to the Intergovernmental Expert Group Questionnaire on Fraud and the Criminal Misuse Falsification of Identity (Identity Fraud), at 5 (2006).
22 Merriam-Webster Dictionary, http://www.merriam-webster.com (last visited February 9, 2012).
23 Black’s Law Dictionary (9th ed. 2009).
24 Barr v. Baker, 9 Mo. 850, 1846 WL 3690 (1846).
Fraud is infinite; judges could not, if they would, lay down as a general proposition what constitutes fraud, or establish any invariable rule which should define it. And even if they could distinctly mark out how far courts of equity would go in relieving against it, or define strictly the species of evidence of it, the jurisdiction would be cramped and perpetually eluded by new schemes which the fertility of man’s invention would contrive. All surprise, trick, cunning, dissembling, and any unfair way by which another is cheated, is fraud; the only boundaries defining it are those which limit also human knavery and human ingenuity.25
Although “fraud” may be “boundless,” “criminal fraud” is not a boundless concept. Criminal fraud exists only under criminal statutes, and criminal statutes must be exact, or at least sufficiently specific as to allow a potential wrongdoer to know that the act that he contemplates might be prosecuted if he carries it out. Thus, the expansive concept of fraud, which includes every “new scheme” that “the fertility of man’s invention would contrive,” is simply not sufficient in criminal law. Criminal statutes must be as exact as it is possible for them to be, or, at least, as exact as the minds of legislators can conjure.
No better compendium of the limits of the legislative imagination in the realm of “criminal fraud” exists than Title 18, Chapter 47 of the United States Code, entitled “Fraud and False Statements.” The United States criminalizes about forty different types of fraud,26 ranging from the basic and general,27 to the exotic and specific, such as “Fraud in connection with major disaster or emergency benefits.”28 The basic statute, covering “statements or entries generally,” aims at those who knowingly and willfully (1) falsify, conceal, or cover up by any trick, scheme, or device a material fact; (2) make any materially false, fictitious, or fraudulent statement or representation; or (3) make or use any false writing or document knowing that it contains materially false, fictitious, or fraudulent statements or entries.29 For the statute to apply, such actions must pertain to a matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States. To summarize in one simple phrase, “It is illegal to lie to the
25 Id. (quoting a “Prof. Tucker,” perhaps referring to St. George Tucker’s 1803 rendering of Blackstone’s Commentaries, available at http://www.lonang.com/exlibris/tucker/index.html (last visited February 9, 2012)).
26 18 U.S.C. §§ 1001–1040 (2006).
27 Id. § 1001 (“statements or entries generally”).
28 Id. § 1040.
29 Id. § 1001(a).
U.S. government.” Broadly, the statute encompasses most activities generally called lying, covering up, deceiving, misleading, defrauding, forging, and the like, at least as they pertain to the executive, legislative, or judicial branches. The maximum sentence is 5 years plus a fine, 8 years if the fraud involves terrorism.30 (It is not “fraud” if these statements or documents are submitted to a judge or magistrate as part of judicial proceedings. Within the legislative branch, these actions are only considered fraud in the course of providing goods or services to Congress, or as part of a congressional investigation.31) The basic fraud statute thus gives the broadest possible definition of fraud, one that could include identity crime, but it limits the crime to dealings with the federal government. Identity theft, as defined, covers many fewer actions, but applies on a much wider scale to items meant for identification that are “in or affecting” interstate commerce, or are transported through the U.S. mail.32 In U.S. parlance, that which is identity fraud is called “identity theft,”33 or some other reworking of words like fraud and identification. So, despite the fuzzy use of verbiage in the titles of U.S. statutes, identity theft is primarily a crime of fraud, even in the United States. The terms “identity fraud” and “identity theft” are frequently used to describe situations where someone’s personal data details are used illicitly for gain, i.e., economic or monetary gain, obtaining goods/services, obtaining access to services or applying for benefits.34
3.1.3 Why Must Identity Fraud Be Treated Differently from Fraud?
Some commentators have suggested, altogether appropriately, that identity-related fraud should be treated differently from other kinds of fraud, and there are several reasons for believing so.35 It is now possible to conduct identity fraud on a wide scale, and with major results, because of the universal interconnectedness of 21st century society. Transactions that formerly were face-to-face are now conducted at great distances, and among people or machines that have no sure way of identifying each other. Identifiers – the names and
30 Id. § 1001(a).
31 Id. § 1001(b), (c).
32 Id. § 1028(c).
33 Id. § 1028A.
34 Organization for Economic Co-operation and Development (oecd), Centre For Tax Policy and Administration, Report on Identity Fraud: Tax Evasion and Money Laundering Vulnerabilities 4, [hereinafter “Tax Evasion and Money Laundering Vulnerabilities”], available at www.oecd.org/dataoecd/23/5/42223740.pdf.
35 Koops and Leenes, supra note 129.
numbers attached to each individual – have gained importance as the primary means for social intercourse. Identity fraud is, unfortunately, an unavoidable consequence of this sort of society. A comparison can be made between identity crime and computer-related crime, which has developed into its own area of law. While computer fraud can be prosecuted as ordinary fraud, specific attention and criminalization specific to computer fraud has been warranted because combating it requires a special knowledge of computers. The police, prosecutors, and the judiciary must comprehend, to some extent, the technicalities of computers and computer data. Successfully combating computer fraud also requires prevention, and that requires that those who use computers must be aware of their vulnerabilities.36 The field of identity fraud, and identity crime, is much like the field of computer fraud. As Koops and Leenes have written, “The new forms and scale of identity management create new opportunities for fraudsters.”37 The collection of online data for use in the provision of financial services, for example, presents an opportunity that fraudsters cannot resist, and statistics show that they are not resisting.38 The problem requires a mix of measures – legal, technical, and social – in order to defend against it. From the viewpoint of the victim, identity crimes are like ordinary fraud, but with features that make them much more insidious. The victim of an identity crime may not even notice the crime when it occurs: discovery may occur long after the occurrence, and the perpetrator may have left the scene long ago, or, since it can be a long-distance crime, may never have been anywhere near the victim. And the victimization may continue long after the crime, in the form of a ruined credit history making it more difficult for the victim to operate in our consumer economy.39
3.2 Goal of Identity Crimes
Identity crimes may be defined according to the purpose or goal of the fraud. In some cases, the actual identity is the target and goal of the criminals (for production or for trafficking which is just the process of transferring). In other cases, offenses against identity may be performed in order to commit other fraud. These cases may represent the largest group of identity-related crimes.
36 Id.
37 Id.
38 Id.
39 Id.
In still other cases, identity crimes may be committed in response to official state actions, i.e., people change their identity for self-protection or to avoid legal penalties.40 The most common type of identity-related crime in North America and the United Kingdom is motivated by the desire for financial gain. The clear intent in these crimes is to obtain a financial benefit. This kind of fraud is also called “financial identity fraud” or “economic fraud” and can be divided into that involving access to existing accounts or to the creation of new accounts.41 ID criminals who have a financial motivation to commit an identity-related crime may decide to use a financial account that already exists, or they may choose to create a new financial account using information gained in an illicit manner. Financially motivated ID-related crimes include credit card fraud, bank fraud, and loan fraud. Within the arena of loan fraud are types of fraud associated with business, personal, student, auto, and real estate loans.
3.3 The Identity Crime Framework
The Identity Crime Framework is a new way of analyzing the acts that constitute identity crime. The identity crime model examines, for the first time, every aspect of identity crime. Previous analyses of identity crime have focused primarily on just two aspects of identity crime: identity theft and identity fraud. These two aspects, theft and fraud, are also the words commonly attached to the crime in legislative enactments. The linguistic focus merely on fraud and theft tends to obscure that there are other acts that are frequently made illegal, or that could be made illegal if a jurisdiction truly wishes to control the problem. The Identity Crime Framework eschews the “theft” and “fraud” nomenclature; instead, it posits five facets to identity crime that encompass the entire
40 Nikos Passas, Identity-Related Crimes: A Review of Research and Suggested Typologies, in International Scientific and Professional Advisory Council (ispac) of the United Nations Crime Prevention and Criminal Justice Programme, The Evolving Challenge of Identity-Related Crime: Addressing Fraud and the Criminal Misuse and Falsification of Identity 95 (2008), available at http://ispac.cnpds.org/publications-23-the-evolving-challenge-of-identity-related-crime-addressing-fraud-23.html.
41 Philippa Lawson, Identity-Related Crime Victim Issues: A Discussion Paper 11, U.N. Commission on Crime Prevention and Criminal Justice, E/CN.15/2009, available at www.unodc.org.
range of activities that may constitute a criminal identity-related endeavor. Those facets are:
a. Acquisition of identity information and documents from others (“identity theft”)
b. Production of identity and identity documents, and manipulation of identity and documents to associate them with someone who is not their true owner
c. Possession of identity information, documents, and document-making devices
d. Transfer of identity information and documents (“identity trafficking”)
e. Use of identity information and documents, usually to commit some sort of fraud (“identity fraud”) but also to commit other crimes
3.3.1 Why the Framework Matters
Identity crime is prosecuted by almost every jurisdiction, but it goes by different names in different locales.42 The criminal laws under which identity crimes are prosecuted usually were designed for some purpose other than the prosecution of identity crime. Jurisdictions without specific identity crime laws, or with insufficient laws, often prosecute identity crime as “fraud,”43 but fraud also encompasses a wide variety of other activities, and does not include some of the aspects of identity crime. Few countries prosecute every element of identity crime. “Production” may be under counterfeiting laws, “acquisition” under theft laws, “possession” under laws dealing with counterfeiting or stolen goods, “transfer” under stolen property laws, and “use” under fraud laws. The Framework brings them all together, shows the interplay among the five facets, and advocates statutes that would pull them together into one set of enactments. Once a nation enacts and enforces a comprehensive statute:
a. Law enforcement officials will be able to understand the true scope of the problem and take a comprehensive approach to solving it.
b. Statistics will come closer to reflecting all acts that are part of the crime. Many governments now believe that they do not even have an identity crime problem, when the reality is that all nations do. A comprehensive statute will allow nations, for the first time, to count the instances of identity crime, and devote the appropriate amount of resources to combating it.
42 See discussion in Introduction to this chapter.
43 See, e.g., R. v. Huang (Jian), [2010] ewca (Crim) 375 (9 Feb 2010) (Eng.), discussed in Part 6D.4.6.
Identity Crime Framework and Model
c. Criminalizing every aspect of the crime will allow law enforcement more entry points at which to investigate and arrest criminals.
d. The links among various facets of the crime are exposed within the Framework, so that authorities can widen their focus to an entire enterprise.
e. Increased prosecution of identity crime will allow countries to better police the provision of government services, improve the atmosphere for business, and promote investment and entrepreneurship.
3.3.2 What’s New and Useful about the Identity Crime Model?
The Identity Crime Model is a flowchart that visually represents the unique Identity Crime Framework, discussed above. It shows every facet of the crime, and provides a comprehensive list of frauds and other crimes that identity criminals commit.
a. The Model shows all five facets of the crime on one page.
b. The Model lists a wide range of criminal uses of identity information and documents.
c. The Model shows the sequence of criminal acts, and potential criminal acts, that comprise the many layers of a criminal enterprise utilizing stolen or false identity. Using the Model, one sees how a criminal might commit multiple crimes with the same identity, such as by:
   1. fabricating or stealing an identity, then
   2. transferring it to someone else, who
   3. manipulates the identity documents, and then
   4. uses them to commit a fraud, all the while
   5. possessing information and documents, which can then be
   6. re-transferred to another person to commit further crimes, leading to
   7. an unending loop of identity crimes based on a single identity.
d. The Model allows legislators to compare their own country’s laws against the Model (as chapter 6 does for some of the largest nations) and determine whether their national or regional laws provide comprehensive protection against identity crime.
3.4 Identity Crime Framework
3.4.1 Introduction
The Identity Crime Framework, represented by the Identity Crime Model Diagram below, provides on one sheet all the information one needs to create a comprehensive system of criminal laws to contend with identity crime. Once such a system is in place – as it is, to a large extent, in Canada – one may use the diagram to quickly identify the specific components of identity crime with which the identity criminal may be charged. If identity crime is a major focus of the criminal justice system, as it should be, it would make the most sense to gather all the laws concerned with identity crime in one statute, or one discrete section of the identity crime statutes. In essence, that is what Canada has done. In other countries, sets of laws use the word “identity” in their titles, but one needs to look at the entire collection of statutes, passed by both the central government and the state governments, to identify which specific criminal violation to charge.
Laws that may involve the use of identity have, in the past, focused on the tangible gain to the criminal who has used identity for his gain – the focus was on the theft of goods using someone else’s identity, instead of on the theft of the identity itself. There should be a focus on both, with a recognition that there is damage to the person whose identity has been taken (both tangible and intangible damage), and damage to whomever must ultimately pay for the items stolen. Punishment for stealing, creating, or possessing false identities or identity information, in addition to punishment for the tangible objects stolen, is essential because the damage to the individual – loss to a sense of security, loss of time and money – is in addition to the loss of the objects taken by means of stolen identity. Criminalizing early stages of identity schemes – production, acquisition, and possession – allows the authorities to take earlier action to reduce the damage that may occur later, when the identity is used. While the fraud statutes may suffice in some instances to punish the early crimes, it should be recognized that the victimization of an individual whose identity has been taken and misused is distinct from that of an individual who has been deceived by ordinary fraud.44
It is most important for countries around the world to ensure that during any point in a scheme involving identity, a criminal can be prosecuted. Every identity crime has a place on the diagram, and every part of the diagram should be capable of prosecution under a section of every nation’s identity crime law.
44 Passas, supra note 163.
3.4.2 Identity Crime Model Diagram
[Figure 2: Identity crimes related to one another. Source: author.]
3.4.3 A Brief Explanation
A Overview
The diagram above is intended to visually represent all possible identity crimes and how they relate to one another. Ordinarily, we speak about the facets of identity crime in the order in which they might logically occur if all facets were present in a single scheme: first, acquisition of an identity; then production of the identity; then transfer; then possession; and lastly, use. Not all of those facets are present in each case of identity crime, of course. The one facet that must always be present is “possession,” which appears at the top of the chart, and is not dependent on any of the other facets.
B The Boxes
“Possess” Box (deep blue): Possession of a piece of identity information with the intent to use that information for some criminal purpose. Possession may be legitimate – e.g., taking down someone’s credit card information in order to complete a transaction – or it may be mistaken – e.g., picking up someone else’s wallet by mistake. But possession may also be for a criminal purpose, which purpose is evidenced by other aspects of possession, for example, possession of the social security numbers of several people, along with other identifying information. As indicated on the diagram, possession may occur throughout the course of criminal activities, and thus should be capable of prosecution at any time.
“Produce-A” Box (gray): Production of a synthetic identity, one that does not belong to any person. It could be a social security number never assigned to an actual person, and used by a counterfeiter to make a genuine-looking document. Then, the document (or the synthetic identity) may be Acquired by someone with the intent to use it for a criminal purpose, or may be put directly into Use for a criminal purpose. If it is merely identity information, another person may be the one who Produces the identity document (Produce-B), which may also utilize identity information associated with a real person. The information may also be used in Trafficking, that is, transferring the document to someone who deals in stolen information in order to earn a quick reward.
“Acquire” Box (yellow): Acquisition of identity information for a criminal purpose. The acquisition may be from one who has created a synthetic identity (Produce-A), it may be from a Trafficker, or the acquirer may steal it, or obtain the information legitimately, even accidentally. At some point, the acquirer develops the intent to use the identity for a criminal purpose. Once acquired, the information may be put into Use, may be used to Produce identity documents (Produce-B), or may be Trafficked.
“Motivation” Box (light blue): The intent of the identity criminal. An identity criminal’s immediate intent in Possessing, Producing (Produce-A), or Acquiring identity may be one of three things: to Use the identity in one of the frauds listed in the Use boxes (orange), to Transfer or Traffic the identity for gain, or to Produce (Produce-B) further identity documents.
“Transfer/Identity Trafficking” box (red): Trafficking in identity, or in identity documents, is one of the ways to cash in on identity information. Traffickers sell the information to one who intends to Use it, or, at times, to someone who wants to Produce (Produce-B) further identity documents.
“Produce-B” Box (gray): Production of identity documents partially or wholly based on information about real individuals. The information generally will come from the Acquirer who has, in one way or another, gathered social security numbers, birth dates, immigration documents, driver license numbers, etc. The criminal will Produce or manipulate information or documents of a real person so that some other person may pass himself off as that person, and gain money or other desired benefits. The information or documents are the final stage before Using those documents for gain.
“Use” boxes (orange): Ultimately, identity crimes are aimed at schemes to gain something. The crimes can be categorized as Financial, Non-Financial, Hybrid (Financial and Nonfinancial), and To Commit Other Crimes.
Financial frauds are those that directly lead to financial gain. In some of them, the criminal takes over someone else’s bank account, and in some, a new account is opened using the identity information. Categories include bank fraud, credit card fraud, and government benefits fraud.
Nonfinancial fraud leads to some other benefit that is not directly connected with financial gain. They include allowing someone to obtain employment, a passport, a driver’s license, or a Social Security card when he is not entitled to it. Such uses can also include evading the law by eradicating a criminal record, or avoiding child support.
Hybrid frauds are partly to establish a new status associated with the stolen identity, and also for financial gain. Examples include utility and phone fraud (opening an account in someone else’s name in order to obtain services without paying), credential fraud (pretending to have attained a degree or a position to which one is not entitled), and medical fraud (using someone else’s identity in order to get medical treatment).
Frauds to commit another crime occur when the criminal needs to adopt the identity of some other person in order to commit the crime. Terrorism is one example of a crime for which it may be necessary to adopt the identity of some other person. Money laundering and illegal immigration are two others.
C The Loop
Crimes using false or stolen identities can go on for an extended period, at least until a person whose identity has been stolen figures out what has happened and reports it to authorities. Until that happens, a single identity can be used multiple times. When one criminal is done with an identity, it can go back to a trafficker who can resell it, or to a counterfeiter who can make alterations and create new documents based on some of the same information. Thus, the diagram shows a loop – after use, the identity returns to be repurposed for some other new use.
3.5 Five Components of Identity Crime Model
Identity crime can be broken down into five key components. But before we address these five components, it is helpful to keep in mind that “Identity theft” is a term of art generally used to describe a crime consisting of multiple parts; because it is more than theft, however, a preferable term is “identity crime.” The preliminary parts of the crime might not even be, in and of themselves, criminal. Thus, it is the intent of the person who performs such acts that determines whether the act constitutes an identity crime. For the sake of giving a broad picture, and to tailor responses to this problem, we characterize the five actions/components comprising identity crime as:
a. Acquisition of identity information or documents
b. Transfer/Trafficking of identity information or documents
c. Production of identity information or documents
d. Possession of identity information or documents
e. Use of the information for criminal purposes
The middle three of these components – transfer/trafficking, production, and possession – form the core of the body of law codified by the identity theft statutes, which have been passed by federal, state, and foreign governments. “Acquisition,” which we characterize as part of identity crime, is made illegal under a broad array of other statutes criminalizing theft and embezzlement. “Use” of identity information is the ultimate reason why identity information has value, and the crimes involving the use of the information run the gamut of the family of crimes known as “fraud.”
3.5.1 Acquisition
Acquisition can be completely consistent with innocent activity; in fact, it usually is an innocent activity. Every waiter acquires credit card information from his patrons; a restaurant patron could not use a credit card without passing on such information to an agent of the business, who acquires the information quite legally. However, if that same waiter were to retain a copy of each credit card number with the intent of selling a batch of such numbers to someone looking to use them illicitly, he likely would commit a crime at the point of gathering the numbers with the intent to use them for other than the purpose for which they were obtained. The waiter falls into criminal activity because the opportunity presents itself; his acquisition is opportunistic. Likewise, if someone finds a dropped wallet on the street and takes the information in the wallet, i.e. credit cards, social security number, etc. to use them illegally, his acquisition is opportunistic. However, acquisition may also be deliberate; the identity criminal observes that there is a market for identity information, and goes after such information with the intent to use it.
A wide range of actions to obtain private information have been prosecuted as identity theft, including activities such as dumpster diving, hacking into computers, stealing paperwork likely to contain personal information,45 and even a teenager’s stealing her parents’ credit cards.46 Acquisition of identity information is outside the scope of the federal identity theft statute,47 but is a criminal activity if it fits within the statutory definitions of other federal offenses, generally in the categories of embezzlement or theft.48
3.5.2 Transfer/Trafficking
The second component, transferring, may also be quite legal. A merchant must transfer credit card information on to a bank or credit card issuer in order to obtain payment for merchandise.
One who gathers the information needs to transfer them to another party, who then enters the information in order to charge the owner of the credit card. However, if one gathers those numbers and sells them to another, knowing that the other intends to defraud the credit provider and the consumer, one has committed a criminal offense. (The transfer of identity information, or objects containing such information, is a violation of the federal identity theft statute.49 “Transfer” includes the acts of selling, pledging, distributing, giving, loaning or otherwise transferring, and does not require any exchange of consideration (anything of value) for the transfer.50)
45 H.R. Rep. No. 108–528, at 9 (2004), reprinted in 2004 U.S.C.C.A.N. 779; see also Flores-Figueroa v. U.S., 556 U.S. 646, 655 (2009) (quoting the same report).
46 U.S. v. Vieke, 348 F.3d 811 (9th Cir. 2003).
47 18 U.S.C. § 1028 (2006).
48 Id. §§ 641–669.
49 Id. §§ 1028(a)(2), (a)(5), (a)(7), (a)(8).
50 U.S. Department of Justice, Criminal Resource Manual 1509 [hereinafter “U.S. Criminal Resource Manual”], available at www.justice.gov.
3.5.3 Production
The third component of identity crime, production of identity documents or information, may be performed legally by governments (for example, by the issuance of birth certificates, drivers’ licenses, or social security cards), and by corporations – generally, financial institutions (banks, credit card issuers, mortgage companies). Production of identity information or documents by those not employed by the government or a financial institution, and having the authority to produce such information or documents, is a clear violation of the U.S. federal identity theft statute. The result of production may be a false identity (that is, information for a person who does not exist [synthetic identity crime], or a mix of information for a person that does exist and a person that does not exist [hybrid identity crime]), or may be a counterfeit identity (that is, information for a real person, for use by some other person [true identity crime]).
The U.S. federal statute makes it a crime to knowingly produce an identification document without lawful authority.51 The Department of Justice, in its instructions to prosecutors,52 notes that the term encompasses all forms of counterfeiting, forging, making, manufacturing, issuing, and publishing. A government employee whose duty is to simply issue identification documents (i.e., he does not manufacture or assemble the documents) is, by issuing the document, authenticating it; if such an employee were to authenticate such documents without lawful authority, it would constitute an offense under federal law.53
51 18 U.S.C. § 1028(a)(1).
52 U.S. Criminal Resource Manual, supra note 173.
53 Id.
3.5.4 Possession
At every phase of every action involving identity crimes, someone must possess identity information, and such possession may be illegal. The U.S. federal statute makes it a crime to possess identity documents, other than those issued lawfully for the use of the possessor, with the intent illegally to use or transfer them.54 A restaurant patron who finds a lost credit card on the floor is in possession, but it is not criminal behavior unless the patron subsequently intends to use the credit card illegally (which is usually demonstrated by the actual illegal use or transfer of the credit card) rather than being a Good Samaritan and turning in the card to the restaurant management.
54 18 U.S.C. § 1028(a)(3)–(7).
3.5.5 Use
Use of information is the most important of the five components of identity crime. The first four components might have occurred, but no direct loss has yet been realized, even though the victim’s information is with the criminals and they might have made a profit by trafficking/selling it. Use of an identity document under the U.S. federal identity theft statute includes presenting, displaying, certifying, or otherwise giving currency to the document so that it will be accepted as an identification document in any manner.55 Further, use of an identity document is the basis of a further crime, usually some species of fraud, which is often a crime separate and apart from the crime of identity theft as defined by federal statute. The identity is used for the purpose of gaining some benefit to which the identity criminal is not entitled. Among the most common such crimes are those for which direct financial gain is the motive, such as credit card fraud, bank fraud, and loan fraud (business, personal, student, auto and real estate loans have all been perpetrated by identity criminals). Other uses of false identification documents, and information as reported by the Federal Trade Commission, include:
1. Bankruptcy fraud (filing for bankruptcy in the name of the victim)
2. Creation of other government documents, such as social security cards, drivers’ licenses, and passports
3. Applying for or receiving government benefits
4. Phone fraud
5. Tax fraud
6. Investment fraud (tampering with securities or other investment accounts)
7. Insurance fraud
8. Employment-related fraud
9. Medical identity fraud
10. Evading the law
11. Real estate fraud
12. Tenancy fraud
13. Postal fraud
14. Avoiding child support obligations.56
55 U.S. Criminal Resource Manual, supra note 173 (commenting on 18 U.S.C. § 1028(a)).
56 Federal Trade Commission, Taking Charge, What to Do if Your Identity is Stolen (Jan. 2012), available at http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm.
3.5.6 Gradations of Crime
While the five components just discussed are the heart of all identity crimes, prosecutors of identity crimes should also consider several additional factors. These include:
a. whether the crime victim is an individual, a business, or a government;
b. whether the crime consists of getting, transferring, or manipulating information that has been gained in an unauthorized way;
c. whether economic benefits are gained via the commission of the crime;
d. the methods by which information was acquired;
e. the types of damages suffered by victims;
f. the extent of the crime.57
3.6 Techniques and Strategies Used for Illegal Acquisition
3.6.1 Introduction
Identity criminals have many techniques they use to commit their crime, but most identities are still acquired using old-fashioned and low-tech methods. Identity information is taken from purses, wallets, and automobile glove compartments.58 Many identity criminals take materials from containers, such as office trash cans, dumpsters, laptops, or desks that are exposed to cleaning or construction personnel in the home or office.59 Offenders may steal hard copy or electronic files with personal information from sources in the workplace,60 as well as computer media such as CDs, data storage tapes, and USB drives.61 Traditional methods typically involve the theft of actual, physical items.62
According to Synovate,63 almost 25 percent of identity crime victims who knew how offenders obtained their information said the information had been lost or stolen, with 14 percent reporting that a wallet, checkbook, or credit card had been lost or stolen; 4 percent cited mail theft as the source of information. Thirteen percent of the victims who knew how their personal information had been collected said other means were used, including the actions of co-workers or family members who had access to the data or individuals who had legitimate reasons to have the information and used it later for illicit purposes.64
57 Lawson, supra note 164, at 10.
58 See How Does Identity Theft Happen?, Identity Theft Action Plan, http://www.portal.state.pa.us/portal/server.pt/community/what_is_id_theft_/12993/how_does_id_theft_happen/587627 (last visited Oct. 30, 2012).
59 Id.
60 Chapter 1: Common Practices of Identity Thieves, Balance Track, https://web.archive.org/web/20110113092145/http:/www.balancetrack.org/identitytheft/ (last visited Feb. 9, 2012).
61 Criminal and Legal Affairs Subgroup, G8 Lyon-Roma Anti-Crime and Terrorism Group, Essential Elements of Criminal Laws to Address Identity-Related Crime 3 (Feb. 2009) [hereinafter “Essential Elements”].
62 Gercke, supra note 121, at 11.
63 Graeme Newman & Megan M. McNally, U.S. Department of Justice Research Report Identity Theft Literature Review 45. (Doc. No. 210459, July 2005), available at www.ncjrs.gov/pdffiles1/nij/grants/210459.pdf.
Thirty percent of information breaches in 2006 occurred via lost or stolen wallets, checkbooks, or credit or debit cards, essentially the same rate as a year earlier. These kinds of thefts represented the second highest average fraud amount at $8,459 and 38 percent of the yearly fraud total at $21.6 billion. Friends, family members, and in-house employees were responsible for 15 percent of all identity crimes in 2006.65
More high-tech methods of identity theft include activities such as “phishing,” in which e-mails solicit personal information from gullible Internet users, and “pretexting,” where a criminal impersonates a victim to obtain personal information about that victim from a source such as a bank.66 With the proliferation of computer technology, identity criminals have become increasingly sophisticated and skilled at exploiting weaknesses in digital systems and working with cyber technologies to obtain the information they need. Common digital techniques of identity theft may involve skimming, spoofing, and the use of computer software known as malware.67
Stealing documents delivered via the post office represents one of the most important ways identity criminals obtain the personal information necessary to commit their identity crimes. Redirecting mail to another address is correlated to actually stealing documents from a mailbox.
This method involves changing the destination of mailings from their legitimate recipient’s address to another address at which the identity criminal can simply collect it as his or her own. Dumpster diving refers to the activity of going through trash cans and garbage bins to look for documents that contain personal identity-related information.
Other traditional methods of obtaining identity information include insider attacks and the criminal use of personal information that is publicly available. About a third of organizations surveyed in 2007 reported that over 20 percent of their losses of identity-related information was attributed to illicit actions by people inside their organizations.68 Employees have access to substantial amounts of credit card information, as well as credit reports with their identifying information. Insider attacks succeed because most security measures implemented by authorities focus on thwarting attacks from outside the organization. Identity criminals also make significant use of publicly available information, obtaining and examining public records for names, addresses, social security numbers, and other personally identifiable information they can use to commit subsequent identity crimes.
This examination of identity information and documents acquisition methods will present a profile of the typical identity thief and then examine in detail three categories of techniques: those that involve the theft of physical items, those involving the theft of data through techniques that rely on computer technology, and buying identity information and documents for illegal use.
64 Id.
65 Rubina Johannes, Javelin Strategy and Research, 2006 Identity Fraud Survey Consumer Report 7 (Jan. 2006), available at http://itsecurity.und.edu/2006%20Identity%20Fraud%20Survey%20Report.pdf.
66 Duxbury, supra note 181, at 4.
67 Gercke, supra note 121, at 13–14.
3.6.2 Acquisition May Be Legal or Illegal
In order to commit identity-related crimes, it is necessary to first acquire the identity information of another individual, either in a legal or an illegal way, and with or without the victim’s knowledge. In cases where the acquisition of such information is not strictly illegal, as when someone sifts through someone else’s trash, the victim is still unlikely to have authorized the activity. Once identity information has been obtained, it can be sold, used to create “synthetic identities,” or otherwise used for fraudulent acts.
Victims rarely discover identity theft unless some type of fraud is involved.69
3.6.3 Acquisition of Information and Documents: Statistics
In order to commit identity crime, offenders must first access an individual’s private information in a process called an “information breach.” Among cases in which the source of the breach is known, 63 percent resulted from four major areas that were under the control of the consumer. These were lost or stolen wallets, credit or debit cards, and checkbooks (30 percent), trusted family members or associates (15 percent), stolen mail or trash (9 percent), and home computers via hacking, phishing, or viruses (9 percent).70 Businesses were the source of personal information breaches in 30 percent of the cases, with data breaches representing 6 percent of the total, fraudulent processing of transactions accounting for seven percent, and employee malfeasance representing 15 percent.71
According to a survey from Javelin Strategy & Research, the rate of identity fraud rose in 2009, with the increase attributed chiefly to new accounts. The survey also found that 2009 saw more identity crime victims than any year since 2003 when the survey began. However, the actual dollar amount of out-of-pocket losses paid by victims dropped to an historic low during the year.72
The Federal Trade Commission (FTC) Consumer Sentinel complaint database received more than 800,000 complaints regarding consumer fraud and identity crime in 2007. Total monetary losses for consumers from fraud reached over $1.2 billion.73 About 64 percent of the fraud complaints were associated with solicitations made over the Internet, with 49 percent occurring via e-mail and 15 percent over the web.74 The most common type of identity fraud reported is credit card fraud, which represented 23 percent of the reports. The second most common fraud was phone/utilities fraud at 18 percent, and this was followed by employment fraud at 14 percent and bank fraud at 13 percent. Fraud related to government documents or benefits represented 11 percent of complaints in 2007, with loan fraud totaling 5 percent.75 Of identity fraud associated with banks, fraudulent activities related to electronic fund transfers were reported most frequently in 2007.76
In 2006, 4 percent of the adults in the United States were victims of identity fraud. This represented 8.9 million people. While a significant number, it was a reduction of 11.9 percent from the rate in 2003. And while the rate of identity fraud decreased, the average fraud amount paid per victim rose substantially at 21.6 percent or $6,383 between 2003 and 2006.77 Because of the higher average costs, the yearly amount of identity fraud stayed nearly the same between those years. Since most financial institutions do not hold identity fraud victims responsible for losses, 68 percent incurred no costs related to the fraud in 2006.
68 Id. at 13.
69 Lawson, supra note 164, at 10.
70 Johannes, supra note 188, at 2.
71 Id.
72 Id.
73 See Federal Trade Commission, Consumer Sentinel Network Data Book for January-December 2008, (Feb. 2009) [hereinafter “FTC 2009 Data Book”], available at http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2008.pdf.
74 Id. at 3.
75 Id.
76 Id.
77 Johannes, supra note 188, at 1.
Average consumer costs for fraud totaled $422, a decrease of 24 percent over 2003.78 Surprisingly, many cases of identity fraud involve someone who is known to the victim. In every case of fraud where the criminal is known, more than 50 percent have close ties to the victim as family members, co-workers, friends or neighbors, or people employed in the victim’s home.79 Costs to consumers rise as the relationship between the fraudster and the victim gets closer. For example, in 2006, if the identity fraud was committed by an employee at a financial institution, costs to the victim to resolve the matter averaged just $8.00. If the fraud was committed by a friend or neighbor, however, costs to consumers increased to $1,209.80 In 2005, 3.7 percent of individuals responding to a survey by the ftc said they were victims of identity crime, suggesting that some 8.3 million adults in the United States experienced some form of identity crime in that year.81 In the ftc report, the victims were classified into three categories on the basis of the definitions of identity theft included in federal law. The categories are “Existing Credit Card Only,” “Existing Non-credit Card Account,” and “New Accounts and Other Frauds.” In terms of the degree of harm done to consumers, new account fraud represented the highest degree of harm and existing credit card fraud the lowest.82 In 2005, 3.2 million adults in the U.S. reported misuse of personal information that was limited to one or more of their current credit card accounts. Misuse of one or more current financial accounts outside of credit card accounts, such as checking accounts or phone accounts, was reported by 3.3 million American adults. 
Under 1 percent (0.8 percent) of the survey respondents, or 1.8 million American adults, found that their personal information had been fraudulently used to open new accounts or fraudulent activity other than the misuse of current or new financial accounts.[83]

Educating consumers about identity crimes has affected their behavior, with 69 percent of U.S. consumers shredding any document that includes personal information before they discard it. This essentially eliminates trash as a rich source of data for identity thieves. In contrast, only 31 percent of consumers use a secure mail box. Theft of mail and fraudulent changes of address
78 Id.
79 Id.
80 Id.
81 FTC 2009 Data Book, supra note 196.
82 Id.
83 Id.
represent 8 percent of the cases in which a victim knows how personal data was obtained.[84]

While considerable publicity surrounds cases of identity theft linked to the Internet, the online environment actually represents a relatively low risk for consumers. Ninety percent of the known unauthorized access to sensitive, personal information occurs via non-electronic means. Among the individuals surveyed, only 9 percent cited cybercrimes such as hacking, phishing, or spyware as the source of the information breach. An added benefit of identity fraud occurring in the online environment is that electronic monitoring of accounts over the Internet is the fastest way to detect an identity crime. Sixty-five percent of frauds found using paper statements are discovered during the first month after the crime, but 63 percent of fraud discoveries made electronically occur in the first week.[85] Identity crime is the fastest growing crime worldwide.

3.6.4 Storing Identity Information for Trafficking or Later Use

In some cases, the personal information of millions of individuals is stolen, but the data of only a few is actually used to commit an identity crime. The people involved may think they have escaped from the effects of the theft, but in reality, the information taken during an information breach can be stored and used at any time, even many years into the future. A victim’s personal information can be used when he or she least expects it.[86] According to the Privacy Rights Clearinghouse, the major incidents of identity theft at the organizational level involved about 53 million identities, including those stolen from companies like Bank of America and Citigroup.
If all known incidents of identity theft at the organizational level in the United States occurring between 2005 and 2007 are considered, there is a one in two chance that a person’s information has been stolen, but not necessarily used in fraudulent activity.[87] This means that more identities are taken by offenders than are used for fraudulent purposes, but why? The answer is that they are or at least can be stored for future use.[88] There is a flourishing black market for the sale and purchase of identities, and the market is under no time pressure to use the identity information to commit a crime. Identity information is just as useful several years into the
84 Id.
85 Id.
86 Digital Transactions: Trends in the Electronic Exchange of Values, Tyfone (Sept. 14, 2010), http://tyfone.com/newsroom/?p=220.
87 Id.
88 Id.
future as it is now. Identity information is a commodity that does not become obsolete.

3.6.5 Profile of the Identity Thief

According to a study based on interviews with incarcerated identity criminals,[89] they tend to have working class or middle class backgrounds, and about 33 percent of them used their job positions to carry out the crimes. These individuals were employed by mortgage agencies, state and local governments, and businesses that had access to credit card and/or social security numbers. About 66 percent of the identity criminals had prior arrest records, most of them for other identity-related theft or fraud. Most of the identity criminals thought their chances of getting caught were very low, and most gave little thought to apprehension. Of those that did, most expected their punishment for the crime to be minimal. Most of the identity criminals did not believe that the crimes caused any real harm to real people, and so they were willing to continue their illegal activities.

Research also indicates that there are two major motivations for identity crime: financial gain and concealment of either a true identity or of another crime.[90] Identity thieves can be differentiated according to their level of commitment to the crime. Professional criminals are highly committed, typically act in gangs, do considerable planning, and tend to make their own opportunities to steal identities by looking for targets. An example of this activity is a criminal organization that steals identity information to manufacture credit cards, which are marketed and sold on the street in large cities by local gangs that deal in high volume.
Offenders learn and use a variety of skills to obtain identity information and to convert that information into goods and/or services.[91] Most commonly, identity criminals acquire the necessary information by purchasing it from employees of businesses or state agencies or from people they know, stealing it from residential mail boxes or from the mail boxes of businesses like insurance companies, and either stealing it from friends and/or family members or obtaining it with the permission of these individuals.[92]
89 Heith Copes and Lynne Vieraitis, Identity Theft: Assessing Offenders’ Strategies and Perceptions of Risk 4 (July 2007), available at http://www.ncjrs.gov/pdffiles1/nij/grants/219122.pdf.
90 Graeme R. Newman, U.S. Dept. of Justice, Office of Community Oriented Policing Services, Identity Theft 14 (June 2004), available at http://www.cops.usdoj.gov/files/ric/Publications/e05042360.pdf.
91 Copes & Vieraitis, supra note 212, at 6.
92 Id. at 5.
Identity criminals must learn various skills to ensure they escape detection and successfully commit their crimes. These skills include the ability to manipulate social situations, an awareness of their external surroundings, and the technical knowledge required to produce fake documents. They need to know how the banking and credit systems work as well, so that they can exploit systemic weaknesses.[93]

3.6.6 Theft of Physical Items

A Mail Theft

The increase in mailings of unsolicited, pre-approved credit card applications has made discarded mail an especially rich source of identity information in the United States. By simply completing the stolen applications and substituting a new address, criminals can use the cards to make charges in the victim’s name. In Canada, however, similar applications do not include enough personal data to make them attractive to identity criminals.[94]

Another common way for identity criminals to obtain personal information is to submit false change-of-address forms at the post office with the goal of directing another person’s mail to the criminal’s address.[95] Redirecting mail in this way gives the offender more time to engage in fraudulent activities before the victim becomes suspicious.[96] Mail can also be stolen or redirected via collusion between identity criminals and postal workers.[97] Mail can be redirected on a single account by submitting the change-of-address at the institution that provides that specific account, or all of a victim’s mail can be sent to another address by completing change-of-address cards at a post office. An identity thief needs very little information about the victim to redirect mail.
For example, at Canada Post, an online submission containing valuable information is all that is necessary to change the destination of mail delivery:[98] the old and new addresses, the date of the move, phone number, e-mail address, credit card number and its expiration date; to authenticate the information, the post office requires a birth date, knowledge of personal credit history, and optionally, the Social Insurance Number (SIN), and driver’s license number and the province in which it was issued. In a 2006 case, identity thieves
93 Id.
94 Id. (Uzma).
95 Newman & McNally, supra note 186, at 43.
96 CIPPIC, supra note 128, at 6.
97 Newman & McNally, supra note 186, at 43.
98 CIPPIC, supra note 128, at 6.
were arrested for fraudulently redirecting mail, having collected all the necessary information from victims via an online job offer.[99] In the United States, handwritten change-of-address requests require a response to verification notices that are sent to the current and forwarding addresses. However, since the verification notice can take several days or weeks to arrive after a victim’s mail has already been forwarded, the harm caused by the identity criminals has already occurred.[100]

Because so many financial documents are sent through the mail, authorities are concerned about mail theft. Identity criminals often concentrate on the mail system because it is relatively easy to use it for fraudulent activity. Criminals focus on incoming mail in particular to obtain pre-approved credit card offers and convenience checks from credit card firms.[101] Outgoing mail is useful to identity criminals because it often contains billing information or payments. For example, a credit card payment includes the billing invoice with the card numbers and a check, which provides the bank account and routing numbers of the individual who is sending the payment.[102] Criminals even target mail in transit if they are looking to obtain a large volume of mail that can be examined more efficiently for credit cards, checks, or personal data.
In these cases, identity criminals focus their attention on places where the mail concentrates as it moves through the postal system.[103]

B Dumpster Diving

While most identity theft still involves stealing wallets, purses, shopping bags, cell phones, laptop and desktop computers, offenders commonly go through the trash at homes or businesses in a practice known as “dumpster diving.” Dumpster diving refers to the process of going through trash bins looking for documents that contain identity-related information.[104] In cases where identity thieves obtain information from the trash, they are taking advantage of the victim’s negligence by which he or she unwittingly discards personally identifiable data.[105] Offenders sort through both residential and business garbage looking for useful personal and financial information. Some businesses generate trash that is particularly attractive to identity
99 Id.
100 Id.
101 Essential Elements, supra note 184.
102 Id.
103 Id.
104 Gercke, supra note 121, at 11.
105 Lawson, supra note 164, at 15–16.
thieves. These include hotels, rental car firms, and other businesses that take credit cards and then throw away the copies of the receipts resulting from these transactions instead of destroying them after the customer pays.[106]

C Public Records and Identity Theft

Theft of government, financial, medical, or other records may involve either paper documents or computer files and storage devices. Sometimes, individual identity information is made available to the public by third-party organizations, with little consideration of the potential for identity crime. Public records may include obituaries, court documents, organization memberships, real estate filings, and others. Many of these records may also be posted on the Internet, which only magnifies the potential danger of identity crime.[107]

Offenders can find the personal information of deceased individuals through newspaper obituaries and even cemetery headstones in a practice known as “tombstoning.”[108] Printed obituaries often include full names, birthdates, and information about the deceased’s family. Identity thieves who impersonate a deceased’s insurers may also be able to get personal data from the funeral home.[109] A case in Atlanta, Georgia involved selling the identity information of 80 recently deceased individuals at $600 each.[110]

In the United Kingdom, a special program has been implemented to catch offenders who impersonate dead people in order to obtain their pensions. Four organizations to date have been given approval from the General Register Office (GRO), which is part of the Identity and Passport Service, to receive copies of the personal details of 12,000 deceased individuals every week. The list allows special mortality screening companies to determine whether a pension claim is legitimate or not.
By using death records in this way, the abuse of dead people’s identities will be reduced and ultimately stopped, as will the financial and personal damages inflicted on businesses and individuals through this crime.[111]

Governments are increasingly putting public records online to capitalize on cost reduction, service improvement, and regulatory transparency. However, making records available in the digital realm brings the danger of identity theft
106 CIPPIC, supra note 128, at 5.
107 Lawson, supra note 164, at 16.
108 Essential Elements, supra note 184, at 8.
109 CIPPIC, supra note 128, at 9.
110 Id.
111 Christopher Williams, Home Office death list ‘stops ID fraud,’ The Register (Sept. 23, 2008, 10:52 PM), www.theregister.co.uk/2008/12/23/gro_list/.
as well as benefits to citizens. For example, the State of Florida placed marriage and divorce records, property deeds, and military discharge papers online in 2002.[112] Recognizing that this was enough information for identity thieves to succeed in their fraudulent activities, the state legislature ordered the data to be “masked” by 2006. In Canada, open court records were made available for electronic access, including family law court records, which often include financial statements and three years’ worth of income tax returns. The tax documents alone provide enough data to enable identity crime.[113]

In some countries, including Canada and the United States, information kiosks located in public places offer government services such as automobile licensing. These kiosks have been used by identity thieves to obtain a car owner’s name and address, with which they can pretend to be the real owner of the vehicle, get a copy of the ownership papers, forge a driver’s license from the paperwork, get a new key for the automobile, and then steal it.[114]

As mentioned above, it is not always necessary to commit a crime to get identity-related information. Much of that information is publicly available, and identity thieves can use online search engines to find it. The terms “Googlehacking” or “Googledorks” refer to the activity of using complicated queries in a search engine to filter large amounts of data and discover information about issues relating to computer security and personal information that can be used in a stolen identity scam.
Popular file-sharing systems can also be used to get information linked to another person’s identity.[115] Publicly available data can be obtained from a variety of sources, including birth and death registry databases, to create false identities that can, in turn, be used to apply for genuine documents like drivers’ licenses, passports, social security numbers, and credit cards.[116] Identity information is also available for the taking in telephone directories, marriage announcements, voter registration lists, online resumes, and social networking sites.[117]

D Insider Theft

A substantial percentage of the information used by identity criminals, particularly data related to payment cards and financial accounts, is obtained via

112 CIPPIC, supra note 128, at 8.
113 Id.
114 Id.
115 Gercke, supra note 121, at 15.
116 Essential Elements, supra note 184, at 8.
117 Id.
third parties. In such cases, victims often have no knowledge of the theft and are powerless to stop it. Sensitive personal information is endangered because governments and large corporations collect and store large amounts of information, including ATM card numbers, passwords, and PINs, over which individuals have no control. Ultimately, the security of this data relies on the integrity of employees.[118]

According to Canada’s federal Privacy Commissioner, poor management of data storage and retention is one of the largest problems facing organizations in terms of identity crime committed by insiders. In 2006, individuals’ personal information was stolen from the Bank of Canada’s payroll deduction database, and identity documents were forged using this information. The forged documents were designed to allow the fraudulent redemption of Canada Savings Bonds by bank customers nationwide.[119] In New York, an employee of a Long Island firm that provided companies with access to credit information from commercial credit bureaus accessed client codes and passwords to obtain credit reports and provide them to a criminal network of 20 identity criminals, who then used them to steal between $50 and $100 million belonging to their more than 30,000 victims.[120]

Identity criminals also steal the actual computer hardware, namely desktop and laptop computers, storage devices, and storage media that may contain personal information. According to a 2007 U.S. survey, almost 15 percent of the losses cited by respondents in regard to computer-related offenses involved the theft of sensitive information and mobile hardware.[121]

E Thefts Involving Used Computer Equipment

Businesses and other organizations want to have up-to-date computers and servers, so they update their computer hardware on a regular basis.
This results in a large number of discarded hard drives, which are often not erased properly and which may contain huge amounts of information related to the former owner that is potentially useful to an identity thief. The same situation exists for servers that held large databases of information on customers, users, and clients.[122] Because simply deleting files is not sufficient to remove them from a hard drive, the situation presents a potential identity crime threat. An
118 CIPPIC, supra note 128, at 11.
119 Id.
120 Id. at 12.
121 Marco Gercke, Project on Cybercrime, Internet-Related Identity Theft 14 (Nov. 22, 2007), available at http://www.itu.int/osg/csd/cybersecurity/WSIS/3rd_meeting_docs/contributions/Internet_related_identity_theft_%20Marco_Gercke.pdf.
122 CIPPIC, supra note 128, at 19.
example of the problem involves two graduates of the Massachusetts Institute of Technology who purchased used computer hard drives and intentionally scanned them for sensitive information; they found medical data and credit card numbers.[123]

F Skimming

Skimming refers to the use of devices that read, record, and transmit data contained in the magnetic strips on credit and debit cards or similar cards used to access restricted areas. The recorded information is then often sold to identity criminals for traditional uses or to create “cloned” cards that are electronic duplicates of the original stolen cards. Any card that has a magnetic strip, including a library card or airline boarding pass, can be reprogrammed so quickly that the owner of the card remains unaware that his or her information has been stolen.[124]

Identity criminals in Calgary, Canada copied the debit cards of 35 ATM users in an hour in 2004. Sometimes, offenders use hotel key cards, which do not include personal identity information, but which can be used to create fraudulent debit and credit cards because the same technology is used for both. In 2003, five Russians were arrested for a debit card scam that involved buying and modifying five ATM machines to capture the information necessary to copy the card, as well as the PIN entered by the customer. Approximately 4,000 people were victims of this crime, which was the largest debit card fraud in Canadian history.[125]

Some skimming operations involve sub-transactions, which need specialized software to complete. An example of such a sub-transaction is the processing of payment on the card plus processing a credit to a rewards program. The software collects that data on the card when it goes through the skimmer and then carries out the transaction’s separate steps. Skimmers can also be attached to a waiter’s apron or placed out of sight under a store counter.
While the transaction appears normal to the customer, his or her card is actually being swiped again by the skimmer at the same time as the sales terminal processes the legitimate transaction.[126]

In more sophisticated operations, a small camera capable of high resolution is installed at a location like an ATM in order to capture the victim entering a PIN. Identity thieves may simply look over the victim’s shoulder as he or she
123 Id.
124 Id. at 9.
125 Id.
126 Id.
enters the PIN in an activity known as “shoulder surfing.” Thieves use a modified version of shoulder surfing by utilizing a cell phone camera or miniature digital camera to take a photo of the credit card of an individual in the checkout line at a store.[127] Or criminals may create a fake ATM that has a skimmer and a camera and install it in a public place. When a victim attempts to use the machine, it appears to be out of order, and after swiping his or her card a few times, the victim gives up, leaving personal identity information behind. This information can then be used to make unauthorized purchases or to create secondary cards.[128]

Skimming devices can be purchased legally, since they are used to read and write information in cash terminals so that payment cards may be accepted. Businesses such as restaurants and gas stations are often targeted by offenders who use skimmers for illegal purposes. Personal identity information can be obtained by employees at any cash terminal via a skimmer if appropriate security measures are not taken by the retailer.[129]

G Pretexting

Pretexting refers to the act of impersonating someone with a legitimate need for the victim’s personal information in order to dupe the victim into voluntarily providing that information to the offender.
Identity thieves, for example, use pretexting to obtain credit reports by pretending to be landlords or employers.[130] Personal identity information is sometimes obtained by fraudsters posing as government officials as well.[131] Pretexters, for example, may con employees into abusing their employer’s authorized access to credit report information.[132] They may use e-mail or phone calls and pose as legitimate companies, claiming there is a problem with a victim’s account and asking for personal data to clear it up.[133] In other cases of pretexting, an identity thief may pose as an employee of an agency that issues identification documents, or they may gain access to such an agency by bribing or extorting real employees.[134]
127 Id. at 10.
128 Id. at 9.
129 Id.
130 See All about Identity Theft, StraightForwardMedia, https://web.archive.org/web/20160110020150/http://www.straightforwardmedia.com/debt2/identity-theft-protection.html (last visited Oct. 30, 2012).
131 See Id.
132 Id.
133 Lawson, supra note 164, at 16.
134 Newman & McNally, supra note 186, at 44.
3.6.7 Data Theft Techniques That Rely on Computer Technology

Identity crime that involves technology is often based on unauthorized access to computers that hold personal information of value to offenders. Unauthorized access can be obtained through traditional methods of computer “hacking” and malicious software programs, or “crimeware” and spyware, that attach to computer viruses and worms to collect passwords that allow the identity thief to gain entry to a computer hard drive at a later time to search for personal information. Malware and spyware can also be purchased by offenders in order to steal sensitive data from a victim’s computer.[135]

Hacking is the essence of unlawful computer system access, and it is one of the oldest computer-related crimes. In the past, hackers targeted large business and government organizations, such as NASA, the Pentagon, eBay, or Google. Increasingly, however, identity criminals are targeting the systems of regular computer users where they may find valuable identity-related data. Criminals are also focusing on obtaining access to systems that host large databases filled with users’ personal information.[136] Identifying information may also be exposed to criminals accidentally by businesses and other organizations through “leakage.” This refers to inadequate data security measures or inappropriate document or data disposal.[137]

With so-called social engineering methods, identity criminals receive personal information directly from the victims via techniques that convince them to provide this information voluntarily.
Social engineering is associated with direct fraud scams, including lotteries, high-pressure telemarketing, and Ponzi schemes, in which victims believe that providing their personal information is required in order to receive a payment or other item of significant value.[138]

The online environment operates largely without face-to-face transactions, so the issues of trust and security have become critical for all financial transactions, including e-commerce businesses and banking. However, the use of payment cards in the offline world also requires a focus on the security and trustworthiness of in-person transactions. The Personal Identification Number associated with a payment card may not act as identifying information about the customer, but it is an indication that the payment will be legitimately authorized.[139]
135 Essential Elements, supra note 184, at 6.
136 Id. at 7.
137 Id. at 8.
138 Id.
139 Gercke, supra note 121, at 12.
The digital nature of Internet-based services, as well as their increasingly global scope, continues to multiply the uses of identity-related information. Commercial and government operations rely on the automatic processing of electronic information, and obtaining access to identity data allows offenders to commit crimes in many areas of social life. Additionally, identity-related information is stored in large, central databases that make tempting targets for identity criminals.[140]

A Phishing

The roots of the identity theft technique known as “phishing” can be found in the 1970s as a scam designed to defraud phone companies. At the time it was called phone “phreaking.” The target of a phishing attack is the enterprise, which usually must handle the losses resulting from the attack, and the customers of the business.[141] Now it has been adapted to the Internet and refers to actions designed to make individuals voluntarily disclose their personal information through social engineering techniques. The method was previously called “larceny by trick.” Phishing attacks are extremely varied, but some of the most common use e-mail. The three phases of an e-mail phishing attack include:[142]

1. Identification of legitimate companies that offer online services and communicate with customers via e-mail
2. The design of websites that closely resemble legitimate websites operated by the identified company
3. Sending e-mails that appear to come from the legitimate company and direct victims to the bogus website

In 1996, computer hackers tried to use imposter e-mail messages to get the passwords of the users of America Online (AOL). However, the technique really gained notoriety in 2003, when the number of these phishing scams began to grow at a rapid rate.
Australia was one of the first regions to be targeted by phishers, but incidents of phony e-mails quickly increased, mostly in the United States and the United Kingdom.[143]

Phishing represents a rapidly growing technique among identity criminals. Typically, offenders send out large numbers of e-mail messages, and each message appears to have come from a legitimate business. The e-mail advises the

140 Id. at 14.
141 Elizabeth Robertson, A Phish Tale? Moving from Hype to Reality 2, TowerGroup (Dec. 2004), i.i.com.com/cnwk.1d/html/itp/A_Phish_Tale.pdf.
142 Gercke, supra note 121, at 13.
143 Robertson, supra note 264, at 8.
recipient to confirm personal data with the company by clicking a link in the body of the message. Once a victim clicks that link, they are taken to a website that mimics the legitimate site and asks for additional information, such as a bank account or credit card number. The identity criminals then use that information to commit identity fraud or sell the data to other offenders.[144]

The fraudster pretends to be a trustworthy company or organization in an e-mail message, and the e-mail message is designed to encourage victims to provide personal information. Phishing scams represent between 20 percent and 25 percent of all identity theft incidents,[145] and the fraudulent messages have become so sophisticated that recipients have a very difficult time distinguishing them from genuine communications from real institutions.[146] A phishing message usually alerts the victim that something is wrong with his or her account and that passwords must be updated, corrected, or verified if the account is to remain open. Some phishing messages even contain fraud alerts, and many include the company logo and colors of a legitimate message; the use of these elements is known as “spoofing.”[147] The fake messages are generally written to communicate a sense of urgency for a reply. Phishing e-mails may be spread by computer worms and viruses, sending the same fraudulent message to everyone in a victim’s digital address book. The phishing scam, overall, relies on a computer user’s inattention to details for its success.
For example, names of unlawful, spoofed websites may contain slight differences from the legitimate address of the real company.[148]

Robert Siciliano, security consultant, reports that individuals respond to five of every 100 phishing e-mails requesting personal information, and they are willing to respond because the messages look so authentic.[149] In a study of adults in the United States, individuals were asked whether a number of given e-mail messages were fraudulent, and there was an error rate of about 30 percent.[150] While most phishing operations target consumers in the United States, the Anti-Phishing Working Group found over 2,850 active websites in 2005 posing as 80 different legitimate firms in 68 countries.[151] The clients of financial
144 Essential Elements, supra note 184, at 7.
145 CIPPIC, supra note 128, at 13.
146 Id.
147 Id.
148 Id. at 13.
149 Id.
150 Id.
151 Id. at 14.
organizations in Canada are often the preferred target for phishing scams. According to a survey by Ipsos-Reid, 24 percent of Canadians have received e-mails that appear to be from a financial institution and asking them to verify their account number, password, or other personal information. And 14 percent of Canadians who receive the fraudulent e-mails go on to become victims of the scams.[152]

Evolution of Phishing

In the beginning, the e-mails associated with phishing were crude and riddled with spelling mistakes and poorly designed imposter websites. Then phishing “starter kits” became available at hacker sites online.[153] These sites operate in an underground economy where identity information is bought and sold. According to identity fraud experts, phishing is expected to evolve into ever more sophisticated and targeted techniques. Offenders are likely to target their e-mails more accurately in order to lure customers of specific financial institutions. With improved targeting of victims, identity thieves who use the phishing technique could increase the rate at which they reach actual customers with their e-mails from under the current one percent to as much as 100 percent.[154]

The advanced utilization of malicious software programs (malware) will also make phishing attacks more efficient and lead to the development of even more variants on the process. Currently, organized crime rings are involved in the development and advancement of phishing, which has led to better quality e-mails and scams integrated with malware downloads that make the attacks even more dangerous and harder to detect or prevent.
By combining phishing techniques with a virus, Trojan horse, or worm program, identity thieves can install spyware, screen loggers, or key loggers on a victim’s personal computer and receive the result of every keystroke, which could be a social security number, a credit card number, or a bank account number.155
1 Cookies
Other identity theft methods likely to be used in the future as phishing attacks evolve include scanning legitimate “cookies” to develop targeted “hit lists” of customers. Most online stores and financial institutions rely on cookies156 – small text files installed on a computer and containing data used to identify
152 Id.
153 Robertson, supra note 264, at 4.
154 Id. at 7.
155 Id.
156 Id. at 6.
chapter 3
that user with a specific website; the data is stored on the user’s computer. Phishers can access this data by hacking into a website and installing software that captures the identity of the cookie’s owner and the related personal access information stored on a user’s computer. This means that the identity thief can use the cookie to find banking and other personal consumer information and use that information to create targeted customer lists and improve the effectiveness of the phishing e-mails.157 The Internet has altered the nature of security for those fighting financial fraud. In the past, business transactions occurred with face-to-face interaction, and in order to commit such a fraud, the offender had to use a telephone or the postal service. The global, public, and insecure environment of the Internet has tilted the odds in favor of the criminal, since the investment of time and money required to commit large-scale financial fraud is minimal compared to the cost of conducting a postal mail action.158
2 Botnets
Botnets159 are used by phishers to take over a victim’s computer remotely. A botnet comprises several “bots,” or software agents that run automatically and by themselves. They are usually associated with malware, and the term may also refer to several “zombie computers,” or computers that have been compromised by downloading a virus or a Trojan horse program that permits a remote user to take control in order to log keystrokes or screen captures to collect personal identity information. In most cases, the computer user does not know that the machine has been breached by a bot.160
3 Organized Crime
Mail theft, dumpster diving, and other thefts of physical items require identity thieves to operate in the area of their targets. With the Internet, however, identity theft and other instances of fraud can be launched from anywhere in the world.
In fact, most phishing attacks have their origin in the countries of Eastern Europe and the Pacific Rim and are directed by organized crime
157 Id. at 7.
158 Id. at 2.
159 Sarah Calaunan, Phishing Attack Targets Microsoft Outlook Users, TrendMicro (Jun. 2, 2011), http://blog.trendmicro.com/trendlabs-security-intelligence/phishing-attack-targets-microsoft-outlook-users/.
160 What is a Bot? Or Zombie?, About.com, http://netsecurity.about.com/od/frequentlyaskedquestions/qt/pr_bot.htm (last visited Feb. 10, 2012).
syndicates like the Russian Mafia and the Asian Triads. Identity thieves have also expanded their operations to Latin America.161 One of the most disturbing things about phishing is that the technique relies on the willingness of victims to cooperate with security and other requests that appear to come from their legitimate financial institution. Through the impersonation of a trusted institution in a well-designed fake e-mail that references the victim’s specific relationship with that institution, identity criminals can easily obtain sensitive personal information.162 Global organized crime groups are responsible for most phishing attacks at present. They recruit highly educated technology workers to steal the brands and contents of company websites and to take over commercial servers, as well as the personal computers of consumers. These computers are then used to send out phishing attacks. With the growing use of the so-called “zombie” computers, and the offenders’ practice of rotating the hosts, the time and effort needed to find and stop a false website have increased greatly. Language and legal issues also act as barriers, since many hosts are located in other countries.163
4 Phisher Profile
The individuals associated with phishing scams include those who are motivated by financial considerations, as well as those who hunt and prosecute cybercriminals. There is a significant underground “microeconomy” linked to phishing that involves the creators of botnets, the fraudsters who actually do the phishing, and individuals who enable the entire scam. The three groups are interrelated, however, and a single offender can have a number of roles at the same time.164 Botnet creators are different from the stereotypical virus writer who works alone and wants to become famous for breaching a computer system. Instead, typical botnet makers are young and technologically advanced.
They are looking to gain financially, and most of them work in Eastern Europe, Brazil, Morocco, or China. With the proliferation of botnet creation tools, however, it is no longer necessary for an offender to have a high level of technological knowledge.165 In the world of phishing, the botmaster tells the botnets what to do and may be the botnet’s creator, or a separate person who is responsible for
161 Robertson, supra note 264, at 3.
162 Id.
163 Id.
164 Calaunan, supra note 282.
165 Id.
renting or leasing botnets. These individuals may also act as auctioneers, offering their botnets to the highest bidders.166 The offenders involved with phishing show considerable flexibility in continuing their activities over time and not being detected. These offenders exploit the vulnerabilities of computer software, and they are also influenced by global current events. According to researchers, modern phishers have a high awareness of current events and plan their attacks in relation to these events. In one example, after a major hurricane or earthquake, phishers implement attacks that use e-mail and websites designed to receive donations to help the damaged areas.167
5 Phishing Trends
The identity criminals who use phishing techniques are professionals and increasingly are part of organized rings that use identity theft to commit other crimes, including money laundering, drug trafficking, illegal immigration, and the theft of vehicles.168 In many cases, the illegal activities of these offenders go undetected because they rely on students or other innocent middlemen. Modern phishing scams configure websites that are virtually identical to the legitimate sites, and fraud experts, such as those on the Intellectual Property Governance Task Force in the United States, recommend that the owners of trademarks use more technical methods to prevent their brands from being compromised by phishers.169 Phishing represents a serious and growing threat, since offenders can buy kits online that allow them to establish phishing systems and exploit Internet and software weaknesses to access the computers of their victims. An anti-phishing tool created by the Netcraft Toolbar Community in 2006 stopped over 609,000 URLs that were confirmed as phishing sites. This represented a major increase from the 41,000 URLs blocked in 2005.
The increase was attributed to the greater use of techniques implemented by professional phishing offenders to automate the propagation of spoofed web pages.170
166 Id.
167 Id.
168 Organisation for Economic Co-operation and Development (OECD), Scoping Paper on Online Identity Theft (Ministerial Background Report DSTI/CP(2007)3/FINAL, declassified 2008) [hereinafter “OECD Report”], available at http://www.oecd.org/sti/40644196.pdf.
169 Id.
170 Id.
In regard to escaping detection, several new trends are evident among phishers as well. For example, rather than utilize large numbers of compromised computers in their attacks, modern phishing criminals have started to use smaller botnets that launch a higher number of attacks. These offenders have discovered that it is more difficult for their activities to be detected if many attacks occur from many different locations.171
B Phishing Variants
While traditional phishing represents a large segment of the criminal activity, offenders have developed a wide range of variants on the technique.
1 Spear-Phishing
Spear phishing refers to an action in which the sender of an e-mail pretends to be a firm’s employee or employer in order to steal the passwords and usernames of colleagues for the purpose of accessing the company’s computer system. The e-mails are personalized to the recipient and appear to come from a source that knows the victim.172
2 SMiShing
This term refers to the application of phishing techniques to reach external devices like mobile phones. With SMiShing, users of cell phones receive a text message confirming their subscription to a dating service and telling them that they will be charged a set amount of money each day unless they go to the company’s website to cancel their order. The website is used to steal the user’s personal information. Experts believe that this technique will be used more and more by malware offenders in the future.173
3 Vishing
This relatively new phishing method uses phones to steal personal identity information. The offender sends a traditional, spoofed e-mail that appears to come from a legitimate company. The e-mail invites the victim to call a phone number to provide this sensitive information, which plays to the individual’s belief that they are providing the data in a safer way than by putting it online.
When the call goes through, an automated voice prompts the victim to enter an account number or password for a fake security verification. Some phishers
171 Calaunan, supra note 282.
172 OECD Report, supra note 291, at 4.
173 Id. at 19.
may even eliminate the initial e-mail message and call consumers directly in this scam.174
4 Phishing through Spam
Extensive phishing can be accomplished through spam. Spam refers to e-mail messages that advertise a product or service. It is only annoying in most cases, but it can also include dangerous messages that are designed to steal the recipient’s identity. In the past, spam e-mails were generally text-based, but now they contain images more frequently, which can be used to transmit malware to an unsuspecting victim’s computer. Also, those who send spam may try to avoid detection by using domain names from small island nations that are not subject to spam filters.175
5 Deceptive Phishing
E-mail is the main source for deceptive phishing. A deceptive e-mail message is sent to thousands of people and includes a statement that requires the reader to take some action by first clicking on a link in the message. These “calls to action” may state that there is a problem with the reader’s account, that the account has been compromised, that an unauthorized charge has been made, or provide a fictitious one-time offer of an instant benefit. The link leads to a fraudulent website that is designed to collect the user’s private identity information. While phishers do not cause direct financial harm in most of these cases, they often resell the data on a secondary market that involves online information brokering forums or chat channels specializing in the buying and selling of stolen identity information. With the proliferation of HTML-capable e-mail readers, fraudsters have eliminated the need to click a link, and instead, offer a simulated legitimate login page in the e-mail message.176
6 Content-Injection Phishing
In this type of phishing, malicious content is placed on a legitimate website. The content may redirect users to other sites, install malware on the victim’s computer, or insert a piece of content designed to redirect information to a
174 Id. at 20.
175 Id. at 2.
176 Aaron Emigh, ITTC Report on Online Identity Theft Technology and Countermeasures, Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures 7 (Oct. 3, 2005), available at http://www.antiphishing.org/Phishing-dhs-report.pdf.
phishing service. While there are many variations of this phishing technique, the three most common methods are:
1. Compromising a computer service through a weakness in its security protocol to replace legitimate content with malicious content or to add malicious content to the site’s legitimate information.
2. Using a cross-site scripting vulnerability, which refers to a programming flaw that allows content from an external source (a blog, auction, user review, etc.) to enter the legitimate website; this content may be malware that is not filtered by the site server and so runs in the visitor’s browser.
3. Performing malicious actions via an SQL injection vulnerability that allows database commands to be executed in such a way as to result in information leakage because of inadequate filtering.177
7 Search Engine Phishing
Using search engine phishing, offenders create web pages for products that do not exist, allow the pages to be indexed by search engines, and simply wait for victims to enter their personal information when they order or pay for the fake product. These sites usually offer products at extremely low prices in order to lure buyers. A phishing scam that involves fraudulent banks has been very successful with this method, since the slightly higher interest rate offered by the fake bank plays to the victim’s greed, a powerful motivating force. Victims are eager to enter their banking information for a chance to transfer funds from their legitimate bank to get the higher rate, even if the fake bank is the “Flintstone National Bank,” of “Bedrock, Colorado.”178
C Pharming
Pharming is related to phishing and is also called “domain spoofing.” This technique uses a fake website that purports to be a legitimate business or government site to lure victims into providing personal information voluntarily.179 With the pharming technique, users are directed to a spoofed website via Domain Name System (DNS) manipulation.
Offenders use the information provided by victims through the spoofed site to log into existing financial accounts and transfer funds, apply for passports, or create new accounts in the victim’s name. Pharming can be accomplished in two ways. One method involves compromising the computer host file via entries that link legitimate domain names to
177 Id. at 11.
178 Id. at 12.
179 CIPPIC, supra note 128, at 15.
illegitimate Internet addresses. The other method is known as Domain Name System (DNS) poisoning.180 This method exploits weaknesses in DNS software to get control over the domain name of a legitimate website and then change the address associated with the domain name. When a victim types the altered address into a browser, it will automatically take him or her to the spoofed website. While the address bar in the browser displays the correct web address, the site displayed on screen is a fake. With both methods, the victim believes the site is legitimate. DNS cache poisoning is similar to pharming, but instead of manipulating the DNS record on the server, the tampering is performed on the local machine that is used to access a website. DNS cache poisoning uses the “host file” and is generally done through some variation of a Trojan horse application, virus, or spyware program. Visitors to a legitimate site are redirected to the thief’s site via a replacement IP address. The customers of over 100 financial institutions in Europe and the United States were targeted by this method in 2006.181
D Spyware
Spyware is computer software that allows identity thieves to track all the activities a computer user performs on his or her computer and also permits them to access the contents of the user’s hard drive. Spyware is notorious for making systems slow down or crash, and it is behind most unwanted ads and pop-up messages.182 Anti-virus programs, anti-spyware programs, and firewalls all help in the prevention of spyware installation onto a personal computer, but these aids must be kept up-to-date and are not totally effective. Victims continue to install spyware or malware onto their computers unknowingly; studies have found that spyware is the fastest-growing threat to business systems, outpacing Trojans and other risks.
Ninety-two percent of businesses polled said they had been infected by some kind of spyware, while 17 percent reported at least one incident of keylogging or other hacking application being triggered by an employee.183 Some spyware can be implemented to collect personal information from a cell phone, smart phone, or PDA. Identity thieves can access information such
180 Id.
181 Id.
182 Id. at 16.
183 Id.
as PINs, banking information, credit card numbers and other information without the victim’s knowledge and from a remote location.184 Identity thieves continue to develop new computer technologies as well. A new kind of spyware is attached to a web browser, and once a victim visits the targeted bank’s site, the spyware program replaces parts of the legitimate site with a replica page that takes the victim’s login credentials and sends them to the identity criminal instead of to the bank. These banking Trojans have been used chiefly against banks in South America, but in 2006, the first attack against American Express in North America was launched.185 A similar Trojan was combined with phishing against America Online subscribers, and the spyware was distributed to victims through e-mail messages. In the AOL case, the spyware prevented users from logging into their account until they provided credit card numbers and other personal information.186
E Malware
Malware is a word constructed from two others: malicious software. It refers to computer code that is inserted into a data system with the intent to damage that system or other systems. It may also target a computer system for uses other than those expected by its typical users. Malware includes programs such as keystroke loggers or Trojan horses. These programs lurk in a computer system and capture information about its users surreptitiously. Increasingly, malware is designed as a standalone tool with the express purpose of stealing the personal information of victims. Identity thieves use threats such as blended and targeted attacks to get this personal data.187
1 Web Trojans
Web Trojans are a type of malware that are displayed over login screens, seeking to collect a user’s credentials.
Victims believe they are entering their personal information to a known website, while the data is actually being sent to an identity thief, who can then misuse it.188
2 Keyloggers and Screenloggers
Keyloggers are programs that install themselves either into a web browser or as a device driver, and that monitor data being input and send relevant data to a
184 Id.
185 Id.
186 Id.
187 Robertson, supra note 264, at 7.
188 Emigh, supra note 299, at 10.
phishing server. Keyloggers use a number of different technologies, and may be implemented in many ways, including:189
1. A helper object in a browser that finds changes to a URL and logs data when a URL reaches a site designated to collect credentials
2. A device driver designed to monitor input from a keyboard and mouse to log a user’s activities
3. A screenlogger that monitors input from the user and the screen display to avoid input security measures applied on screen
Keyloggers can collect credentials for many websites, but are often designed to monitor a user’s location and transmit credentials only for specific sites. Frequently, hundreds of these sites are targeted, including corporate networks and financial institutions. There can be secondary damage from keyloggers. For example, more than 50 credit reporting agency accounts were compromised by a keylogger that spread through pornography spam. These accounts were then used to compromise more than 310,000 sets of personal information held in the credit agency’s database.190
3 Malware-Based Phishing
Malware-based phishing involves phishing techniques that add the running of malicious software on a victim’s computer to the typical phishing methods. This type of phishing can be implemented in many ways, but it is generally spread via social engineering or through exploiting a security vulnerability. In a common social engineering attack, the victim is convinced to open an e-mail attachment or to download a file from a website. Often, the download file claims to offer pornography, gossip, or celebrity photographs. Sometimes, the downloadable software contains malware.191 Malware uses security vulnerabilities by propagating as a virus or worm that installs the software, or by offering the malware on a website that attacks the vulnerability.
Users may be directed to a malicious website through social engineering methods like spam or by adding malicious software into a legitimate website through cross-site scripting.192 The “man-in-the-middle attack” is another type of malware-based phishing in which the offender collects victims’ personal information by intercepting a message intended for a legitimate website.193 With other types of malware attacks, fraudsters install malware on a
189 Id. at 9.
190 Id.
191 Id. at 8.
192 Id.
193 OECD Report, supra note 291, at 19.
victim’s personal computer and use it to gather users’ passwords or personal IDs when the victim visits the targeted site. Using this method, the identity thief does not have to create a fake website or provide an e-mail link to the site.194
4 Targeted and Blended Malware Attacks
Targeted attacks usually attempt to steal intellectual property and proprietary information. Since users have increasingly implemented proactive steps designed to protect their systems, offenders have replaced large-scale attacks that try to exploit as many vulnerabilities as possible with smaller, focused attacks. With a targeted attack, identity thieves find it easier to avoid detection and retain access to a victim’s system for longer periods of time.195 Most malicious activity now combines several malware applications. For example, one blended attack involves embedding malware into a website, the remainder of which is legitimate.196
5 Linked Malware
With the linked malware technique, phishers send fraudulent e-mail messages that tell recipients to visit a website to get further instructions or data. Once the victim clicks the e-mail link, spyware, a keyboard logger, and other malicious software are automatically downloaded to the user’s personal computer.197
6 Disguised Link
The disguised link approach involves sending a phishing e-mail that includes a link. While the link looks legitimate, in reality, it is not functional. The e-mail also includes a coded link to a spoofed site. Victims who click near the legitimate link are sent to a bogus site and asked for personal information.198
7 Rotating Use of Hijacked and Zombie Computers and Servers
Perpetrators of phishing either hijack a personal computer electronically or use “zombie” computers to host fake websites. The computers or servers that act as the source are rotated regularly to prevent detection.199
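The disguised links described above, and the login pages embedded directly in a message described under Deceptive Phishing, both leave traces in the HTML of the e-mail that a mail filter can check. The following Python sketch is an added example, not taken from the book or its sources; the rule names, the sample message and every host name in it are constructed, and the host comparison is an approximation that does not consult a public-suffix list.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A host name written in the visible link text, with or without a scheme.
SHOWN_HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def _norm(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def same_site(shown, actual):
    """True if the link target is the shown host or a subdomain of it.

    Approximation: a production filter would compare registrable domains.
    """
    shown, actual = _norm(shown), _norm(actual)
    return actual == shown or actual.endswith("." + shown)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class MailAuditor(HTMLParser):
    """Collects (rule, detail) findings from the HTML part of a message."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None      # href of the <a> element currently open
        self._text = []        # visible text seen inside that element
        self._form = None      # action of the <form> currently open
        self._form_pw = False  # True once the open form has a password field

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "form":
            self._form, self._form_pw = attrs.get("action") or "", False
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._form_pw = True

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check_link(self._href, "".join(self._text))
            self._href = None
        elif tag == "form" and self._form is not None:
            if self._form_pw:  # a credential form embedded in the message
                self.findings.append(("password-form", self._form))
            self._form = None

    def _check_link(self, href, text):
        try:
            host = urlsplit(href).hostname
        except ValueError:
            host = None
        if not host:
            return  # mailto:, fragment, relative or malformed link
        if is_ip_literal(host):
            self.findings.append(("ip-literal-link", href))
        shown = SHOWN_HOST.search(text)
        if shown and not same_site(shown.group(1), host):
            self.findings.append(
                ("text-href-mismatch", f"{shown.group(1)} -> {host}"))


def audit(html):
    parser = MailAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample message; every host name below is made up.
SAMPLE = """<html><body>
<p>There is a problem with your account. Sign in at
<a href="http://login.examplebank.test.account-check.invalid/">https://www.examplebank.test/login</a></p>
<p><a href="https://www.examplebank.test/help">www.examplebank.test/help</a></p>
<p><a href="http://203.0.113.7/verify">Verify now</a></p>
<form action="http://collector.invalid/post">
<input type="text" name="user"><input type="password" name="pass">
</form>
</body></html>"""

if __name__ == "__main__":
    for rule, detail in audit(SAMPLE):
        print(rule, detail)
```

The second link in the sample is left alone because its visible text and its target name the same host; the other three elements each trigger one rule.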
194 Robertson, supra note 264, at 7.
195 OECD Report, supra note 291, at 17.
196 Id. at 16.
197 Robertson, supra note 264, at 5.
198 Id.
199 Id.
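For the host-file method of pharming described under Pharming above, a defender can audit a machine's hosts file for entries that pin public domain names to fixed addresses. The Python example below is added here and is not part of the book; the watch list, the baseline of expected local names and the sample file are constructed assumptions.

```python
import ipaddress

# Names a stock hosts file normally defines (assumed baseline; adjust per OS).
EXPECTED_LOCAL = {"localhost", "localhost.localdomain", "ip6-localhost",
                  "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_number, address, names) for every well-formed entry."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            # Strip an IPv6 zone id such as fe80::1%lo0 before parsing.
            address = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                          # not an address: ignore the line
        names = [name.lower().rstrip(".") for name in fields[1:]]
        if names:
            yield number, address, names


def audit_hosts(text, watched):
    """Return (line, severity, name, address) for entries that override DNS.

    "high":   a watched domain or one of its subdomains is pinned to any
              address, loopback included (a local proxy would listen there).
    "review": another fully qualified name is pinned to a routable address.
    """
    watched = {w.lower().rstrip(".") for w in watched}
    findings = []
    for number, address, names in parse_hosts(text):
        for name in names:
            if name in EXPECTED_LOCAL or "." not in name:
                continue                      # local or single-label name
            if any(name == w or name.endswith("." + w) for w in watched):
                severity = "high"
            elif address.is_loopback or address.is_unspecified:
                continue                      # sinkhole entry, not a redirect
            else:
                severity = "review"
            findings.append((number, severity, name, str(address)))
    return findings


# Constructed sample hosts file; names and addresses are made up.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1      localhost
::1            localhost ip6-localhost
0.0.0.0        ads.tracker.invalid            # sinkhole entry
198.51.100.23  www.examplebank.test examplebank.test
192.0.2.10     intranet.corp.example
10.0.0.5       buildserver
not-an-ip      www.examplebank.test
"""

# Hypothetical watch list: the domains whose resolution must never be pinned.
WATCHED = {"examplebank.test"}

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, WATCHED):
        print(*finding)
```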
8 Altered URL
With this method, phishers install a Trojan horse designed to change a URL that is typed in by a consumer. In other words, a computer user enters a legitimate URL, which is then changed by a Trojan to the URL of a fake website. The user never knows that the change has occurred and thinks the legitimate website has been reached.200
9 Session Hijacking
Session hijacking attacks monitor a user’s actions on a computer via a malware element. When a user logs in to an account or enters into a transaction, the malware “hijacks” the session and takes malicious actions after the user legitimately establishes the required credentials. Hijacking a session can be done on a local computer through malware, or it can be accomplished from a remote location as part of a “man-in-the-middle” attack.201
10 System Reconfiguration Attacks
In these kinds of attacks, the settings on a victim’s computer are changed so that information can be compromised. One way to accomplish this is to alter the user’s DNS services so that faulty DNS data is provided to users. Another kind of system reconfiguration attack installs a web proxy through which user traffic passes. This is also a type of “man-in-the-middle” attack.202
F Hacking and Cracking
Hacking is defined as getting illegal access to a computer system. It is one of the oldest computer-related crimes, and it is frequently used by modern-day identity thieves. Offenders increasingly focus on hacking into the computer systems of everyday users, instead of targeting large organizations such as NASA as they did in the past. Once identity criminals have access to a system, they can easily obtain any identity-related information residing on it. They can also target large systems that host databases filled with identity-related content. The term “hacking” is used to describe the unlawful access to a computer system.203 Cracking is the term used to describe the exploitation of the security vulnerabilities of a computer system.
Exploiting known security flaws has often been the focus of identity thieves who attack Microsoft’s Windows software.
200 Id. at 7.
201 Emigh, supra note 299, at 9.
202 Id. at 10.
203 Gercke, supra note 121, at 14.
Using discovered security holes, offenders can send corrupt data and relevant instructions to the software program running on the target computer. The corrupt software confuses the machine, and then it will begin to execute the instructions sent by the attacker. The goal of this method is usually the installation of a Trojan horse application, which opens a way into the system through a “backdoor.” This allows a connection to be made to the target computer system without detection, and identity thieves can collect personal data without the knowledge of the victim. This method differs from spyware in that spyware runs automatically. Canadian banks have often been the targets of crackers. Between 2005 and 2006, 78 percent of Canadian firms responding to a survey said they had experienced some type of external security breach during the past year.204
G Online Searching and Search Hacking
Identity thieves have found that a significant amount of personal data can be discovered by using search engines to examine legitimate websites. Using common search engines like Google, superpage websites, and genealogy sites (which include considerable information of use to an identity thief, including death records and even social security numbers), offenders can find what they need to commit their crimes. Some public sites and databases contain court records and background searches. For US $200, sites like DocuSearch.com will provide anyone with detailed personal information about a specific individual.205 Offenders often use the process of “Google hacking” to find “hidden” documents on a website. When a site is not managed or configured appropriately, it leaves its information open to exposure via a search engine. Identity thieves can exploit this weakness to find payroll information and employee files.206 Because of the easy availability of online tutorials on how to find specific information with a search engine, anyone can discover how to find personal information.
The number of identity crimes associated with Google hacking is increasing throughout the world as Internet use expands.207
H Wardriving
Identity thieves take advantage of wireless technology by using the practice known as “wardriving.” Wireless systems allow multiple computers to be
204 CIPPIC, supra note 128, at 17.
205 Id.
206 Id.
207 Id.
connected to a network simultaneously. When wardriving, offenders drive through neighborhoods in order to detect Wi-Fi wireless networks using PDAs and wireless laptop computers and software that can be found on the Internet. Wardrivers look for unsecured networks that they can access. Once they find such a network, identity thieves can use it to access the victim’s computer to obtain passwords, bank account information, or credit card data from files that are stored on the computers connected to the network. An active underground of “wardrivers” provides help to its members by marking specific buildings to note vulnerable locations.208 Not all wardrivers are identity criminals, however. The practice is also performed by some computer users as a hobby or just to obtain free access to the Internet. Some wardrivers even provide warnings to the owners of vulnerable networks.209 An identity thief named Brian Salcedo attempted to obtain credit card information by accessing the central database of Lowe’s home improvement stores in Southfield, Michigan via an unsecured Wi-Fi connection at one of its locations. He and his partner could access all of the networks of other Lowe’s stores in this way, and Salcedo altered a program that handled credit card transactions by configuring it to store card data in a place where he could retrieve it later. Salcedo was sentenced to nine years in prison for his part in the crime.210 The United States Department of Justice brought charges against 11 people in 2008 who had allegedly obtained identity data via wireless networks from nine major retailers in the U.S. The crime resulted in the theft and sale of over 40 million credit and debit card numbers. The perpetrators obtained tens of millions of dollars from the plan, which involved individuals in the U.S., Estonia, Ukraine, China, and Belarus. The crime was characterized as the biggest and most complicated identity crime case in the U.S.
The identity thieves used wardriving to commit their crime.211
I Identity Theft via Social Networks
Identity thieves are also taking advantage of the growth of social networking to avail themselves of personal information. Social networking websites are based on user-generated content, including personal details about the users.
208 Id. at 18.
209 Id.
210 Id.
211 Internet Law – Identity Theft from Wireless Networks, Internet Business Law Services, http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=2177 (last visited Feb. 10, 2012).
Sites like Facebook and MySpace allow users to provide information about themselves and to communicate personal details to others on the network. This information includes names, birthdates, and sexual interests. By accessing social networks, identity thieves can access a wealth of identity-related data that was provided voluntarily.212
3.6.8 Buying Identity Information and Documents
It is sometimes easier for identity criminals to simply purchase the personal information they need to commit their fraud than to set up their own theft operations. Stolen identity information can be purchased on the street for as little as $25.213 False identification documents can be bought for as little as $50.214 Counterfeit birth certificates, visas, and passports are also available for purchase. The United States Immigration and Naturalization Service discovered more than 100,000 fraudulent entry permits, visas, alien registration cards, and passports in 2001 alone.215 Personal information can be easily acquired through so-called “carder networks,” or other underground organizations that specialize in the trafficking of sensitive data.216 This information is usually the result of insider theft or illicit and remote exploitation of weaknesses in large computer databases. One very large network was uncovered by the United States Department of Justice’s Criminal Division Computer Crime and Intellectual Property Section in 2003 and 2000.217 In Alberta, Canada, an identity thief sold debit and credit card information collected via skimming to an acquaintance for $100 per card, with a profit totaling more than $117,000 before his apprehension by law enforcement authorities.
3.6.9 Reusing Old Victims’ Information
Identity criminals are able to continue the recycling of victim information stolen in the past, reusing old data to get credit cards or loans in the victim’s name.
The same victim whose credit rating was ruined due to the original identity theft can be exploited again in the future, when it is likely he or she has cleared up the credit file and has good credit once again. Identity thieves can also sell old information to others who want it in order to commit other types of
212 Gercke, supra note 121, at 16.
213 Newman & McNally, supra note 186, at 44.
214 Id.
215 Id.
216 CIPPIC, supra note 128, at 13.
217 Id.
identity crimes.218 For example, a victim can spend months cleaning his credit reports after being accessed by an identity thief, but another criminal can then use the same information all over again and apply for more credit cards or use it to commit additional crimes.
3.6.10 Conclusion
It is apparent that consumers have control over most of the points at which personal information may be compromised by identity thieves. They have the best understanding of their own financial assets and activities, so they can detect fraud sooner than law enforcement in many cases. If given the right tools, consumers can take appropriate preventive actions and have a major impact on the number and costs of identity-related fraud cases. And contrary to common wisdom, consumers view themselves as being primarily responsible for the security of their financial assets. They simply need information about how to protect them. Organizations can provide tools to help consumers protect their sensitive identity information at home and in the workplace.219
Some experts have said that attempting to find identity criminals is not the most effective way to secure Internet transactions. They say that the masterminds of identity-related crimes are very hard to apprehend and that significant arrests in the field are rare. Other experts note that detecting and catching identity criminals has a significant deterrent effect.220 In March 2010, authorities in Spain arrested three men in connection with a botnet comprising almost 13 million computers. The network was said to be one of the world’s largest. It was called Mariposa (which means “butterfly” in Spanish) and was utilized to steal personal and financial information from individuals in 190 countries.
While some observers view these arrests as an indication that law enforcement is getting better at tracking these criminals, other cybersecurity experts criticized the activities as a waste of time.221 The men arrested were probably middlemen and not the masterminds, they said. And implementing a botnet like Mariposa does not require a high level of technological skill. All the necessary software can be downloaded from the Internet. The individuals who actually write the programs that are key to cybercrimes are almost impossible to find and prosecute because of both technological and legal factors, according to Marty Lindner, principal engineer with
218 Digital Transactions: Trends in the Electronic Exchange of Values, supra note 209.
219 Johannes, supra note 188, at 5.
220 John D. Sutter, Is Chasing Cybercrooks Worth It?, CNN Tech (May 5, 2009, 10:09 AM), http://www.cnn.com/2010/TECH/03/05/cyberattack.prosecute/index.html?hpt=C2.
221 Id.
Carnegie Mellon University’s Computer Emergency Response Team. It is also unclear whether the writing of malicious computer code constitutes a crime. Lindner noted that the United States does not have jurisdiction over the whole planet, so even if an author was found, there may not be legal authority to prosecute him or her. Botnets move from computer to computer automatically with no need for human intervention, which is another reason it is difficult to track down the instigators of the malicious software.222
Identity theft using computer technology continues to grow. According to Symantec, 2.9 million individual viruses made an appearance in a fifteen-month period, more than in the immediately preceding eighteen years. The Internet Crime Complaint Center in the U.S. received 275,284 complaints related to cybercrimes in 2008, an increase of 33 percent from 2007.223 Many researchers are focusing their attention on creating new technologies to address the problem and putting more energy toward consumer education efforts at prevention. Symantec is investigating a new way to implement virus protection that searches for malicious files on the basis of their reputation and behavior online. Researchers at Georgia Tech are using remote monitoring for computers to make sure users have up-to-date anti-virus software that can protect them against attacks.224 There is agreement on the fact that consumers can do more to protect themselves from cybercrimes, however. User education programs are key to identity crime prevention.
3.7 Producing and Manipulating Identity Information and Documents
Identity thieves are creative in producing various kinds of information and documents. The information can be the genuine property of a victim, or it can be false, manufactured information. This section discusses how various identities are classified and presents examples of each classification.
3.7.1 True Identity and False Identity Crime
When identity thieves use information linked to an actual person, it is known as true identity crime. When they create a new identity by combining real and false information (hybrid identity crime) or completely false information (synthetic identity crime), it is known as false identity crime.
222 Id.
223 Id.
224 Id.
A True Identity Crime
An identity thief may simply take the actual name, address, bank account, or credit card numbers, etc., from a real person and then use that information to impersonate that individual in various transactions. For example, an identity criminal could use a stolen credit card to charge items on that card to the person who is the legitimate owner of the card, leaving that person with the responsibility for paying the bill. A real consumer’s personally identifying information is used without any modification. The thief has essentially pretended to be the person whose name is being used. In other words, true identity fraud represents crime linked to actual consumers.225 Since any charges made or new accounts opened actually use a consumer’s real identifying information, proof of the crime is likely to appear on that consumer’s credit report. However, the consumer will experience damages relating to the crime in that they are responsible for any charges made or loans taken out in their names, with related harm to their credit history.
B False Identity Crime
There are two types of false identity crime that must be distinguished: synthetic identity crime and hybrid identity crime. Synthetic identity crime is sometimes referred to in other literature as fictitious or fabricated identity crime, but those terms are eschewed here in favor of the more common term: synthetic identity crime. In a synthetic identity crime, a criminal will create information that is not real in any respect. He might create a totally false name, social security number, and birthdate; this would create a synthetic identity because none of the information belongs to a real person. In a hybrid identity crime, however, the criminal would combine some false information with some real information. Since this type of crime partially resembles a true identity crime (see Section 4.8.1 a.)
and partially resembles a synthetic identity crime, it is referred to as a hybrid identity crime. In a typical hybrid identity crime, the criminal might combine a real social security number with a name that is not associated with that number. This type of identity crime is difficult to detect because nothing shows up on a consumer credit report due to the fact that the information does not provide an exact match to any single consumer.226 There might also be a considerable effect on a consumer in a hybrid identity crime since once the crime is detected, the information that is real might naturally
225 Leslie McFadden, Detecting Synthetic Identity Fraud, Bankrate.com (May 16, 2007), http://www.bankrate.com/brm/news/pf/identity_theft_20070516_a1.asp?s=1#tab.
226 Id.
lead investigators to be suspicious of the person owning the real identity information. So, for example, a criminal who files a false income tax return using real information belonging to a taxpayer, then receives an unwarranted refund based on that information, might lead to serious trouble for a taxpayer seeking to prove his innocence when the error is later discussed by tax officials. Synthetic identity crimes, on the other hand, have little effect on individuals because the information created is not real in any respect; the real victims are businesses, governments, or other entities that suffer loss. In 2005, hybrid identity crimes accounted for only 11.7 percent of all identity crime. Comparatively, synthetic identity crime represented 73.8 percent of the total monetary losses faced by consumer industries in the United States in that year. The average costs of synthetic identity crime to individuals were less than the average paid in true identity crime, however.227 Far beyond 2005, consumers are still affected by hybrid identity crime, since creditors pass on the costs of the crime via higher interest rates and fees. In some cases, debt collectors ignore a false name and pursue the person whose social security number is listed. Collectors can search databases using just the social security number and find the current address for an individual associated with a particular number. This means that innocent consumers could be contacted by debt collectors. Additionally, the use of hybrid identities leads to variations in files and creates sub-files at credit bureaus. A sub-file holds additional information about a credit report that is linked to a real social security number but with someone else’s name. Since the information includes real information connected to an actual consumer, the sub-file and any negative information in it also becomes associated with that consumer.
This ultimately damages the consumer’s credit history.228 Identity criminals tend to use female names more frequently when committing synthetic identity fraud, with 62 percent of such crimes in 2005 committed using female names. Another common practice among synthetic identity criminals is known as “tumbling,” in which a social security number is manipulated repeatedly across several account applications; a single number may be “tumbled” many, many times.229 Organized crime rings commonly use false identities in order to participate in activities that require hiding an individual criminal’s true identity. These
227 ID Analytics, National Fraud Ring Analysis 2 (Feb. 2005), available at http://www.idanalytics.com/assets/pdf/National_Fraud_Ring_Analysis_Overview.pdf.
228 McFadden, supra note 348.
229 ID Analytics, supra note 350.
crimes may involve general fraud, financial crime, illegally obtaining employment, protecting assets from being confiscated, or smuggling drugs or people. Criminal gangs also use false travel documents to facilitate their movements across borders, as in the case of terrorists. In addition to creating false documents to support the fake identity of a human being, criminals may create documents to support other kinds of misrepresentation, such as providing false information about a company or a business transaction. To create a false identity, identity criminals either modify some part of their own identity, create a separate and completely false identity, or steal the identity of another person, regardless of whether that person is alive or dead.230 Identity criminals can manufacture the documents they need to support a false identity, including utility bills or bank statements. Many false documents can be created on personal computers, but others require the expertise of specialists, such as those who can create more sophisticated documents like biometric passports. These specialists require certain equipment and materials to manufacture the false document items; while most so-called “forgery factories” are located in private homes, they are capable of providing large quantities of fake documents to support identity crimes. Because of the increased utilization of security features like holograms or computer chip technology in documents used for identification, there is a growing demand for genuine documents obtained through theft.231 Moreover, false travel documents destined for use at border control points must be high-quality forgeries or genuine documents that have been altered in order to pass official scrutiny. Forgers can ask very high prices for such documents. 
Fake documents of lower quality are less expensive, but often are insufficient to get through the border controls.232
3.7.2 Document Fraud around the World
A United States
In the United States, document fraud refers to the manufacture, sale, or use of counterfeit identity documents, including fake social security cards, passports, and drivers’ licenses for the purpose of criminal activity, such as immigration fraud. Document fraud also refers to any effort to obtain genuine identity documentation through fraudulent methods. Document fraud has helped terrorists and other criminals in avoiding detection and allowed them to move easily
230 Identity Crime, Serious Organized Crime Agency, http://www.soca.gov.uk/threats/identity-crime (last visited Feb. 10, 2012).
231 Id.
232 Identity Crime, supra note 353.
within a society and across borders. The case of the 9/11 hijackers provides an example of how dangerous this type of fraud can be. Seven of the hijackers had genuine identity documents from Virginia, which they obtained by submitting false state residency certificates. These documents allowed them to get through security at airports and board the aircraft used in the attacks.233 The United States Immigration and Customs Enforcement (ICE) agency heads task forces in ten cities designed to combat the increasing problem of document fraud and immigration benefit fraud. The Document and Benefit Fraud Task Forces were jointly created by authorities at the Homeland Security Department, Justice Department, Labor Department, Department of State and other federal, state, and local government agencies. The task forces seek to develop a comprehensive effort to find the criminals perpetrating these frauds and the individuals who benefit from them.234
B Canada
In Canada, identity criminals have used stolen identities to establish businesses that commit fraud associated with the GST or to file false income tax returns. Filing false individual income tax returns using fake documentation and data to get refunds and/or GST credits has become a problem as well. In some cases, the preparers of income tax returns inflate the refunds claimed on client returns and pocket the difference, or they may file false returns under old client information and keep the illegitimate returns.235
C Mexico
Identity criminals in Mexico create false official documents using information obtained from third parties and photos to create an official identity for a “business.” They then open a bank account, develop contracts, and print invoices for the fake business. Offenders operate the business under false names and do not report the resulting income, disappearing without paying taxes. In some cases, the fake business is used to launder money obtained from illicit activities.
When Mexican tax authorities discover the non-payment of taxes, an investigation targets the original and legitimate owner of the identity that was stolen, who has no idea that the crime has been committed. It is difficult to
233 See Expert: Hijackers likely skilled with fake IDs, cnn.com (Sept. 21, 2001), http://articles.cnn.com/2001-09-21/us/inv.id.theft_1_hijackers-identity-theft-social-security-numbers?_s=PM:US.
234 Id.
235 Tax Evasion and Money Laundering Vulnerabilities, supra note 157.
identify the real offenders in such cases, and the crime has a real impact on the efficiency and cost of the country’s Ministry of Finance and Public Credit.236
D China
Document experts report that it is relatively easy to find forged documents of many kinds in China’s expanding market for fraudulent papers, and it is difficult to screen documents for authenticity in China due to “widespread fraud.” A United States consular official said that no personal documents in China should be trusted; it should be assumed that they are fakes unless there is proof to the contrary, and that verifying such documents in China is time-consuming and labor-intensive. It is also easy to purchase any type of document desired in the expanding market for fraudulent papers.237 It has been suggested that criminal gangs in China and South Asia are key to the human smuggling industry, providing false documents to this market. Typically, Chinese immigrants travel to Thailand as tourists under legitimate passports, and then receive forged identity documents in Bangkok. The altered documents usually allege citizenship in Singapore or Japan.238 In 2007, Chinese nationals who sought entry to the United States generally used fake Taiwanese passports. In 2009, more than 50 Chinese nationals associated with a gang of immigration criminals in Spain were charged with aiding in the illegal entry of Chinese citizens who were provided with false identity documents.239
3.7.3 Counterfeiting Documents: Illustrative Cases
A Production of Fake Identity Documents in U.S.
Two men were arraigned in Fresno, California in March 2010 on charges related to an investigation by the U.S. Immigration and Customs Enforcement that alleged they were producing and selling counterfeit identity documents.
Oscar David Vasquez and Daniel Aquino-Perez, both Mexican nationals and illegal aliens, allegedly offered potential buyers counterfeited immigration and identity documents, including “green cards” (alien registration receipt cards) and social security cards. The men would then photograph the buyers and get
236 Id.
237 Immigration and Refugee Board of Canada, China: The Manufacture, Procurement, Distribution and use of Fraudulent Documents, Including Passports, “Hukou”, resident identity cards and summonses in Guangdong and Fujian in particular (2005 – May 2009) (24 June 2009), available at http://www.unhcr.org/refworld/docid/4a7040b72.html.
238 Id.
239 Id.
personal information from them, produce the fake documents in their home, and then deliver them to the buyers. According to Paul Leonardi, the agent in charge of ICE’s investigations office in Fresno, the criminals were putting the country at risk, since the documents could be used by dangerous criminals and others who want to hide their true identities.240
B Bribery in China
A common means of obtaining fraudulent documents in China is to bribe government officials to provide an authentic document to those who do not meet the criteria for obtaining it legitimately. In 2009, two employees at the labor and security bureau of Beijing produced false documents for 26 people, which allowed them to receive city residence permits.241
C False Degree Certificates in China
The center of mainland China’s fake university degree industry is Shenzhen. According to the South China Morning Post, fraudulent degrees can be obtained over the Internet, and a local printer has claimed sales of false degrees totaling 1,500 in 2007.242 The lack of a trustworthy verification system to ensure the legitimacy of university degrees coupled with few penalties for those who produce false documents have been cited as reasons for the high rate of fraudulent degrees in China. China’s Higher-Education Student Information Center is responsible for verifying the authenticity of degree certificates via a database that includes student identification information and serial numbers of certificates.243
D Prevalence of False Documents in Nepal
Canadian officials with experience in Nepal report that an individual can obtain any type of Nepalese document through fraud, including forgeries or totally counterfeited documents such as drivers’ licenses, passports, and company identification papers. With these documents, individuals can travel to other nations easily and obtain additional false documentation to continue their
240 2 Central California Men Charged with Producing Fake Identity Documents, U.S. Immigration & Customs Enforcement (Mar. 4, 2010), http://www.ice.gov/news/releases/1003/100304fresno.htm.
241 Immigration and Refugee Board of Canada, supra note 360.
242 Response to Information Request (RIRs), (CHN103134.E June 24, 2009), Immigration & Refugee Board of Canada, http://www.irb-cisr.gc.ca:8080/RIR_RDI/RIR_RDI.aspx?l=e&id=452430 (quoting South China Morning Post (H.K.), June 14, 2007).
243 Immigration and Refugee Board of Canada, supra note 360.
journeys to other parts of the world. It is common for government employees to play a role in the provision and distribution of counterfeit identity documents in Nepal. There were 338 finalized, registered, public corruption cases occurring between 2003 and 2006, with charges ranging from provision of fake certificates, passports, vehicle registrations, bribery, and obtaining property through illegal means. During the same period, 233 individuals entered public service using false certificates.244 In 2008, an investigation into the Bagmati Zonal Transportation Management Office found irregularities in the distribution of drivers’ licenses that involved police officers, doctors, and other officials, which relied on false documentation. Also in 2008, the District Administrative Office in Bardiya, Western Nepal, discovered that 18 citizenship certificates had been issued to non-Nepalese people by mobile government teams on the basis of fake identity documents. Nepalese officials also arrested seven members of a criminal gang responsible for the extortion of 1.5 million rupees (US$20,920.50) from 33 businessmen and financial organizations through a scam that required these individuals to deposit funds into fake bank accounts, which were created using false identity cards.245
E Large Counterfeit Operation in Mexico and U.S.
Pedro Castorena-Ibarra, 46, was sentenced to prison in a Denver, Colorado court on charges of conspiracy to commit money laundering. The sentence followed his admission that he operated a huge counterfeit identity document manufacture and sales operation in seven American cities. Over three million fake documents were seized during the investigation of the case by the U.S. Immigration and Customs Enforcement agency. The documents had a street value of over $20 million.246 Pedro Castorena-Ibarra belonged to the Castorena Family Organization (CFO), a very large organized crime family that has over 100 key members responsible for cells in the U.S.
comprising ten to twenty individuals.247 The CFO has been linked to manufacturing and distributing high-quality identity documents, including fake birth certificates, marriage licenses, social security cards,
244 Id.
245 Id.
246 Associated Press, Mexico man sentenced to 57 months for role in massive counterfeit identity organization, The Gaea Times (Sept. 17, 2009), http://blog.taragana.com/law/2009/09/17/mexico-man-sentenced-to-57-months-for-role-in-massive-counterfeit-identity-organization-12652/.
247 The Castorena Family Criminal Organization, Illegal Aliens U.S., http://www.illegalaliens.us/castorena_family_criminal_organi.htm (last visited Feb. 10, 2012).
work authorization documents, vehicle proof-of-insurance cards, and utility bills, among others. The gang started out in Los Angeles, California in the 1980s by making and selling fake alien registration and social security cards. In the 1990s, American Express Corporation attributed over $2 million in losses to false documents traced to the CFO.248 The CFO is very well organized, requiring vendors of their counterfeit documents to keep schedules of types of documents and the time they are sold. The organization charges vendors a fee as high as $15,000 per month to operate in a city.249
F Fraudulent Documents in Maryland
In 2008, Ramon “Gonzo” Landeros-Hernandez, 23, a Mexican citizen in the United States illegally, was sentenced to prison for creating and distributing fraudulent identification documents at a rate of dozens per week. He was responsible for hundreds of sets of fake documents produced and sold in the Baltimore and Washington D.C. areas for several years. These sets of documents included a false social security card, fake resident alien card, and on some occasions, a driver’s license. The document sets were sold for between $80 and $150, typically to illegal aliens. Customers sometimes provided the social security numbers, and sometimes, the numbers were randomly chosen; some were linked to real individuals. The offender created the false documents in his home with a computer, printer, and copier.250
3.8 Transfer – Identity Trafficking
3.8.1 Introduction
Identity thieves frequently sell the information they steal to identity crime rings and other dealers involved with selling and reselling the data, or they may manufacture and sell false government documents like passports or state identification cards to individuals. The identity information from a single individual may be sold to many different people through underground identity “markets.”
248 Id.
249 Id.
250 Press Release, U.S. District Attorney’s Office for the District of Maryland, Illegal Alien Who Produced and Distributed Forged Identity Documents Sentenced to Over 4 Years in Federal Prison (Oct. 20, 2008), available at http://www.justice.gov/usao/md/Public-Affairs/press_releases/press08/IllegalAlienWhoProducedandDistributedForgedIdentityDocumentsSentencedtoover4Years.html.
Investigators have found that drug users, traffickers, and distributors are often connected to identity crime activities, particularly those who deal in methamphetamines. These individuals may need to use false identities to obtain the money required to buy their drugs, or they may steal identity information and sell it to brokers that re-sell to other criminals. Drug dealers have been known to use stolen identities to launder their illicit income or to buy the restricted chemicals needed to manufacture drugs. Stolen identity information may also be used by individuals associated with the drug trade to avoid deportation, imprisonment, or other contact with law enforcement authorities.251 In the United States, the large number of illegal immigrants provides a major market for identity thieves, including organized crime rings such as the Russian or Italian mafias that engage in distribution and sale of identity information and false identity documentation. Illegal immigrants are especially interested in getting social security cards, which help them get jobs, medical care, housing, utilities, and benefits from the government.252
3.8.2 Examples of Identity Trafficking
A Stolen Identities from School
Thousands of schoolchildren, teachers, and school administrators in Puerto Rico may have been the victims of identity crime. The Federal Bureau of Investigation (FBI) in the United States has charged the members of an identity crime ring with social security fraud, identity theft, and aggravated identity theft for selling stolen identity documents to illegal immigrants in the U.S. According to the FBI, search warrants turned up more than 5,000 different kinds of identification documents, both original documents and copies. The theft ring sold the documents as sets, with a social security card and original birth certificate selling for $150 or more, and copies selling for $40 and above.
The information was obtained from burglaries of some 50 public schools in Puerto Rico in 2007. During the burglaries, the thieves took the personal files of students, teachers, and administrators. Because many of the victims were children, the identity theft is difficult to discover. The FBI found that the criminals sold their illicit products to buyers in Texas, Alaska, and California.253
251 Joe Campana, Identity Theft 101: What is an Identity Thief?, Examiner.com (July 19, 2009) https://web.archive.org/web/20121014053305/http://www.examiner.com/article/identity-theft-101-what-is-an-identity-thief.
252 Id.
253 Mayra Cuevas Nazario, FBI: Thousands of Puerto Ricans Victims of ID Theft, cnn.com/world (Apr. 1, 2009), http://www.cnn.com/2009/WORLD/americas/04/01/puerto.rico.theft/index.html#cnnSTCText.
B Stolen Information for Sale Online
It is possible to purchase stolen identity information over the Internet at shockingly low costs, according to Symantec, the Internet security company, which discovered the sales when conducting an analysis of Internet traffic and e-mail over a six-month period in 2007.254 The report suggests that selling such information is a professional business, with organized crime gangs worldwide using technological expertise to launch profitable cyber-attacks to get identity information, but also to provide the tools and opportunities for other criminals to become involved in the activity without having sophisticated knowledge of computer code. For example, beginning identity criminals can purchase a toolkit for $50 that will allow them to begin their own identity fraud operations by creating a fake website and sending targeted e-mails. According to Symantec, the three most commonly used phishing kits accounted for 42 percent of all the phishing attacks discovered in the first six months of 2007.255 Online identity auctions are also available. In these auctions, stolen identity information is bought and sold, including social security numbers and credit card data. The United States was host to 64 percent of these auctions in the first half of 2007, according to Symantec, with Germany and Sweden next in line. Credit cards are the most popular item traded in these black market auctions. The price of stolen identity information is surprisingly cheap, as seen below:256
Item                        Price
Credit Cards                $0.50
Proxies                     $0.50
Email Passwords             $1.00
Compromised Unix Shells     $2.00
Email Addresses             $2.00/MB
Social Security Numbers     $5.00
Mailers                     $8.00
Full Identity               $10.00
Scams                       $10.00/week
Bank Accounts               $30.00
254 Davey Winder, Online Identity Auction Selling Credit Cards for Half a Dollar, Daniweb.com (Sept. 17, 2007, 6:37 PM), http://www.daniweb.com/news/post1103582.html.
255 Id.
256 Id.
C Cyber Crime Online
While popular Internet shopping sites like Amazon.com and PayPal are known for their efforts to keep customers’ personal identity information safe, other sites, including Facebook, MySpace, and Twitter are more easily compromised by hackers. For example, identity thieves are selling hacked Twitter passwords and accounts for as much as $1,000 online. These accounts can be used by identity thieves to infect other computers to steal even more personal information by installing malware.257 Online forums and social networks are not secure, and identity thieves are exploiting this weakness to gain access to personal data by sending e-mails pretending to be someone’s online friend. Online identity theft is a sophisticated and lucrative criminal enterprise, and it is very difficult to discover and stop.
D Online Marketplaces for Stolen Information
Around 1999, identity criminals had several websites at which they could buy, sell, trade, and learn about getting false identities. Counterfeit Library was a British site that featured “novelty” identity documents. These were high-quality fakes, complete with holograms and magnetic strips, for sale for $150. Any type of identity document was available, including military, Secret Service, FBI, or other federal employee IDs. Entire “rebirth packages” were also available; these included a fake birth certificate, driver’s license, passport, social security card, an employee badge, and utility bills to provide proof of residency. Other websites designed to facilitate identity crime included PhantomInfo, which provided computer code that allowed the user to hack into the system of ChoicePoint, a data broker, and for $29 per month, send an unlimited number of e-mails asking for names of people whose identity the offender wanted to steal.
The program searched the database at ChoicePoint and returned a current address and social security number for each name requested.258 These websites opened up a new vista for white-collar criminals and created a worldwide market for the purchase and sale of large amounts of stolen identity information. Criminals began to specialize, and identity thieves based in Eastern Europe, particularly Russia, Romania, and Ukraine, became the source of Internet crime. Organized gangs from these areas were skilled in developing and launching cyber-attacks against bank card systems. The Russians began to manufacture credit cards and put stolen information on them. In 2001, the offenders from Eastern Europe created CarderPlanet, an online carding and money-laundering site that became the standard for all other carding sites to follow. The organizers of the site paid hackers $1,000 per day to hack into the databases of credit card firms and banks to steal account numbers. These numbers were then sold in blocks of 100 to buyers online. CarderPlanet also provided tutorials and message boards on which identity thieves could share their knowledge and experience. The success of CarderPlanet in Eastern Europe led to the creation of ShadowCrew and TheGrifters, similar sites based in the United States.259

257 Garrett Godwin, 2010 FTC Identity Theft Statistics, Examiner.com (Mar. 5, 2010), http://www.examiner.com/x-15313-Detroit-Pop-Culture-Examiner~y2010m3d5-2010-FTC-Identity-Theft-Statistics.
258 Kim Zetter, Tightening the Net on Cybercrime, Wired.com (Jan. 1, 2007), http://www.wired.com/politics/onlinerights/news/2007/01/72581.

E Social Security Number Stolen via Online Forum

Most identity crime involves credit cards. In 2009, Denise Richardson of Florida received two credit card bills that did not result from charges she made. Instead, a thief was using her card to pay for cable television and to open another account using her personal data and social security number. She had to spend hours to clarify the situation, but the damage to her identity was already done. Once a social security number has been compromised through an online forum or other source, it cannot be taken back or replaced. Law enforcement does not have the resources to find the criminal users.260 A consumer advocate for 15 years, Denise is also the author of the book, Give Me Back My Credit, and according to Denise, there are over 10,000 underground chat rooms where identity thieves sell the information.
Despite the vigilance and monitoring of law enforcement, identity crime isn’t like any other high-profile crime.261

259 Id.
260 Godwin, supra note 380.
261 Id.

F Leader of Internet Carding Site Arrested in UK

A former delivery man for Pizza Hut helped to operate one of the largest English-language criminal Internet sites. The site, DarkMarket, was actually operated by the FBI as a global market for over 2,000 computer hackers, carders, and identity thieves until it closed in 2008. Members of the site bought and sold stolen bank card and identity information, as well as equipment for obtaining the card and account personal identification (PIN) numbers and for cloning blank cards. The fraud associated with the site totaled in the tens of millions of dollars. Upon his arrest, police found over 2,000 bank cards at the home of Renukanth Subramaniam, 33, a British citizen born in Sri Lanka.262

The members of DarkMarket learned from each other how to commit online bank and brokerage fraud by hacking into websites and by installing devices on ATMs that would allow them to get bank card numbers and PINs. The data from the magnetic strips on bank cards sold for $50 for a batch of ten cards; gold and platinum cards went for $80 each, and corporate cards sold for $180 apiece. A package of stolen identity information that included the name, account number, social security number, and other data required to take over the bank account of an existing customer sold for $150 for an account with a $10,000 balance and $300 for an account with a $20,000 balance.263

G Organized Crime and Online Identity Crime

While Arizona is a major site of identity crime in the United States, the “business” of identity crime has increasingly become a territory dominated by international crime syndicates. Arizona was a natural location for thieves, due to its transient population and border with Mexico, but in 2002, the creation of the website called Shadowcrew changed the identity crime market. This auction site sold stolen identity and financial information to the highest bidder and is responsible for the development of “phishing,” a technique that uses e-mails purporting to be from legitimate companies to lure victims into providing personal identity information to fraudsters. According to the FBI, the operators of this site, which had almost 4,000 members, stole over $4.3 million between 2003 and 2005.
Because the Internet eliminated physical boundaries, a new industry of cybercrime was created.264 Since then, crime syndicates in Russia, China, Asia, and Brazil have used stolen identity data obtained from thieves based in Arizona and other states to conduct online extortion and to make fraudulent purchases. The crime syndicates have gone beyond simple identity theft to pursue 1920s-style extortion and protection rackets. For example, a company was hacked by a Russian crime ring, which then held the personal identity data of its clients for ransom; if the ransom was paid, the information would be returned.265 Cuban nationals arrested in Florida had over 200,000 credit card accounts under their control, and fraudulent charges totaling more than $75 million. These criminals used online bank accounts to buy stolen identities at an auction website operated from Eastern Europe.

In 2006, criminal hackers were responsible for 315 security breaches that affected nearly 20 million people in the United States, according to the Identity Theft Resource Center. Twenty-nine percent of the breaches happened at military and government agencies, 22 percent at general businesses, 13 percent at health care firms, and 8 percent in the banking and financial services sector.266

262 Kim Zetter, DarkMarket Ringleader Pleads Guilty in London, Wired.com (Jan. 21, 2010), http://www.wired.com/threatlevel/2010/01/jilsi-pleads-guilty/.
263 Id.
264 Shaun Rogers, Testimonies: Identity Theft Horror Stories, Helium.com (Sept. 1, 2007), http://www.helium.com/items/570041-testimonies-identity-theft-horror-stories.

3.9 Possession
Many countries and most U.S. states have laws against possessing and/or using the identity of other individuals. In most cases, these laws make it illegal to possess any devices designed to produce false identity documents or to manipulate identity information on existing documents. Charges under state law include trafficking in stolen identities (Alabama), criminal impersonation (Alaska), possession of burglar’s tools or instruments facilitating theft (Delaware), financial identity fraud (Georgia), “fraudulent use of a financial transaction card or number or criminal possession of financial transaction card, financial transaction number and FTC forgery device” (Idaho), vital records identity fraud (Kansas), improperly obtaining identity information (Washington), and unauthorized use of personal identifying information (Wyoming).267 Other jurisdictions have similar laws.

Possession is perhaps the most important of the five components of identity crime because there is an element of possession in all of the other four components, thus prosecutors can generally charge criminals with possession of false or identity information even if acquisition, trafficking, production and use are difficult to prove.

In 2008, Australia passed legislation that made it illegal for a person to possess equipment capable of being used to manufacture identity documents with the intent to commit a crime. The law imposes a maximum penalty of three years in prison for the offense.268 In order to obtain a conviction, law enforcement must prove that an individual possessed such equipment and was “reckless” in regard to whether it was being used for an illegal purpose. The equipment does not actually have to be used to manufacture fake identity documents for the law to be prosecuted. South Australia’s Criminal Law Consolidation Act includes a separate offense regarding the possession of equipment for making ID information. This law provides for a lesser fault element, and it must be proved that the defendant intended to commit or help in the commission of another crime. There has been significant and ongoing discussion among Australian authorities as to what constituted “equipment” for the purposes of the law, since any computer, printer, or copier could be used to create fake identity documents.

265 Id.
266 Id.
267 Identity Theft State Statutes, National Conference of State Legislatures, http://www.ncsl.org/default.aspx?tabid=12538 (last updated July 23, 2012).

3.10 Use – Criminals’ Goals and the Kinds of Crimes They Commit When Using Acquired Information or Documents
Identity criminals use the information and documents they steal or manufacture in many ways. In most cases, they are simply trying to make money or otherwise enrich themselves. For example, a criminal might be using another person’s name and address to apply for a credit card, without consent, enabling him to use the card to purchase merchandise, obtain a cash advance, or otherwise become financially enriched. But a criminal might use information or documents for purposes other than making money. Thus, a person who has a warrant issued for his arrest may use another person’s information and documents to escape detection and travel freely about the world. A criminal might also combine financial and non-financial goals in a hybrid fashion; thus one might use information to illegally access someone else’s bank account in order to purchase a false passport. Identity criminals can also use stolen or manufactured identity information to commit other crimes, such as money laundering, or to aid with illegal immigration or drug trafficking. In all these cases, one or more of the five components of identity crime (acquisition, possession, transfer/trafficking, production and use of identity information or documents) describe the process by which the criminal pursues his goals.

268 Model Criminal Law Officers’ Committee of the Standing Committee of the Attorneys-General, Final Report: Identity Crime (March 2008), available at http://www.lawlink.nsw.gov.au/lawlink/SCAG/ll_scag.nsf/vwFiles/MCLOC_MCC_Chapter_3_Identity_Crime_-_Final_Report_-_PDF.pdf/$file/MCLOC_MCC_Chapter_3_Identity_Crime_-_Final_Report_-_PDF.pdf.

Understanding the initial purpose or intent of the identity criminal is important because of the different impact a crime may have on a victim. The impact on the victim of an identity crime involving credit card fraud is totally different than the impact on a victim of identity crimes involving employment fraud or medical fraud. It will also affect how the criminal will be prosecuted. For example, in addition to prosecution under U.S. Code §1028, a criminal will also be prosecuted under §1029 if the stolen information is used for credit card fraud.

Identity crimes may have been committed with one intention (for non-financial gain, for example), but also have additional effects. Someone who uses a stolen identity to evade the law may also avoid paying monetary fines or damages. It is important to remember that sensitive identity information does not have to be acquired illegally to be misused. Legally acquired information can be stored and utilized later to commit fraud. Additionally, identity crime can be a multi-cycled crime, as personal information and documents are a commodity that can be recycled over and over again and used for different illegal purposes.

Based on the initial intent and benefits to be gained by a criminal who commits an identity crime, we can categorize the illegal use of identity information and documents into four categories:

a. Financial
b. Non-Financial
c. Hybrid
d. To commit other crimes

Javelin defines identity fraud as the “unauthorized use of a person’s personal information by another to achieve illicit financial gain.” However, this leads to understating the actual incidence of identity crime, since these crimes involve much more than obtaining financial gain. As mentioned above, the initial intent of many identity criminals may have nothing to do with financial gain.
In order to really understand the impact of identity crime, it is critical to understand, and perhaps even standardize, what actually constitutes an identity crime. This is why the Identity Crime Model (IDCM) offered in this chapter represents an important step forward. In the Identity Crime Model, these four actions are classified as “Criminal Gain” and refer to the use of stolen information or documents by a criminal. In this section we will discuss the different uses of true and false identity information and documents to commit one or more of the four kinds of identity crime mentioned above.
3.10.1 Identity-Related Financial Crimes

Financially motivated identity crimes are common.269 In 2009 the FTC found that some 10 million Americans had experienced identity crime, with their personal information used by offenders to open bank, credit card, and/or utility accounts under their name. The estimated loss to the victims totaled nearly $53 billion per year at that time, according to the FTC. The federal agency also found that in more than 25 percent of the reported cases of identity crime, the victims were related to the fraudsters or knew them. Most cases had their origin in the workplace, with about 70 percent of the identity crimes committed by co-workers, employees, or business owners.270

The most common type of identity crime in North America and the United Kingdom is motivated by the desire for financial gain. The clear intent in these crimes is to obtain a financial benefit. This kind of fraud is also called “financial identity fraud” or “economic fraud” and can be divided into that involving access to existing accounts or to the creation of new accounts.271 ID criminals who have a financial motivation to commit an identity crime may decide to use a financial account that already exists, or they may choose to create a new financial account using information gained in an illicit manner. Examples of financially motivated identity crimes include credit card fraud, bank fraud, loan fraud, trade fraud, investment fraud, and government benefit fraud. Within the arena of loan fraud are types of fraud associated with business, personal, student, auto, and real estate loans.

A study from Javelin Strategy indicates that the total yearly number of fraud victims in the United States rose by 12 percent to 11.1 million adults in 2009, with a total fraud amount rising 12.5 percent to $54 billion.272 However, the report also found that the protection efforts implemented by businesses and consumers helped to resolve fraud faster; almost half of all victims filed police reports in 2009. This resulted in the doubling of arrest and conviction rates and the tripling of prosecutions.273 The mean cost per consumer fell to $373 in 2009 from $498 in 2008, and the time to resolve an identity fraud issue decreased from a mean of 30 hours in 2008 to 21 hours in 2009.274

269 According to the United States Federal Trade Commission (FTC), there are four categories of financial identity-related crimes. These categories reflect the current rate of commission of such crimes in the United States. These categories, ranked according to their rate of commission (highest first) are: 1) Existing credit card accounts; 2) Existing non-credit card accounts; 3) New accounts; and 4) Other. See FTC 2009 Data Book, supra note 196.
270 Pam Dixon, The World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (2006), available at http://www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf.
271 Lawson, supra note 164.
272 Robert Vamosi et al., Javelin Strategy & Research, 2010 Identity Fraud Survey Report: Identity Fraud Continues to Rise – New Accounts Fraud Drives Increase; Consumer Costs at an All-Time Low (Feb. 2010), available at https://www.javelinstrategy.com/research/brochures/Brochure-170.

A Identity-Related Credit Card/Payment Card Fraud

Criminals frequently use illegally obtained credit cards or other payment cards to commit identity crimes. The cards used might originate from newly opened card accounts or from existing accounts that already belong to someone. The FTC conducted research between 2006 and 2008 to determine the prevalence of specific categories of identity-related crimes that involved credit or other payment cards. The agency’s findings, while somewhat dated, are nevertheless useful and are summarized below.275

Table 1 Credit card fraud (based on total complaints filed)

                     2006     2007     2008
New Accounts         15.2%    14.1%    12.3%
Existing Account     10.7%     9.3%     8.0%
Unspecified           0.2%     0.2%     0.1%
Total                25%      23%      20%

Source: Federal Trade Commission

1 New Account Fraud

In new account fraud, a criminal opens a new credit card or other payment card account with stolen identity information.276 The number of new credit card accounts opened in this way in 2009 rose by 39 percent over the previous year, with the number of online accounts doubling, and the number of new e-mail payment accounts rising by 12 percent. Identity thieves have also started to take advantage of the popularity of cell phones by opening up new mobile phone accounts. Approximately 29 percent of victims polled by Javelin reported having their personal data used for this purpose.277

273 Id.
274 Javelin Study Finds Identity Fraud Reached New High in 2009, but Consumers are Fighting Back, Javelin Strategy and Research (Feb. 10, 2010), https://www.javelinstrategy.com/news/831/92/Javelin-Study-Finds-Identity-Fraud-Reached-New-High-in-2009-but-Consumers-are-Fighting-Back/d,pressRoomDetail.
275 FTC 2009 Data Book, supra note .
276 Ron Lieber, Heading Off New Account Fraud, New York Times, May 24, 2008, http://www.nytimes.com/2008/05/24/business/yourmoney/24moneyside.html.

a True-Name Fraud in New Accounts
In true-name fraud, an identity criminal uses the personal data of another person to open a new account by which large purchases can be made without any intention of paying off the balance. In these cases, thieves usually alter the billing address so victims remain unaware of account delinquencies until contacted by a credit agency.278 The victim thus suffers significant damage to his or her credit rating. This type of identity crime is difficult to discover and to recover from. According to a report from the Wisconsin Law Journal, there are significant impacts both in terms of the time required to resolve the issue and the financial repercussions of bad credit data. A victim’s credit score immediately drops, and he may have a difficult time getting a mortgage or a vehicle loan or other types of credit as a result.279

True name fraud has the potential to create more financial damage than other types of fraud because the new accounts are issued without the victim’s knowledge. In contrast, when existing accounts are breached, victims generally have some notice via monthly statements. Identity thieves obtain personal information such as name, address, and social security number of their victim, and then use that information to access the victim’s credit record when applying for a new loan. Criminals create access to new credit accounts without the knowledge of the original person; they use unauthorized personal information to create fraudulent accounts that have never been linked to an actual consumer, so the consumer does not receive communications from the account issuer. Identity criminals may create multiple credit accounts using a single victim’s name. Unless the victim discovers the crime early, his or her entire credit history is damaged, not only because of financial loss, but because of poor credit ratings, higher interest rates, and inability to get a new loan.

277 Christina Cheddar Berk, Identity Fraud Rises to New High, CNBC Consumer Nation (Feb. 10, 2010, 6:10 AM), http://www.cnbc.com/id/35205179/Identity_Fraud_Rises_to_New_High.
278 Identity Theft, Lawyer Shop, http://www.lawyershop.com/practice-areas/criminal-law/white-collar-crimes/identity-theft/ (last visited Feb. 11, 2012).
279 True name fraud can cost a consumer their credit score, Credit Loan, http://web.archive.org/web/20100824221132/http://www.creditloan.com/blog/2010/02/26/true-name-fraud-can-cost-a-consumer-their-credit-score/ (last visited Feb. 26, 2010).

According to a report from the Federal Trade Commission in 2003, estimated financial losses associated with new-account fraud totaled $32.9 billion in losses to business and $3.8 billion in losses to consumers during 2002.280 Identity crime associated with the creation of fraudulent new accounts represented about 33 percent of all identity crime victims and 66 percent of the total financial costs. And this type of fraud took longer to discover than existing-account fraud.281 This type of identity crime is potentially more serious than existing account fraud since victims do not know about the fraud until they are contacted by debt collectors or suffer other consequences of a negative credit rating.282

The detection procedures and policies developed for existing-account fraud are useless in discovering new-account fraud. To be effective, detection must focus on verifying identification during the application process. Additionally, consumers need a way to determine that accounts opened with their personal information are actually legitimate accounts that they want.283

b False Identity Fraud in New Accounts
False identity fraud involves the use of real identity information taken from one or more individuals in which that data is combined with fabricated information to create an identity that does not represent a real person or where information does not represent any real person. In most cases, a new credit account associated with the made-up identity is created. In these situations, no consumer or victim exists to report the crime.

A technique that identity criminals use is to take the false information they have constructed and apply for several credit accounts with low credit lines and make payments as required. Over time, the false accounts qualify for larger credit lines. The goal of the criminal is to open as many new accounts as possible with various issuers, use up the lines of credit on these accounts, and then disappear, leaving the creditors with the losses.284 The disappearance of the criminal makes detecting fictitious identity fraud more complex, and it is difficult for lenders to determine whether the accounts were legitimate or not.

280 FTC, Consumer Fraud and Identity Theft Complaint Data 13 (February 2008) [hereinafter “FTC Complaint Data”], available at www.ftc.gov/opa/2008/02/fraud.pdf.
281 Id.
282 The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan 19 (April 2007), available at www.idtheft.gov/reports/StrategicPlan.pdf.
283 FTC Complaint Data, supra note 403, at 13. Id.

2 Identity-Related Existing Accounts Fraud

In existing-account fraud, existing credit or debit cards, or a victim’s account numbers, are stolen and used to purchase goods and services. Criminals use the cards or numbers either to buy things in person or use the card information to conduct transactions on the Internet or over the phone. In these cases, the fraud is typically associated with one card account and only a few transactions before the theft is noticed. Once detected, a new card is issued to the real card owner. One of the most important features of this kind of fraud is that the control of the account stays with the original account owner, who is not assumed to be the thief; the owner continues to receive bills and marketing materials throughout the period in which fraudulent activity occurs.285

Taking over an existing financial account involves taking control of an account without the consent of the actual account holder. To do so, identity criminals must acquire the account number, a social security number, personal identification numbers such as PINs, or personal passwords. In most cases, this information is enough to take over the account. Compared to payment fraud in which the criminal usually limits activity to just a few transactions, taking over an account typically involves the theft of an entire balance in a bank account or a full credit line linked to a card.286

Because valid account owners continue to receive information about their accounts, payment card fraud is relatively easy to detect with the review of monthly statements. This kind of fraud has been common in the industry since its beginning, and consumer protection regulators and technology advances have been successful in flagging suspect accounts.
The technology has even managed to create a decline in the incidence of credit card fraud.287

Identity crimes for the purpose of financial gain are common in the United States and United Kingdom because the credit markets in these countries have matured so that consumers have easy access to credit, and ID criminals can exploit any weaknesses in the credit system.288 The most common crime is unauthorized use of another’s credit card. This crime is often not considered to be “true” identity fraud because it does not involve the actual impersonation of another individual and has limited financial consequences for the victim. However, the crime does cause significant harm to businesses and the overall economic systems of these countries.289

284 Julia S. Cheney, Identity Theft: Do Definitions Still Matter? 9 (Payment Cards Center, Discussion Paper, Aug. 2005), available at http://www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2005/identity-theft-definitions.pdf.
285 Id. at 7.
286 Id. at 8.
287 Id. at 7.

CIFAS, the UK fraud prevention service, reported an increase of 207% in account-takeover fraud in 2008. In account-takeover fraud, an identity criminal illegally accesses and uses a legitimate account taken out by another individual. This fraud is facilitated via e-mail, through a practice known as “phishing,” via telephone scams, or through the interception of credit card statements and other communications. Thieves get personal information from these sources and then “take over” or divert the account to fraudulently obtain goods and services or to conduct other fraudulent transactions.290

The scale of the increase in account takeovers is alarming and indicates that identity criminals are adapting to changing conditions. Fraudsters know about the increasingly stringent criteria for lending and that fraud involving credit applications is likely to fail. Therefore, they have focused on account takeover, with no regard for its impact on victims.291

Existing-account fraud also includes the use of stolen identity data to access accounts with debit cards, online banking, check fraud, or electronic funds transfer. To protect against payment card fraud, authorities usually focus on finding unusual transactions and instituting practices that confirm the validity of these transactions. They then deactivate the card. Additionally, there are several participants in the market who have the ability to detect card fraud.
Consumers can monitor their accounts, financial institutions may use technology to detect potential fraud, and merchants can implement policies designed to authenticate the identity of customers. Combined with legislative efforts, these activities ensure that minimal financial risk is associated with credit card or debit card identity crime.292
288 Lawson, supra note 164.
289 Id. at 11.
290 CIFAS, The Anonymous Attacker: A Special Report on Identity Fraud and Account Takeover (Oct. 2009), available at http://www.cifas.org.uk/secure/contentPORT/uploads/documents/CIFAS%20Reports/The_Anonymous_Attacker_CIFAS_Special_Report_Oct_2009.pdf.
291 Id.
292 Id.
The type of account targeted by identity criminals has an impact on their behavior. For example, if a deposit account is targeted, ID fraudsters use stolen information to access the accounts and either withdraw funds or transfer balances to other accounts that are controlled by the criminals. On the other hand, if a credit account is involved, the goal is to use up the available credit line as quickly as possible and then disappear. One method used by thieves to escape detection in these cases is to ask for a change of address in order to redirect communications from the account provider away from the legitimate consumer’s address to that of the criminal. This gives thieves more time to drain the accounts as well.293 The behavior patterns of identity criminals in account-takeover cases are evolving in response to the fact that more account holders are using the Internet to manage their finances. According to the Pew Internet and American Life Project, about 25 percent of all adults in the U.S. used online banking in 2004, an increase of 47 percent over 2002.294 This means that personal information was transmitted electronically between consumers and their account providers more frequently, and more identity information was stored in electronic format than ever before, providing many additional opportunities for criminals to access the information and impersonate their victims. There are many methods criminals use to benefit from electronic information. One of the most common is “phishing.” Phishing schemes trick people into voluntarily providing personal account and password information to fraudsters. For example, criminals may send out e-mails that appear as if they come from a legitimate banking website. Global losses due to phishing in 2004 were estimated at between $100 million and $400 million.295 Other methods include keystroke-logging and the use of spyware or malicious code surreptitiously installed on an unsuspecting consumer’s computer. 
By understanding these methods, financial service providers can develop ways to prevent or mitigate the damage they cause.

293 Id.
294 Id.
295 Id.

3 Examples of Identity-Related Credit Card/Payment Card Account Fraud

Account card fraud can take many forms and be committed by just one or two offenders in relatively simple crimes or become massive, global frauds impacting millions of victims worldwide. The crimes can be carefully planned group efforts involving sophisticated computer hacking, or they may represent crimes of opportunity committed by individuals. The following examples illustrate the variety of card frauds committed.

a New Account Scams
Authentify, a security company based in Chicago, Illinois, discovered an interesting example of how stolen identity information is used to create fraudulent new accounts. In this scam, Chinese fraudsters used a “botnet,” a network of hijacked personal computers, to apply for cell phone accounts, automobile loans, and credit cards on thousands of web pages. The botnet used names and social security numbers stolen from unsuspecting victims in combination with a mailing address and telephone number that gave access to the accounts to the criminals.296 Cyveillance in Arlington, Virginia, was able to retrieve over 1 million social security numbers stored on computers in Russia, China, and other countries. The firm also discovered more than 2 million compromised web pages that steal information from their visitors. IDology in Atlanta, Georgia, captured an identity criminal who was using the name and social security number of a Georgia woman in an online application for a new credit card, and then used the name of an Ohio woman to apply for credit at another web site.297 David Joe Hernandez returned home from military service to find that he was being sought by collections agents for delinquencies on 20 different credit card accounts. He also discovered that he was linked to a number of felony crimes, including a drug charge that made it difficult for him to get a job. Hernandez was the victim of new account fraud, which is the most difficult kind of identity crime to discover, prosecute, or resolve.298 Because of the Internet, it is impossible to know how an identity thief obtained Hernandez’s Social Security number, since millions of these numbers have been stolen by thieves who hack into computer databases or capture information from personal computers using malicious software. 
Hundreds of bogus e-mail offers lure victims into voluntarily giving up personal information as well.299 Once a social security number has been lost or stolen, the legitimate owner remains at risk forever, since identity criminals use the data over and over.
296 Byron Acohido & Jon Swartz, While He Served Abroad, His Credit Was Under Siege, USA TODAY (June 5, 2007), http://www.usatoday.com/money/perfi/credit/2007-06-04-credit-report_N.htm.
297 Id.
298 Acohido & Swartz, supra note 419.
299 Id.
b Stolen Credit Card Numbers
In a case of identity crime that the U.S. Justice Department has labeled the largest in American history, three men in New Jersey were indicted in the theft of over 130 million credit and debit card numbers. The numbers and other card account information were stolen from Heartland Payment Systems, a credit and debit card processing firm in Princeton, NJ; 7-Eleven Inc., a convenience store chain headquartered in Texas; and Hannaford Brothers Company, a supermarket chain based in Maine. The criminals allegedly exploited weaknesses in the computer networks of these companies to steal credit card numbers and other account data. The information was then sold to others who would use it to make fraudulent purchases and illegal, unauthorized bank withdrawals.300
In another case of credit and debit card theft, three people in the United States and eight others in Estonia, Ukraine, Belarus, and China were charged with stealing over 40 million credit and debit card numbers and accounts by driving through neighborhoods, hacking into wireless networks, and installing software that accessed account details. The accused then hid the information they obtained on computers in the U.S. and Europe before selling it. At least nine large retail chains were targeted, and the crime resulted in large losses to banks, businesses, and consumers, according to the U.S. Justice Department.301
c Use of Stolen Credit Cards
Two men in Ohio were arrested and one was charged with identity theft, forgery, and possession of stolen property in a case involving the use of a stolen credit card at a local Byrne Dairy when a surveillance camera caught them in the act. The stolen card was also allegedly used at a Sunoco gas station. According to police, the card had been in a purse that was stolen from a tavern.302
d Fraudulent Credit Histories
In an extensive loan and credit scheme, Jerry Van Le of Stockton, California, and other individuals worked together to commit multiple acts of fraud linked to Le’s credit repair business. Between 2006 and 2008, Le used his business to create fake identities for himself and his customers. They used these identities to establish fraudulent credit lines with credit unions and banks, credit card firms, and auto dealerships. Le used his contacts in the financial industry to build fake credit histories for the fraudulent identities as well. Le also created an array of fake paperwork to support the credit applications, including W-2 forms, pay stubs, letters from employers that did not exist, and bogus California drivers’ licenses. Charging between $3,500 and $6,000 for his services, Le created false credit histories for about 40 clients. Some of these individuals used their fake identities to commit other fraud. The false lines of credit that Le and his clients obtained were used in 2006 to buy a $378,000 home and several luxury automobiles, and to obtain about $200,000 in cash from multiple credit cards acquired by Le in his own and fictitious names. Total losses resulting from Le’s crimes were estimated at between $1.5 million and $2 million.303
300 Three Indicted in Largest Corporate Identity Theft Case in History, Fox News (Aug. 17, 2009), http://www.foxnews.com/story/0,2933,540060,00.html.
301 US cracks ‘biggest ID fraud case’, BBC News (Aug. 5, 2008), http://news.bbc.co.uk/2/hi/business/7544083.stm.
302 Auburn Man Arrested in Stolen Credit Card Case, Auburnpub.com (Feb. 11, 2010), http://auburnpub.com/news/auburn-man-arrested-in-stolen-credit-card-case/article_cc07ef01-d008-5830-82f7-20a00ac85481.html.
B Identity-Related Bank Fraud
The statutes covering bank fraud in the United States include § 1341, which addresses frauds and swindles. This statute provides that anyone in violation of the law will be fined or serve a prison term of not more than 20 years, or both. If the violations occur in connection with any benefit authorized or paid in connection with a presidentially declared major disaster or emergency, a fine of not more than $1 million or imprisonment of not more than 30 years, or both, will be imposed.304 Additionally, Section 1005 of Title 18 of the United States Code requires that there be a specific intent to defraud included as an element of the offense. However, it is not essential that an indictment allege a specific intent if it includes statutory language. Showing “recklessness” is not enough to prove intent. The statute specifies three criminal intents: the intent to injure, the intent to defraud, and the intent to deceive. In cases of bank fraud, it is enough to provide proof of any one of these intents.
Actual damages do not have to be shown to bring bank fraud charges under the statute.305
In bank fraud, identity criminals may create fake checks that use a victim’s name and/or bank account number. They may also open a new bank account with the victim’s personal information and write bad checks on it. Another common practice among bank fraudsters is to clone an ATM or debit card and use all the funds in a victim’s account via electronic withdrawals. Additionally, if an identity criminal is committing another financial fraud, they can use a fake checking account for cashing out by using cash-advance checks in the name of the account’s owner or cashing tax refund checks made out to the victim. Another example involves using the victim’s checking account to deposit unauthorized wire transfers from brokerages if offenders are committing investment fraud.306
303 Jerry Van Le, Credit Repair Specialist Pleads Guilty to Fraud Scheme, Mortgage Fraud Blog (Feb. 11, 2010), http://mortgagefraudblog.com/perp-walk/item/12974-credit_repair_specialist_pleads_guilty_to_fraud_scheme.
304 18 U.S.C. § 1341 (2006).
305 Id. § 1005.
The Federal Trade Commission (FTC) found that 16 percent of identity crimes in the United States in 2008 consisted of bank fraud, a decrease from the 18 percent measured in 2006. Of total bank fraud cases, eight percent involved electronic funds transfers in 2008, compared with 6.6 percent in 2006, while just 5.8 percent represented existing account fraud, compared to 8.5 percent two years earlier. Fraud involving new bank accounts totaled 3.1 percent of all bank fraud cases in 2008, while in 2006, that figure was 3.6 percent.307

Table 2 Types of bank fraud in 2006–2008

| Year | Electronic Fund Transfer | Existing Accounts | New Accounts | Unspecified | Total |
|---|---|---|---|---|---|
| 2006 | 6.6% | 8.5% | 3.6% | 0.1% | 18% |
| 2007 | 7.9% | 7.5% | 3.3% | 0.1% | 18% |
| 2008 | 8.0% | 5.8% | 3.1% | 0.1% | 16% |

Source: Federal Trade Commission

1 Examples of Bank Fraud
a Mistaken Identity
A woman in San Francisco, California, found herself charged with felony identity theft in 2008 after her wallet was stolen on a city streetcar in 2006. The police came to arrest her nearly two years after the wallet theft on a no-bail warrant from a town near Denver, Colorado, charging her with being the mastermind behind a scam in which stolen checks and bank withdrawal slips were used to obtain over $60,000 from the bank accounts of other people. She faced 19 felony charges, and by the time they were dropped after seven months, she had spent over $46,000 in legal costs. Margot Somerville blames the small-town police department for making the mistake and treating her as a criminal rather than a victim, but the police say a handwriting expert confirmed she had written many of the forged documents in the case. The bank is happy that the charges were dropped.308
306 About Identity Theft, Federal Trade Commission, https://web.archive.org/web/20120503022415/http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identity-theft.html
307 FTC 2009 Data Book, supra note 196.
b Fraudulent Identity Documents
In Robbinsdale, Minnesota, a mortgage assistant was charged with bank fraud, access device fraud, and aggravated identity theft in a case involving the theft of personal information from 93 victims and using it to steal money and goods. After his indictment in 2009, Jason Alan Tauer entered a guilty plea to stealing the data from individuals who applied for mortgages at Ameriquest Mortgage, where he worked for about a month in 2005. Tauer also obtained financial and personal information from mail stolen from 208 victims and various items he got from gym lockers. All the information was used to create fraudulent identity documents and checks. He then used these documents and checks to get cash and other goods and services. One victim’s identity information was used to obtain a credit card, which Tauer then used to get over $30,000 in cash from ATMs in Minnesota. All the cash disbursements were charged to the victim.309
c Fraudulent Debiting from Bank Accounts
A case of bank fraud in Miami Beach, Florida involved a man and his driver in an identity crime and telemarketing scam designed to steal millions of dollars from financial institutions in the United States and their account holders via the unauthorized debiting of funds from customers’ bank accounts. In all, over 42 counts of conspiracy to commit bank fraud, aggravated identity theft, conspiracy to commit mail and wire fraud, substantive wire fraud, and mail fraud were brought against the two men. The men were among 17 defendants charged in connection with an international bank fraud ring responsible for attempts to debit more than 100,000 customer accounts totaling over $30 million. The identity crimes were committed through a fake telemarketing business that collected names and bank account information and targeted thousands of elderly people, many of whom lived in New Jersey.310
308 Susan Sward, A strange case of identity theft, SFGate (Mar 22, 2009), http://articles.sfgate.com/2009-03-22/news/17214604_1_streetcar-legal-bills-theft.
309 Jennifer Harmon, Mortgage Assistant Pleads Guilty to Identity Theft, Mortgage Fraud Blog (Feb. 10, 2010, 2:00 AM), http://www.nationalmortgagenews.com/nmn_features/-466472-1.html.
d PIN Cashing
According to Rita Glavin, head of the criminal division at the U.S. Justice Department, identity criminals are capable of committing large-scale data thefts that may affect thousands or even millions of individuals. Instead of simply buying goods and services with stolen credit card numbers, for example, offenders are using a relatively new and sophisticated form of bank fraud known as PIN cashing. In this crime, stolen financial information is immediately provided to other criminals who withdraw funds from ATMs worldwide. Offenders made 9,000 withdrawals in less than 48 hours and obtained a total of $5 million in one case using just four prepaid debit card accounts.311
C Identity-Related Trade Fraud
One of the least recognized areas of financially motivated or economic fraud can be found in the trade sector. This sector is responsible for trillions of dollars in imports and exports on a global basis and has little accountability or oversight. While there are established rules requiring honesty when declaring value, points of shipment origins and destinations, and the identity of all buyers, sellers, shippers, and brokers, it is common for regulators to receive misleading or false information. The lack of oversight allows for an environment in which it is easy to commit tax evasion and money laundering and to evade imposed sanctions. For example, identity criminals may use the personal information of others to make trades. In the case of “conflict diamonds,” the point of origin and identities of those benefiting from the transaction are frequently misrepresented to conceal the fact that those linked to violence in Africa use the profits to continue their war efforts.312
The second-largest bank in France lost $7 billion in a trade fraud that was characterized as the largest in history. Jerome Kerviel, called a “loner genius,” was a stock trader who set up a fictional firm and made unauthorized trades by impersonating someone with the authority to do so. His detailed knowledge of the operations of the Société Générale bank allowed him to conduct his activities without being discovered for some time. Kerviel breached five levels of security controls and did so in a manner that eliminated all traces of his activity. Some industry analysts believed that Kerviel put as much as $119 billion of the bank’s money at risk. His scheme was not complicated; he simply purchased futures contracts on stock indexes in Europe, betting that the indexes would either increase or decrease in value. Things went well for some time, but when the markets around the world fell because of a potential recession in the United States, bank authorities noticed something was wrong in the trading procedures.313
310 Fl. Man and Driver Convicted in $30 Million ID Theft and Bank Fraud Ring, Office of Inadequate Security (Feb. 17, 2010), http://www.databreaches.net/?p=10059.
311 Terry Frieden, U.S.: Identity Theft Grows as Hackers Get Savvier, CNN.com/world (Mar. 31, 2009), http://www.cnn.com/2009/US/03/31/identity.theft/index.html#cnnSTCText.
312 Passas, supra note 163, at 96–97.
D Identity-Related Loan Fraud
The loan fraud category of identity crime includes both personal and business loans, student loan scams, and auto loans. According to a Federal Trade Commission study, loan fraud represented 4 percent of reported fraud in 2008, down from 5 percent in 2006. Of that total, business, personal, and student loan fraud represented 1.8 percent in 2008, a decrease from 2.5 percent in 2006. Fraud involving auto loans or leases contributed 1.3 percent to the total in 2008, compared to 1.7 percent two years earlier. A considerable amount of loan fraud involves mortgages, but that category is treated separately below.314 The FTC conducted research between 2006 and 2008 to determine the prevalence of specific categories of identity-related crimes. The agency’s findings are summarized below.315
1 Personal or Business Loan Fraud
While a personal or business loan is sometimes essential to doing business, borrowers must be aware of the dangers imposed by identity criminals who prey on unsuspecting individuals. The dangers are so great that Arizona’s Attorney General has issued a warning to state residents about fraudulent loan companies offering fake loans. The offenders behind these scams usually advertise in small markets and community newspapers, offering debt consolidation, small business, mortgage, and other types of loans. They will frequently use the logo of a trusted and legitimate financial institution to attract customers.
313 Linda Hervieux, French Bank Loses $7B in Trade Fraud, NY Daily News (Jan. 25, 2008), http://www.nydailynews.com/news/world/french-bank-loses-7b-trade-fraud-article-1.341604.
314 FTC 2009 Data Book, supra note 196.
315 Id.

Table 3 Loan fraud (based on the total complaints)

| Year | Business/Personal/Student Loan | Auto Loan/Lease | Real Estate Loan | Unspecified | Total |
|---|---|---|---|---|---|
| 2006 | 2.5% | 1.7% | 1.3% | 0.2% | 5% |
| 2007 | 2.3% | 1.4% | 1.3% | 0.3% | 5% |
| 2008 | 1.8% | 1.3% | 1.2% | 0.2% | 4% |

Source: Federal Trade Commission

In a typical scam, the ads will tell consumers to call a “third party consultant” who will take personal information from the victim over the phone in order to fill out a loan application form. The requested information may include social security numbers and other sensitive information. The loan always receives approval during the phone call, and a loan package is faxed to the victim. The package asks for bank account information and informs the victim that, to obtain the loan amount, he or she must wire an advance payment or deposit via Western Union to the consultant. However, the loan is never received, since the victim has been deceived by a fake company, which absconds with their advance payment money. The danger of identity crime is very high, since the fraudulent consultants may request copies of drivers’ licenses and/or social security cards. The identity criminals in these cases are often “phishing” for personal information from victims that they can keep and reuse for future identity crimes or sell to other identity criminals.316
Personal loan fraud is extremely common and results in millions of dollars in losses to consumers annually. A fraudulent loan offer is frequently made through an unsolicited letter, e-mail, or telephone call, and the offender will ask for personal information, including bank account number or social security number.
316 Judy Hedding, Fake Loan Scam: Recognize and Avoid Fraudulent Fake Loan Offers, About.com, http://phoenix.about.com/od/scam1/a/fakeloan.htm (last visited Feb. 12, 2012).
Loan scammers will typically ask for an upfront fee, sometimes in the form of an application fee, processing fee, or insurance fee, before any loan money is released. Legitimate lenders rarely ask for such fees when making personal loans. Borrowers should be especially on guard if the loan consultant asks for money to be wired to another location by Western Union or MoneyGram, particularly if the destination is overseas. Some loan scammers are extremely brazen and will ask for a second payment to complete the loan process once the victim has sent an initial amount of money per their instructions.317 Risks associated with personal loans are even greater online, since identity criminals can hide behind the anonymity inherent in the Internet.
2 Identity-Related Student Loan Fraud
Law enforcement authorities are concerned about the potential for abuse in the private loan sector, especially when identity criminals target students through student loan offers. Federal officials fear that abuses similar to those occurring in the subprime mortgage market could become common in the student loan sector. In 2008, five women in the Seattle, Washington area were charged with taking out over $690,000 in fraudulent private student loans. Beginning in 2005, a woman and her two daughters and two female associates filed over 70 applications for private student loans using the names and social security numbers of other individuals. While most of the applications were not approved, at least 24 of the fraudulent applications were successful, and lenders sent checks to the fraudsters’ addresses.318
Private educational loans are made by lenders as standard business transactions, with the banks charging higher interest rates than those under low-cost federally guaranteed educational loans. The five women counted on the fact that the private lenders would rather make large, higher-interest loans, and they exploited a feature of student loans that makes it more difficult to discover fraud.
In most cases, lenders defer payments as long as borrowers are enrolled in school, so years may pass before it becomes clear that the borrower has no intention of paying the loan back. The deferment period also makes it difficult for the individuals whose identities were stolen in the application process to discover the theft until the loan comes due. Still, some investigators believe that there were red flags. For example, many loan checks were sent to the same address, and on some applications, the name did not match the social security number. In one case, the social security number of a deceased person was used.319
317 Protect Yourself from Personal Loan Fraud, Personal Loans (Oct. 12, 2009), www.personalloans.org/protect-yourself-from-personal-loan-fraud/.
318 Kim Clark, Five Charged With $690,000 in Student Loan Fraud, U.S. News (June 25, 2008), http://www.usnews.com/articles/education/2008/06/25/five-charged-with-690000-in-student-loan-fraud.html.
3 Auto Loans
Auto loan scammers utilize the same identity crime techniques as other fraudulent loan makers. They use the logos of legitimate firms in their advertising and communications, ask for personal information, and request upfront payments before any processing of the loan can begin. Many of the fraudulent lenders are looking for personal information such as names and social security numbers that they can use to commit other crimes as well. They attract victims via the promise of low interest rates and easy credit approval. The proliferation of online auto sales opportunities has only spurred an increase in identity crime.
4 Online Auto Loans
One online auto loan website, Allstate Auto Lending, which no longer operates, was the subject of many consumer complaints from people who said they lost hundreds of dollars while trying to get a loan to purchase a new car. Borrowers found the firm through sponsored links on Yahoo’s search screen, and when they applied for a loan, were told to provide their social security number, their bank account information, and a copy of their driver’s license, and to wire 5 percent of the loan amount via MoneyGram to an escrow account as insurance in case of a default on the loan. The escrow account was allegedly located at the Palm Bank in Bradenton, Florida. However, that bank did not exist, and the money was lost.320 In addition to the lost money and car, victims had also provided all the personal information an identity thief needed to steal their identity.
The potential borrowers felt safe applying at a site that advertised on a top search engine like Yahoo.321 However, it is important to scrutinize online advertisers as closely as one would any site one would find using a search engine. A study coauthored by McAfee and antispyware activist Ben Edelman found that 9 percent of sponsored results from top search engines, including Yahoo, lead to websites that contain spyware and scams, and could be operated by people who send spam. Borrowers should also be aware that seeing the Better Business Bureau’s “reliability” logo on a web page is no guarantee that the site is actually part of the program. Many offenders display the logos of legitimate and trusted organizations as part of their efforts to lure potential victims. Identity thieves are also adept at creating official-looking paperwork and forms.322
319 Id.
320 Tom Spring, Net Watchdog: Beware of Auto Loan Scams, PC World (Oct. 26, 2006), http://www.pcworld.com/article/127613/net_watchdog_beware_of_auto_loan_scams.html.
321 Id.
When applying for an auto loan anywhere, borrowers should expect to see a loan application that requests name, address, phone number, birth date, and social security number. This is all the information an identity thief needs. The Better Business Bureau or a consumer protection program should always be consulted to determine whether or not a business is legitimate, particularly if it is operating online.323 Online auto loans can save time and energy, and the lenders tend to offer a variety of attractive options for borrowers, at a slightly higher fee to pay for the convenience. They also tend to finance borrowers with lower than average incomes. However, it is likely that the online lender is simply running a “phishing” operation, looking for personal information that can be used in an identity crime.324
E Identity-Related Investment Fraud
Investment-related identity fraud accounts for only 0.2% of identity crimes.325 Identity criminals can cause problems with online brokerage accounts. For example, some investors have been surprised when checking their accounts to find that the balance is much lower than expected, even though they know that neither their securities nor the market decreased in value.326 Then the investors notice that money was transferred several times from the account to an external checking account without authorization. The investors have been victimized by an identity thief who took their money and their personal identifying information at the same time.
322 Id.
323 6 Online Auto Loan Scams to Watch Out For, Loan.com, http://www.loan.com/car-loans/6-online-auto-loan-scams-to-watch-out-for.html (last visited Feb. 12, 2012).
324 How to Identify Online Auto Scams, Financial Web, http://www.finweb.com/loans/how-to-identify-online-auto-loan-scams.html (last visited Feb. 12, 2012).
325 FTC 2009 Data Book, supra note 196.
326 Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information, U.S. SEC, http://www.sec.gov/investor/pubs/onlinebrokerage.htm (last visited Feb. 12, 2012).
Online brokerage accounts are convenient in many ways, but they are also vulnerable to identity crime. Identity criminals often use malicious software that monitors the investor’s computer and sends information to the offender’s computer. The software may log key strokes, which allows thieves to obtain passwords and usernames for online accounts. Or thieves may “phish” for personal information using fraudulent e-mail messages and fake websites that trick visitors into providing a social security number or bank account number.327 Many identity criminals do not utilize sophisticated technology, but instead rely on more traditional methods of theft, such as watching an investor type in sensitive information or looking through the trash to find confidential account data. They may use other identities to spread false information that could impact the price of a stock as well.
3.10.2 Identity-Related Non-Financial Crimes
Non-financial identity crimes are common and are of several types. The most common are the following:
1. Passport fraud
2. Employment fraud
3. Postal fraud
4. Driver’s license
5. Social Security Card
6. Other government documents
Someone who steals an identity in order to get a job will also obtain the financial benefits associated with that job (i.e., salary). But because the crime in this example is employment fraud, using false information for obtaining a job, it is an example of a non-financial identity crime. The identity criminal will be paid a salary because he is working. If he is not working he will not receive a salary. The fraud is getting the job, not the salary. So we classify this as a non-financial crime.
Illegally obtaining a social security card is also a non-financial identity fraud. The criminal can then use the social security card to obtain social security benefits, get employment, obtain a credit card, or secure other benefits for which a social security card is required.
Someone who illegally obtains a driver’s license or a passport is also committing a non-financial identity crime. The documents might be used for opening a checking account, cashing a check, traveling internationally, registering an automobile, or any number of other purposes. Financial gain might ensue, but obtaining the documents is not in itself financially related, so the crimes are considered non-financial identity crimes.
327 Id.
A Identity-Related Employment Fraud
Employment fraud refers to an identity crime in which an individual gets a job using a stolen or fictitious social security number. Identity thieves often appropriate that number along with the name and birth date of the victim; many offenders use their own names with a fake Social Security number. Employment fraud is categorized as a non-financial identity crime and in 2008, it represented one of the fastest growing types of identity crimes.328 According to the Federal Trade Commission, employment fraud constitutes roughly 15% of all identity crimes.329 Wages earned are reported to state and federal tax authorities under the social security number, so having this number stolen and used in a fraudulent manner opens victims up to tax audits, additional taxes, lost refunds, and mistakes in government records, all of which are very difficult issues to resolve. Often, employment fraud leads to other kinds of identity crime, since illegal workers may use the stolen identity to obtain other services once they are employed, including health insurance, utilities, government identification, benefits, and credit cards.
Most frequently, employment fraud is committed by illegal immigrants who want jobs. Individuals who are deemed “uninsurable” may use stolen identities to gain employer-sponsored insurance coverage, or felons may conceal their criminal histories in this way to get employment. Offenders who want access to customer or account information held by an employer may also hide their true identities in order to commit their crimes.
While some employers are willing to overlook the use of fraudulent documents to obtain low-wage workers, they could face potential difficulties with state and federal authorities for hiring people who have misrepresented themselves. A 2009 study of illegal aliens in the United States found that, far from being “undocumented,” these individuals have many types of fraudulent documents, including fake social security cards, forged drivers’ licenses, and false birth certificates. According to the study, an estimated 75 percent of illegal aliens of working age use fake social security cards to get a job. Ninety-eight percent of the thieves who have false cards use their own names with stolen social security numbers. States with the highest rates of illegal immigration also have high rates of employment-related identity crime. For example, 33 percent of all the identity crimes in Arizona are employment-related. Of the ten states with the highest rates of identity crime, eight (Arizona, California, Florida, Texas, Nevada, New York, Georgia, and Colorado) also have the highest percentage of illegal aliens.330
Somewhat surprisingly, children are the major targets of identity thieves, with more than a million children in Arizona being victims of identity thieves. Illegal aliens are willing to commit felonies to gain employment, evidenced by their use of fake documents and commission of identity crime to get jobs. These are serious crimes that have negative ramifications for society in general, and while the U.S. Bureau of Immigration and Customs Enforcement (ICE) targets large document fraud rings, the agency has limited resources. Identity crime cases totaled only 7 percent of the total case load for ICE in 2007.331
328 Joe Campana, Identity Theft 101: What is Employment Fraud?, Examiner.com (Aug. 10, 2009), http://www.examiner.com/x-9215-Identity-Theft-Examiner~y2009m8d10-Identity-theft-101-what-is-employment-fraud.
329 FTC 2009 Data Book, supra note 196.
B Government Documents and Benefits Fraud
Government benefits fraud often involves identity crime. Identity criminals steal the personal information of victims in order to get money or services from the government. Since a Social Security number (SSN), social security card, or Medicare card is necessary to make an application for government benefits, this is what identity thieves need to commit their crime. The crime is related to government identification fraud, which refers to the use of SSNs and forged ID cards. Government benefits and identification fraud constituted 1.3% of all identity crimes in 2008.332 In 2008, reports of identity fraud linked to government benefits fraud and government identification fraud rose 65 percent, nationwide, over 2007.
Some states, notably Wisconsin, saw the number of these kinds of identity fraud crimes increase by 100 percent.333 Government benefits fraud may involve Medicare or Medicaid. It may be committed via the use of a person’s total stolen identity, or just a social security number. This kind of fraud also includes the illegal activities of businesses that
330 Ronald W. Mortensen, Illegal, but Not Undocumented: Identity Theft, Document Fraud, and Illegal Employment, CIS (June 2009), http://www.cis.org/IdentityTheft.
331 Id.
332 FTC 2009 Data Book, supra note 196.
333 Joe Campana, Identity Theft 101: What is Government Benefits Fraud?, Examiner.com (Aug. 27, 2009), http://www.examiner.com/x-9215-Identity-Theft-Examiner~y2009m8d27-Identity-theft-101-what-is-government-benefits-fraud.
Identity Crime Framework and Model
bill the government for Medicare services they overstated or never rendered using stolen Medicare card numbers. Government benefits fraud includes taking tax refunds/rebates that are due an identity crime victim. Offenders often obtain state welfare checks or qualify for state-operated health care programs. They may illegally obtain food stamps, disability benefits, or other public assistance using stolen identities.334 Because government social workers want to help those in need, they may accept fraudulent social security numbers in order to provide benefits to the poor. Every time they do this, however, they are creating new victims of identity crime, who are likely to experience significant financial consequences and future problems.335
1 Identity-Related Social Security Card Fraud
In the United States, the social security number (SSN), in addition to identifying individuals for the purposes of social security benefits, functions as the chief identification element in many corporate and government records. It is used in electronic and other enforcement programs and to link various records in information systems. Because authorities rely so heavily on the SSN, it represents a rich target for identity thieves.336 Nearly all segments of modern automated record keeping are impacted by misuse of the SSN. It is utilized as a personal identifier by most state and federal agencies, including the Internal Revenue Service, state departments of motor vehicles, and credit and insurance firms. It represents the key that opens many opportunities for identity crime.337 In 2008, the 110th United States Congress amended Title 18 of the United States Code in H. R. 5234 and the Social Security Act to restrict the misuse of social security numbers and to impose penalties for the misuse.
Generally, the amendments prohibit the “display, sale, or purchase” of Social Security numbers, with “display” meaning the intentional communication or availability of the numbers, on the Internet or by any other method, to the general public, or to use the numbers without authorized consent of the owners. Exceptions were made for requirements under federal law and for public health, national security, and law enforcement purposes, among others.338
334 Id.
335 Id.
336 936 Social Security Violations, U.S. Department of Justice, http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/crm00936.htm (last visited Feb. 12, 2012).
337 Id.
338 H.R. 5234, 110th Cong. (2008).
chapter 3
Identity criminals often use social security numbers in their crimes. It is relatively easy for them to obtain these personal numbers. They may do so by stealing physical items, including wallets and mail. Communications from credit card companies, banks, and tax authorities provide access to these identification numbers. Thieves may also steal personal information provided online to unsecured websites or from online banking sites. Other ways fraudsters may obtain social security numbers include going through the trash, posing as someone with a legitimate need for the information, either over the phone or through e-mails, and purchasing stolen identity information from someone who has legitimate access to personally identifying information, including social security numbers, such as a store or bank employee.339 Once offenders have obtained the SSN, they can use it to create new identities or to access financial accounts of the legitimate owners. Nearly all identity crimes have the social security numbers of victims as a major target. Special agents in a joint operation with federal, state, and local law enforcement officers arrested eight people on charges of social security fraud and identity theft in Puerto Rico. The case involved the theft of identification documents from 50 public schools there. Puerto Rican public schools have presented a significant target for identity thieves looking for the personal information of United States citizens since 2007. Thieves have stolen both originals and copies of social security cards, passports, and birth certificates and then sold the information to buyers in Texas, Alaska, and California.340 The fraudsters in the case were also charged with creating fake Puerto Rican drivers’ licenses.
2 Identity-Related Passport and Visa Fraud
A passport is a formal document issued by a government that allows its citizens to travel to and from the country of origin.
In the United States, passports are recognized by legal authorities as proof of identity and citizenship. In 2005, over 10 million passports were issued by the U.S. government, and 3,564 new cases of passport and visa fraud were investigated by diplomatic security officials in that year.341
339 Identity Theft and Your Social Security Number, Social Security Administration, http://www.ssa.gov/pubs/10064.html (last visited Feb. 12, 2012).
340 8 arrested in ID theft, Social Security fraud, U.S. Immigration and Custom Enforcement (Mar. 31, 2009), http://www.ice.gov/news/releases/0903/090331sanjuan.htm.
341 Passport and Visa Fraud: A Quick Course, U.S. Department of State, http://www.state.gov/m/ds/investigat/c10714.htm (last visited Feb. 12, 2012).
Passport fraud is committed by individuals who want citizenship but cannot obtain it in a legal way. It is also committed by criminals who want to change or hide their true identities, including terrorists, and individuals who are involved in financial fraud. Criminals linked to drug trafficking and the smuggling of aliens commonly commit passport fraud in the course of their other crimes.342 Passport fraud is usually perpetrated in foreign countries with older passports by changing the photograph in the passport and substituting it with that of another individual. Documents used to obtain the passport and support the applicant’s identity, such as birth certificates, may be forged so that the resulting passport is fraudulent. Additionally, criminals may use the identity of a deceased individual to obtain a passport.343 According to 2003 testimony from Robert W. Starnes, Special Agent-in-Charge of the Houston Field Office, Bureau of Diplomatic Security, the U.S. passport represents one of the most important identity documents in the nation. It functions as proof of identity and proof of citizenship. It also permits free passage into the country with less scrutiny than that given to foreign documentation. Additionally, a U.S. passport provides American citizens with visa-free entry into many other countries, which gives them a high value among international criminals.344 Passport fraud is generally used to facilitate other crimes, such as illegal immigration, flight from legal authorities, various economic crimes including bank and credit card fraud, smuggling of drugs or weapons, hostile intelligence, and international terrorism. The foreign terrorists who are known to have operated in the U.S. have all used fraudulent identity documents, including state drivers’ licenses. To obtain a passport, individuals must provide proof of identity by submitting a valid government-issued document, usually a driver’s license or an identification card.
For criminals to get a passport, they must first obtain these documents. The most common ways to do so are by gaining a stolen identity, a fake identity, or a true identity using fake citizenship documents.345 Once foreign citizens are in the U.S. under a visa, they attempt to meld into society by getting a state driver’s license or ID card. When they have these documents, individuals can use them to open credit card and/or bank accounts and get social security cards. This emphasizes the need for authorities to limit
342 Id.
343 Id.
344 How Passport and Visa Fraud Relate to Identity Fraud, U.S. Dept. of State, http://www.state.gov/m/ds/investigat/c10680.htm (last visited Feb. 12, 2012).
345 Id.
the use of the driver’s license and ID card as unquestioned forms of identity documentation.346 Visa fraud is related to passport fraud. Visa fraud includes the sale or transfer of legitimate visas, misrepresenting reasons for travel to a country, and forgery or alteration of the visa documents. Illegal immigrants may commit visa fraud for economic reasons, to hide from prosecution, or to commit other crimes such as drug trafficking or terrorist operations. Smugglers may commit visa fraud during the commission of other crimes as well, and federal employees who have access to visa information typically commit visa fraud for reasons of financial gain.
3 Identity-Related Driver’s License Fraud
Driver’s license fraud constitutes approximately 1% of all identity crimes, according to the FTC.347 Driver’s license fraud causes damages to its victims through the creation of poor driving records and unpaid fines, both incurred at no fault of the true license holder. These elements often result in suspension of the license or its entire revocation. In Canada, victims of identity theft or fraud often discover the crime when they attempt to renew their car insurance or driver’s license, since unpaid fines must be paid before renewals can go into effect.348 Driver’s license information is also used to facilitate other criminal activity by taking advantage of the prevalent use of the license for identification purposes. Substantial damages may accrue to the state in terms of detection and investigation of identity fraud cases. In Georgia, driver’s license fraud involves using another person’s identity, submitting false identity documents, and taking other accounts with the intent to obtain a driver’s license for someone or by someone who is not eligible to have the license.
Driver’s license fraud is a crime in Georgia, and perpetrators may be charged with any of several state and/or federal violations, including forgery and identity fraud.349 Examples of such fraud include presenting false immigration documents (“green card”) by undocumented aliens who are not eligible for a state license or identification card, presenting a fake birth certificate or social security card that has been created on a personal computer by changing the identity information, or presenting a birth certificate that belongs to someone else.
346 Id.
347 FTC 2009 Data Book, supra note 196.
348 Lawson, supra note 164, at 13.
349 Driver’s License Fraud, Georgia Department of Driver Services, http://www.dds.ga.gov/drivers/DLdata.aspx?con=1749371756&ty=dl (last visited Feb. 12, 2012).
However, the creation of a false driver’s license is not driver’s license fraud in Georgia, and the state does not investigate claims that someone has made or used a counterfeit license unless the complaint involves the state’s licensing agency or equipment. Ticket fraud is also not considered driver’s license fraud in Georgia. If an individual finds that someone else was using their identity when they received a ticket, and that person receives a conviction or revocation of the license on the legitimate owner’s driving record for an offense he or she did not commit, that is not driver’s license fraud. The owner must go to court and convince the judge that he or she was not at fault to have the false information removed from the record. Such a high number of clerks in the motor vehicles office in Virginia have been found selling fraudulent drivers’ licenses that the state is removing the manufacture of these licenses from the 74 regional offices to a remote, private facility on the North Carolina border.350 The facility keeps visitors, cell phones, and cameras away, and operates under extreme security. Virginia is not alone in taking steps to reduce driver’s license fraud, which facilitates underage alcohol consumption, utilization of state services by out-of-state visitors, and financial scams run by identity criminals. Brian Zimmer, president of the Coalition for a Secure Driver’s License, says the measures taken by states to stop driver’s license fraud go a long way in stopping the casual identity thief. However, professional criminals continue to provide fake licenses with a high degree of sophistication. To hinder their efforts, most states use holograms, multiple photographs, or images that can only be detected under ultraviolet light on their drivers’ licenses. Many of the fake licenses are sold to illegal immigrants so that they appear to be legal residents of the states.
These efforts do not address the utilization of false birth certificates and other documents to prove identity when applying for the license, however. With the high volume of agencies issuing the certificates, it is difficult for motor vehicle departments to verify the authenticity of every one. In many locations, it is easy for an individual to get a valid copy of someone else’s birth certificate using public access laws, says Frank Abagnale, an FBI security consultant and former con artist.351
C Evading the Law
Another common identity crime involves one person who willingly impersonates another in order to avoid law enforcement actions. Evasion of the law
350 Thomas Frank, States take steps to cut down on driver’s license fraud, USA TODAY, May 26, 2009, www.usatoday.com/news/nation/2009-05-25-licenseinside_N.htm.
351 Id.
constitutes roughly 2% of identity crimes.352 Victims of this kind of identity crime have been detained and even arrested by authorities for crimes they did not commit. In one case in the United States, a mother of two children was jailed for a brief time in 2008 for a burglary committed by a woman who had stolen her identity. The information had been stolen four years before the crime, and the victim had to pay $3,500 in legal fees in order to clear her name.353
D Identity-Related Postal Fraud
In the United States, any crime in which the mail is used to further a criminal activity is investigated by postal inspectors. It is the actual use of the U.S. mail that transforms a criminal action into postal fraud, and inspectors have the authority to prosecute the perpetrators or to take administrative action against them.354 Investigations are based on the number of complaints received by the public concerning fraudulent actions, as well as the pattern and substance of these complaints. In some cases, the information will be shared with other regulatory agencies to determine if violations occurred in their jurisdictional areas.355 In many cases of postal fraud, the crime involves the misrepresentation of the sender’s identity, the delivery of forged documents, or illicit requests for personal information. For example, in one case, bogus forms claiming to be from tax authorities are sent with requests for personal banking information in order to collect taxes on deposit interest.356 This information is then used in other fraudulent actions or in identity crime. In other cases, the mail itself is the target of thieves: they steal packages containing merchandise or envelopes that clearly indicate payment of some kind is inside. These include credit cards or payment cards mailed out by banks. The theft of checks is often done for purposes of “check washing,” in which the names on the checks and their amounts are altered.
One of the most famous mail thefts in history was the so-called “Great Train Robbery” in Britain in 1963 when thieves stopped a mail train by tampering with signal lights and took all registered mail containing valuables sent by local banks to their head offices.357
352 FTC 2009 Data Book, supra note 196.
353 Lawson, supra note 164.
354 United States Postal Inspection Service, https://postalinspectors.uspis.gov/ (last visited Feb. 13, 2012).
355 Id.
356 Id.
357 Id.
The Mail Fraud Statute (Title 18, United States Code, Section 1341) represents the oldest consumer protection statute in federal law. It is designed to address white-collar crime and service misrepresentations. Under this statute, fraud is defined as a “scheme or artifice” that uses the United States mail to obtain property or money via false or fraudulent representation. In mail fraud, the postal system is utilized to obtain anything of value from a victim by various means, including offering a service, product, or investment opportunity that falls short of any claims made for it. In order to get a conviction for mail fraud, a prosecutor must show intentional misrepresentation and reliance on the postal system to carry out the scheme.358
E Identity-Related E-Mail/Internet Fraud
The Internet has opened up a great many opportunities for identity criminals, particularly through the use of electronic mail. The number of scams relying on e-mail has grown along with the number of Internet users, although, according to the FTC, identity crimes relying on email constituted only 1.1% of all identity crimes in 2008.359 Many of the unsolicited e-mails received by Internet users are part of “phishing” crimes, in which scammers want to obtain personal information, such as social security or bank account numbers, from victims that they can use themselves to obtain money and goods or sell to other fraudsters for various purposes. A number of examples of email fraud can be cited.
1 Examples of Identity-Related Email/Internet Fraud
a Counterfeit Check Scheme
A counterfeit check scam targeting law firms in the United States has been in operation for some time. In this scam, offenders send e-mails to attorneys that claim to come from individuals overseas who need a lawyer to collect delinquent payments from people in the U.S. The scammers send a retainer agreement, invoices stating the amount owed, and a check made out to the law firm. The firm is then told to take the retainer and other applicable fees out of the check amount and wire any remaining funds to banks located in China, Korea, Ireland, or Canada. By the time the attorney discovers the check is counterfeit, monies have already been sent to the foreign banks.360
358 United States Postal Inspection Service: The Mail Fraud and False Representation Statutes, The Center for Regulatory Effectiveness, http://www.thecre.com/fedlaw/legal10/statutes.htm (last visited Feb. 13, 2012).
359 FTC 2009 Data Book, supra note 196.
360 New Twist on Counterfeit Check Schemes Targeting U.S. Law Firms, fbi.gov (Jan 21, 2010), http://www.fbi.gov/cyberinvest/escams.htm.
In a new approach, the e-mails sent to attorneys purport to be from an ex-wife in an Asian country for business who claims to be trying to collect a divorce settlement from her ex-husband in the U.S. Once the law firm takes her case, an e-mail is sent to the ex-husband and a “certified” check is received for the settlement amount via a delivery service. The law firm is then told by the ex-wife to wire the funds, minus the retainer, to a bank account overseas. As in the previous scenario, money is transferred before the firm discovers the check is no good.361
b Charity Donation Scams
E-mail users received appeals for aid to Haiti following the January 2010 earthquake there. As with past natural disasters and large-scale tragedies, fraudsters have taken advantage of individuals’ desire to help by launching e-mail campaigns claiming to collect money for charitable organizations. Scammers are likely to pretend to be victims of the disaster or officials requesting donations. E-mail recipients should be especially wary of messages that claim to show photographs of the disaster area provided as attachments. These attachments may contain viruses. The fraudulent e-mails may also request the recipient’s personal or financial information in order to “complete” a transaction.362
c Hitman
This threatening e-mail states that the sender will kill the message’s recipients if they refuse to pay thousands of dollars to the online “hitman.” In 2008, several new versions of the scam appeared, one of which told the recipient to call a telephone number included in the e-mail, while the other said either the recipient or a “loved one” would be kidnapped unless a ransom was paid. Victims were told they had 48 hours to respond to the e-mail, while the sender would give the location for a wire transfer five minutes before the deadline and make additional threats if the money was not received within half an hour of the time deadline. To convince recipients that the “hitman” knew them, their personally identifiable information was contained in the message. Victims of this scam are usually told to wire money by Western Union or MoneyGram to the United Kingdom.363
361 Id.
362 Haitian Earthquake Relief Fraud Alert, fbi.gov (Jan 13, 2010), http://www.fbi.gov/cyberinvest/escams.htm.
363 Id.
d Astrological Reading
In astrological scams, victims receive e-mails that offer free readings if birthdate and birth locations are provided. Once the reading is received, the victim is encouraged to buy a more extensive reading that will provide details about a favorable event about to happen in the future. The victim then pays for the full reading but never receives it; attempts to contact the “professional astrologer” by e-mail fail, and the messages are returned as undeliverable.364
3.10.3 Identity-Related Hybrid Crimes
Hybrid identity crimes occur when the crime does not clearly fit into either the financial or non-financial identity crime category or when the crime can be either financial or non-financial. Identity tax fraud is a hybrid as it can be a financial or non-financial identity crime. For example, an illegal immigrant that files an income tax return using a fraudulently acquired social security number commits a non-financial identity crime because the tax return itself is filed properly and the income earned is reported properly and he pays the correct amount of taxes; but if he uses other people’s stolen information to obtain a tax refund, he has committed a financial identity crime. Medical identity fraud is a hybrid too. The initial intention might be both financial and non-financial. For example, an illegal immigrant who uses someone else’s identity information and/or document to get medical treatment that he cannot get himself has engaged in a hybrid identity crime. Examples of hybrid identity crime include the following:
1. Real estate fraud
2. Utility or phone fraud
3. Tax fraud
4. Medical fraud
5. Professional identity fraud
6. Credential fraud
7. Insurance fraud
8. Tenancy fraud
9. Bankruptcy fraud
A Identity-Related Real Estate Fraud
Real estate/mortgage fraud often involves criminals who use stolen identities or forged documents to transfer the property title of a registered owner to themselves without the owner’s knowledge.
The criminal takes out a mortgage 364 Id.
on the property and then disappears after receiving the money advanced on that mortgage. Victims often lose title to their property as a result. Real estate fraud is of particular concern in Canada, and it was at the top of the list of predicted growth areas for fraud in the United States in 2009, according to the United States Identity Theft Resource Center.365 The FTC conducted research between 2006 and 2008 to determine the prevalence of specific categories of identity-related crimes. The agency found that real estate loans constituted only 1.3% of all identity crimes in 2006 and 2007, and 1.2% in 2008.366 Some of the most common types of real estate fraud identified by the United States Department of Housing and Urban Development (HUD) are:
1. Home improvement scams in which real estate professionals receive loans in the names of fictitious borrowers or via the stolen identities of real people.
2. Equity fraud, which occurs when a criminal forges the signature of a property owner on a deed in order to steal the equity on the property through loans taken out using that property as collateral.
3. Flipping, an activity in which property is purchased and then resold at an inflated price on the basis of false appraisal values to a fictitious person or via the stolen identities of real people to someone without authorization.
4. Equity skimming, which involves an owner who sells property to a phony buyer at a price far above its real value.367
According to the United States Federal Bureau of Investigation, there were over 63,000 suspicious activity reports (SARs) relating to mortgage fraud in 2008 and nearly 29,000 as of April 2009. To address these reports, the FBI created 56 mortgage fraud task forces and working groups. The agency had more than 2,000 pending mortgage fraud investigations as of April 2009.
The agency estimated total yearly losses resulting from mortgage fraud were over $4 billion.368 Mortgage fraud is generally defined as a material misstatement, misrepresentation, or omission that is relied upon by a lender to fund, purchase or insure a loan. Although mortgage fraud can occur in many different schemes and forms, it is usually committed as either fraud for housing or fraud for profit.
365 Lawson, supra note 164, at 11.
366 FTC 2009 Data Book, supra note 196.
367 Real Estate Fraud, OC.gov http://egov.ocgov.com/ocgov/Clerk-Recorder%20-%20Tom%20Daly/Services/Property%20Documents/Real%20Estate%20Fraud%20Alert (last visited Oct 31, 2012).
368 Fraud Enforcement and Recovery Act of 2009, Pub. L. No. 111–21, § 5, 123 Stat. 1617 (codified as amended in scattered sections of 18 and 31 U.S.C.).
In cases of fraud for housing, the borrower makes misrepresentations, usually regarding income, personal debt, or property value in order to secure a loan. The Federal Bureau of Investigation (FBI) found that fraud for housing accounts for 20 percent of all mortgage fraud in the United States. Fraud for profit involves complicated transactions performed by real estate professionals and bankers to take money from borrowers or financial institutions. According to the Mortgage Asset Research Institute (MARI), participants in fraud for profit schemes “skim equity; overstate income, assets, or collateral value; steal identities to secure or transact loans; overstate appraisal values for the purposes of selling the property multiple times; and invent fictitious properties and buyers to secure loans.”369
1 Examples of Real Estate Fraud
a Straw Buyers
In Wisconsin, a mortgage broker developed a scam that involved setting up “straw buyers,” or people who pretend to be homebuyers, but who never intend to pay the mortgage or live in the home they are purchasing.370 These fake buyers used stolen identities in order to qualify for the home loans. Once they were approved, the broker connected them with sellers who were in on the scam and sold the homes for inflated prices. Seller’s fees were collected on each sale, and part of the illicit earnings was shared with the “buyers.” This fraud satisfied everyone: the sellers received higher-than-deserved prices for the homes; the buyers received a share of the money and did not have to pay back the mortgage amount. However, the scam had negative effects on the banks, which had to handle foreclosed properties, the neighborhoods that had vacant properties, and the individuals who had their identities stolen. The broker in this scheme, James J. Lytle, made $3,000 to $20,000 on each of the 19 deals brokered, dividing the proceeds among his partners in crime. Lytle tricked lenders into providing more than $4 million between 2004 and 2005 for properties that had highly inflated values. Lytle also used a stolen identity to buy his own home for $150,000 more than he had paid for it three years before.
369 Id.
370 Wisconsin Home Loan Fraud Relies Heavily on Identity Theft, Identity Theft 911 (June 15, 2007), http://web.archive.org/web/20071017234342/http://identitytheft911.org/alerts/alert.ext?sp=966.
b Stolen Identities
Augustus C. Okoye of Milton, Massachusetts is facing federal charges for the alleged commission of identity fraud and defrauding mortgage lenders. According to the charges, Okoye used the name, social security number, and birthdate of his brother to obtain mortgage loans and buy three properties in the Boston area. Okoye also lied about the “borrower’s” monthly income, job status, and intent to occupy the properties in order to get the loans.371 Another example of real estate fraud is that of Mahn Huu Doan in Philadelphia, Pennsylvania. Doan, who also used the name Bruce Doan, described himself as a real estate broker. He received a prison sentence of 151 months for a scheme involving mortgage fraud and identity theft. Doan used false or stolen identities to buy houses and used government-insured loans obtained with false information. His schemes also utilized fraudulent and inflated appraisals of property so he could sell it at a higher price. In addition to the prison term, Doan was ordered to pay restitution totaling over $5 million, $5,000 in fines, $400 in a special assessment, and three years of supervised release.372
c Fraudulent Loans
Luis Uribe of Tampa, Florida, a principal of a non-licensed contracting service, allegedly used his mortgage broker’s license to take out 32 fraudulent loans in 2008, resulting in over $6 million in losses. After obtaining the fraudulent loans, he divided the proceeds into bank accounts under his control. Although many notices were filed with county clerks, indicating that work was beginning, no actual construction work was performed, nor were any employees hired by Uribe’s company. According to prosecutors, the firm was used to improperly raise the value of the properties purchased, to take real and fake equity out of the properties, and to “siphon” the proceeds from the fraudulent loans.373
d House Stealing
House stealing is a relatively new crime that combines features of identity crime and mortgage fraud. In this scam, offenders select a house they want
371 Augustus C. Okoye, Man Charged with Defrauding Lenders and ID Theft, Mortgage Fraud Blog (Feb. 09, 2010, 9:18), http://mortgagefraudblog.com/perpwalk/item/12969milton_man_charged_in_mortgage_fraud_scheme.
372 Pennsylvania Man Sentenced for Mortgage Fraud and Identity Theft, Real Estate Rama (June 17, 2009), http://pennsylvania.realestaterama.com/2009/06/17/philadelphia-man-sentenced-for-mortgage-fraud-and-identity-theft-ID0250.html.
373 Mortgage Broker Facing 30 Years for Fraud, Tampa Bay Business Journal (Mar. 28, 2008), http://tampabay.bizjournals.com/tampabay/stories/2008/03/24/daily46.html.
and then assume the identity of the owner. This is usually accomplished by getting personal information from the Internet or through other scams. They then use this information to create fake identification documents, including social security cards. The thieves then buy forms for transferring property from an office supply store, and after forging the legitimate owner’s signature and using the fraudulent IDs, they file deeds with relevant authorities and take ownership of the house.374 There are several variations on the theme as well. Sometimes, thieves use vacant houses like vacation homes or rentals, and after researching to find the owner’s name, use the same procedure to transfer the deed, put the house up for sale, and take the proceeds. Another variation involves stealing a house that still has someone living in it, finding a buyer who is willing to purchase the property after seeing some online photos, and selling the house without the residents’ knowledge. In this case, the legitimate owners continue to pay the mortgage even though they no longer own the house. House stealing can be a more complicated process. The owner of a real estate business in Los Angeles, California scammed over 100 homeowners and lenders out of approximately $12 million by promising to help distressed homeowners refinance their mortgage loans and avoid foreclosure. Instead, she used stolen identities or “straw buyers” to take out new loans to buy the homes. She and her partners took the borrowed money, but never made mortgage payments. The legitimate homeowners lost title to their property, and the lenders lost the money provided to the fake buyers. Martha Rodriguez, the real estate agent, admitted targeting homeowners facing foreclosure.
She said she found victims via computerized databases that list properties going into foreclosure.375 The experience of James and Paula Cook of Frisco, Texas, is a pointed example of the need for a stronger transaction authentication process for real estate. The Cooks traveled away from their home for several days, and when they returned, they found that someone had changed the locks on their house. The following day they met a man who thought he owned their home because he had made a $12,000 down payment to a Carlos Ramirez. Checking their title at the Denton County Courthouse, the Cooks discovered that someone had 374 House Stealing –The Latest Scam On The Block, North County Gazette, (Mar. 25, 2008), http://www.northcountrygazette.org/2008/03/25/house- stealing%e2%80%94the- latest-scam-on-the-block/. 375 Lisa Wade McCormick, “House Stealing” Scam Combines Identity Theft, Mortgage Fraud, Consumer Affairs (Mar. 27, 2008), http://www.consumeraffairs.com/news04/2008/ 03/house_stealing.html.
chapter 3
forged Paula Cook’s maiden name and transferred the deed to Carlos Ramirez. The thief was able to steal Paula Cook’s identity and the house using only a copy of her signature, her social security number, and her driver’s license number.376 Identity experts point to this case as a call for more stringent procedures for transferring the ownership of real estate. The solution, they say, is not a national ID card or a card that is more difficult to forge, but better transaction authentication procedures. The real problem does not involve the misuse of identity information, but fraudulent transactions.377
e Fake Job Applications
In 2004, six individuals were indicted in a scam that involved falsifying documents and obtaining personal identity data from people who thought they were filling out job applications. The offenders then used this information to make false loan applications, fraudulent employment verifications, and altered financial documents.378 The identity thieves used help-wanted ads to get personal information from individuals who thought they were applying for jobs at a mortgage brokerage. The victims were asked for their social security numbers and drivers’ licenses as part of the application process.
f Theft by Deception
John Melchionna was charged with identity theft and forgery after using another man’s identity to take out $270,000 in loans. Melchionna used an associate’s name to buy real estate in Elizabeth, New Jersey, forging the name on mortgage documents to secure the loans. Melchionna also faced court action for charging $300,000 on credit cards obtained in the victim’s name and using the address of investment property owned by the victim. Additionally, the offender collected rents on behalf of the victim while intercepting the mail at the investment property. Melchionna used the identity of another friend to obtain a $40,000 loan and secured that loan with false documentation.379
376 Bruce Schneier, Identity Thief Steals House, Schneier.com (Aug. 29, 2005), http://www.schneier.com/blog/archives/2005/08/identity_thief.html.
377 Id.
378 ID theft leads to charges for six – Amerifunding scheme, The Mortgage Fraud Reporter, (April 7, 2004), http://mortgagefraud.squarespace.com/journal/2004/4/7/id-theft-leads-to-charges-for-six-amerifunding-scheme.html.
379 New Jersey man charged with ID theft and mortgage fraud, The Mortgage Fraud Reporter (Jan. 29, 2010), http://mortgagefraud.squarespace.com/storage/Union.County-Prosecutor.pdf.
g Short-Sale Fraud
In Atlanta, Georgia, Brent Merriell was indicted on charges of aggravated identity theft and of lying to the Federal Deposit Insurance Corporation (FDIC). Neil Barofsky, Special Inspector General for the Troubled Asset Relief Program (SIGTARP), noted that while there were many reasons for the nation’s financial crisis, fraud such as that perpetrated by Merriell had a significant role in the failure of several financial institutions.380 FDIC representatives said that the agency aggressively investigates and prosecutes fraud that puts financial recovery in danger, while the Department of Housing and Urban Development is committed to protecting the limited program funds and ensuring money goes to those who really need help. The agency is working with law enforcement and prosecutors to move against offenders who are looking to gain from the nation’s financial hardship.
According to the charges, Merriell took out millions of dollars in loans in his name and in the names of family members and friends from the Omni National Bank before the bank’s failure. In October 2009, Merriell was delinquent on loan repayments and faced foreclosure on 14 properties. He asked the FDIC to forgive $2.2 million in loan payoffs and to let him use a short sale for two properties. In a short sale, a lender agrees to sell property on which the current owner has defaulted to a third party for less than the total amount due. In this case, however, new real estate purchases were being made in the names of those whose identities had been stolen, and the loan commitment letters and sales contracts submitted by Merriell to the FDIC were counterfeited and forged.
h Real Estate Broker/Investor Fraud
Donella Locke of Indianapolis, Indiana received a sentence of 71 months in prison following a conviction in a case of mortgage fraud. The fraud involved a number of expensive homes throughout the state. Between 2004 and 2006, Locke participated in several fraudulent real estate transactions as either a real estate broker or investor. The transactions were related to homes priced between $300,000 and $1.4 million. For five of the properties, Locke gave a false social security number to the lender and created fake employment verifications, rent verifications, false business names and income amounts, and utilized the name of acquaintances without their knowledge or permission on false residential leases that were also submitted to the lenders. As a result
380 Atlanta man indicted on ID Theft and Short Sale fraud allegations, The Mortgage Fraud Reporter (Jan. 5, 2010), http://mortgagefraud.squarespace.com/journal/2010/1/5/atlanta-man-indicted-on-id-theft-and-short-sale-fraud-allega.html.
of the false documentation and representations, the lenders made loans they would otherwise not have granted.381
B Identity-Related Telephone/Utilities Fraud
One of the first things a criminal does after acquiring illegal identity information or documents is to establish a phone line. He can then use this phone number when applying for new phone or wireless accounts with the stolen identity, or substitute it for the number on existing accounts so that, if the security department contacts the original card holder to verify charges, the offender will be able to verify the charges without the legitimate owner’s knowledge. In addition to phone service, identity criminals may use a stolen identity to obtain utility services, such as electricity, gas, or cable television.382
Individuals who commit identity-related crimes frequently use the telephone as a means of defrauding the elderly or wealthy people. Typically, these crimes involve telling consumers that they have won a lottery or another kind of prize, but must send a cashier’s check before receiving their winnings. In actuality, the person to whom the checks are to be sent does not exist, and the criminal receives the money. Some cases involve the mirroring of actual lottery websites, and “winners” are directed to the fraudulent sites to convince them that the transactions are legitimate.
Scammers can easily commit utilities fraud because very little information is required to open a new account with an electric or other utility company. Identity thieves can call the utility, provide a name, birthdate, and social security number over the phone, and create a new account. There is no check to see if the numbers provided actually belong to the caller, only a verification that the numbers are valid. There is no check as to whether the caller is the legitimate owner of the information. Offenders can use any name they want and simply change the last three numbers of a valid social security number to provide the numerical pattern that will satisfy the systems of utility companies.383 There is no need to provide a copy of a lease or any paper documentation.
The FTC conducted research between 2006 and 2008 to determine the prevalence of specific categories of identity-related crimes. The agency’s findings are summarized below.384 A breakdown of the phone and utilities fraud in
381 Indianapolis woman sentenced to 71 months in prison for mortgage fraud, The Mortgage Fraud Reporter, (Jan. 28, 2010), http://mortgagefraud.squarespace.com/journal/2010/1/28/indianapolis-woman-sentenced-to-71-months-in-prison-for-mort.html.
382 About Identity Theft, supra note 429.
383 Utility Fraud, The Scammers Manifesto (Dec. 27, 2006), http://thescammersmanifesto.blogspot.com/2006/12/utility-fraud.html.
384 FTC 2009 Data Book, supra note 196.
Table 4   Phone or utilities fraud (based on the total numbers of complaints filed)
Category                                     2006    2007    2008
Utilities – New Accounts                     5.8%    5.2%    5.5%
Wireless – New Accounts                      7.2%    6.4%    4.1%
Telephone – New Accounts                     4.4%    7.3%    3.4%
Unauthorized Charges to Existing Accounts    0.7%    0.5%    0.5%
Unspecified                                  0.5%    0.5%    0.2%
Total                                        17%     18%     13%
Source: Federal Trade Commission
Indiana shows that 9 percent of such frauds in the state target wireless phone accounts, almost 11 percent apply to telephone accounts, and 12.8 percent occur in utilities accounts. Phone or utilities fraud represents 30 percent of all fraud in the state.385 In a common phone fraud, an identity thief will gain access to home phone service with a stolen identity and make unauthorized calls that appear as if they are coming from that legitimate account. The charges are displayed on the bill of the real account owner.386
In Ohio, wireless phone frauds represent 9.3 percent of all phone and utilities fraud activities in the state, while nine percent are represented by landline phones. Utilities fraud accounts for 12 percent of all phone and utilities fraud in Ohio, and phone and utilities fraud totals 27 percent of all the fraud in the state.387 Again, the offender gains access to a legitimate account and makes unauthorized calls using the identity information linked to that account, with the charges for all calls showing up on the real account owner’s bill.388
The takeover of mobile phone accounts is another common identity crime. It is often easier for the identity thief to take over the existing account than
385 FTC 2009 Data Book, supra note 73.
386 Ohio Identity Theft, Creditreport.com, http://web.archive.org/web/20100211130943/http://www.creditreport.com/identitytheft/statistics/Ohio-identity-theft.asp (last visited Feb. 12, 2012).
387 FTC 2009 Data Book, supra note 73.
388 Ohio Identity Theft, supra note 509.
Table 5   Indiana phone or utilities fraud
Types of phone and utilities fraud           Indiana   All locations
Wireless                                     9%        10.0%
Telephone                                    10.8%     11.9%
Utilities                                    12.8%     11.9%
Unauthorized charges to existing accounts    0.7%      11.9%
Unspecified                                  0.4%      0.1%
Total                                        30%       28%
Source: Federal Trade Commission
Table 6   Ohio phone or utilities fraud
Types of phone and utilities fraud           Ohio      All locations
Wireless                                     9.3%      10.0%
Telephone                                    9%        11.9%
Utilities                                    12%       11.9%
Unauthorized charges to existing accounts    0.5%      11.9%
Unspecified                                  0.4%      0.1%
Total                                        27%       28%
Source: Federal Trade Commission
to open a new account, because opening a new account requires that a social security number be provided. Existing-account takeover is equally lucrative and more difficult to discover and prosecute. It is possible that the offenders gained access to the cell phone account by stealing a statement that came via the mail.389 Consumers may believe that the cell phone company will simply remove any fraudulent charges, but that is not always the case. An example of mobile phone fraud and the problems it can cause the legitimate account owner is
389 Tom Fragala, Mobile phone account takeover fraud, Truston, (Mar. 9, 2008), http://www.mytruston.com/blog/identity_theft/mobile_phone_account_takeover_fraud.html.
that of Michael Carner and his account with Sprint. In 2007, identity thieves gained access to his account, added 14 new cell phones, and began making calls on the account. Carner was unaware of these activities for two months because he was on vacation. In spite of Carner’s reporting the crime when he returned, things deteriorated: he was assessed late fees, was harassed by collection calls, suffered interruptions in service, and received a $5,000 bill. When he tried to cancel the account, he discovered that the criminals had also extended his contract for two years, so he would have to pay a $200 termination fee to get out of it. He did not receive any bills from Sprint because they were being mailed to another address that was used by the identity thieves, so late fees piled up. After several months of interrupted service, collection calls, and late fees, Carner changed cell phone companies to stop what he felt was harassment for a situation he did not create. Two years later, Sprint still maintains that he owes the early termination fee.390
C Identity-Related Tax Fraud
Criminal tax fraud, also called tax evasion, involves avoiding payment of federal, state, or local taxes via illegal methods. Tax fraud differs from tax avoidance, which is an attempt to lower or avoid paying taxes through legal means, and from tax resistance, which is the refusal to pay taxes for ethical reasons. In 2008, according to the Federal Trade Commission, tax fraud constituted 12.2% of all identity crimes.391
Typically, mistakes and careless actions do not constitute tax fraud. When determining whether criminal tax fraud has been committed, the IRS will look for acts of intentional wrongdoing, which may include:392
1. Failure to file a tax return
2. Understatement of income
3. Providing insufficient records
4. Hiding assets
5. Lack of cooperation with tax authorities
6. Participating in and/or trying to hide illegal activities
Persons convicted of criminal tax fraud may face penalties such as fines of up to $500,000, incarceration, and/or asset forfeiture.
390 Bob Sullivan, Hit by ID Theft, Then Plagued by Sprint, NBC News.com (Mar. 7, 2008), http://redtape.nbcnews.com/_news/2008/03/07/6345893-hit-by-id-theft-then-plagued-by-sprint?lite.
391 FTC 2009 Data Book, supra note 196.
392 Criminal Tax Fraud, Law Office of Sara Azari, http://www.azarilaw.com/html/fraud-forgery.html#tax-fraud (last visited Feb. 12, 2012).
Identity fraud imposes a burden on the national economy because of lost tax revenues and overpayment of income tax refunds, and losses experienced by banks, credit card companies, retailers, and consumers.393 Some of the common methods identity criminals use to avoid paying taxes include:394
1. Creating a new identity or taking over an existing person’s identity to file false income tax returns for the purpose of obtaining refunds.
2. Using false/stolen identity to establish a business to commit income tax fraud.
3. Creating an identity obtained through a stolen passport to obtain a tax or business registration.
4. Stealing correspondence from tax authorities and using the details to get a job or claim repayment for medical and other expenses.
5. Creating companies that do not actually conduct any business in order to simulate transactions that will generate tax refunds.
6. Using a false identity as a manager of a bogus business.
7. Using suppliers’ documentation in a fraudulent manner in order to reduce applicable tax rates or to state fictitious business losses.
8. Filing claims for individuals who do not exist.
According to a report published in 2008, federal law enforcement agencies in the United States conducted a tax-refund fraud investigation that found, in one case, a minimum of $13.1 million in federal and state tax refunds obtained through fraudulent activity.395 The investigation started after a bank reported anomalies in automated clearing house credits received from state and federal revenue offices. Fourteen defendants in the case ultimately pled guilty to charges including aggravated identity theft and wire fraud.396
In 2007, 17 defendants were named in a tax fraud case in which they stole identity information, including social security numbers from elderly nursing home residents, and used that data to prepare state and federal tax returns. The fraudsters created fake W-2 tax forms by listing non-existent employers, false home addresses, and other false information. According to the indictment filed in the case, all of the tax information on the filed returns was completely false.397
393 Tax Evasion and Money Laundering Vulnerabilities, supra note 157, at 4.
394 Id. at 6–7.
395 Trends, Tips & Issues, The SAR Activity Review, Issue 14, October 2008, available at http://www.fincen.gov/news_room/rp/files/sar_tti_14.pdf.
396 Id.
397 Id.
The returns were filed electronically in Internet cafes and other “hot spots” in order to hide the true identities of the filers, and filing fees were paid with credit or debit cards obtained using the names of the identity crime victims. At least 365 federal refund claims were filed with amounts ranging from $4,000 to $47,000. Multiple state returns were also filed. Commercial mailboxes were used to receive the refund checks, and “runners” were used to pick up mail to further conceal the identities of the identity criminals.398 Several bank accounts were opened to receive electronic fund transfers of refund payments as well. Some of the refund money was wired to foreign banks.399 The extensive criminal activity was finally discovered when employees at a bank raised questions about the legitimacy of a number of large federal tax refunds that were deposited into the account of a single individual for the supposed benefit of seemingly unrelated people.400
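The bank-side signal that exposed this scheme, refund credits for several unrelated taxpayers landing in one individual's account, can be written as a monitoring rule. The following is an added example, not part of the book: the record fields, the sample credits, the surname-based relatedness test and both thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RefundCredit:
    account: str    # receiving account (constructed identifier)
    holder: str     # account holder's name on the bank's records
    payee: str      # taxpayer named on the refund credit
    source: str     # "federal" or "state" revenue office
    amount: float   # refund amount in dollars
    posted: date    # date the credit posted


def surname(name: str) -> str:
    """Crude relatedness key (assumption): last word of the name, lower-cased."""
    return name.strip().lower().split()[-1]


def flag_accounts(credits, window_days=30, max_unrelated=2):
    """Flag accounts that received refund credits for more than `max_unrelated`
    distinct payees who do not share the holder's surname, all posted within
    one sliding window of `window_days` days.

    Returns {account: {"payees", "total", "first", "last"}} describing the
    window with the most unrelated payees for each flagged account.
    """
    by_account = defaultdict(list)
    for credit in credits:
        by_account[credit.account].append(credit)

    findings = {}
    for account, items in by_account.items():
        items.sort(key=lambda c: c.posted)
        start, best = 0, None
        for end in range(len(items)):
            # Slide the left edge forward until the window fits window_days.
            while items[end].posted - items[start].posted > timedelta(days=window_days):
                start += 1
            window = items[start:end + 1]
            unrelated = {c.payee.lower() for c in window
                         if surname(c.payee) != surname(c.holder)}
            if len(unrelated) > max_unrelated and (
                    best is None or len(unrelated) > len(best["payees"])):
                best = {
                    "payees": sorted(unrelated),
                    "total": round(sum(c.amount for c in window
                                       if c.payee.lower() in unrelated), 2),
                    "first": window[0].posted,
                    "last": window[-1].posted,
                }
        if best is not None:
            findings[account] = best
    return findings


# Constructed sample data: three receiving accounts.
SAMPLE_CREDITS = [
    # A-100: five unrelated payees within three weeks (pattern from the case).
    RefundCredit("A-100", "Pat Doe", "Ann Poe", "federal", 4000.00, date(2007, 3, 1)),
    RefundCredit("A-100", "Pat Doe", "Bob Quill", "federal", 12500.00, date(2007, 3, 3)),
    RefundCredit("A-100", "Pat Doe", "Cy Rand", "federal", 47000.00, date(2007, 3, 10)),
    RefundCredit("A-100", "Pat Doe", "Di Stone", "state", 8200.00, date(2007, 3, 15)),
    RefundCredit("A-100", "Pat Doe", "Ed Tran", "federal", 15300.00, date(2007, 3, 20)),
    # B-200: a household account; both payees share the holder's surname.
    RefundCredit("B-200", "Lee Chan", "Lee Chan", "federal", 2100.00, date(2007, 3, 5)),
    RefundCredit("B-200", "Lee Chan", "Mei Chan", "state", 640.00, date(2007, 3, 12)),
    # C-300: three unrelated payees, but spread over five months.
    RefundCredit("C-300", "Sam Roe", "Flo Ueda", "federal", 5000.00, date(2007, 1, 5)),
    RefundCredit("C-300", "Sam Roe", "Gus Vale", "federal", 6100.00, date(2007, 3, 20)),
    RefundCredit("C-300", "Sam Roe", "Hal Wynn", "state", 4300.00, date(2007, 6, 2)),
]

if __name__ == "__main__":
    for account, finding in flag_accounts(SAMPLE_CREDITS).items():
        print(account, finding)
```

Widening the window catches slower schemes such as C-300 at the cost of more alerts on legitimate shared accounts, so a flag here is a prompt for manual review rather than a determination of fraud.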
1 U.S. Internal Revenue Service (IRS) Takes Action on Identity-Related Tax Fraud
In the United States, the Internal Revenue Service (IRS) has created a way to identify accounts targeted by criminals who steal personal information for purposes of tax fraud. The method represented one of the agency’s priorities for 2009 and its focus on the protection of taxpayer information.
The IRS is particularly concerned about tax-related identity crime. This crime can be committed in two ways. In the first, a criminal uses stolen personal information to file a fraudulent tax return and claim a refund before the crime victim files a legitimate return. In the second method, a criminal commits employment fraud by using another person’s social security number to get a job with false personal information. This places the victim under suspicion for tax fraud.401
Because a single social security number can be used many times to file false tax returns, the IRS developed an “identity-theft indicator,” which flags suspect accounts electronically. Once an account is marked, the taxpayer does not have to prove the additional fraud occurred; the IRS knows that the account has been previously compromised.402 The agency only uses the indicator where individuals can prove that they were victims of identity crime, however.
398 Id.
399 Id.
400 Id.
401 Gautham Nagesh, IRS Develops System to Combat Tax-Related Fraud, Nextgov (July 9, 2008), http://www.nextgov.com/nextgov/ng_20080709_4805.php.
402 Id. (Maha).
In fiscal 2009, the IRS will begin a second phase involving the indicator, and will develop a more sophisticated algorithm that will be used to distinguish valid tax returns from those that are fraudulent. This is intended to stop tax-related identity crime before it happens.403 Concerns remain about the lack of a standard for flagging accounts throughout all IRS units.
The IRS is also in the process of creating a unit within the agency to help victims of identity crime. When a taxpayer suspects his or her account has been targeted by identity thieves, a telephone hot line will be available for reporting these concerns and for educating consumers about how to protect their financial accounts.404
2 Australian Efforts to Control Identity-Related Tax Fraud
Australian authorities are also taking steps to control and detect identity-related tax fraud. About 33 percent of all fraud cases in Australia involve some kind of identity crime, but the Tax Office has been successful in controlling the efforts of criminals to create identities in order to defraud the tax system.405
The major threat from identity criminals to the tax system in Australia currently involves opportunistic individuals and groups organized to exploit the increase in online transactions to steal personal identity information. This information is then used to “take over” an identity, which can then be used to defraud the tax system. Australia has also detected an organized global effort to trade in stolen identities.406
Some of the steps authorities in Australia have implemented to address these growing problems include:407
a. Creating stronger requirements for proving identity.
b. Educating communities about the importance of the tax file number and its role in personal security, while offering information to tax professionals about how to protect client data.
c. Using the analytical strengths of tax agency staff and other intelligence capabilities to find and respond to suspect transactions.
d. Investigating and prosecuting tax-related identity crime cases.
403 Id.
404 Id.
405 Compliance program 2007–08, Australian Taxation Office, http://www.ato.gov.au/corporate/content.asp?doc=/content/88713.htm&page=75 (last modified Aug. 16, 2006).
406 Id.
407 Id.
In the area of credit and refund fraud, Australian authorities automatically check proposed refunds against a set of criteria developed from intelligence collected from compliance activities. When any type of fraud is detected, all relevant agencies work together toward successful investigation and prosecution.408
An example of a tax fraudster successfully brought to justice following an investigation in Australia is that of a former tax agent who was jailed for his role in identity-related tax fraud.409 Simon Minh Phung received a five-year jail sentence after pleading guilty in 2007 to several charges relating to identity-related tax fraud. The Australian Tax Office alleged that Phung had created 17 false identities between 2000 and 2003 and used them to file 58 fraudulent tax returns. The total amount of money involved was Australian $565,000.410
3 Examples of Tax-Related Identity Crime
Consumer complaints about identity crime increase during the annual tax season. The United States Internal Revenue Service has issued special warnings about e-mail messages sent to taxpayers that appear as if they come from the federal agency. Since the IRS never sends such e-mails, consumers can be assured that the communication is a scam. The frequency of tax-related phishing scams, in which criminals attempt to steal identities, increases as the April 15 filing date approaches.411
a Fraudulent IRS E-Mails
In one fraudulent scheme, a tax refund form is e-mailed to a consumer, purportedly from the Taxpayer Advocate Service, a legitimate organization that helps taxpayers resolve problems. The bogus form tells the recipient that he or she is entitled to a refund of a specific amount. The taxpayer is asked for name, address, phone number, and a significant amount of personal financial information, including bank account number, credit card number, and card expiration date. It also requests the mother’s maiden name. The form is signed with a fictitious name and signature that claims to be that of the Taxpayer Advocate. The scam implies that taxpayers must complete and submit the form
408 Id.
409 Lisa Mak, Former Tax Agent Jailed for Identity-Related Tax Fraud, Australasian Business Intelligence (June 20, 2007), http://www.highbeam.com/doc/1G1-165298320.html.
410 Id.
411 Tax Fraud – Tax-Related Identity Theft, Fraud Guides, http://www.fraudguides.com/tax_identity_theft.asp (last visited Feb. 12, 2012).
to receive their tax refund when this is not the case. Tax refunds are claimed on the annual tax return, and do not require a separate application.412
Another tax-related e-mail fraud involves communications telling taxpayers that the IRS has calculated their “fiscal activity” and found they are eligible for a tax refund of a specified amount. The scammers include what appears to be a copy of the “Where’s My Refund?” page from the real IRS website, and like the real form, it asks the taxpayer to provide social security number and filing status. However, where the legitimate IRS web page asks for the refund amount as stated on the tax return, the fraudulent form asks for credit card account numbers instead.413
Several other fraudulent e-mails are sent by identity thieves that appear to come from the IRS, but are only meant to obtain social security numbers or credit card numbers and other personal information from unsuspecting taxpayers. One bogus e-mail tells taxpayers that they can receive $80 if they fill out an online customer satisfaction survey. Another fake e-mail says it was sent from the IRS “Fraud Department” and asks the recipient to click a link in the e-mail that may activate a Trojan horse virus. Many fraudulent e-mails tell recipients that they are eligible for refunds and claim to come from addresses such as “tax-[email protected]” or “[email protected].”414
b Stolen Refund/Stimulus Checks
Many taxpayers did not receive the refund or stimulus checks to which they were entitled because identity thieves stole their social security numbers. The crime went undetected until the Internal Revenue Service raised questions about the income of the victims. The IRS received thousands of complaints about this fraud in 2009.
Brenton King from Orem, Utah was 17 years of age when his wallet was stolen at a ski resort. By the time he was 25, at least five individuals used King’s social security number to report income. The identity thieves never paid taxes on this income, however, so King could not receive a tax refund or a stimulus check from the government, despite the fact that he reported the theft when it occurred.
According to Senator Max Baucus (D-Montana), it takes the IRS about a year to figure out who the legitimate taxpayer is in cases like this, and in the meantime, the victim’s tax accounts are frozen. Senator Chuck Grassley (R) believes the IRS does not do enough to address tax-related identity crime; the
412 Id.
413 Id.
414 Id.
fact that the agency does not prosecute sends a message to identity criminals that they will get a free pass. However, IRS spokesman Dean Patterson says identity crime is a top priority for the agency, but that a stolen identity is different than a stolen car. With a car, once a few procedures are completed, the incident is over. In the case of identity crime, however, multiple criminals can use the same stolen information many times, creating additional problems for the victims.415
c Tax-Return Identity Crime
Police and Internal Revenue Service officials in Indiana investigated identity crimes following reports by nine taxpayers that someone else had already filed a tax return for them before they filed their own return. At least seven of the nine taxpayers had their tax returns prepared and filed electronically at the same H&R Block office. The returns of four of the complainants had been prepared by the same person.416
D Identity-Related Medical Identity Fraud
The U.S. Federal Trade Commission found that 3 percent of all identity crime victims in 2005 (about 250,000 individuals) were victims of medical identity crime. Information from these victims was used to receive health care, obtain medical benefits, or to get medical insurance.417 In 2006, about 500,000 Americans were victims of medical identity crime, according to the World Privacy Forum.418 The FTC calculated that medical identity crime constituted 2.0% of all identity crimes in 2006 but declined to 1.3% of total identity crimes in 2008.419 In 2010, the Ponemon Institute determined that over 1.4 million people had been victimized by medical identity crime, paying approximately $20,000 each for resolution to their cases. Over 50 percent of the victims said they had to pay for care they never received in order to keep their health care coverage.420
415 Abbie Boudreau & Scott Zamost, Identity theft nets some tax refunds, stimulus checks, Cnn.com (Mar. 20, 2009), http://www.cnn.com/2009/CRIME/03/19/tax.scams/index.html#cnnSTCText.
416 IN: 9 claim tax return ID theft, DataBreaches (Feb. 12, 2010), http://www.databreaches.net/?p=9999.
417 Dixon, supra note 393, at 31.
418 Joe Campana, Identity theft 101: What is Medical ID Theft?, Examiner (Aug. 3, 2009), http://www.examiner.com/article/identity-theft-101-what-is-medical-id-theft.
419 FTC 2009 Data Book, supra note 196.
420 Go Figure: Fraud Data, Coalition against Insurance Fraud, http://www.insurancefraud.org/medicalidentitytheft.htm (last visited Feb. 12, 2012).
Between 1992 and 2006, the Federal Trade Commission took in 19,428 claims from individuals who were victims of identity crime.421 The complaints were divided into those reporting identity crime for the purpose of obtaining medical services and complaints about identity crime for the purpose of getting government benefits like Medicare or Medicaid.422 According to the FTC, the number of identity-crime victims who had their government benefits misused increased from 0.4 percent of all victims in 2001 to 1.5 percent of all victims in 2005.423 Those who suffered medical identity crime increased from 1.6 percent in 2001 to 1.8 percent in 2005, according to FTC statistics.424
In medical identity crime cases, personal identity information is used to obtain actual medical care or to make false claims for care never received. These crimes cause significant financial harm, but perhaps more importantly, they compromise the health of victims through inaccurate records about their physical condition.425 Additionally, a victim’s insurance coverage may become depleted, the victim may lose eligibility for health and life insurance, or could even be disqualified from some jobs.426
The theft of medical information may not be discovered for some time, since few consumers regularly review their medical records. Most do not know their records have been compromised until they receive collection notices or find their coverage limits have been reached when making application to their insurers for coverage.427
It is relatively easy for identity criminals to forge Medicaid and social security cards, which imposters can use to secure medical benefits. This type of theft has potentially deadly consequences for its victims, since the information stored in a medical record belongs to the thief and not to the legitimate owner of the name and card. And with the move toward electronic medical records, all information kept under a victim’s name and social security number can be collated and correlated within seconds. This means that once the imposter’s records are collated with the victim’s, the chances of medical mistreatment of that victim are high.428
421 Dixon, supra note 393, at 31.
422 Id.
423 Id.
424 Id.
425 The President’s Identity Theft Task Force, supra note 405, at 18.
426 Id. at 19.
427 Id. at 20.
428 Campana, supra note 541.
Medical identity fraud should not be confused with financial identity fraud. The main feature of medical identity fraud is the fact that a victim’s medical record is falsified with the input of the thief’s medical data. Financial identity crime occurs whenever someone steals a victim’s identity to commit a fraud or another crime. The incidence of medical identity crime is increasing because of the high and rising costs of health care services. In 2006, health expenditures totaled $2.16 trillion, and by 2015 are expected to reach over $4 trillion. Health care fraud accounts for about ten percent of these costs.429 Medical identity crime represents a lucrative arena for criminals and increased by 197 percent between 2001 and 2005, according to the Federal Trade Commission. Law enforcement prosecuted 537 cases under the Health Insurance Portability and Accountability Act, which was enacted to protect federally subsidized health care benefits. Also under the law were 250 civil enforcement actions that resulted in savings and recoveries of $35.4 billion in 2005.430 Medical identity fraud can be categorized as both a health care fraud and an identity crime. It combines violations of medical privacy with identity crime and health care fraud. It occurs whenever someone’s name or insurance information is illicitly used to obtain medical goods or services, or to make fraudulent claims for those goods or services, falsifying medical records in order to support the claims. It may occur in a health care environment, but not actually constitute medical identity crime. For example, a medical worker may steal the credit card of a patient and make unauthorized purchases, but this is not medical identity fraud. If a doctor alters a medical record to hide an error, this may be health care fraud but not medical identity fraud. 
The central issue with medical identity crime is the intentional misappropriation of personally identifying information, while the main issue in health care fraud involves the intentional submission of false claims.431 Medical identity crime is a crime that involves both information and health care, and thus causes financial, medical, and other harm to the victim.432
Medical identity crime is often difficult to track, but there are commonalities that can be recognized by health care professionals and that can be used to categorize fraudulent activity. For example, someone who is desperate for medical care will sometimes commit medical identity fraud in order to get it. These individuals are not professional criminals, but have a medical need and lack the financial resources to meet it. Medical professionals – insiders with
429 Dixon, supra note 393. 430 Id. 431 Id. 432 Id.
chapter 3
access to patient records – may steal information or fabricate care for profit. Opportunists with access to medical information may succumb to the temptation to make easy money and commit medical identity fraud as well. For example, employees of a medical center in New York could not resist reviewing the medical records of a patient in a highly publicized child abuse case. Finally, organized crime is capable of implementing complicated “clinic takeovers” through which Medicare patients are lured into a facility that is staffed with legitimate or illegitimate doctors, services are performed, and the government is billed without the patient knowing he or she has been the victim of a medical fraud. Such clinics usually stay in business for just a few months and then disappear in order to avoid detection.433
Medical privacy laws like the Health Insurance Portability and Accountability Act make it difficult for patients to review their medical records. While they do have a right to such a review, the records of an identity thief pretending to be the victim are protected by privacy laws. When mistakes are noted by a victim, health care workers can become confused about the law’s requirements and use the law to avoid correcting mistakes in a record. Victims may have to hire a lawyer who understands the complexities of medical privacy law to resolve their issues.434
Creative identity criminals may present a threat to the lives of their victims. In some cases of medical identity crime, offenders have replaced all of the victim’s medical data with their own, which results in inaccuracies and even life-threatening possibilities when the victim goes in for treatment. For example, a victim’s records may reflect the wrong blood type or show the existence of a condition that might preclude him or her from getting a job. If the thief is addicted to drugs, he or she may use the victim’s information to obtain multiple prescriptions.
Victims could suffer reactions to drug allergies that are not recorded because the thief’s information has replaced the real data.435
Additionally, medical identity crime can have serious social consequences. For example, a number of mothers have suffered intense scrutiny by social service organizations, and even faced charges of being unfit parents, when their medical records inaccurately state that they gave birth to children who were addicted to drugs, despite never having had the recorded children. Many were threatened with the removal of the children they did have. Victims could also
433 Id. 434 Campana, supra note 541. 435 Sheila Guilloton, Medical identity theft is a fast growing crime that can endanger your life, Examiner (Mar. 9, 2010), http://www.examiner.com/article/medical-identity-theft-is-a-fast-growing-crime-that-can-endanger-your-life.
experience problems with their insurers if their records show that they have exceeded lifetime limits.436 Several examples of medical identity fraud can be cited.
1 Lack of Insurance
An identity crime investigated by the Doylestown, Pennsylvania police provides an example of how complex a web can be created around the victims of identity crime. A husband and wife discovered that an acquaintance they had known in childhood had lived for ten years under the husband’s name. The offender took up the false identity under the assumption he was under a bench warrant. He was self-employed until he contracted a long-term and ultimately fatal illness without medical coverage. The hospital and doctors had attempted for years to recover the hundreds of thousands of dollars in medical fees charged to the husband’s name by his childhood acquaintance.437
2 Ruined Financially
Hospitals are not always understanding about the predicaments of medical identity fraud victims. Joe Ryan of Vail, Colorado, started to receive bills and then telephone calls from collection agencies involving a $40,000 operation he never had. After Ryan verified that the hospital and collection agency did indeed have his name, social security number, and birthdate, both entities went ahead with their collections actions, despite the fact that someone other than Ryan had undergone the operation. Police believe a career criminal had the medical treatment after stealing Ryan’s identity and then later died. The identity thief left a confession via voice mail, stating that he had to get to the hospital but had no insurance.438
3 Mistaken for Drug Offender
In Utah, Anndorie Sachs was contacted by the state’s Child and Family Services, which informed her that her newborn child had tested positive for drugs. Sachs had not had a child, but the agent who called was convinced she was hiding the fact and told her that the state was ready to take custody of her four existing children.
In actuality, Sachs was the victim of identity crime. The woman
436 Id. 437 International Association of Chiefs of Police, Identity Crime Toolkit for Investigators, To Identity Thieves, Everyone is Just a Number 7 (n.d.) [hereinafter “IACP Toolkit”], available at http://www.theiacp.org/investigateid/pdf/binder-resources/identity-crime-toolkit.pdf. 438 Id.
who stole her identity had a baby using Sachs’ name, and when the baby tested positive for methamphetamine, she left the hospital and her newborn. Sachs was left with a bill of $10,000 and a major problem with social services. Her medical records had been changed to reflect the blood type and the medical history of the thief, a total stranger.439
4 Mistaken Diagnosis
A bill collector harassed a retired school teacher in Florida, Linda Weaver, concerning the payment of a bill for a foot amputation. She was mistakenly diagnosed with diabetes after being the victim of an identity crime and billed for the amputation of her right foot. She refused to pay the bill, sending notarized photos of her foot, still attached, to the hospital as proof she never had the operation. Later on, when she suffered a heart attack, she awoke in a hospital room after several days to find a nurse asking her what medications she was taking for her diabetes, the disease she never had.440 If she had undergone surgery with the doctors thinking she was a diabetic, the results could have been deadly.441
5 Professional Criminal
A professional criminal, Joe Henslik, who had committed bank robberies, check forgery, and other scams, entered a hospital for treatment in 2003 using an identity he stole from a victim while working for a publisher. He received an operation that cost $41,188, but the victim is the one who was billed. The victim had spent two years as of 2006 trying to clear up his financial and medical histories.442
6 Use of Family Member’s Identity
An AIDS patient used the health insurance information of a cousin to obtain about $76,000 in treatment over a period of 15 years before confessing to the identity crime just before he died. A woman in New Mexico received treatment for a toothache using her sister’s identity, and a medical provider has stated that it receives about a dozen identity thieves every week who say they left their identification information in the car.443
439 Five Common Types of Identity Theft, Crime Reduction Canada, http://www.crimereductioncanada.com/Documents/Identity_Theft/IDT_5_Types.pdf (last visited Feb. 12, 2012). 440 Dixon, supra note 393. 441 Go Figure: Fraud Data, supra note 543. 442 Dixon, supra note 393. 443 Id.
7 False Billing by Psychiatrist
A psychiatrist in Boston, Massachusetts was convicted of fraud after he falsely billed insurers for sessions that involved a false diagnosis, non-existent treatment sessions, and fake medical histories. In this crime, the psychiatrist diagnosed one of the children of his victim, despite having never seen the child, and billed an insurance firm for his services.444
8 Murder by Podiatrist
In one of the most terrible crimes associated with medical identity crime, a podiatrist in Chicago, Illinois was convicted of murder after he shot and killed a patient in 2002. A grand jury found Ronald Mikos killed the patient when she refused to lie for him after he had misappropriated her personal information to submit false bills to insurance companies.445
9 Phony Health Clinic
In California, two Ukrainian brothers were indicted for allegedly setting up a phony health clinic where phony doctors performed cursory exams and ordered ultrasound tests on patients who were lured to the clinic with offers of free transportation and baby formula.446
10 Theft by Clinic Employee
The U.S. attorney for the Southern District of Florida indicted Fernando Ferrer, Jr. and Isis Machado for wrongfully accessing computerized patient files and downloading the personally identifying information of over 1,000 patients at the health care facility where she worked as a front desk office coordinator. Machado stole patient names, addresses, birth dates, Social Security numbers, and Medicare numbers, and then sold the information to her cousin, Ferrer. He was instrumental in allowing the information to be used in submitting $2.8 million in false Medicare claims. Both were charged with identity theft, conspiracy to commit computer fraud, and wrongfully disclosing individuals’ health information, plus computer fraud and aggravated identity theft.
The prosecution is occurring under the Health Insurance Portability and Accountability Act and is the first of its kind in the district and the third in the U.S.447
444 Id. 445 Id. 446 Id. 447 Id.
11 Use of Acquaintance’s Identity
Rasheem Tolliver of the Bronx, New York, used a stolen identity to receive medical treatments totaling $70,000 and to sue a landlord for injuries incurred when he fell from a fire escape. The New York State Insurance Department Frauds Bureau arrested him after he admitted using the identity of an acquaintance. Tolliver was uninsured and received emergency and follow-up care under the stolen identity. He then used that same identity to file a negligence lawsuit against the landlord. Tolliver was charged with identity theft, insurance fraud, and falsifying business records.448
E Identity-Related Credentials Fraud
Credentials have become increasingly important as a way to determine the competence of individuals in a particular realm of endeavor or simply to provide a method for enhancing trust. For example, PIN numbers and passwords are required for financial transactions, while academic credentials assure the public that individuals have the education to be qualified on a subject. The certification of true identity and competence is important among individuals associating in the real, globalized world. However, there is concern that the system of trust enabled and represented by credentials is being severely damaged by fraud.449
In the world of academics, the credentialing process represents the core of the higher education system. Individuals typically receive two types of documents during this process: a transcript that shows the academic history of the degree holder, and a testamur, showing the details of the degree obtained. The documents prove to prospective employers that the individual has the skills and knowledge needed for the job. These documents have a distinct value, similar to that of birth certificates, passports, or social security cards.450 To avoid fraud, institutions impose various means of authentication and verification.
Specialized companies are in the business of checking references and performing background checks. Such checks are useful, since qualification fraud is common. In the United States, a 2003 study found that nearly 500,000 individuals lied to their prospective employers every year about
448 Bronx Man Allegedly Steals Identity to Obtain Health Insurance, Insurance & Financial Advisor (Sept. 24, 2009), https://web.archive.org/web/20090930125600/http://ifawebnews.com/2009/09/24/bronx-man-allegedly-steals-identity-to-obtain-health-insurance/. 449 George Brown, Fighting Credential Fraud: A Brief Critique of Australian and American Approaches to Qualification Verification and Authentication, World Education News & Reviews (Oct. 2005), https://web.archive.org/web/20120705231519/http://www.wes.org/eWENR/05oct/feature.htm. 450 Id.
having graduated from an institution of higher learning.451 In 2002, a study of more than 7,000 resumes discovered that 52 percent of academic job candidates claimed a partial degree as a full degree.452
Higher education credentials are valuable in the marketplace, since these qualifications lead to higher social status and better jobs. However, the increase in the number of unrecognized providers of degrees and the large number of “diploma mills,” fraudulent transcripts, and inflated testamurs available indicate a real need for authentication procedures that can effectively control fraud.
In one case of credentials fraud in China, a police officer stole another student’s identity in order to help his daughter gain entrance into the university. The official, Wang Zhengrong, stole the identification number and the name of one of his daughter’s classmates, who had achieved significantly higher scores on a national college entrance examination. As a result, the official’s daughter went to the university, while the legitimate owner of the name and number, Luo Caixia, was required to spend a year re-taking the test. She eventually went to another university. The situation was discovered when Luo attempted to open a bank account and was told there were problems with her personal information. Luo has turned to legal authorities for resolution. She cannot receive necessary graduation and teaching certificates, since they have already been issued to another person using her name.
The case caused outrage in China where the national college entrance examinations are critical for young people. Since the exams determine who will go to university and which university they will attend, they are key to social mobility.453 Students who attend private universities have more job opportunities than those who go to government schools. Therefore, the competition for university positions is intense.
Many Chinese condemned the father for his actions, but in his view, he was only trying to ensure that his daughter had a secure future.454
F Impersonating Professionals
Identity crime sometimes takes the form of impersonation of a professional person such as a doctor or lawyer. The theft of a doctor’s identity can cause particular harm to patients through inadequate or dangerous care and to the physician through damage to his or her professional reputation.
451 Id. 452 Id. 453 Chinese Anger at Student ID Theft, BBC News, http://news.bbc.co.uk/2/hi/8036431.stm (last updated May 6, 2009). 454 Toddy Martin, A Discussion on Identity Theft Cases in China, Ezine Articles (Jan. 10, 2010), http://ezinearticles.com/?A-Discussion-on-Identity-Theft-Cases-in-China&id=3613843.
In one case, a doctor in Tennessee was a victim of professional identity crime when his Medicare provider number was stolen by criminals who used it to bill false claims under the government program in his name. Without the doctor’s knowledge, over $1 million in payments from Cigna Medicare was funneled to the fraudsters.455 Nurses can be the victims of professional identity crime as well. In New York in 2005, the state attorney general filed suit against a woman who had impersonated a nurse for two years.456
Frank William Abagnale, Jr., who was born April 27, 1948, is one of the most famous professional imposters. He successfully impersonated a doctor during his criminal career in the 1960s, as well as a lawyer and an airline pilot. He was also successful in passing $2.5 million in forged checks in 26 countries during a five-year period. He currently operates a financial fraud consultancy company.457
Another imposter famous for his medical impersonation was Ferdinand Waldo Demara, Jr., who died in 1982. He was known as the “Great Imposter” and was successful in impersonating many professionals during his life, including a surgeon and cancer researcher. Probably his most famous effort was taking the identity of a living person and passing himself off as a surgeon on the HMCS Cayuga in the Royal Canadian Navy during the Korean War. With the help of his photographic memory, he was able to perform major surgeries and handle wound infections, and all individuals under his care survived. When his impersonation was discovered, the captain of the ship refused to believe Demara was a fake. The Navy did not press charges against him and he returned to the United States.458
G Identity-Related Insurance Fraud
Insurance-related identity fraud accounts for 0.3% of all identity crimes.459 Identity criminals can obtain insurance by using stolen identity information.
They are most likely to take out homeowners, renters, health, or car insurance, depending on their requirements. If an identity criminal has committed employment fraud, he or she may decide to obtain employer-sponsored
455 Dixon, supra note 393, at 30. 456 Id. 457 Frank Abagnale, Wikipedia, http://en.wikipedia.org/wiki/Frank_Abagnale (last modified Oct. 23, 2012). 458 Ferdinand Waldo Demara, Wikipedia, http://en.wikipedia.org/wiki/Ferdinand_Waldo_Demara (last modified Oct. 5, 2012). 459 FTC 2009 Data Book, supra note 196.
health insurance under the identity used to get the job. If the offender uses that health insurance to visit a doctor or hospital, the thief may be committing medical identity crime as well as insurance theft. Illegal immigrants who use stolen identities may visit a hospital emergency room and be treated under the name and social security number of the identity crime victim. The charges are made to the victim’s health insurance in these cases. Identity criminals who take out a new mortgage or rent a house using a stolen identity may buy homeowners or renters insurance under that same identity. If they purchase a car, they may obtain auto insurance under the victim’s name.460
A former resident of New Jersey was indicted on charges related to insurance fraud, identity theft, and falsifying records. According to the indictment from the Burlington County grand jury, Jeremy Sager impersonated another individual through the fraudulent use of the name John M. Schlauer. Sager used this name on official documents between 2003 and 2006. He reported being in an automobile accident in Philadelphia in which he had hit a pedestrian. In the lawsuit arising from the accident, Sager, using the name of Schlauer, falsified and submitted documents to a New Jersey insurance firm and attempted to defraud that firm of about $100,000 in benefits to be paid to the plaintiff in the lawsuit. According to New Jersey insurance fraud investigators, it is common for insurance to be obtained and claims made under false identities.461
H Identity-Related Tenancy Fraud
People who have poor credit histories or a history of past legal problems may use the identities of others in order to rent a home or business location. In such cases, victims of tenancy fraud may be landlords who face unpaid rent, property damage, and other tenant-related problems.462 There are particular issues that arise when offering rental properties and real estate online.
Authorities have received many complaints from victims of scams that involve apartment and house rentals. A typical rental fraud occurs when a victim advertises rental property and is contacted by a potential renter. Once they agree on a rental price, the criminal forwards a deposit in the form
460 Joe Campana, Identity theft 101: What is Insurance Fraud?, Examiner (Sept. 8, 2009), http://www.examiner.com/article/identity-theft-101-what-is-insurance-fraud. 461 Press Release, N.J. Dept. L. Pub. Safety, Former New Jersey Resident Charged With Identity Theft and Auto Insurance Fraud (Apr. 8, 2009), available at http://www.nj.gov/oag/newsreleases08/pr20080408a.html. 462 Lawson, supra note 164, at 14.
of a check to the property’s owner to cover expenses. The scam proceeds in one of two ways. The check may be written for more than the specified amount and provided with the instruction to have the remainder sent back to the scammer, or the check will be for the correct amount, but the scammer backs out of the agreement and requests a refund. Banks do not generally put holds on the funds, so the victim has immediate access to them and thinks the check has cleared. Ultimately, the victim discovers the check is a fraud, and he or she is responsible for all the losses.463
I Identity-Related Bankruptcy Fraud
The bankruptcy system is often used by identity criminals to commit a crime. An identity criminal may file a case in bankruptcy court using the name and/or social security number of another individual if the criminal was barred from filing multiple bankruptcy cases. Or the personal information of another person could be used on a bankruptcy petition to obtain an automatic stay without having the filing associated with the criminal’s name. There have also been cases in which parents file bankruptcy in a child’s name, thinking that this will not negatively impact the child’s credit rating. Or another person’s identity may be used in a bankruptcy filing for purposes of revenge, as in the case of an ex-spouse or partner.464
Identity criminals sometimes use the information from a bankruptcy case to obtain a driver’s license, a job, an apartment, a loan, a credit card, or other property in the name of the victim. The false identity could be used initially to create a credit account, and then if the thief is unable to pay, he or she may file bankruptcy under the false name to postpone the consequences of the default.465
In one case, a California woman’s social security number and driver’s license number were stolen by another woman who worked for the college attended by the victim.
The criminal used the victim’s personal information for more than three years, opening accounts and renting an apartment in the victim’s name. When the thief ultimately defaulted on the rent and all other financial obligations, she filed for bankruptcy in the victim’s name to postpone her eviction.466
463 New E-Scams and Warnings, F.B.I., http://www.fbi.gov/cyberinvest/escams.htm (last visited Feb. 13, 2012). 464 Sandra R. Klein, Identity Theft & Bankruptcy Fraud, ABI Committee News (June 2005), http://www.abiworld.org/committees/newsletters/CFTF/vol2num1/theft.html. 465 Id. 466 Id.
Some identity criminals target homeowners who face foreclosure, fraudulently promising the homeowners that they can negotiate with lenders for lower payments or refinancing, or help with finding investors to buy the property. To further their schemes, the criminals convince homeowners to implement quitclaim deeds and transfer the property to the fraudsters. These crimes are lucrative for the thieves who charge victims “upfront fees” and monthly “rent.” They then file fraudulent bankruptcy cases using false identity information rather than contacting lenders as they promised the original homeowners.467
Once they get an automatic stay, the thieves may change the deeds and transfer the property to other persons under their control. Additional bankruptcy cases are filed in these names. By continually transferring property and filing serial bankruptcies, thieves can delay foreclosure for years. The fraudulent use of a victim’s personal identity information in a bankruptcy case is especially negative because laws and courts are used to facilitate the fraud.
3.10.4 Identity Crimes Committed to Commit Other Crimes
In thinking about the use of information and documents to commit one of the four kinds of identity crimes (financial, non-financial, hybrid, or other identity crimes), it is sometimes the case that the commission of one of these crimes is only a step in a progression to commit other crimes. Consequently, this section discusses how illegal use of information or documents is sometimes merely a tool to commit one of several other types of crime: terrorism, money laundering, illegal immigration, drug trafficking, or organized crime.
A Terrorism
In the United States, the 9/11 Commission’s report emphasized the importance of preventing and addressing identity crimes and their role in terrorist activities. According to the report, fraud no longer represents simply a matter of theft.
With the proliferation of terrorism around the world, fraudulent travel documents have become as critical as weapons for offenders. In many cases, the gate for boarding an aircraft is the last chance to determine whether the travelers are who they purport to be.468
Economic identity fraud is particularly attractive to terrorists as a way to fund their operations.469 Several countries have reported cases of fraud believed to be associated with terrorist activities, while others are concerned
467 Id. 468 IACP Toolkit, supra note 560, at 11. 469 U.N. Draft 1 Short Version, supra note 143, at 39–42.
about small-scale, local identity fraud activities that may be used to finance terrorist groups.470 Locally based identity fraud is becoming more common as a source of terrorist funding because of the low cost of many terrorist activities, the ease of exploiting the weaknesses of large transnational operations, and the fragmentary nature of groups like Al Qaida.471 Both large and small terrorist organizations have used credit card fraud, and some countries are concerned about the use of fraud against providers of telecommunications services to obtain access to Internet, e-mail, and phone connections that are anonymous and untraceable.472
There is also considerable worry related to the possible use of charitable fraud to finance terrorist actions. The abuse of charities and nonprofits involves using these organizations to launder money or secretly transferring funds to terrorists, in addition to fraud and the diverting of donations to questionable sources.473 There are two major ways that terrorists use charities to finance their operations. One is to establish a fake charity for purposes of funding terrorist acts directly. The other is to infiltrate legitimate charities in order to divert their donations to terrorism. These actions are considered either fraud or theft against the charitable organization.474
Legitimate charities are concerned because stringent accounting requirements imposed to stop diversion of funds are difficult to meet, and they increase the organization’s administrative costs. And even the mere hint of a link to fraud or terrorism tends to deter donors. Legal organizations linked to specific religious, ethnic, or cultural communities are especially impacted if these interests are associated with regions where conflict exists.
It can be difficult to distinguish between fraud and other crimes in these cases.475 Many countries are investigating the use of identity crimes committed by terrorists that allow them to obtain personal identity information and documents that could be used to operate without the fear of arrest or surveillance that would be the case if a terrorist’s true identity is known.476 International authorities are concerned about terrorists using false identity documents to avoid scrutiny. Documents might be altered or forged, or they
470 Id. 471 Id. 472 Id. 473 Id. at 40. 474 Id. 475 Id. at 41. 476 Id.
may be genuine documents obtained via the use of false names and birthdates. Sympathizers to the terrorists’ cause may also simply give their documents to questionable groups for their use and then claim, falsely, that the documents were lost or stolen.477
Identity crimes linked to terrorism are difficult to separate from other crimes without clear evidence. Many basic criminal scenarios for terrorist-related crimes are the same as those for other organized criminal groups. These crimes may be associated with the financing of terrorism in the same way as to money-laundering.478
In addition to using identity crime to facilitate their global travels, terrorists may finance operations via stolen credit accounts. A group of international terrorists in the United Kingdom relied on stolen credit card information obtained through phishing attacks and laundered the funds through online gambling websites to finance their activities. Credit card data has also been placed on the black market, and the terrorists were able to create a network of websites that allowed them to communicate.479
No one is immune from these activities, as the experience of Chief William Berger of the Palm Bay, Florida police department illustrates.480 Berger was holiday shopping in 1997 when he applied for a store credit card to get an immediate discount on his purchases. He received the card and a statement about a month later, paid the bill, and never used the card again. In 1999, he received another statement that showed he bought auto insurance from an unknown company. Since he knew he had used the same insurer for 20 years, he contacted the credit card firm and discovered that between the time his statement was issued and the time he telephoned, over $6,000 in additional auto insurance from four other companies had been charged to his credit card account.
The credit card firm investigated the issue and cancelled his card ten days later and zeroed out his account.481 Berger continued to ask questions about what had occurred and learned that he had made an excellent target for identity criminals because his card had remained dormant for two years and because South Florida, where he lives, is a popular location for retirees. Retirees tend to leave active lines of credit open when they die, presenting easy pickings for criminals in the credit
477 Id. at 39–42. 478 Id. at 42. 479 IACP Toolkit, supra note 560, at 11. 480 Id. at 5. 481 Id.
industry. Over 19,000 complaints concerning identity crime were reported to the Federal Trade Commission by Florida victims in 2007.482
Berger’s credit card firm suspected that some of their employees gave or sold personal information to criminals who then used it to buy the unauthorized car insurance. Later on, the credit card company discovered that these same individuals bought the insurance to establish fake accidents, which in turn, generated false claims. The groups that reaped the benefits of these scams were linked to terrorist organizations in the Middle East, and these groups used the insurance settlement money to fund terrorist activities, such as the attacks of September 11, 2001.483
The focus on terrorism and its control and prevention has increased around the world since the attacks in the United States in 2001. It has become clear to investigators that the scope of terrorists’ criminal activities goes far beyond the obvious acts of violence to include financial crimes that are committed to fund their operations. The U.S. Federal Bureau of Investigation (FBI) has emphasized the threats presented by the crimes of identity fraud and social security fraud. Terrorists commit these crimes to gain employment, to access secure locations, and to obtain driver’s licenses and bank and/or credit card accounts to fund their actions.484
The Terrorist Financial Review Group within the FBI has joined with the Social Security Administration to investigate social security numbers associated with past terrorism investigations and is expanding the traditional scope of these investigations. Currently, investigators include fraud schemes committed by groups that use the proceeds to finance terrorist organizations.485
While the U.S. Department of Justice Executive Office for U.S. Attorneys’ definition of terrorism concentrates on acts designed to further political goals through threat or force, many of the criminal charges brought against suspected terrorists have not involved such acts. Of the 33 lead charges brought in connection with international terrorism cases, the second-most common category involved charges of fraud and the misuse of identification documents. The third largest group of charges involved fraudulent passports and visas.486
482 Id. 483 Id. at 7. 484 Gary Gordon et al., Identity Fraud: A Critical National and Global Threat, 2 J. Econ. Crime Mgmt. 1 (2004), available at http://www.utica.edu/academic/institutes/ecii/publications/articles/BA2C8FE1-D0EC-26B6-50870F45EA5CC991.pdf. 485 Id. 486 Id.
From 1997 through September 11, 2001, the most common charges for international terrorism were kidnapping, murder, and the taking of hostages. The most common domestic terrorism charges involve importing and storing explosives. However, the charges most commonly imposed from September 12, 2001 through March 2002 were associated with fraud. Close to 40 percent of combined international and domestic terrorism cases during this period involved general fraud and/or false statements. Such charges represented just 4.8 percent of federal terrorism charges for combined international and domestic cases during the previous five years.487
B Identity-Related Money Laundering
Money laundering is generally addressed by law enforcement authorities through elements of identity and the identity-related activities criminals use to launder illicit proceeds. Most anti-money laundering programs and policies depend on the ability to identify the parties to a financial transaction, i.e., “know your customer.”488 Reliable identification processes are key to the control and/or deterrence of additional crimes. Methods of money laundering are often connected to the use of information and communications technologies.489 These technologies make it possible to remotely transfer large amounts of money and expand efforts in international transfer and offshore banking, all of which complicate the regulatory environment. The Organization for Economic Cooperation and Development conducted a survey to determine the most common ways identity fraud was used to facilitate money laundering. Several methods were discovered by the tax authorities that participated in the survey. These included:490
a. Using false and stolen information to establish businesses using other identities to commit tax and GST/VAT fraud.
b. Depositing large amounts of cash that are then transferred to other accounts in different countries, so that funds are transferred to legal businesses.
c. Gaining access to major depositories of identifying information via computer hacking, compromising employees with access to the data, or deception.
487 Id. 488 U.N. Draft 1 Short Version, supra note 143, at 60. 489 Id. 490 Tax Evasion and Money Laundering Vulnerabilities, supra note 157.
d. Using the Internet to get information about companies making sales online in order to transfer money from the accounts of those firms to personal accounts opened under a false identity.
In France, identity fraud has been used in the advertising sector. These scams involve the use of identity and corporate identity to extort money from companies to which a bogus ad agency has “sold” advertising space. This scam is sometimes used by money launderers. Money laundering has traditionally been linked to the attempts by drug traffickers to transform their ill-gotten gains into legitimate financial assets. According to the U.S. Drug Enforcement Agency (DEA), the total of yearly laundered funds estimated in 2003 was $600 billion, or about 2 percent of the world’s gross domestic product.491 Drug trafficking remains a major reason for money laundering, but the globalization of financial services combined with advances in technology has transformed the process into a serious threat for financial institutions. According to the Suspicious Activity Reviews (SARs), which are filed by financial institutions, the top-ranked category of suspicious activity between April 1996 and November 2002 involved money laundering, which accounted for 48.2 percent of the reviews filed during those years. In 1996, 843 defendants were sentenced in federal money laundering cases, while by 2000, 1,106 such defendants received sentences, according to the U.S. Treasury Department.492
1 Examples of Money Laundering
Several high-profile cases identified by Transaction Systems Architects illustrate how money laundering threatens financial institutions and erodes the public’s confidence in such institutions that do not have appropriate money-laundering detection programs.
a Bank of New York
Between February and August of 1999, a Bank of New York former vice president and her husband created accounts at the bank for three firms and facilitated 160,000 unauthorized wire transfers totaling more than $7 billion for customers of Russian banks. The case prompted the Bank of New York to make an agreement with the U.S. Federal Reserve, which required the creation of an effective program to control money laundering and prevent future actions of this kind.493
491 Gordon et al., supra note 607. 492 Id. 493 Id.
b Operation Casablanca
In 1988, the U.S. Customs Service implemented a sting operation that led to the conviction of 28 bankers from two of the biggest banks in Mexico. The money laundering actions included 13 wire transfers made by the head of the Banco Industrial de Venezuela’s office in Miami, Florida, which totaled $4.1 million.494
c Noncompliance Cases
Noncompliance cases involved the failure to meet government regulations designed to fight money laundering. The Financial Crimes Enforcement Network of the U.S. Department of Treasury imposed penalties on nine banks between April 1999 and April 2000 for not complying with the Bank Secrecy Act (BSA). The penalties totaled over $1.3 million. Among the banks in noncompliance was the Sunflower Bank, N.A. of Salina, Kansas. This bank had filed 1,900 Currency Transaction Reports (CTRs) in an improper manner.495 Authorities note that there is no aggregate data concerning the use of identity theft and fraud in money laundering activities, but that it is safe to assume that the perpetrators of these crimes did not always act under their true identities. It is likely that they either stole, produced, or purchased fraudulent identity documents to facilitate the laundering of their funds.
C Identity-Related Illegal Immigration
It is a well-known fact that millions of illegal aliens working in the United States are using stolen identities. The first thing illegal immigrants usually do when entering the country is obtain a social security number, which they need to get a job, and they often get one illegally. It is likely that thousands of American citizens are sharing their identities with immigrants and have no knowledge of it. The scope of the problem is huge: each year almost 9 million individuals pay taxes under the wrong social security number or the name on W-2 tax forms does not match the name on file with the Social Security Administration (SSA).496 While there can be many reasons for such errors, in some cases it is an indication that someone has used another person’s social security number to gain employment. When the SSA faces this situation, it collects the money and puts
494 Id. 495 Id. 496 Bob Sullivan, Hidden Cost of Illegal Immigration: ID Theft, NBC News.com (March 31, 2006, 10:00 AM), http://redtape.nbcnews.com/_news/2006/03/31/6346107-hidden-cost-of-illegal-immigration-id-theft?lite.
wage credits into the Earnings Suspense File. Since 1984, that file has collected almost $500 billion.497 There are also indications that many of the 9 million mismatched names and numbers represent immigrants using the wrong social security number; the SSA found that these “no-match” payments come most frequently from the agricultural and restaurant industries. Some of the wrong numbers are selected at random, or they may belong to a deceased person, or they may be totally fictitious. However, many of the numbers come from real victims, including children.498 Victims rarely know that their information has been stolen because there is no way for them to find out. The Social Security Administration does not inform victims if their numbers are being used by another person, and the extra earnings are not reflected on the victim’s statement because they go to the Earnings Suspense File. The Internal Revenue Service does not reveal information about misuse of data, nor do credit reporting agencies. Victims only discover the problem when unpaid taxes or unpaid bills show up, and debt collectors track down the legitimate holder of the social security number.499 In 2006, federal authorities raided the meat-processing plants of Swift & Co. in six states and arrested 1,282 individuals. These individuals were charged with immigration violations, and 65 also faced charges of identity theft and other crimes.500 There are almost 200 nations that use unique passports, stamps, seals, and visas, so the potential for document fraud in the area of immigration is very great. There are also over 8,000 state or local offices with the authority to issue birth certificates, drivers’ licenses and other documents in the United States, presenting additional opportunities for aliens to establish identity and/or residency. They may also use such documentation to enter the U.S., avoid being deported, or obtain permanent residency.501 Usually, a person attempting to enter the United States at a port of entry faces inspectors from the Immigration and Naturalization Service (INS), who
497 Id. 498 Id. 499 Id. 500 IACP Toolkit, supra note 560, at 10. 501 Richard M. Stana, Director, Justice Issues, United States General Accounting Office, Identity Fraud: Prevalence and Links to Alien Illegal Activities, Statement Before the Subcommittee on Crime, Terrorism and Homeland Security, and the Subcommittee on Immigration, Border Security, and Claims, Committee on the Judiciary, House of Representatives (June 25, 2002), at 6, available at http://www.gao.gov/new.items/d02830t.pdf.
require the individual to produce one of several documents proving identity and/or authorizing his or her entry into the country. Documents include border-crossing cards, U.S. passports, alien registration cards, and non-immigrant visas, among others. Inspectors at entry points discover tens of thousands of fraudulent documents every year. Between 1999 and 2001, INS inspectors intercepted more than 100,000 fraudulent documents each year.502 While most individuals use identity theft or identity fraud to enter the country illegally, some use fraudulent documents to commit more serious crimes, including drug trafficking and terrorism. According to the INS, its efforts to enhance enforcement on the southwest border of the U.S. have resulted in a greater reliance on smugglers, who have become more sophisticated and organized than in the past. The agency predicts the reliance on fraudulent documents in connection with the smuggling will increase in the future.503
D Identity-Related Drug Trafficking
Drug trafficking is made easier with the use of fraudulent identity documents. This crime has been categorized as a rapidly growing problem by the U.S. Customs Service and the Office of National Drug Control Policy (ONDCP). It is estimated that the flow of cocaine through the area known as the Transit Zone, which includes the Gulf of Mexico, the Caribbean, and the eastern Pacific Ocean, amounts to over 500 metric tons each year. Most of the smuggling is done in small, high-speed boats that cannot be detected by radar; it is estimated that 90 percent of these boats reach their destinations. In 2001, the U.S. Coast Guard reported record seizures, including 138,393 pounds of cocaine and 34,520 pounds of marijuana.504 According to the National Association of Counties, identity crimes linked to methamphetamine rose from 27 percent in 2005 to 31 percent in 2006.505 Some users of the drug commit identity crime to obtain their supplies. They can generate cash by stealing and cashing personal checks or by using stolen credit cards to buy items they either resell for cash or trade for drugs. In California’s central valley, which has been designated as a High-Intensity Drug Trafficking Area, traffickers have organized groups of drug users and told them to steal personal identity documents and paid them in methamphetamine. The stolen identities obtained by the drug trafficking organizations are used to launder the drug money by opening bank accounts in the victims’
502 Id. at 7. 503 Id. at 10. 504 Gordon et al., supra note 607. 505 IACP Toolkit, supra note 560, at 9.
names, using the identities to transfer large amounts of money via money services firms and to buy money orders that require proof of identification. They may even apply for mortgages using the victims’ identities or go online and make purchases in their names. The organized drug traffickers may use stolen identities to provide criminals with new names in order to avoid prosecution or deportation. They may also buy the chemicals essential to drug manufacture with the stolen credit cards or checks.506 Law enforcement investigations indicate that abusers of methamphetamine are most often implicated in the drug-related identity crime complaints they receive. Officials in California, Arizona, Arkansas, Oregon, Colorado, Kansas, and Washington have found stolen mail and other documents linked to identity theft at locations searched under warrant for methamphetamine. The Federal Trade Commission found that the rates of reported identity crime are highest in states with high levels of methamphetamine distribution and abuse.507 The drug abusers often find their identity information by going through victims’ trash, stealing their mail, or via Internet scams. Mario Earl of Seattle, Washington, the head of a crime ring that was involved with drug trafficking and bank fraud, was sentenced to 102 months in prison and required to pay some $30,000 in restitution for charges relating to conspiracy to distribute marijuana and bank fraud. He was arrested in January 2009 after an investigation of a drug trafficking organization determined that large amounts of the drug were being moved from Seattle and Phoenix, Arizona to Chicago, Illinois. The drug trafficking was found in connection with an investigation of bank fraud, which showed that conspiracy members obtained identity documents with stolen names and skimming data from bank debit and credit cards. The leaders of the bank fraud ring were also sending large amounts of marijuana through FedEx to Chicago.508
E Identity-Related Organized Crime
Organized criminal gangs are taking advantage of the lucrative opportunities available with identity crime. The criminals use many methods to steal the personal information of their victims. For example, two Russian immigrants
506 Intelligence Bulletin: Methamphetamine-Related Identity Theft, Nat’l Drug Intelligence Center (May 2007), http://www.justice.gov/archive/ndic/pubs22/22972/index.htm#top. 507 Id. 508 Press Release, U.S. Dept. of Justice, Leader of Drug Trafficking and Bank Fraud Ring Sentenced to 8+ Years in Prison (Jan. 11, 2010), available at http://www.atf.gov/press/releases/2010/01/011110-sea-drug-and-fraud-ring-ldr-sentenced.html.
earned their living by driving through semi-rural, wealthy neighborhoods where mailboxes are located in clusters along a road. They were looking for credit cards to steal. Then, with a few phone calls, they would activate the cards and recruit another person to buy goods with cards at a variety of high-end stores. The goods would be returned for cash or credit to the thief’s own account.509 In 2002, identity crime was considered to be the fastest growing crime in the United States. Mail theft is the usual precursor to an identity crime. Since mail theft is a federal crime, the postal service acts as chief investigator in many cases and apprehends more identity criminals than any other agency. It took four years of surveillance and wire taps and interviews with low-level criminals before the Russian credit card scam was stopped. When the ring was finally discovered, investigators estimated that they stole and used over 800 credit cards and netted about $1 million a year.510 Identity criminals do not operate in the classic “mafioso” style of criminal organization, but tend to work in a looser network of “cells” that do business with one another instead of reporting in a hierarchical manner to a “boss.” According to Jim Deal, an agent with the Secret Service, these criminals are not looking for a thrill or quick money for drugs; they are exploiting loopholes in the system and doing business in a less-than-lawful way. The decentralization makes these gangs difficult to find and prosecute, but a growing number of identity criminals worldwide are operating this way.511 Russian, Asian, Romanian, and Mafia groups have entered the identity crime arena and are involved with credit card fraud, mail fraud, and check fraud. In San Jose, California, a gang of 15 Samoans was charged with mail theft, and the first case of skimming in the Lake Tahoe area – the use of a device to take information from the magnetic strip on a credit card – involved an Asian gang that stole the credit card numbers of 56 customers at a sushi restaurant and ran up $839,000 in charges in a single month. A Romanian group on the West Coast specialized in breaking into cars in remote campgrounds and stealing credit cards to get cash advances in Nevada casinos as well as to make counterfeit identity documents. Rural mailboxes represent the most tempting target for organized gangs, who troll for identity information
509 Identity Theft: The Organized Crime Factor, Identity Theft 911 (Aug. 2003), http://web.archive.org/web/20100524045303/http://identitytheft911.org/articles/article.ext?sp=90. 510 Id. 511 Id.
like social security numbers, birthdates, and bank account numbers that they can use to apply for new credit cards or use to manufacture false identity documents.512 Skimming and counterfeited credit cards are the most prevalent scams in Europe, Asia, and Latin America. The Mafia views this segment of the crime market as very lucrative. In New York City, a gang linked to the Genovese crime family was arrested for credit card theft. The gang paid retail clerks in many different stores, from large chains to small neighborhood businesses, to skim the credit cards of their customers and paid them $50 for each stolen identity. The gang then manufactured fake cards and sold them for $1,000 each. When the offenders were arrested, police found data from over 4,300 credit cards, 200 cloned cards, and the equipment for cloning cards.513 Organized crime groups are often involved in weapons trafficking, which is also facilitated through identity crime. For example, the purchase of firearms can be made under a stolen or fictitious identity. This allows the traffickers to avoid detection when the gun is either used to commit another crime or sold to another individual.514 Criminal groups have also entered cyberspace, prompting an increase in organized efforts to create computer viruses and worms, which in turn, fuel an underground economy that specializes in spam and identity crime. The customers of Postini Inc., an e-mail security service provider in California, reported over 16 million “directory harvest” attacks in a single month. These attacks are attempts by criminals to take over the entire e-mail directory of a company. Experts say that what began as a rogue virus-writing hobby has become a significant link to efforts by organized crime to use malicious computer code to make money. Criminals can use viruses and Trojan horses to infect computer systems and use these systems as engines for spam; they then sell the access to those engines on the underground spam market.515 Law enforcement authorities broke up an identity crime ring that targeted individuals on the Forbes 400 list. However, Robert Siciliano, an expert on personal security and identity crime, noted that the very rich are not the only targets for identity thieves. Often, identity crime is the work of organized crime. International and domestic crime rings have shown their capability in committing identity crimes. Researchers have
512 Id. 513 Id. 514 IACP Toolkit, supra note 560, at 10. 515 Dan Verton, Organized Crime Invades Cyberspace, Computer World (Aug. 30, 2004), http://www.computerworld.com/s/article/95501/Organized_Crime_Invades_Cyberspace.
found that, in addition to multimillionaires, the thieves go after households headed by individuals who are between the ages of 18 and 24, regardless of their income. While these two demographics are most often targeted, anyone in any age group can become a victim of an identity crime ring, since the ring is committed to stealing identifying information from many thousands of people.516 The extent to which Medicare and Medicaid programs are targeted by hard-core organized crime syndicates is increasing. These groups are focusing their attention on medical fraud, especially schemes that involve identity crime and false claims. In Los Angeles, California, Armenian, Russian, and Nigerian gangs have been discovered by federal authorities and charged with large-scale identity crimes. For example, two Nigerians were charged with submitting $6 million in fake billing to Medicare for durable medical equipment.517 In another common scheme, organized criminals attempt to convince individuals to consult doctors for illnesses they do not have. These scams recruit primarily homeless and poor residents from city shelters. In one Los Angeles case, criminals at three hospitals paid homeless people to be hospitalized for non-existent conditions.518 The recent death of actor Corey Haim has been linked to an investigation of a large prescription-drug ring that provided unauthorized prescriptions with fraudulent prescription drug pads ordered from a San Diego, California vendor. California’s Attorney General Jerry Brown stated that Haim’s death is just another tragedy connected to prescription-drug abuse, which is linked to large criminal organizations. In this case, the ring used stolen physician identities to order the prescription drug pads used to write the fake prescriptions. The doctors whose names have been stolen for use on the pads are usually unaware that their identities have been stolen.519
516 Press Release, ID Theft Security, Identity Theft Expert Points to Organized Crime and Warns that Identity Thieves Target All Demographics (Aug. 24, 2007), available at http://openpr.com/news/26608/Identity-Theft-Expert-Points-to-Organized-Crime-and-Warns-that-Identity-Thieves-Target-All-Demographics.html?sid=20b312157b38f8fc32486cd9f0fd8ba0. 517 Anne Zieger, Organized Crime Getting Deeper Into Medical Identity Theft, Fierce Health Care (Oct. 23, 2009), http://www.fiercehealthcare.com/story/organized-crime-getting-deeper-medical-identity-theft/2009-10-23. 518 Id. 519 Alan Duke, Corey Haim’s Death Linked to Prescription Drug Probe, AG Says, CNN.com (Mar. 12, 2010, 11:01 PM), http://www.cnn.com/2010/SHOWBIZ/Movies/03/12/corey.haim.drug.probe/index.html.
3.11 Conclusion
We have identified the five components of identity crimes, and discussed the overall concept of “fraud,” the broad category into which identity crimes find their jurisprudential niche. Identity crime, as hopefully has been adequately demonstrated, comes in a multitude of sizes, shapes, and forms. Identity crime is one of the world’s fastest growing crimes, and greater attention by all sectors of society to deal with identity crime is desperately needed. We now move to a discussion of the international trends in addressing identity crime.
chapter 4
Threat Agents and the Impact of Identity Crime
Introduction
Increasingly, identity crimes are crimes “waiting to happen.” This is primarily because in the present computer age, personal information is more accessible than ever before and the number of criminals seeking out this information is steadily on the rise. This chapter addresses two different aspects of identity crime: 1) threat agents, and 2) the impact of identity crime. Threat agents, examined in the first part of this chapter, are those factors or people that make identity crime possible or more likely. If one can address in advance the threat agents, that is, the factors that might lead to, or the people who might commit, an identity crime, then it is possible that the identity crime will not be committed. But eliminating identity crime entirely is impossible in the real world, so it is useful to examine in the second part of this chapter the impact that identity crimes have upon individuals and organizations that are victimized by such crimes. Chapter 7 addresses related topics: other forms of prevention (in addition to addressing threat agents as discussed in this chapter) of identity crime and minimizing the impact of such identity crimes that are not prevented.
4.1 Identity Crime Threat Assessment Model and Threat Agent Identification and Analysis
4.1.1 The Bike Analogy
Suppose you have a bike. One day, someone steals it. How do you handle it? Do you get another bike, or do you give up biking altogether because of the threat of theft? Perhaps you’ll try to mitigate the “threat agents,” those things that make a bike theft more or less likely. You could get a better lock. You could avoid riding in neighborhoods you perceive as places where theft is more likely to occur. You could bring your bike inside at night, since thieves are more likely to operate under the cover of darkness. In most cases, you will not stop riding your bike. You will take the steps necessary to reduce the risk of it being stolen. You become more aware of the risks, the things that make theft more likely, and you continue to enjoy your bike. Just as it is with the bike analogy, so it is with identity crime. When you know the risks and threats that make identity crimes more likely to occur,
© Koninklijke Brill NV, Leiden, 2020 | DOI:10.1163/9789004395978_005
you can take the steps to mitigate their impact. You don’t give up your credit cards or stop using the Internet because they represent threats to your identity. You learn about all the threat agents that apply to identity crimes and take action to avoid them completely or lessen the damage and/or losses that may arise from them. There is a tendency for governments, businesses, and other authorities to focus on just one or two threat agents when devising prevention strategies and loss remedies for identity crimes. However, it is important to consider all the threat agents and how they interact with each other to develop a comprehensive identity crime mitigation approach.
4.1.2 Threat versus Risk
A threat can be considered a function of a threat agent’s motivation, capability, opportunity, and the impact a crime might have on the person or organization against whom it was committed.1 According to Webster’s Dictionary, “threats” are indications of something impending, while “risks” represent a possibility of an injury or loss.2 The Oxford Dictionaries define “threat” as “a statement of an intention to inflict pain, injury, damage, or other hostile action on someone in retribution for something done or not done; a person or thing likely to cause damage or danger.”3 In this discussion of identity crime risk, risk represents the probability that a threat will be successful, together with the extent of the potential loss. Threat assessment has typically been part of risk analysis, which is used by managers to determine the costs and benefits of taking particular actions. Risk analyses are either quantitative, relying on the calculation of mathematical probabilities, or qualitative, categorizing costs and benefits in terms of high/medium/low potential. Most threats defy any kind of probability analysis, however. The introduction of new threats, such as those presented by identity crime in the Internet age, has made most existing threat assessment models inadequate. Because the concepts of threat and risk are different, they must be treated differently, and how the impacts of risks and threats combine must also be examined.4
1 Stilianos Vidalis & Andrew Jones, Geo Bureau, Analyzing Threat Agents & Their Attributes (n.d.), available at http://tinyurl.com/avo8cvp. 2 Merriam-Webster Dictionary, http://www.merriam-webster.com (last visited Oct. 31, 2012) (search for “threat” and search for “Risk”). 3 Oxford Dictionaries, http://oxforddictionaries.com (last visited Oct. 31, 2012) (search for “threat”). 4 Stilianos Vidalis & Andrew Blyth, Understanding and Developing a Threat Assessment Methodology (n.d.) (unpublished manuscript), available at http://tinyurl.com/baueqsm.
4.1.3 Threat Assessment
A threat assessment offers a way for organizations to define, analyze, and understand the threats that apply to their particular activities. For example, in regard to identity crimes, a threat assessment can uncover the vulnerabilities in a credit-card processing system that allow for its exploitation by identity criminals. An effective assessment will lead to the creation of countermeasures to protect vulnerable areas from such exploitation.5 Threat assessment involves a determination of threats related to vulnerabilities of identity crime victims and the capabilities of criminal threat agents. It should also consider the cost/benefit elements of any approach designed to control identity crime. If the cost of a program aimed at reducing the risk of a crime is high, but the particular variable targeted has a very low rate of occurrence or a minimal loss impact, the program may not be as useful or effective in reducing real crime rates as one that addresses a high-loss variable that occurs frequently. And if potential losses related to a particular threat agent are low while costs are high, it may not be worthwhile for organizations to take any action to reduce or prevent the threat. The impact of an identity crime is related to the gain or benefit obtained by the offender upon committing the crime, combined with the victim’s losses. Organizations should develop threat analysis models that address each type of identity crime in order to create prevention or mitigation strategies that are appropriate to the risk involved. For example, the impact of an identity crime committed in regard to immigration status is high when the risk of increased international mobility for terrorists is considered. The Risk Impact/Probability Chart6 describes risk as having two major dimensions: probability and impact. Probability refers to the fact that an event may occur, while impact refers to the various financial and non-financial costs associated with a risk that does occur. If a risk has a low probability and a low impact, it can generally be ignored, while high-impact/high-probability risks must be addressed.
4.1.4 Threat Agents
Generally, “threat agent” is a term that usually refers to an individual or group that has the perceived ability to threaten another individual or group. As one author poignantly notes,
5 Id. 6 Risk Impact/Probability Chart, Mind Tools, http://www.mindtools.com/pages/article/newPPM_78.htm (last visited Oct. 31, 2012) (chart displayed on following page).
“It is the threat agents that manage the threats, and not the security officers.”7 A threat agent might also, however, be some other factor or force, such as a blackout, tornado or other tragic event that can create havoc for a person if the event damages or alters the person’s computer records, bank accounts, or other personal information. Identifying threat agents is an ongoing process that must adapt as conditions and technologies change, and threat agents may obtain new capabilities over time.8
Threat agents can manifest in corporate settings as computer viruses or other malware, employees and/or subcontracting maintenance staff and security guards, or terrorists and other ideologically motivated individuals. In terms of identity crime, a threat agent may be a highly trained and well-funded professional operative from a hostile government bent on terrorism, or a member of a terrorist group with its own political agenda. Organized crime groups are interested in buying and selling stolen identity and financial account information, including bank account numbers, credit cards, or other data and documents that can be converted to money or leverage to commit other crimes. Vandals, organized crime gangs, and even natural disasters like fires or earthquakes are threat agents.9
Corporate threat agents are generally insiders employed by the organization who have access to identity information and are motivated by financial gain; sometimes, there is an element of revenge for perceived wrongs perpetrated by the corporation.
Part of any threat assessment for a business organization is profiling employees (also outside assistance personnel such as auditors, computer repair personnel, and after-hours maids and cleaning personnel), assessing their knowledge of sensitive information and thus their capability to commit identity crimes, then implementing checks on these employees and workers to make sure they are not accessing and using valuable information to commit identity crimes.
4.1.5 Identity Crime Threat Agent Assessment
A threat agent assessment is useful for both prevention and correction purposes. It is designed to discover the activities and processes that can restrict and/or reduce identity crimes most effectively. It has also been developed to help in creating a cost-effective prevention strategy for identity crimes and to
7 S. Hinde, The Law, Cybercrime, Risk Assessment and Cyber Protection, 22 Computers & Security, 90–95 (February 2003).
8 Vidalis & Jones, supra note 643, at 5.
9 Id. at 4.
Figure 3 Risk impact/probability chart (axes: Probability of Occurrence, low to high, and Impact of Risk, low to high; regions: low-level risk, medium-level risk, critical risk). Source: author
minimize the impact of such crimes on individual victims and society in general. By obtaining an in-depth understanding of each threat agent, it is possible to identify the factors that increase or decrease the probability of an identity crime occurring.
A qualitative threat assessment emphasizes the need for a more in-depth analysis of the specific variables associated with identity crime threat agents. The list of variables identified here is by no means exhaustive, but it represents a starting point for organizations thinking about creating mitigation programs to address identity crimes.
Identity Crime Threat Agent is a function of the following variables:
1. Capability
2. Commitment
3. Effort
4. Gain to the offender
5. Potential loss to the victim
6. Motivation
7. Neutralization
8. Opportunity
9. Probability of loss occurring
10. Probability of arrest
11. Repercussions of arrest
12. Reason for motivation
13. Exposure to crime or victim vulnerability
Governments, law enforcement officials, and business authorities can focus their efforts to impact seven variables:
1. Potential loss to victim/s or magnitude of the potential loss (impact)
2. Gain to the offender
3. Effort required to commit the crime
4. Repercussions of arrest
5. Probability of loss occurring
6. Neutralization
7. Exposure to crime
Additionally, when exposure to crime decreases, the identity crime threat decreases; if Gain to the offender is lower, the threat is lower. When the effort to commit the crime rises, the threat risk drops. The variables that result in a lower identity crime threat are:
1. Reduced exposure to crime.
2. Lower gain/benefit to the offender.
3. Increased effort to commit the crime.
4. Increase in repercussions of arrest for the crime.
5. Increase in probability of arrest for the crime.
6. Reduced neutralization or justification for the crime.
Decreases in Opportunity or Gain reduce the commitment and/or capability required of an offender to commit an identity crime. With an increase in Capability and/or Commitment, Opportunity may increase as well. If potential losses are very low, it may not be cost-effective to take any action to reduce or prevent a threat agent from manifesting. When dealing with risk, “a large potential loss and a low probability of occurring is often treated differently from one with a low potential loss and a high likelihood of occurring.”10
4.1.6 Identity Crime Threat Agent Variables
A Capability
Capability has been defined as “the degree to which a threat agent is able to implement a threat.”11 Whether or not an identity criminal is able to commit
10 Risk Assessment, Wikipedia, http://en.wikipedia.org/wiki/Risk_assessment (last modified Oct. 22, 2012).
11 Vidalis & Jones, supra note 643, at 3.
a crime depends on the resources available to the offender. The criminal must have the capability to commit the crime. Different types of crimes require different levels of capability. Some require specific technical expertise, such as counterfeiting identification documents. Others require minimal capability, such as using a friend’s name when questioned by police or when representing oneself online. Most identity criminals acquire personal information by purchasing it from other people, stealing it from mailboxes, or finding it in the trash. Even these simple methods require a certain capability which the criminal must utilize in order to commit the crime. Over time, successful identity criminals develop specific skills that enable them to commit their crimes. In addition to technological skills, identity criminals may have certain psychological capabilities, such as intuition and social skills that enhance their ability to get away with a crime.12 If an identity criminal has the capability to commit a crime, it means that he or she has the knowledge and tools required to do so, as well as the ability to utilize them effectively. In addition to tools, skills, and knowledge, the capability to commit a crime may include associations with other individuals who may provide aid and support to the offender. Some identity crimes require more resource capabilities than others. For example, identity crimes that rely on the use of computers require a certain level of knowledge. The use of malware means that criminals need to know how to write or implement malevolent code that will exploit a weakness in a computer network. Or, if the criminal does not have the computer skills required to develop malware, he or she needs to have the financial resources to “buy” an expert to implement it. At the very least, an identity criminal who wants to use technology to obtain identity information must know how and where to find the expertise necessary to commit the crime. 
Another example of capability to commit a crime involves having the right equipment. If an identity criminal wants to obtain account numbers from credit card holders or from ATM card users, a “skimmer” is required. A “skimmer” is a specialized device that can copy the information included on the magnetic strip of a credit card. Then, to make use of that information, the identity thief either needs the equipment for duplicating the card and/or the connections by
12 Heith Copes & Lynne Vieraitis, U.S. Dept. of Justice, Identity Theft: Assessing Offenders’ Strategies and Perceptions of Risk 2 (July 2007), available at www.ncjrs.gov/pdffiles1/nij/grants/219122.pdf.
which to convert the stolen information to cash by selling it to other criminals or co-offenders.
When the opportunity to commit an identity crime decreases, or if there is a reduced gain to the offender, a higher degree of commitment and/or capability is required. As capability increases, the opportunities that present themselves to the criminal tend to increase as well.
B Commitment
Commitment is related to effort and motivation. If a criminal must expend considerable effort to commit an identity crime that promises high rewards, he or she is likely to be willing to make the commitment. On the other hand, if the effort required is out of proportion to the gain, the criminal is less likely to commit that particular crime. In other words, a higher level of commitment is needed if more effort is required and if there is less opportunity or a lower potential reward. If a criminal’s commitment increases, he or she may discover additional opportunities to make that crime happen, thereby increasing the likelihood that the crime will be committed. Commitment to a criminal act is not a passive process, but arises from the way a criminal interprets the risks/rewards and effort required to successfully take that action.13
There are several ways that a criminal’s perceptions of effort and risk can be addressed to lessen the potential of reward. First, the perceived risk of being caught can be enhanced. Next, the perceived risk of being identified can be raised. The amount of effort required to reach the reward goal can be increased, and finally, the perceived gain can be reduced.14
C Effort Required to Commit Crime
Identity crime is generally considered to be similar to a white-collar crime in which the offender deliberately attempts to steal information and then tries to sell it or use it. Acts are usually labeled as “white-collar crimes” on the basis of the “respectable” social status of the offender or on the characteristics of the offense.
However, identity crimes do not fit neatly into either category. Identity
13 Marilyn Clark, Commitment to Crime: The Role of the Criminal Justice System, European Journal of Criminology (Apr. 2006), http://euc.sagepub.com/cgi/content/abstract/3/2/201.
14 Andrew B. Wootton & Caroline L. Davey, Crime Lifecycle, Design Against Crime (2003), available at http://www.veilig-ontwerp-beheer.nl/publicaties/crime-lifecycle-guidance-for-generating-design-against-crime-ideas/at_download/file.
criminals come from a variety of demographic groups, having very different ages, social class, job or criminal histories. They use many methods to get identity information and to convert it to cash and/or other valuable goods, such as new credit card accounts or loans.15 Identity crimes may also be categorized as “white-collar” since they are often committed during the course of normal job duties, or because of the belief that the crime does not usually involve physical harm to the victim. And while identity criminals are frequently believed to be skilled computer hackers with organized networks, the reality is that identity criminals usually operate on a mundane level devoid of sophisticated computer technology. They are more likely to dig through the trash or pay insiders to get personal information than they are to perform a sophisticated computer operation.16
Related to the variable of Commitment, the effort required to commit a particular identity crime responds to the interplay of risk and reward. If the offender’s perception of risk and/or effort is increased, it is likely that the crime will not be committed.17 Raising the perception of risk and the amount of effort required, while reducing perception of potential reward at the same time can be accomplished if authorities increase the offender’s perceived risk of being caught. Criminals are also less likely to make an effort to commit an offense if they believe that their ultimate gains will be low. As rational beings, criminals will not be motivated by low levels of gain.
D Gain/Reward to the Offender
The gain or benefit that an identity criminal believes will be obtained as a result of illegal activity is probably the chief motivator of a criminal act. Other variables follow the initial idea that a crime is worth committing because of the potential benefit it will provide.
Identity criminals are typically interested in financial gain, but some have ideological motivations or social reasons to commit a crime. A terrorist may want to cause damage to a perceived enemy, or an individual may want to hide his or her true identity for some reason and will therefore steal someone else’s.
15 Heith Copes & Lynne M. Vieraitis, Understanding Identity Theft: Offenders’ Accounts of Their Lives and Crimes, Criminal Justice Review (Sept. 2009), http://cjr.sagepub.com/cgi/content/abstract/34/3/329.
16 Identity Theft is Usually an Equal Opportunity, Unsophisticated Crime, Andrew Patrick, http://www.andrewpatrick.ca/security-and-privacy/id-theft-criminals (last visited Feb. 2, 2012).
17 Wootton & Davey, supra note 656, at 16.
In some cases, the losses to a victim of identity crime may be much lower than the gains for the criminal. Identity crime for purposes of immigration is one example of this. The criminal will always weigh the level of gain against the other factors impacting the commission of a crime; the criminal will always ask whether it is “worth it.” Offenders may bring in much higher incomes from illegal enterprises than they could earn through legitimate work, but they must balance this with the possibility of being caught and sent to prison. In this case, the cost of going to jail is not measured in monetary terms, but in the value of restrictions imposed and freedom lost.18
Governments and other organizations responsible for paying for crime prevention, detection, and punishment also balance the impact of a crime with the cost of addressing these issues. Every gain by a criminal represents a loss to an individual victim and to society at large. Criminal gains also represent a type of forced transfer of wealth. For example, someone who uses a stolen or fake identity to enter a country illegally ultimately imposes a cost on the country in terms of social services, schooling, jobs, health care, benefits, and other factors.
E Potential Loss to Victim(s), or Magnitude of the Potential Loss
Losses to victims as a result of identity crime are easy to see. There are the obvious financial losses, and then there are the psychological losses associated with the violation of the basic sense of being a unique individual. And the basic nature of an identity crime – stealing someone’s personal identity information – means that once this information is in someone else’s hands, it can be used to commit multiple crimes, violating the victim over and over again. So there are both financial and non-financial losses to individuals to be considered with identity crime.
Victims of identity crimes suffer similar experiences, regardless of the type of crime associated with their losses.
When they report the crime, they often get no help from the authorities responsible for initially issuing the identity information, such as the agencies that issue birth certificates, credit cards, or driver’s licenses. Law enforcement rarely investigates identity crimes just because of the sheer number of fraud cases they must handle. Police departments sometimes refuse to issue police reports to victims,
18 Gary Becker, Crime and Punishment: An Economic Approach, Journal of Political Economy 12 (1968).
claiming that financial institutions like banks and credit card firms are the “real” victims.
It often takes years to recover from an identity crime. Individuals have difficulties getting any help from financial institutions. They usually have problems dealing with the credit reporting agencies to get erroneous information removed from their records. Victims may be harassed by collection agencies for debts they did not incur; they may face lawsuits, garnishment of wages, or loss of their homes. The average amount of time it takes for identity crime victims to clear up the mess created by the criminal can be as much as 175 hours by one estimate. And it takes an average of two years to regain a good financial status following a crime.19 Identity crime victims may feel angry and helpless and are often emotionally scarred for life. A worst-case scenario occurs when an identity thief commits a crime in the victim’s name. The whole burden for proving the crime was committed by another individual falls on the victim and can take years and significant amounts of money to clear up.20
F Motivation
Motivation is related to effort and commitment. Motives can be political, religious, terrorist, or they might be reasons of revenge, power, or personal gain.21 In most cases, motivation is affected by several factors, such as life circumstances or the local environment, and never by just one.22 “Motivation is the degree to which an aggressor is prepared to implement a threat.”23
Researchers have found that, among employees, the likelihood that an insider will commit an identity crime has less to do with having the opportunity to do so and more with how dissatisfied the employee is. Employees are frequently motivated to commit a crime if they perceive that they have been treated unfairly by the employer, or that they are not being paid enough to do their jobs. In these
19 Janine Benner et al., Privacy Rights Clearinghouse, Nowhere to Turn: Victims Speak Out on Identity Theft – A Survey of Identity Theft Victims and Recommendations for Reform, (May 1, 2000), available at www.privacyrights.org/ar/idtheft2000.htm.
20 Beth Givens, Testimony for U.S. Senate Judiciary Subcommittee on Technology, Terrorism, and Government Information, Identity Theft: How It Happens, Its Impact on Victims, and Legislative Solutions (July 12, 2000), available at http://www.privacyrights.org/ar/id_theft.htm.
21 Vidalis & Blyth, supra note 646, at 8.
22 Wootton & Davey, supra note 656, at 16.
23 Vidalis & Jones, supra note 643, at 2.
cases, the identity crime represents an “equalization” of circumstances for the employee.24
The motivation to commit an identity crime is similar to that in the crime of embezzlement. Some of the reasons cited by embezzlers for their crimes include:25
1. Perceived pressures, including financial and job-related pressures
2. Perceived opportunities, including weak or non-existent internal controls and having achieved a level of trust from the employer
3. The employee’s personal integrity and/or rationalization of the act, including management’s level of honesty or dishonesty
G Neutralization
Neutralization, or rationalization of a criminal act, is one of the most interesting factors influencing the commission of an identity crime. According to one source, “One of the most important elements in the decision to commit crime is the psychological process of sanitizing the conscience so that it can be accomplished.”26 If individuals do not believe that their actions will hurt a real victim, or if that victim is a large corporation, they are more likely to commit a crime.27
Researchers have identified what they characterize as the Fraud Triangle, three factors that determine whether an individual will commit an identity crime. These are perceived pressures felt by the individual, the perceived opportunity to commit the crime, and the individual’s rationalization or integrity. All three are necessary in some degree before a person will make the effort to commit the fraud, but personal integrity and the ability to rationalize, or neutralize, the crime is perhaps the most important. Many individuals facing serious financial pressures do not commit identity crime because of their personal codes of ethics. Auditors have even ranked an employee’s attitude
24 Joseph T. Wells, Why Employees Commit Fraud: It’s Either Greed or Need, Journal of Accountancy (Feb. 2001), http://www.journalofaccountancy.com/Issues/2001/Feb/WhyEmployeesCommitFraud.htm.
25 Stephen A. Linker, Embezzlement: What? Who? Why? How? Detection!! Prevention!!, M&K Rosenfarb LLC (Jan. 2006), http://www.envoynews.com/rwcpas/e_article000514029.cfm?x=b11,0,w.
26 Heith Copes, Lynne Vieraitis & Jennifer M. Jochum, Bridging the Gap between Research and Practice: How Neutralization Theory Can Inform Reid Interrogations of Identity Thieves, 18 J. of Criminal Justice Educ., 444, 445 (2007).
27 M. S. Umbreit, R. B. Coates & B. Kalanj, Victim Meets Offender: The Impact of Restorative Justice and Mediation (1994), available at http://www.ncjrs.gov/App/publications/abstract.aspx?ID=147713.
as more significant than situational factors as indicators of potential criminal activity, such as embezzlement. Typical rationalizations for committing fraud include:28
1. I am only borrowing the money and will pay it back.
2. Nobody will get hurt.
3. The company treats me unfairly and owes me.
4. It’s for a good purpose.
5. It’s only temporary, until my financial position improves.
6. Everybody’s doing it.
In a landmark 1957 study, Gresham Sykes and David Matza developed what came to be known as neutralization theory. Sykes and Matza believed that everyone is committed to the cultural system that dominates in their environment, and because of this, thinking about committing a crime has a negative impact on the self-concept of potential criminals in terms of guilt and shame. These feelings keep most people from taking illegal actions. However, some people do engage in criminal activity, and it is the contention of Sykes and Matza that they can do so by using various techniques to minimize the negative self-image that would ordinarily be created by performing a criminal act.29 Some of the ways that individuals neutralize their illicit actions are:
1. Denying responsibility (the act is accidental or due to uncontrollable forces).
2. Denying the victim (the victim deserved it).
3. Denying any injury (no one is really hurt by the action).
4. Condemning those who disapprove (they are hypocrites).
5. Appealing to higher loyalties (acting in accordance with a higher power).
Nearly one in four Americans believe that it is permissible, quite acceptable, or somewhat acceptable to defraud an insurance company.30 Many offenders believe that identity crime is a victimless crime because it only affects the insurance company. Since insurers are often involved with identity crime prevention and detection, this statistic has implications for law enforcement authorities.
H Opportunity
Most efforts to control identity crimes focus on reducing the opportunities for offenders to commit them. For a threat agent to commit a crime there must be
28 Linker, supra note 667.
29 Copes, Vieraitis, & Jochum, supra note 668.
30 Go Figure: Figure Data, Coalition Against Fraud, http://www.insurancefraud.org/olderstatistics.htm (last visited Oct. 31, 2012).
the appropriate conditions in place that allow it to happen. Without opportunity, any amount of commitment or capability will not matter. It is necessary to understand a criminal’s perceptions of opportunity to commit an identity crime in order to develop crime prevention strategies. Criminal opportunity theory is generally based on exposure to crime, target attractiveness, and guardianship.31
Identity crimes are often crimes of opportunity, arising from situations and circumstances involving friends, family members, or acquaintances who exploit an individual’s personal data to obtain a loan or credit card in their name. Some job positions lend themselves to providing significant opportunities for committing identity crimes. Those who work in Social Security offices or Departments of Motor Vehicles have ample opportunity to steal personal identity information. Individuals who work in retail environments that handle hundreds of credit card transactions each day also have considerable opportunities to commit identity crimes. Bank employees are often found to participate in fraudulent activities involving identity information;32 in some cases, they steal personal information and sell it to criminal gangs, which use it to commit other crimes.
I Probability of Loss Occurring, or Impact
The impact of an identity crime involves the probability of loss resulting from its commission. Impact addresses the result of a threat actually reaching an asset, such as a company’s market share or the trust of consumers or users.33 It is important to analyze the costs and benefits of any measures used to counter identity crimes, since in some cases, the costs of prevention may be higher than the losses actually incurred. Losses may be categorized as minor, moderate, major, or catastrophic.
With any proposed solutions to prevent or mitigate identity crime impact, authorities must ensure that the solutions are cost-effective and that the return-on-investment is beneficial to the organization.34 The impact of an identity crime can be separated into avoidance costs, costs in consequence of the crime, and costs related to responses to the crime.
31 See generally Douglas Longshore, Self-Control and Criminal Opportunity: A Prospective Test of the General Theory of Crime, 45 Social Problems 102 (1998); Pamela Wilcox et al., Guardianship in Context: Implications for Burglary Victimization Risk and Prevention, 45 Criminology 771 (2007).
32 Wells, supra note 666.
33 Vidalis & Jones, supra note 643, at 3.
34 Yufei Yuan, Presentation for the Society of Internet Professionals, Combating Identity Theft: A Theoretical Framework, (Feb. 28, 2006), at 29, available at http://www.sipgroup.org/resources/ppt/ID_theft_Yufei_YuanI.pdf.
Avoidance costs may include the level of fear in a population, government costs for crime prevention, or costs in anticipation of the occurrence of a crime. Consequence costs include physical and/or emotional harm, medical costs, legal expenses, productivity loss, and property loss, among others. Response costs may include police expenses, enforcement costs, prison and probation costs, and victim compensation.35 See Paragraph 3.3 herein for a detailed discussion of the impact of identity crime.
J Probability of Arrest
If an offender perceives that his or her probability of arrest is high, the reward obtained by committing the crime must also be very high for the offender to take the risk. So raising the perceived risk of discovery and identification reduces the probability that the crime will be committed.36
Identity criminals can be prevented from committing crimes if there is a high probability of arrest associated with their activities. The probability of arrest is established by legislation that takes into consideration the following:
1. How many resources should be put toward enforcing the law?
2. How much punishment should be used to enforce the law?
These two questions form the basis for a cost-benefit analysis that determines the social losses from various offenses and balances the use of resources with activities required to minimize those losses. The optimal amount of enforcement depends on the costs of apprehending and convicting offenders, as well as the nature of any punishment and the responses of offenders to changes in law enforcement.37
Appropriate enforcement and punishments have been shown to deter crime. The economic model of crime suggests that offenders are rational economic beings that take action under uncertain conditions. The number of criminal acts is a function of the probability and costs of being caught. The probability of arrest can be determined through calculations using the “police clearance rate” for discovered identity crimes.
The clearance rate represents the certainty of sanctions being imposed. Research indicates that the probability of arrest provides a significant deterrent, while the actual length of the
35 Costing Principles & Methodology, Mainstreaming Methodology for Estimating Costs of Crime, http://www.costsofcrime.org/CostingPrinciplesAndMethodology/ (last visited Feb. 6, 2012).
36 Wootton & Davey, supra note 656, at 16.
37 Gary S. Becker, Crime and Punishment: An Economic Approach, 76 J. Political Econ. 169 (1968).
prison sentence imposed has not been shown to have a significant relationship to crime commission.38
K Repercussions of Arrest
When someone is arrested for identity crime, the repercussions of that arrest are felt by the criminal, of course, but also by individuals other than the criminal. The criminal faces loss of reputation, loss of employment, possibility of incarceration, and loss of contact with family and friends. The family might face loss of a spouse and parent in a home setting, loss of income, embarrassment in the community in which it lives, and other unpleasant and potentially life-altering repercussions. Moreover, if the family is forced to obtain financial assistance from the state, taxpayers in effect suffer the repercussions of identity crime by having to pay for the consequences. In other words, the family of a convicted offender may pay a high price, both financially and socially, for acts beyond its control.
Arrests also stretch the limits and resources of a court system. Additional prison inmates may create problems and expenses for the state through overcrowding in prisons or increased costs for law enforcement officials. Moreover, there are potentially devastating repercussions experienced by the victims of the identity crime. Victims suffer financial loss, psychological stress, and many other social, financial, and practical repercussions.
L Reason for Motivation
Reason for motivation is a complex area that involves life circumstances and the immediate or traditional social environment. For example, individuals living in areas with low employment may commit identity crimes just to survive. In other cases, the environment may encourage crimes to be committed for ideological, religious, or political reasons. A society may approve of criminal acts committed against perceived enemies, as when terrorists seek to harm their targets.
Drug addicts may be compelled by their addictions to commit crimes to maintain their habits; organized crime “families” or gangs may expect their members to commit crimes to show loyalty. In some fields of criminology, it is believed that criminality is a function of individual socialization and the way individuals are influenced by life experience, family relationships, peer groups, authority figures, and other
38 See id.; Wootton & Davey, supra note 656; Costing Principles & Methodology, supra note 677; Appalachian State University, White Paper, www.business.appstate.edu (last visited Feb. 11, 2010) (on file with author).
socialization agents. The focus of interest is the social process by which any individual has the potential to become a criminal. There have been four major proponents of this idea.39
1 Differential Association Theory
Edwin Sutherland pioneered the idea that criminal behavior can be learned with other people in an interactive communications process. Differential association theory suggests that criminal behavior involves learning techniques, motives, drives, and rationalizations, and that people become criminals when the direction of the motives and attitudes they learn comes from favorable thoughts about violations of the law.40
2 Differential Reinforcement Theory
In the 1960s, social learning theories moved away from Sutherland’s idea that primary groups like families were the source of criminal learning behavior. Instead, differential reinforcement theory attempted to apply operant conditioning concepts, stating that even non-social situations could reinforce the learning of criminal behaviors. Ronald Akers, the developer of the theory, stated that people learn deviant behavior via differential association with deviant members of their peer group, then learn how to get the rewards of such actions and avoid the punishment provided as consequences of the actions. In this theory, criminal knowledge is obtained by thinking about past experiences, and criminal behavior is learned through conditioning and/or imitation.
3 Punishment Reinforcement Theory
This theory is based on conditioning, deprivation, satiation, the proceeds of crime, and the lack of punishment. Its chief proponent, C.R. Jeffery, believed that a person who is deprived of something responds to a given stimulus in a different manner than one who is satiated. Punishment represents a major variable for Jeffery, who argues that an offender performs criminal acts because he or she was not punished enough in the past for similar acts.
Jeffery was concerned, therefore, with the poor administration of the criminal justice system. He believed that the certainty of punishment, rather than its severity, acted as a deterrent to criminal behavior.
39 Learning Theories of Crime, http://www.apsu.edu/oconnort/crim/crimtheory12.htm (accessed Feb. 2, 2012) (on file with author).
40 See generally Edwin H. Sutherland, Principles of Criminology (1924).
CHAPTER 4
4 Neutralization Theory

Neutralization theory, which informs one of the variables of the Identity Crime Threat Risk Model, states that people use excuses that allow them to pursue criminal behavior, despite the fact that their personal values and attitudes also permit them to admire honest individuals who follow the law. People use excuses, rationalizations, to allow themselves to “drift into crime.” Identity criminals are diverse, demographically. Many lead lives similar to street criminals, while many others use the gains obtained from their crimes to live “respectable” lives at the middle-class level. Most offenders commit identity crimes because they need quick cash and perceive identity crime as a relatively easy, risk-free method of getting it.41

Jon D. Hanson of Harvard Law School believes it is important to review the situation in which a potential offender finds him/herself, including the individual’s internal cognitive biases and his or her external family, community, and social norms when looking for motivational reasons related to the commission of crimes. These factors have a greater influence over human actions than “choice.”42

M Exposure to Crime, or Victim Vulnerability

Exposure to crime can include many different things. Some victims are more vulnerable to criminal acts than others because of where they live, how they use the Internet, or whether they rely on credit cards. Exposure to identity crime can be reduced by improving:

1. Victim education.
2. Protection of private identity information by businesses and other agencies.
3. Methods used to verify identity.

Enhancements in the ways that identity is verified also have the added benefit of apprehending identity criminals, thereby increasing their risk of detection and reducing target attractiveness. A decrease in exposure to identity crime will lead to a reduction in the threat of that crime being committed.
41 Copes & Vieraitis, supra note 654.
42 Law and Economics, Wikipedia, http://en.wikipedia.org/wiki/Law_and_economics (last modified Oct. 12, 2012).

N Rational Choice Theory

The rational choice model can easily be applied to identity crime. This model assumes that individuals choose the best action in a given situation according to the preferences and restrictions that face them. Two assumptions are included in rational choice theory:43 all activities can be ranked according to preference, and logical operations apply to the preferred actions (if Action A is preferred to Action B, and B is preferred to C, A is preferred to C). In most cases, an individual makes a deliberate effort to steal someone’s identity, and in general, that individual will prefer the target that offers the highest reward at the lowest cost. People make decisions about how they should act by comparing the costs and benefits of different courses of action.

O The Ideas of Gary Becker

Gary Becker theorized that much of human behavior can be viewed as rational and designed to maximize utility. His position is not that of a traditional self-interest motivation, but is based on individual preferences. Individuals act to maximize their welfare, but the action is based on an individual position limited by income, time, memory, and calculation ability. People weigh the costs and benefits of their actions, and after calculating the potential for getting caught at a crime and the potential for being punished, they may make a rational decision to commit a crime that provides a desired benefit. This approach has implications for public policy, since it shows that increasing a fine may not be as good a way to stop a crime as an effort to increase surveillance, given the rational balancing of a criminal act by a potential offender.44

4.2 The Impact of Identity Crime
Having examined identity crime threat agents and their different variables, we now take a close look at the impact of identity crimes. This analysis is intended to offer a framework by which nations around the world might understand the true costs of identity crime and use this understanding to create equitable responses to the issue. To date, no nations other than the United States and Canada have implemented laws directly targeting identity crimes, although the United Kingdom and Australia have plans in progress to do so. By gaining knowledge about the true impact of identity crime by analyzing its cost and performing a cost-benefit analysis of the issue, effective legislation and programs designed to reduce identity crime can be justified. This analysis will discuss two major topics: the impact on and cost to the victims of identity crime and an overall view of the impact and costs of identity crime to society.

43 Rational Choice Theory, Wikipedia, http://en.wikipedia.org/wiki/Rational_choice_theory (last modified Oct. 23, 2012).
44 Becker, supra note 679.

The impact will vary with each type of identity crime, according to its purpose or use. The incident total cost is different based on the “use” of the identity information. For example, the impact of an identity crime committed for employment-related purposes will differ from that of an identity crime related to a credit card. The cost to taxpayers and the government from employment-related identity crime is different from a credit card identity crime. This approach sets the identity crime cost analysis apart from assessments of the costs of other kinds of crime.

Impact analysis is an important but often overlooked element in the identity crime lifecycle, and the fact that there are multiple victims in the typical identity crime scenario is rarely given attention. For example, consider the individual whose identity has been stolen and then used by an identity thief to obtain credit cards and loans. If the victim then tries to refinance his home to obtain emergency funds, he is denied the refinancing because of negative information in his credit report. It is clear that the individual in this case feels the direct impact of the identity crime, but the other victims in this scenario include the credit card and loan companies, and indirect effects are felt by society at large. If there is no analysis of the impact and/or costs of identity crime on its multiple victims, it is impossible to prioritize issues associated with the various types of identity crimes or to develop appropriate prevention and response measures. Determining the impact/cost of identity crime is a complex undertaking that requires consideration of the approaches taken in different countries around the world. It extends beyond direct financial matters.
For example, it is necessary to consider which activities in a particular jurisdiction have been criminalized under the law, since definitions of criminal offenses are not standardized or universal around the world. Additionally, there are important psychological/emotional costs associated with identity crimes that have an impact on individuals and societies. For example, an increased fear of identity crime in a population may result in loss of trust in a business or government agency, leading to more direct repercussions, such as less frequent use of credit cards or reduced buying behavior. The costs of identity crime can be considered from the viewpoint of legal philosophers discussing the nature of the state or by determining the benefits of crime prevention programs in which successful intervention to reduce crime in one area simply displaces criminal activity to another area.45

45 Costing Principles & Methodology, supra note 677.
It has been noted that there are difficulties associated with separating the impact and losses associated with identity crimes from those arising from other crimes like fraud that are perpetrated via assumed and/or false identities. Several agencies that provide overall loss figures did so by aggregating the losses from primary offenses related to identity crime. Quantifying losses in some instances, such as those linked to damaged reputations, remains difficult, however. Some governments believe that qualitative assessments of losses resulting from identity crime can be determined. These losses would include:46

a. Victim’s financial and non-financial losses.
b. Time and effort required of victims to repair damaged reputation.
c. Financial and non-financial losses arising from other crimes committed under a false identity.
d. Public and private costs of prevention, investigation, and prosecution (prevention, response, recovery).
e. Loss of efficiencies due to security measures.
f. Costs linked to loss of consumer confidence in business.

The costs of identity crimes are rising in many countries. The increases have been attributed to the growing availability of the means for rapid transmission of information, greater globalization, increased utilization of remote communications to conduct transactions rather than in-person interactions, the ease with which identity documents can be forged with available high-tech methods, and the increasingly widespread gathering and dissemination of information about individuals by private-sector and public organizations.47 Because so much information about individual persons is accessible online, people have become more concerned about unauthorized access and misuse of their personal data. For example, sixty-two percent of Australians reported being very or extremely concerned about this issue.48

46 U.N. Secretary-General, U.N. Commission on Crime Prevention and Criminal Justice, Results of the Second Meeting of the Intergovernmental Expert Group to Prepare a Study on Fraud and the Criminal Misuse and Falsification of Identity, U.N. Doc. E/CN.15/2007/8/Add.3, at 62–63 (Jan. 31, 2009) [hereinafter “U.N. Commission, Second Meeting, Study on Fraud”], available at http://www.unodc.org/documents/organized-crime/E_CN_15_2007_8_Add_3.pdf.
47 Model Criminal Law Officers’ Committee of the Standing Committee of the Attorneys-General, Final Report: Identity Crime (March 2008), available at http://www.lawlink.nsw.gov.au/lawlink/SCAG/ll_scag.nsf/vwFiles/MCLOC_MCC_Chapter_3_Identity_Crime_-_Final_Report_-_PDF.pdf/$file/MCLOC_MCC_Chapter_3_Identity_Crime_-_Final_Report_-_PDF.pdf.
48 Id.
4.2.1 The Four Impacts (or Costs) of Identity Crime

As can be seen in the following table, an identity crime imposes several different costs on the victims, which may be individuals, businesses or organizations, and governments and taxpayers. Each identity crime will have one or more victims who suffer most of its impacts, of which there are more than one. In fact, there are four distinct ways that an identity crime imposes costs on its victims. There are costs associated with efforts to prevent the crime, costs arising from its consequences, costs linked to responses to the crime, and costs relating to efforts to recover from the effects of having been a victim of an identity crime. Also see Figure 4 (following Table 7), which illustrates graphically the four costs of identity crime.

4.2.2 Impact Table49
Table 7. Impacts of identity crime (columns: Individuals; Businesses; Governments/Taxpayers)

Prevention costs: Government crime prevention; Non-government crime prevention.
Consequential costs: Property loss; Productivity loss; Household services; Lost school days; Medical and mental healthcare costs; Pain, suffering and lost quality of life; Tort claim expenses; Long-term consequences; Offender costs; Loss of reputation.

49 Costing Principles & Methodology, supra note .
Table 7. Impacts of identity crime (cont.) (columns: Individuals; Businesses; Governments/Taxpayers)

Response costs: Police involvement; Prosecution services; Court involvement; Legal defense costs, offender; Criminal sanctions; Prison; Probation; Financial penalties; Offender costs; Fear of crime; Lost productivity; Victimization of inmates; Lost freedom to inmates; Victim support services.
Recovery costs: Victim support services; Legal defense costs, victim; Legal defense costs, business; Re-establishment of trust; Business; Government; Losses to victim’s family; Losses to offender’s family; Repair of reputation.
4.2.3 Identity Crime Cost Model – Overall Loss/Impact Analysis50
Figure 4. The four costs of identity crime. Source: the author created this chart using the information available on http://www.costsofcrime.org/CostingPrinciplesAndMethodology/
4.2.4 Prevention

A Costs in Anticipation of Crime

Preventing identity crimes involves a number of opportunity costs. For property theft, for example, these costs include the time it may take an individual to lock the doors of his or her home or to set a burglar alarm, or to take a longer path when walking to a destination in order to avoid areas of perceived danger. For an identity crime, opportunity costs include the time it takes to check a monthly bank statement or utility bill for suspicious activity or the effort required to request a yearly credit report from an authorized agency. Prevention of identity crime also involves the direct costs to a business of ensuring that customer records are stored and handled as securely as possible.

It is difficult to estimate the costs associated with the fear of becoming a victim of identity crime, and even after taking precautions, the fear of potential victimhood often remains strong enough to influence behavior. For example, an individual using an ATM may select one location over another according to its security features, even if this location is out of the way. The fact that people and organizations are willing to pay these opportunity costs means that there is a value to the fear that could possibly be quantified. According to the American Bankers Association, banks allocated resources toward the prevention of check fraud and other identity-crime-related matters on the basis of their size. Community banks spent under $10,000 for prevention and other identity crime costs in 2000; comparatively, large money-center banks allocated approximately $10 million.51

B Over-Deterrence

One of the unintended costs of identity crime prevention efforts is over-deterrence, or a scenario in which plans and policies designed to protect identity may inhibit desired activities. In the case of e-mail, for example, the automatic identification of mail senders, which is meant to reduce the threats of identity crime and other annoyances associated with spam e-mails, actually limits the actions of legitimate mail senders. Some Internet experts have suggested that solutions such as automatic identification actually encourage spammers to hack into computer systems and steal accounts to send their damaging messages; in other words, spammers will rely even more heavily on stolen identities than before the anti-spam measures were put in place. Therefore, any measures that are designed to protect potential victims from identity crime are more likely to limit the activities of honest people and organizations, while giving criminals the incentive to change their behavior and adapt to a new regime.52

50 See Costing Principles and Methodology, Mainstream Methodology for Estimating Costs of Crime, http://www.costsofcrime.org/CostingPrinciplesAndMethodology/ (last visited Oct. 31, 2012).
51 Graeme Newman & Megan M. McNally, U.S. Department of Justice Research Report Identity Theft Literature Review 30 (Doc. No. 210459, July 2005), available at www.ncjrs.gov/pdffiles1/nij/grants/210459.pdf.
52 Adam Shostack & Paul Syverson, What Price Privacy? (And Why Identity Theft Is About Neither Identity Nor Theft), 12 Econ. of Info. Sec. 129, 137 (2004), available at www.nrl.navy.mil/chacs/pubs/04-1221.1-1128.pdf.
4.2.5 Consequences

The consequences resulting from identity crime are many and include both financial and non-financial impacts. The United States General Accounting Office reviewed data indicating that the costs of identity crime for businesses included “soft costs” such as the need to increase staffing of fraud departments in businesses and other organizations. A consumer reporting agency reported having to double their fraud-victim assistance department staff; the cost of the department in one year was $4.3 million.53

Regardless of whether a victim of identity crime actually loses any wages due to time away from a job to deal with the consequences of the theft, any time away from work represents a loss of productivity, and someone will pay for that loss, typically the employer or the government. Additionally, the intangible costs and consequences of pain and suffering experienced by a victim of identity crime, and perhaps even a reduced quality of life resulting from the psychological impact of the crime, represent one of the biggest issues for a victim and must be considered in discussions of cost. See Figure 5 in section 4.2.5.C for a model of losses suffered by identity crime victims.

A Costs to Society

The costs to society at large resulting from identity crime include those on law enforcement and national security. Since most identity crimes are committed with the intention to use the acquired information to commit other crimes, such as theft of funds or obtaining credit or government benefits fraudulently, the burden on law enforcement is substantially increased. Additionally, there is a growing trend among organized crime groups to commit identity crimes in order to facilitate the smuggling or trafficking in people or drugs. Terrorist groups, including the hijackers involved with the September 11, 2001 attacks on the United States, use false identities and fake social security numbers and fraudulent identification documents to help them commit their crimes. Terrorist groups may also use fraudulent identity documents to get jobs in other countries to hide their real activities and avoid detection by law enforcement authorities.54

It is difficult to estimate the non-financial and intangible costs that identity crimes have on society at large. Such costs may include risks or threats to national security and/or public safety, societal burdens imposed by illegal immigrants, potential threats to privacies guaranteed by the U.S. Constitution via prevention efforts calling for national identification cards or biometric identification measures, and the costs of devising and implementing these measures. Other societal costs may include higher costs passed on to consumers in the form of retail prices or insurance premiums, an increase in paranoia in the general public about the potential for identity crime, and reduced confidence in a company or government to fulfill its promises.55

B Costs to Society in Terms of Loss of Privacy and Security

Reduction in privacy also has a cost to security. Polls have sometimes asked how much privacy people would exchange for increased security. However, it is assumed rather than argued that decreasing privacy increases security. Just the opposite may be true. Law enforcement has made use of anonymous tips for years with the recognition that much of the information gathered would not have been given without a plausible expectation of anonymity. Very shortly after September 11, 2001, the Anonymizer set up a Web interface “providing anonymous access to the FBI’s Terrorism Activity tip page to over 26,000 individuals around the world” (CNN, 2001). They have since added an anonymous interface to the Utility Consumer’s Action Network. Similarly, the Witness Protection Program relies on the ability to assign people a new identity. In an environment in which all commercial and public actions by individuals are monitored, this possibility becomes far less plausible. To effectively monitor to the degree necessary for effective authentication as discussed in section 1.6, the creation of a new identity would likely be noticed in a commercial database (whose entries would be shared without disincentives to do so). The person who turned in Khalid Sheikh Mohammed and received a new identity might not have risked doing so without the possibility of receiving a new identity.56

C Costs to Individual Victims

Victims of identity crime usually suffer direct financial losses. For example, they may lose their savings or be required to pay utility bills and/or loan payments on accounts that were made without their knowledge. Indirect losses to identity crime victims include damage to their credit rating.

53 Newman & McNally, supra note 693.
54 Law Commission, Review of the Privacy Act 1993 Stage 4, at 448 (Mar. 2010), available at http://www.lawcom.govt.nz/sites/default/files/publications/2010/03/Publication_129_460_Whole%20Document.pdf.
55 Newman & McNally, supra note 693, at 38.
56 Shostack & Syverson, supra note 694.
There is also a psychological impact that is associated with identity crime. The theft of an individual’s identity is an assault on the person’s privacy and sense of individuality. Victims suffer from stress and are often less likely to be active participants in society after an identity crime. They no longer feel safe after criminals have accessed their personal information; the fact that a criminal has a person’s home address is enough to make that person feel insecure and worried about the potential for additional transgressions on their privacy, at minimum, or even the threat of physical harm.

One of the most significant effects of identity crime on victims is the damage done to their reputation. This damage has both financial and emotional costs. In some cases, victims may even be convicted of crimes they did not commit. More common, however, is the negative information that is included in their credit reports as a result of criminals using their accounts to run up large bills with no intention of paying them. This often means that, later on, victims of identity crime will be denied loans or housing on the basis of this negative credit information until the credit report is fixed. The amount of time it takes for a victim to clear up negative information and restore their good credit has been estimated at some 40 hours in the simplest of cases, and over 200 hours and thousands of dollars if their information has been used to commit multiple identity crimes.57

In 2007, survey respondents spent an average of $550.39 in out-of-pocket expenses for damage done to an existing account. These expenses include: postage, photocopying, purchasing police reports, travel, buying court records, and childcare. In reference to new accounts, respondents spent an average of $1,865.27 compared to $1,342 in 2006.58

Individuals who are victims of identity crime are subject to economic, emotional, and other non-financial damage. While financial institutions do not hold victims responsible or liable for debts fraudulently incurred with their stolen information, victims must spend substantial amounts of time and money attempting to resolve the problems that arise from identity crime. These include rejected credit card applications, harassment from debt collectors, denial of loans, or bounced checks. Between 1999 and 2001, the Federal Trade Commission’s Identity Theft Data Clearinghouse noted that over 2,600 victims reported having to pay out-of-pocket costs as the result of an identity crime.

57 Law Commission, supra note 696.
58 Identity Theft Resource Center, Identity Theft: The Aftermath 2007, at 4 (2008), available at http://www.idtheftcenter.org/artman2/uploads/1/Aftermath_2007_20080529v2_1.pdf.
Over 200 of these complaints alleged losses of more than $5,000, while 203 alleged losses totaling more than $10,000. According to the California Public Interest Research Group (CALPIRG) and the Privacy Rights Clearinghouse, victims of identity crime might spend an average of 175 hours trying to resolve problems related to the crime. Costs paid out by these victims, in addition to legal fees, were reported as averaging $100 per victim. One in six of those reporting information to the Privacy Rights Clearinghouse stated that they had been the subject of a criminal record because of the activities of an identity thief. There is no easy way for a victim to check on whether they have become the subject of a criminal record, since there is no agency or procedure similar to a credit-report check to make this determination. Being subjected to a criminal record for the actions of another may have a significant financial impact on identity crime victims through loss of work, property, or reputation.59

1 Identity Crime Victim Loss Analysis – as a Consequence of the Crime (Figure 5):

An offender can commit multiple crimes using the same identity, i.e. using one person’s identity for credit card fraud, mortgage fraud, government benefit fraud, etc. For each action the following model can be used to assess the true impact of each identity crime.60

Figure 5. Type of crime. Source: the author created this chart using the information available on https://web.archive.org/web/20050413142712/http://www.rikoksentorjunta.fi/uploads/bhw8jg0vde5.pdf
Chart labels: Type of Crime (Use of Identity Information / Document): Financial; Non-Financial; To commit other crime(s); Hybrid. Method used to acquire information: (Friend, Family, Employee, Phishing scam, Hacking etc.). Duration of Crime. Victim Profile (For a single crime there can be multiple victims): Individual(s) / People; Business; Government; Other (taxpayer etc.). Victim’s Loss Assessment: Financial; Non-Financial, Time, Loss of opportunity etc.; Emotional/Psychological trauma. Consequential Costs; Recovery costs; Prevention costs; Precautionary spending and behavior; Pain and suffering; Response costs.

D Opportunity Costs

The opportunity cost of a good or service is simply what must be given up in exchange for that good or service. An example is a victim who spends an average of 10 hours meeting with police, prosecutors, and attending court proceedings. This time is considered an opportunity cost, and in this case would be based on the hourly earning capacity of a victim. This is a financially-based cost. Other opportunity costs include the value of pain, suffering, lost quality of life to victims, and fears experienced by the public at large.61

Opportunity costs also include the inability of a victim to find a job, qualify for a loan, or buy a car. All of these may result in additional financial costs to the victim as well, and they are imposed whether or not the victim is being held responsible for financial losses by an institution. For many of these kinds of costs, both personal and financial elements are linked. For example, a requirement imposed by some financial institutions that the victim prove fraud has taken place leads to a delay in actions that can be taken to control related exposure to that fraud. Thieves may continue to perpetrate the fraud using the stolen identity during the delay, and total losses to all parties are increased. Such delays also raise the level of frustration in victims who want immediate help in resolving the problem.62

59 Richard M. Stana, Identity Theft: Growing Prevalence and Cost, Almanac of Policy Issues (Feb. 14, 2002), http://www.policyalmanac.org/crime/archive/identity_theft.shtml.
60 (April 2, 2004) (the author created this chart using the information available on this website), available at http://www.rikoksentorjunta.fi/uploads/bhw8jg0vde5.pdf.
61 Costing Principles & Methodology, supra note 692.
62 Newman & McNally, supra note 693, at 35. (Rayan).
1 Problems Experienced by Victims

Eighty-two percent of identity crime victims discovered the crime through a demand from a creditor for late payment, being contacted by a collection agency, denial of credit or a loan, notification from law enforcement agencies, or by noticing that money was missing from a bank account. Only 10 percent found out about the crime through proactive measures taken by businesses, while only 8 percent noticed anything unusual on their credit reports.63

More than 33 percent of households that experienced an identity crime had one or more problems of different kinds that resulted from that crime. Thirty-four percent had been contacted by a bill collector, while 31 percent reported having problems with their banks. Collectors were more likely to be involved when a fraudulent credit card account was at issue. One in six households had to pay higher interest rates due to identity crime, while one in nine faced denials of utility or telephone services. Seven percent of households faced a civil suit or judgment, while others were subject to a criminal investigation.64

2 Offender Costs

The costs of identity crime are paid by offenders and their families as well. The removal of an offender from the family may impose significant hardships, financial and otherwise. Many identity criminals offend to get money to benefit the family. They may also commit identity crimes for non-financial reasons that provide a benefit to the offender and/or family (medical care, etc.). The losses associated with the removal of an offender from family and home are more relevant if the offender commits the crime in the area – city or country – in which he or she lives. The further away an offender is from the victim, the less of an impact the offender’s losses will have on that community, and there will also be less of a positive impact (through transfer of wealth from the victim to the criminal), since any offender gains will then benefit a different economy.
3 Psychological Consequences The ramifications of identity crimes go beyond the initial financial losses as well. Almost 50 percent of victims have problems obtaining credit and/or loans after an identity crime, while about 20 percent must pay higher interest rates. More than 66 percent of victims face major difficulties when attempting to remove negative data from a credit report. These elements impose a significant
63 64
Identity Theft Resource Center, supra note 700. Costing Principles & Methodology, supra note 692.
218
CHAPTER 4
psychological impact on victims and their families. Victims may become angry, anxious, or depressed due to losing their financial footing. About 50 percent of victims become unable to trust other people as the result of their experiences following an identity crime, and more than half no longer believe that law enforcement can protect them.65 Personal crimes like identity crime have been found to reduce the quality of life for an average American by 1.8 percent. This figure includes only the cost to the household that is directly involved; it does not measure the impact of fear induced by identity crimes in the general society.66 4 Long-Term and Short-Term Effects of Identity Crime There is a distinction to be made between costs that are based on incidence and those based on prevalence. Costs based on incidence consider individual episodes of identity crime, determining all the costs associated with that single incident. An individual who experiences the theft of his or her identity may have to face the impact of that crime and its consequences for years after the initial event. Incidence-based costs are those that account for both the current and future costs of an incidence of identity crime in the year in which the crime occurred. Costs based on prevalence are those that account for harm done to a victim of identity crime in any given year, regardless of the date of the initial crime.67 Discussions of identity crime victimization must consider the initial harm and the psychological impact of the crime over time. The actual identity crime may be considered the “primary wounding,” while the “secondary wounding” refers to how a victim is treated by the public and private agencies encountered when reporting, prosecuting, and remedying the situation. 
It also refers to the extended impact on the victim of a credit score damaged by the actions of the identity thief or the consequences for the victim of having a criminal history misreported on an employment background check, for example.68 Just 9 percent of identity crime victims responding to a 2007 survey indicated that their experience had not affected their ability to “go on with my life” in any way. Twenty percent reported that their lives were still feeling the impact
65 Daniela Baumgarthuber, How Much Will ID Theft Cost Me?, IdentityTheftFacts.com (July 7, 2009), http://www.identitytheftfacts.com/ (on file with author).
66 Ted R. Miller, Mark A. Cohen & Brian Wiersema, Nat’l Institute of Justice, Victim Costs and Consequences: A New Look 1 (Jan. 1996), available at https://www.ncjrs.gov/pdffiles/victcost.pdf.
67 Costing Principles & Methodology, supra note 692.
68 Identity Theft Resource Center, supra note 700, at 19.
Threat Agents and the Impact of Identity Crime
of the identity crime six to 12 months later; almost 36 percent said the crime was still affecting them two years later, and 5 percent said they felt the effects ten or more years after the initial crime. Most respondents, 64 percent, stated that their inability to get credit was the longest-lasting effect, while 36 percent reported a rise in their credit card rates.69

5 Non-Financial Personal Costs

Victims of identity crime pay costs other than financial ones. In addition to the time and effort required to resolve problems related to the crime, victims suffer from emotional damage, feelings of being violated, and frustrations arising from attempts to clear their names and/or dealing with harassment from collectors for bills incurred by the identity thief.70 Individuals who have been targeted by identity thieves frequently have difficulty clearing negative information from their credit agency records. In fact, credit agencies were ranked first in a list of reasons why victims cannot clear their records, with 32 percent of those surveyed attributing their major problems to credit agencies. Other reasons for difficulties included the fact that an individual’s social security number was linked to another person’s information or that the victim’s fraud alerts were ignored.71 There are also some unexpected costs to victims that arise from identity crime, including higher insurance rates, higher credit card rates, and the creation of a criminal record. Sixty-four percent of victims surveyed said their inability to get credit was their biggest problem after an identity crime experience. Twenty-seven percent had their credit cards cancelled, despite the fact that the accounts were appropriately maintained, while 53 percent reported that collection agencies continued to call after the crime was discovered.
Fourteen percent of individuals reported having problems with renting property after becoming a victim of an identity crime.72

E Loss of Reputation

For individual victims, damage to reputation represents a significant impact of identity crime, and it may have financial consequences as well. In some cases, an individual may be arrested or even jailed because he or she pays the price for an identity thief’s activities. Criminals who use an individual’s name and other personal information often do not suffer the consequences of their acts,

69 Id.
70 Newman & McNally, supra note 693, at 34.
71 Identity Theft Resource Center, supra note 700, at 4.
72 Id. at 4–5.
nor do law enforcement authorities who misidentify the actual offender or employers and/or financial institutions who continue to attribute crimes to the identity crime victim. In modern societies, an individual is responsible for maintaining his or her own good reputation, but other organizations, governments, and businesses also contribute toward the make-up and maintenance of that reputation.73 While financial organizations, law enforcement representatives, and other authorities recommend that individuals protect themselves from identity crime by checking their credit records twice each year, this action is inadequate in the current environment. It has been said that making such a recommendation is like requiring someone to leave a home unlocked and suggesting that he or she check the local pawn shop to see if personal items have been “fenced” as stolen.74

F Costs for Business

Businesses face significant costs related to identity crime. Customers’ personal data may be misused by identity criminals, exposing a business to the costs of investigating a fraud, restoring the security of its stored information, and reimbursing customers for any losses they might have incurred. According to a 2006 fraud survey by KPMG, the perpetrators of identity crimes frequently work inside a business. These identity thieves can be found in both management and non-management positions, and they are typically motivated to commit the crime for financial reasons. Additionally, organized crime syndicates have sometimes recruited workers at financial institutions to gain access to the personal data of customers. In some cases, the identity of a business may be misappropriated by criminals and used to solicit funds or other benefits.
This activity is frequently linked to alleged charities that collect monies from the public after a natural disaster.75 The average losses for goods and services experienced by businesses in 2007 totaled nearly $48,000.76

4.2.6 Response

A National Economies

Identity crimes have a serious impact on national economies. Identity crimes create financial losses for societies and can potentially lead to more serious

73 Shostack & Syverson, supra note 694.
74 Id.
75 Parliamentary Library Research Service, Research Brief No. 1, Crimes Amendment (Identity Crime) Bill 2009, at 8 (Mar. 2009).
76 Identity Theft Resource Center, supra note 700, at 4.
crimes that present a danger to national security, such as terrorist acts and human trafficking. According to the Australian Institute of Criminology, about 25 percent of incidents involving fraud that are reported to the country’s federal police are associated with “the assumption of false identities.” In 2003, the Securities Industry Research Center of Asia-Pacific (SIRCA) determined that the costs of identity fraud paid by large businesses in Australia totaled $1.1 billion between 2001 and 2002.77 In the United States, eight million adults, or nearly 4 percent of the adult population, were victims of identity crime in 2007, with total costs of the crimes at $49.3 billion. Of the total, less than 10 percent was paid by identity crime victims; most of the losses were borne by businesses, government, and other agencies. According to one study, in one year 3.6 million households, or about 3 percent of the U.S. population, included at least one person who had suffered the unauthorized use or attempted use of their personal identity information in the past six months. Losses to these individuals were estimated at $3.2 billion. And while there appeared to be a decrease in the cost of identity crime between 2003 and 2007, the time required for victims to resolve the problems linked to their stolen identity rose from 33 hours to 40 hours.78 Financial costs related to identity crime in the United Kingdom totaled an estimated £1.7 billion between 2004 and 2007, according to a Home Office committee, while the nation’s Fraud Prevention Service determined the number of identity crime victims at over 67,000. The most rapidly increasing identity crime in the UK involves the impersonation of individuals who are deceased; this type of crime cost the country an estimated £250 million per year.79 At some point, the costs borne by individual victims begin to impact the overall national economy, both financially and in terms of lost productivity.
There are social costs to the overall well-being of a society.80 There are also external costs, which are those imposed by one individual on another who does not accept the negative consequences of an action voluntarily. A property theft is not usually considered to have a social impact because someone – the

77 NZLC IP17 Review of the Privacy Act 1993, at 444–456 (2010), available at http://www.lawcom.govt.nz/sites/default/files/publications/2010/03/Publication_129_460_Part_20_Chapter-17-Identity%20Crime.pdf.
78 Model Criminal Law Officers’ Committee of the Standing Committee of Attorneys-General, Final Report: Identity Crime 10 (March 2008), available at http://www.lawlink.nsw.gov.au/lawlink/SCAG/ll_scag.nsf/vwFiles/MCLOC_MCC_Chapter_3_Identity_Crime_-_Final_Report_-_PDF.pdf/$file/MCLOC_MCC_Chapter_3_Identity_Crime_-_Final_Report_-_PDF.pdf.
79 Id.
80 Costing Principles & Methodology, supra note 692.
offender – is still able to use that property. Some experts argue, however, that thieves should not have their use of stolen goods counted as part of the social welfare. So-called victimless crimes are also sometimes thought to have little social cost when the well-being of those who enjoy such activities is considered. Again, some experts believe these are criminal activities that lower the quality of life in neighborhoods or increase medical and other costs, which ultimately become the responsibility of taxpayers.81 Victims of identity crime may lose, on average, $2,000 to $15,000 in wages when dealing with their cases. This results from the necessity of spending between one day and nine months attempting to repair the damages done to their finances and reputation by identity criminals. In out-of-pocket costs, victims may pay $850 to $1,400 for expenses relating to paperwork and legal fees associated with taking their identity crime cases to court.82 Costs to a national economy also impact a country’s security efforts, since identity criminals frequently undertake their activities to commit additional crimes, including money laundering, smuggling, or terroristic acts. The 9/11 hijackers in the United States relied on false identities and illegitimate social security numbers and identity documents to help them commit their crimes. The costs that result from identity crime impose a significant cost on the national economy. These costs result from efforts to prevent, detect, and respond to identity fraud, in addition to the direct financial losses associated with the crimes. For example, authorities in Australia have estimated costs linked to identity crime ranged from US$1 billion to more than US$3 billion in 2007. In 2008, estimates of costs relating to identity crime in the United States totaled $66 billion, while those in Europe were estimated at more than $130 billion in 2007.83 As with individuals, national governments can also suffer from a loss of reputation.
The agencies responsible for keeping personal identity information safe are likely to experience a loss of trust among citizens if they fail to do so. The risks related to conducting business transactions online, which include the risk of identity crime, also create obstacles to the expansion of e-commerce, which translates into financial losses for society at large.

1 Federal Criminal Justice System

The federal criminal justice system incurs significant costs when it handles identity crimes. There are costs linked to the investigation, prosecution, and

81 Id.
82 Baumgarthuber, supra note 707.
83 Law Commission, supra note 696.
incarceration of offenders as well as the supervision of these offenders once they are out of prison. Identity crime is considered a type of white-collar crime, with the Federal Bureau of Investigation estimating that the average cost to investigate such crime totaled about $20,000 over a two-year period. Estimates for the costs associated with prosecuting a white-collar crime averaged $11,400 per case, while the Bureau of Prisons determined that in one year the cost of operating the minimum-security facility generally used to house white-collar criminals averaged approximately $17,400 per inmate. After release, community supervision of an ex-inmate averaged some $2,900 per offender per year.84 While most government agencies do not record separate statistics for identity crimes, those that do provide numbers to the U.S. General Accounting Office base them on white-collar crime and other kinds of financial crimes. The U.S. Secret Service estimates that costs linked to investigations of identity fraud arrests as far back as 1995 totaled $442 million in one year, $450 million in 1996, and $745 million in 1997, including losses to individual victims and financial institutions. In 2001, the Secret Service estimated its investigative costs at an average of $20,000 between 1998 and 2000. The U.S. Federal Bureau of Investigation (FBI) reported an estimated average cost for its white-collar investigative program at $20,000 during those years as well.85 Costs have, of course, increased significantly since these data were reported. In regard to federal prosecutions for white-collar crimes, available data indicated that some 13,700 white-collar crimes were handled in 2000, with a cost per case estimated at $11,400.
Law enforcement officials noted that there was a need for more prosecutors and support staff members to investigate and prosecute identity crime cases.86

2 Consumer Response Behavior

In the opinion of some experts, consumers must bear the burden for their exposure to identity crimes because they fail to take precautionary actions. In 2008, researchers found that over a third of consumers believe that most identity crime occurs online, while in reality, only 12 percent of identity crime is attributed to the online environment. However, the belief that online crime is prevalent has resulted in many consumers shying away from online banking or shopping.87

84 Stana, supra note 701.
85 Newman & McNally, supra note 693, at 32.
86 Id.
87 Identity Theft Resource Center, supra note 700, at 30.
Eighty-five percent of American consumers are aware that identity crime can occur anywhere at any time, with 65 percent stating that their feelings of vulnerability to identity crime have increased between 2007 and 2008. Sixty percent of Americans recognize that identity crime is a real problem and not just a function of media attention.88

4.2.7 Recovery

Identity crime victims must make considerable efforts to resolve problems, both financial and non-financial, that arise from the crime. As they attempt to do so, their experiences with recovery activities and the agencies they must contact to remedy the situation in which they were left by the crime sometimes only compound their injury and frustration. Victims have reported difficulties even in reaching the various assistance agencies. According to the U.S. Federal Trade Commission (FTC), victims have problems when they try to submit a report of the identity crime to the police, and of those who manage to reach the appropriate party, many report dissatisfaction with the way they were treated.89 Victims have also had difficulties when trying to contact the three major credit agencies, particularly in terms of reaching an actual representative instead of an automated information system. The FTC noted that identity crime victims were especially dissatisfied with their treatment by credit reporting agencies. Most people who contacted their credit card issuers were satisfied with the recovery efforts, but satisfaction was lower among those who had to open a new account or whose losses were larger than $5,000.
Few identity crime victims felt the credit bureaus were effective in removing fraudulent charges from their accounts, and in spite of alerts placed on their accounts, 46 reported that they experienced a recurrence of financial fraud in those accounts.90 The number of hours spent by a victim of identity crime to repair the damage done by a criminal who attacked an existing financial account totaled 116 in 2007. In cases where new financial accounts were created, victims spent over 157 hours to resolve their problems. Seventy percent of identity crime victims said that they spent as much as a year to clear up the misinformation in their accounts in 2007, an increase from 50 percent in 2006. Twelve percent reported that it took them one to two years to address all the difficulties related to the crime, while 19 percent said it took more than two years to resolve their cases.91

88 Id.
89 Newman & McNally, supra note 693, at 35.
90 Id.
91 Identity Theft Resource Center, supra note 700, at 4.
About 33 percent of households that were victimized by identity crime reported resolving the problems linked to the crime in one day, while approximately 20 percent said they spent two to seven days handling their problems. One day or less spent addressing identity crime problems was most likely to occur in households that experienced the theft of credit cards and existing accounts. Those that experienced the theft of their personal data were more likely to spend three or more months resolving issues related to the crime than those facing difficulties linked to credit card or existing account fraud.92 In terms of continuing misuse of accounts compromised by identity criminals, some 75 percent of households found that the misuse ended rather quickly, particularly in situations where credit card theft was involved. Fifteen percent of households facing problems related to the misuse of personal information were often unsure of whether the unauthorized use had stopped or not. Approximately one in six households reported having continuing problems arising from the initial incidence of identity crime.93

A Victims’ Experiences with Recovery Organizations

Victims of identity crime reported that they had to call credit authorities and collection agencies over three times in order to resolve their problems in 2007. Forty percent said they felt “stonewalled” by authorities when they reported an identity crime, and many indicated difficulties obtaining a police report about the incident. Thirty-four percent of identity crime victims surveyed in 2007 were satisfied with the level of service they received from financial institutions or credit issuers, but 58 percent were not pleased, despite achieving a resolution to their problems. Forty-eight percent said they had to make three or more attempts to receive help from these organizations.
Forty-eight percent of victims were relatively pleased with the aid they received from utility companies, including cell phone, cable, and energy firms, in 2007. This represented nearly twice the rate of satisfaction as measured in 2006. Collection agencies were the most problematic for victims of identity crimes. Seventy-one percent reported that they had to make at least three separate contacts with these agencies to resolve their issues, a major increase over previous years. Thirty-seven percent said that at least one of the collection agencies they contacted refused to clear the account, even if they received proof that an identity crime occurred. This was a significant increase over the ten percent of victims reporting this situation in 2006.94

92 Id.
93 Id. at 5.
94 Id. at 22.
B Emotional Impact on Victims

Many victims of identity crimes report experiencing stress in their family life and feelings of anger or betrayal. Other emotions mentioned by victims include fear regarding personal finances, the feeling that law enforcement cannot protect them, powerlessness, grief, difficulty trusting people, and the desire to give up and stop battling the system. Some feel that the identity criminal has stolen “everything” from them and even have thoughts of suicide resulting from the identity crime.95 Since family members are sometimes involved in the theft of identity and personal data from other members, the impact on the family can be significant and require much effort to recover from. Some family members will turn against the theft victim if that victim chooses to prosecute the thief; they may pressure the victim to drop the legal case. Victims of identity crimes are frequently hesitant to file a police report about the crime when a family member is involved.96 The first study of the emotional impact of identity crime on victims was conducted in 2003. Since that time, Dr. Charles Nelson, a psychologist who has treated crime victims for some 32 years, has paid close attention to the issue. He notes that victims of identity crime respond in ways similar to individuals who survive crimes such as rape, repeated abuse, and violent assaults. Many identity crime victims show signs of classic Post Traumatic Stress Disorder (PTSD). Whether or not the emotional costs of identity crime meet the general standards for PTSD as defined by the American Psychiatric Association, it is clear that victims experience the same psychological, emotional, and behavioral symptoms as individuals who suffer from violent crimes. This kind of psychological damage is rarely recognized or acknowledged by business, law enforcement, or governmental agencies.
The problem is not often considered by victims’ family or friends, yet some identity crime victims suffer so much psychological and emotional pain that they consider suicide.97

C Real Location of Victim Costs

In the long term, an approach other than prosecuting the identity criminal and leaving the victim to resolve the problems that arise from having his or her

95 Katrina Baum, First Estimates from the National Crime Victimization Survey: Identity Theft, 2004, Bureau of Justice Statistics Bulletin, April 2006, at 4, available at http://bjs.ojp.usdoj.gov/content/pub/pdf/it04.pdf.
96 Id.
97 Identity Theft Resource Center, supra note 700.
identity stolen is required. For example, if the costs of sending preapproved credit offers included a requirement that the senders of these offers pay for fraudulent charges and the resulting damage to the victim’s reputation, the offers may not be worth sending. This would eliminate one of the most common sources of stolen identity information. Or if the potential for damage caused by sharing an individual’s personal financial data was included in the value of such sharing, it would not be worth it for financial institutions to take part in this activity. This would eliminate the need for governments to enact laws governing an individual’s ability to opt in or out of such sharing.98 The risks related to conducting business transactions online, which include the risk of identity crime, also create obstacles to the expansion of e-commerce, which translates into financial losses for society at large. The most frequent categories chosen were anger, feeling betrayed, feeling unprotected by police, deep fears regarding personal financial security, having a sense of powerlessness or helplessness, experiencing sleep disturbances, frustration, annoyance, exhaustion, and the feeling of giving up. In recent years, consumer advocates for identity crime victims have encouraged the passage of legislation in the areas of victims’ rights. This has resulted in a number of free victim assistance programs designed to help identity crime victims battle the emotional damage they suffer.99

4.3 Costs of Identity Crime by Use
4.3.1 Financial Identity Crime

The direct costs of identity crimes linked to financial activities are relatively easy to recognize and define. Estimates placed the cost of identity fraud to financial institutions at over $8 billion in 2005; in 2000, there were over 500,000 cases of identity crime reported in the United States alone.100 Added to the direct monetary costs of identity fraud are indirect costs such as computer security, additional training for employees, and the potential loss of reputation for the business and/or individual victimized by identity thieves. In many cases, identity thieves take money out of a victim’s bank or other financial account, run up large debts on stolen credit cards, or commit other financial fraud using the victim’s name. In addition to these direct, out-of-pocket

98 Shostack & Syverson, supra note 694.
99 Identity Theft Resource Center, supra note 700, at 27–28.
100 Financial Identity Theft Could Reach $8 Billion’ On Wall Street, HighBeam Research (Oct. 1, 2001), www.highbeam.com/doc/1G1-79558019.html.
monetary costs, victims may also spend considerable amounts of money in their attempts to correct errors in credit reports for which the identity criminal is responsible or to restore a damaged reputation in the community.101 Direct losses experienced by the financial services industry also include staffing fraud departments at banks, credit card firms, and credit reporting agencies.102 The American Bankers Association determined that monetary losses to the financial services industry often involve check fraud linked to identity crime. For credit card companies, monetary losses arise chiefly from account takeovers by identity thieves and fraudulent applications.103 Identity fraud committed for financial purposes is so widespread in the United States that most businesses and consumers simply consider the crime a cost of doing business. Many firms include the financial losses that result from identity crime in their bottom-line accounting instead of attempting to fight it.104

4.3.2 Credit Card Fraud/Payment Card Fraud

A considerable amount of identity crime involves the fraudulent use of payment cards. Payment cards include credit cards, debit cards, charge cards, fleet cards, gift cards, and stored-value cards.105 Identity crimes related to payment cards include new account fraud, true-name and fictitious identity fraud in both new and established accounts, stolen credit card numbers, and the creation of fraudulent credit histories. Each of these activities imposes financial and psychological costs on victims. In the credit-card system, there are two end-users: the cardholder or consumer and the merchant. And there are banks and card organizations that process the transactions and charge fees for their services. Which party then actually bears the cost in a case of credit card fraud?106
101 What are Identity Theft and Identity Fraud?, The United States Department of Justice, http://www.justice.gov/criminal/fraud/websites/idtheft.html (last visited Feb. 2, 2012).
102 Stana, supra note 701.
103 Id.
104 6 Different Types of Identity Theft – Don’t be the Next Victim!, The Free Library, http://www.thefreelibrary.com/6+Different+Types+of+Identity+Theft+-+Don%27t+Be+the+Next+Victim!-a01073960863 (last visited Feb. 6, 2012).
105 Payment Card Industry, Wikipedia, http://en.wikipedia.org/wiki/Payment_card (last updated Oct. 20, 2012).
106 Yu-Ting Lin, Who Bears the Cost of Credit Card Fraud? Re-Examining the Zero-Fraud-Liabilities and the No-Surcharge Rule, Presentation at the 2009 Annual Meeting of
In 2007, the United States Department of Homeland Security estimated that the cost of credit card fraud totaled as much as $500 million each year. While credit card companies bear most of the burden of this crime, cardholders often suffer direct financial losses and other losses resulting from legal actions, and loss of time and energy in struggles to resolve credit-report issues once an identity crime linked to their card has been discovered. Additionally, the losses experienced by credit card firms are generally reflected in increased interest rates for all cardholders.107 A review of the consumer fraud and identity crime complaint data at the U.S. Federal Trade Commission indicates that the agency received over 800,000 such complaints in 2007. Complainants stated their losses totaled over $1.2 billion, with credit card fraud the most common type of identity crime reported at 23 percent of the complaints.108 While many of the compliance tools used by financial institutions have previously been viewed as cost centers, some experts believe these tools can be utilized to monitor transactions to prevent identity crime. Doug Johnson of the American Bankers Association noted that tools related to compliance can now be used for fraud mitigation, and he recommends using these tools to detect credit card fraud. Alan Nevels, senior vice president of operations and card risk for ICBA Bancard, believes that financial institutions need to take a “layered approach” to fraud prevention. Credit card issuers need to implement neural networks, a customer name-matching option, and online verification to help them fight identity crime.
Each of these layers adds costs, but Nevels believes that third-party card transaction processors have become more willing to absorb some of the cost linked to fraud-prevention solutions.109 The direct financial costs of identity fraud involving credit cards are paid chiefly by the credit card industry itself, as long as the victimized consumer takes all necessary and required steps to remove false charges to their accounts. However, the indirect costs of restoring a good credit record, bearing the burden of lost jobs or loans, and the psychological stress resulting from an identity crime are suffered by the individual victim. If these costs were felt by those who did not properly authenticate a credit card transaction, it would

Law and Society, at 1–2, available at http://www.allacademic.com//meta/p_mla_apa_research_citation/3/1/5/1/6/pages315164/p315164-1.php.
107 Anne Borden, The Cost of Credit Card Fraud, LawyersandSettlements.com (April 27, 2007, 9:00 PM), http://www.lawyersandsettlements.com/features/credit-card-fraud.html.
108 Linda McGlasson, Credit/Debit Card Fraud: New Trends, Incidents, Bank Info Security (June 23, 2008), http://www.bankinfosecurity.com/articles.php?art_id=891.
109 Id.
soon become too expensive for them to continue their casual approach when authorizing a transaction.110 Identity crime involving payment cards may have a significant impact or a small one, depending on how quickly a victim reports the losses and begins recovery efforts on compromised accounts. For those who report thefts or suspicious activities in a timely fashion, liabilities and charges are generally limited. However, the emotional impact of identity crime may be felt by victims for a long time.111 If a credit card is reported as stolen before it has been used by the identity thief, card issuers are prohibited from holding the victim responsible for unauthorized charges. If a stolen card has been used in a fraudulent manner before the crime has been reported, however, victims are liable for the first $50.00 charged to the card. In the case of debit cards, there is no fixed liability for victims of identity crime. The amount a victim will be responsible for depends on when the theft of the card is reported. However, if the theft is reported before the debit card is used, victims cannot be held liable for subsequent charges to the card by their financial institution.112 If the theft of an ATM card is reported within two days of its discovery, victims are responsible for just $50.00. If the loss is reported after the two-day period but within 60 days of an unauthorized withdrawal, victims are liable for as much as $500.00 of the amount of the withdrawal.
If a bank card theft is reported after 60 days, victims may potentially face the responsibility for paying the total of the money fraudulently withdrawn from the end of the 60-day period to whenever the card is finally reported as stolen.113 The indirect costs of credit card or bank card theft to the victim include the time lost in trying to clean up a bad credit report, lost jobs or loans, and psychological stress associated with have a personal identity stolen.114 4.3.3 Bank Fraud In 1999, the American Bankers Association found that identity crime accounted for 56 percent of total check-fraud losses at banks with assets of $500 million and 5 percent at banks with assets totaling $50 billion or more. The average percentage attributable to identity crime at all banks was 29 percent. Actual losses to banks in 1999 were $679 million.115 1 10 Shostack & Syverson, supra note 694. 111 Baumgarthuber, supra note 707. 112 Id. 113 Id. 114 Shostack & Syverson, supra note 694. 115 Newman & McNally, supra note 693.
Bank fraud that involves checking accounts represents high losses to banks in comparison to amounts lost via bank robberies. Identity criminals cause problems for banks by using forged checks. An individual’s responsibility for paying the amounts of forged checks varies according to the state in which he or she lives. If they do not notify a bank in a timely manner about a suspected forgery, or if they do not monitor their accounts on a regular basis to find potential problems, they could be responsible for any losses that result from a fraudulent bank transaction. However, banks are usually responsible for losses resulting from check forgeries.116
4.3.4 Loan Fraud
Most loan fraud involves using false information on a loan application. Identity thieves typically use stolen names, social security numbers, and financial accounts to apply for fraudulent loans. In one case, an identity criminal opened checking and savings accounts using a stolen name and then obtained a social security number under that name. He applied for seven automobile loans. Additionally, he filed fraudulent documents about his job and level of income, including false tax returns. He was able to get about $380,000 in loans using these methods, which he utilized to buy expensive automobiles, including a Ferrari, a Rolls-Royce, and several Mercedes-Benz models. In seven months, this single criminal ran up $460,000 on multiple credit cards.117 He also used various Visa and MasterCard accounts to obtain substantial cash advances and used the American Express account to pay $93,600 towards the purchase of a Patek Philippe Moon Phase watch with a purchase price of $95,600. This case offers an illustration of the high costs associated with the crime of loan fraud. Crimes such as these have a negative impact on the individuals whose information has been stolen, as well as on society at large, since high fraudulent charges only lead to higher interest rates and other fees as loan organizations attempt to shield themselves from crime and recoup their losses.
4.3.5 Real Estate/Mortgage Fraud
Mortgage loans based on fraudulent information usually result in delinquency, default, or foreclosure, and they have a negative impact on neighborhoods.
116 Baumgarthuber, supra note 707. 117 Les Henderson, Crimes of Persuasion: Schemes, Scams, Frauds: How Con Artists Will Steal Your Savings and Inheritance Through Telemarketing Fraud, Investment Schemes and Consumer Scams (2003).
However, mortgage fraud represents a relatively low-risk, high-yield crime, and individuals working as accountants, mortgage brokers, or lenders are sometimes drawn to it. People working in these fields are familiar with the way mortgage loans work, and they know how to exploit the system’s weaknesses. Victims of mortgage fraud include borrowers, mortgage firms, and the people who live in neighborhoods affected by the fraud. As a result of the crime, lenders face high foreclosure costs, broker commissions, attorney fees, reappraisals, and related expenses. When property sells at an artificially inflated price, the price of property in surrounding areas also becomes inflated. As property values rise, so do property taxes. And homeowners may find it difficult to sell their property when neighboring properties that are affected by mortgage fraud begin to deteriorate.118 Rising foreclosure rates provide identity criminals with the chance to defraud homeowners who are financially vulnerable. In 2006, Mi Su Yi and her husband, Paul Amorello, were sentenced to prison in California for a fraud that involved business lines of credit and home equity lines of credit. The couple withdrew cash from the lines of credit before checks were returned due to lack of funds. They laundered the money through bank accounts that they opened with fake identities.119
4.3.6 Tax Fraud
Identity thieves can obtain fraudulent tax refunds by stealing the identities of legitimate taxpayers. A report from the U.S. Treasury Department notes an increase in the theft of taxpayers’ identities by individuals who want to work without paying federal taxes on their pay. The Internal Revenue Service (IRS) rarely prosecutes these cases, but the taxpayers who are the victims of the scams usually face significant difficulties attempting to resolve problems with tax authorities. This is because it is the policy of the IRS to investigate cases of identity crime only if they are committed in conjunction with other criminal offenses that have “a large tax impact.” Job-related identity crimes typically involve lower-wage workers, and the rules of confidentiality under which the agency operates prohibit contacting employers to alert them of potential crimes.120
118 Mortgage Fraud Report 2006, Federal Bureau of Investigation (May 2007), available at http://www.fbi.gov/publications/fraud/mortgage_fraud06.htm. 119 Id. 120 Lynnley Browning, Report Finds Two Kinds of Tax Fraud Have Spread, New York Times (April 10, 2008), http://www.nytimes.com/2008/04/10/business/10identity.html?_r=0.
According to the report, the number of fraudulent tax returns filed as a result of identity crime rose from about 3,000 in 2002 to almost 21,000 in 2007. Job-related identity crimes increased more than 200 percent during the same period to a total of more than 35,000 incidents. According to the Federal Trade Commission, almost 25 percent of identity-crime complaints received by the agency are tax-related.121 In response to the report from the Treasury Department, the IRS said it could take additional action to stop fraudulent tax refunds and has placed numerous warnings on its website about identity-related scams that rely on the use of stolen social security numbers. However, the IRS cited the regulatory prohibition on sharing taxpayers’ information and would not agree to contacting employers whose workers appear to be using stolen identities.122
4.3.7 Medical Identity Fraud
While medical identity fraud has not been the focus of as much attention as identity crimes dealing with financial accounts, it has the potential for being much worse, since individuals are victimized when they are most vulnerable – when they are sick. The costs associated with medical identity crime include the obvious financial losses, denial of insurance later on, and the use of all available insurance benefits by an unauthorized party. More important, however, is the false information that is included in a victim’s medical records, which can result in potentially dangerous treatment for the legitimate medical account holder. There is also a loss of reputation for the patient, doctor, and health care organization, a loss of privacy for the victim’s medical information when it becomes part of a crime investigation, and the loss of time that victims must spend to clear up their records. There is always a significant threat of future harm for the victim when false information is added to a medical record. Since doctors make medical treatment decisions on the basis of the medical history, any mistakes in that record have potentially deadly consequences.123 About 250,000 individuals become the victims of medical identity crime in the United States every year. In June of 2008, the University of Utah Hospital discovered that the personal information of 2.2 million patients had been compromised by identity criminals, and each one of these cases has the potential
121 Id. 122 Id. 123 Latour Lafferty, Medical Identity Theft: The Future Threat of Health Care Fraud is Now, 9 J. of Health Care Compliance 11 (2008).
to impose physical harm on a patient.124 Consumer protection authorities are paying closer attention to the problem of medical identity crime as the ramifications of the crime become more evident, but there are no specific agencies or services that focus on the monitoring of medical records in ways similar to those applied to customer records in the financial industry. This imposes a significant burden on individuals to protect and monitor their own private medical information, with special attention given to treatment invoices and insurance claims.
4.3.8 Bankruptcy Fraud
Bankruptcy is a method by which businesses and individuals can clear up all outstanding debts and start over, but identity criminals often use the procedure for profit. There are basically three ways to commit bankruptcy fraud: by hiding assets so they are not liquidated in bankruptcy proceedings; by filing bankruptcy in more than one state in a fraud involving multiple filings, which often use stolen identities; and through what are known as petition mills.125 In one type of bankruptcy fraud, debtors respond to an ad for a firm that promises to help them avoid eviction from their rental homes. Debtors give the company all of their personal details and pay high fees that they expect will protect their interests and save them from eviction. However, what has actually happened is that the company has filed bankruptcy in the name of the debtor, taken all of their available cash resources, and imposed significant damage to the reputation of the debtor.126
4.4 Conclusion
The identity crime threat agent has many variables (generally, a variable is a rationale or inducement that incentivizes the threat agent for the commission of an identity crime). These variables, specifically identified in this chapter, need to be understood and incorporated into any identity crime prevention strategy. In addition, businesses, organizations, and governments need to understand the true impact of identity crime that affects them, directly or indirectly, and have an equitable or appropriate response to prevent a crime or mitigate its effect after it is committed (the impact of identity crime is discussed further in Chapter 7). In summation, it is important to understand the kinds of identity crimes that can be committed, who commits these crimes and why, and to consider all factors that will increase or decrease incidents of identity crime.
124 Melinda Rodgers, U of U Medical Records Stolen, 2.2 Million Patients’ Data at Risk, Salt Lake Tribune (June 11, 2008), http://www.sltrib.com/ci_9540210. 125 Mercy Maranga, Bankruptcy Fraud: Three Ways Of Doing It, Articlesbase (Aug. 05, 2009), www.articlesbase.com/finance-articles/bankruptcy-fraud-three-ways-of-doing-it-1098707.html. 126 Id.
Chapter 5
International Trends in Addressing Identity Crime
Introduction
Identity crimes are not confined within national borders. A crime seemingly committed in one locale, perhaps by a person sitting at his own computer, in actuality may occur in many different localities, crossing the borders of the country where its perpetrator acted and affecting people and organizations around the globe. Computer networks that process and store huge amounts of information on the identity of individuals make massive thievery and trafficking in identification information possible. “The decrease in face-to-face transactions coupled with the increasing distance between crimes, criminals, and victims, often across international boundaries, has opened up new opportunities for those who engage in identity-related crime to exploit.”1 The legal framework to criminalize identity-related crime thus far exists only on a national level.2 International organizations that deal with criminal issues have not yet developed specific identity crime legislation. Nevertheless, a variety of international and regional organizations have focused on the problem, and provide insights useful in further developing national legislation and taking action to prevent the spread of identity crimes.
5.1 International Organizations
5.1.1 United Nations
A International Recognition of “Identity Crime”
The United Nations’ Commission on Crime Prevention and Criminal Justice has done a considerable amount of work in recognizing the existence of identity crime, analyzing the means of identity used by member states, and
1 Criminal and Legal Affairs Subgroup, G8 Lyon-Roma Anti-Crime and Terrorism Group, Essential Elements of Criminal Laws to Address Identity-Related Crime 3 (Feb. 2009) [hereinafter “Essential Elements”]. 2 See Chapter 4. (discussing United States, Canada, Australia, and United Kingdom laws specific to identity crime (identity-specific statutes), which includes any statutes related to identity, identity theft, and/or identity fraud, as well as additional laws that may be used in prosecuting identity crimes (identity-related statutes) in Chapter 4).
© Koninklijke Brill NV, Leiden, 2020 | DOI:10.1163/9789004395978_006
analyzing current statutory regimes.3 In its “Study on Fraud,” the Commission provided a unique and succinct discussion of the nature of identification documents and information, and their role in criminal activities:
The ability to uniquely identify individuals is a critical element of virtually every aspect of social, political and economic activity. An identity must be created and linked to the specific entity identified. Identification information must be created, transmitted, stored and retrieved, and it is usually linked to other information about the individual it identifies, such as nationality or citizenship status, financial and banking records, criminal records and similar personal and commercial information. The fundamental role identity plays in so many different systems creates a vast range of opportunities for crime if basic identification information can be altered or falsified or if the systems for creating, altering, retrieving and verifying identity and other information can be subverted. For that reason, the criminal law and criminal justice systems of almost all states have addressed identity-related issues in some way.4
The Commission notes that legislation in most states is currently limited to dealing with identity problems in terms of the further crimes that can be committed through identity abuses, although states recently “have started considering the problem from the perspective of identity itself. Thus, in addition to the misuse of identity, “underlying, preparatory or supporting conduct such as taking, copying or fabricating identity and the various forms of tampering with identity systems should be treated as a new and distinct form of criminal offense.”5
The Commission differentiates between the term “identity crime” and “identity theft.” “Identity crime” is used to cover all forms of illicit conduct involving identity, including identity theft and identity fraud; it is a “forward-looking usage,” that most states have not yet adopted. “Identity crime” includes preparatory or constituent offenses such as forgery and impersonation, whereas “identity theft” refers to the taking of information in a manner analogous to
3 U.N. Secretary-General, U.N. Commission on Crime Prevention and Criminal Justice, Results of the Second Meeting of the Intergovernmental Expert Group to Prepare a Study on Fraud and the Criminal Misuse and Falsification of Identity, U.N. Doc. E/CN.15/2007/8/Add.3 (Jan. 31, 2009) [hereinafter “U.N. Commission, Second Meeting, Study on Fraud”], available at http://www.unodc.org/documents/organized-crime/E_CN_15_2007_8_Add_3.pdf. 4 Id. at 3. 5 Id.
theft or fraud, including theft of tangible documents and intangible information, taking abandoned or freely-available documents or information, and persuading individuals to surrender documents or information voluntarily.6 The Commission adds the term “identity fraud” to the mix, referring to the use of identity information to commit other crimes or avoid detection and prosecution in some way. A broader term, “identity-related crime,” has been used to include such situations that target identity information itself as well as other information to which it is linked. In some contexts, the term “identity abuse” is used, carrying no assumption that the conduct is a criminal offense or should be criminalized.
The criminal regimes of various countries surveyed by the Commission are covered elsewhere. However, the Commission, by looking at the worldwide spectrum of identity-related crime, was able to come to a few realizations about the relationships of identity crime to other categories of crime. For instance, the relationship between identity-related crime and organized crime:
Beyond carrying out identity-related crimes as part of other criminal activities such as money-laundering, some organized criminal groups may be sophisticated enough to engage in identity-related crimes as a distinct criminal operation. Responses from States suggested two key scenarios. Organized criminal groups might use identity-related crime to protect their members and operations from surveillance of illicit activities and to carry out routine, non-criminal activities such as international travel. There was also evidence of the specialization of groups … that develop the expertise to fabricate increasingly sophisticated identity documents or exploit weaknesses in issuance schemes, deceiving or corrupting authorities, in order to obtain genuine documents, which could then be sold to others for use in crime, terrorism, illicit travel, migration or other activities in which legitimate identification would be prejudicial… .7
B Development of Legislation
Working groups within the United Nations have set as a “key objective” the development of criminal legislation that addresses identity-related crime. The working groups see identity crime as having the potential to harm economies and jeopardize national security.8 The gist of the United Nations’ work on the
6 U.N. Commission, Second Meeting, Study on Fraud, supra note 771, at 4–5. 7 Id. at 11. 8 Essential Elements, supra note 769, at 4.
problem of identity crime is its identification of the essential elements that statutes must include in order to criminalize identity crimes: specifically, what should be made illegal in relation to the acquisition, transfer, use, and possession of false identification documents and false identifying information.9 The U.N. Commission paper suggests that “the best approach for crafting criminal laws to address identity-related crime is to develop an inventory of common issues that need to be addressed and possible approaches and options for addressing them as essential elements of an overall program of criminalization.”10 The outline of the essential elements that any nation’s criminal code should consider consists of the following:11
a. Definitions
   i. Scope of offenses
   ii. Exclusion of innocuous conduct
   iii. Concept of information requiring protection
b. Scope of acts to be covered
   i. Initial acts
      A. Acts done for the purpose of acquiring identity information
      B. Possession of documents and information
      C. Possession of devices to obtain information
      D. Possession of devices to access computer systems or other identity infrastructures
      E. Transfer (e.g., sale) of information of another
   ii. Second phase acts
      A. Fraud
      B. Forgery
      C. Impersonation
      D. Avoidance of detection
c. Incorporating a mental element
d. Particular considerations
   i. Types of information to cover (physical and digital)
   ii. Adaptability to technological advances
   iii. Exclusion of legitimate state activities
   iv. De minimis or innocuous activity
9 Id. at 15. 10 Id. 11 Id. at 16–18.
The United Nations approach posits that, first, a nation must decide whether merely to adapt its current criminal statutes to clearly include identity crimes, or to create, as the United States has done, specific “identity theft” and
“identity fraud” offenses. If such offenses are created, a country needs to delineate the scope of the offenses, and make sure that they exclude innocuous conduct. A statute must clearly define the scope of identification documents and information to be protected. Criminal law protections need to extend beyond tangible documents to the information that those documents contain and the information needed to create, use, and verify them.12 National laws, in order to be effective, must incorporate their own concepts and identity infrastructures, but they need to be similar enough to those of other countries to make them effective when international cooperation is needed to investigate and prosecute such crimes.13
The United Nations paper addresses both the initial acts of unlawful or unauthorized acquisition and transfer of identity information and documents, and the subsequent acts of fraud stemming from those initial acts. So long as all phases are covered, officials will be able to intervene at the stage where law enforcement will be most effective. Some activities that could be criminalized are now merely seen as activities in preparation for crime, chiefly, the acquisition and transfer of information. If these activities are seen as crimes in their own right, law enforcement has new opportunities to intervene.14
One fear expressed by the U.N. paper is that innocuous activity may come under criminal statutes. The paper recommends that elements be added to the statutes to guarantee that innocuous actions cannot be prosecuted. For example, “possession of another’s identity documents might require … an added criminal purpose, or the absence of some lawful justification or excuse.”15 The mental element, such as that the action must be intended for an illicit purpose, is identified as important to make sure that the offense is not overbroad. Drafters of legislation must decide, suggests the U.N. paper, whether the intent element is satisfied if the perpetrator merely intended to take information, or whether he must have the intent to use the information for some other offense, such as fraud.16 (The statute in the United States includes the mental element of “knowingly,” but some elements of the statute do not require any specific intent to commit some other act.)
12 Id. at 16. 13 Id. 14 Id. at 17. 15 Id. 16 Id.
The United Nations paper lists specific concerns that every country should address as it develops its identity crime regime:
1. The classes of identity information and documents they should cover;
2. The need to address both physical and digital information, media and documents;
3. The need to develop provisions that can keep pace with the evolving nature of identity theft, particularly its exploitation of new technologies;
4. The need to allow for de minimis activity and ensure that innocent actors or innocuous acts are not caught (as an example, the use of a credit card belonging to one family member by a family member who is orally authorized to do so by the other family member, but who is not listed by the card issuer as an authorized user);
5. Whether and how to address the creation of “fictitious” persons as opposed to real persons;
6. The need to exclude legitimate state activities from inadvertent criminalization, such as the operations of undercover police agents who need to use false names or identity documents; and
7. The need to ensure that criminalization is not restricted to activity carried out for economic gain.17
The crimes recommended for criminalization by the United Nations Commission on Crime Prevention and Criminal Justice are the “initial acts” listed above, as opposed to the “second phase” acts that are already, in most cases, deemed criminal. The Commission focuses on the acts constituting acquisition, possession, and transfer of identity documents and information, as well as devices to obtain such information (access devices). Specifically, the Commission sees the following as benefits:
a. Creating incentives to recognize the scope of the problem.
b. Clearly recognizing abuses of identity as criminal wrongdoing even if no subsequent criminal offenses are committed.
c. Allowing earlier investigation, prosecution and international cooperation, and halting operations before secondary crimes of deceit and dishonesty can be committed.
d. Ensuring that victims will be heard, and that they are recognized as victims of a crime.
e. Allowing penalties to be developed that reflect the seriousness of the underlying activity.
f. Supporting more effective prosecutions for offenses in schemes in which different offenders carry out different stages of the process.
g. Supporting more effective international cooperation and complementary investigations and prosecutions.
h. Helping to combat the international organized crime elements of identity theft.
i. Supporting global commerce by attacking a major threat to international commercial structures and confidence in them.
j. Supporting the work of the International Civil Aviation Organization technical group working on machine-readable travel documents.
17 Essential Elements, supra note 769, at 18.
C International Cooperation
The United Nations, as the world’s preeminent body for international cooperation, has issued a draft version of a paper with valuable suggestions on what can be done to achieve such cooperation.18 The draft set out to deal with several issues, specifically:19
(a) the nature and extent of fraud and the criminal misuse and falsification of identity;
(b) domestic and transnational trends in fraud and the criminal misuse and falsification of identity;
(c) the relationship between fraud, other forms of economic crime, the criminal misuse and falsification of identity and other illicit activities, including organized crime, money-laundering and terrorism;
(d) the prevention and control of fraud and the criminal misuse and falsification of identity using commercial and criminal law, criminal justice and other means, and how those could be harmonized;
(e) the particular problems posed by fraud and the criminal misuse and falsification of identity for developing countries and countries with economies in transition.
The method used by the Commission to gather its information was a questionnaire sent to all member states, combined with information from commercial and other private-sector sources.20
18 U.N. Secretary-General, Comm’n on Crime Prevention and Criminal Justice, International Cooperation in the Prevention, Investigation, Prosecution, and Punishment of Fraud, the Criminal Misuse and Falsification of Identity and Related Crimes [Draft 1 Short Version], U.N. Doc. E/CN.15/2007/8 (2007) [hereinafter “U.N. Draft 1 Short Version”], available at https://www.unodc.org/unodc/en/organized-crime/identity-related-crime.html. (Syed). 19 Id. at 4. 20 Id. at 6–7.
The U.N. Commission on Crime Prevention and Criminal Justice draft report provided a long list of conclusions and recommendations based on its work. They essentially consisted of the following:
1. Further work is needed in gathering, analyzing, and disseminating information about fraud and identity-related crime. While, in the case of economic fraud, most states have clear legislative definitions and offenses, these are not detailed enough to enable research into specific types, trends and patterns involving international schemes, organized crime, and how communication technologies are used in order to commit such fraud. And as for identity-related crime, much less is known, and work must be done to allow for:
   a. a standard classification framework for offenses and activities;
   b. gathering of material from multiple sources, including official offense reports, complaints, and alternative sources less likely to be influenced by under-reporting;
   c. estimations of the costs of fraud, with input from national experts on money laundering and appropriate commercial associations;
   d. gathering of information about identity-related crime as a distinct problem in its own right, and in the context of related criminal activities.21
2. Member states are encouraged to ratify the two relevant conventions: the Convention Against Transnational Organized Crime, and the Convention Against Cybercrime (discussed below). Member states should review their existing legislation to make sure that their definition of a “serious crime” fits within the definition of “serious crimes” in the Convention Against Transnational Organized Crime. Member states should make sure that law enforcement and other relevant agencies are trained in the investigation of cybercrime, including where appropriate, the use of the Convention Against Cybercrime.22
3. Domestic agencies must have the powers to investigate, prosecute and punish fraud and identity-related crime. Specifically:
   a. Member states should consider modernizing fraud offenses and investigative powers to deal effectively with frauds committed via telephone, e-mail, the Internet and other telecommunications technologies.
   b. Member states that apply anti-money laundering measures only to designated predicate offenses should consider including fraud and similar offenses.
   c. Member states that criminalize fraud only on the basis of individual fraudulent transactions may wish to consider criminalizing conduct such as the operation of fraud schemes and the perpetration of mass-frauds.23
4. Determining which country has jurisdiction to prosecute cases of identity-related crime will be a large problem, because present-day frauds tend to take place in many places at the same time. Traditional territorial jurisdiction is not sufficient, and will lead to cases where no state can prosecute effectively and has sufficient jurisdiction to do so, while an overbroad approach can lead to conflicts in jurisdiction. Therefore, states with narrow jurisdiction should broaden their approach. If more than one state has jurisdiction, they should collaborate so that the state in the best position to prosecute is the one to do so. Member states should establish jurisdiction to prosecute fraud in any case in which the accused offender is found in their territory, but they cannot extradite for some reason to another state that has territorial jurisdiction to prosecute the offense.24
5. Appropriate limitation periods should be established so that the time limit on prosecuting a fraud does not expire before any state has a chance to prosecute. Extensions of time limits, or suspension and reinstatement, should also be considered.25
6. Member states must maintain adequate research capacity to keep abreast of new developments in fraud and identity-related crime, share their research, and collaborate across borders.26
7. Because “economic fraud is an inherently commercial crime and can be seen as a distortion or perversion of legitimate commercial dealings,” cooperation between criminal justice systems and the private sector is essential. Security countermeasures should be incorporated into commercial technologies when they are first developed. Those in a position to identify and report economic fraud or identity-related crime should be trained; this includes commercial customers or communication subscribers, and employees who handle business transactions.27
8. For developing countries, it is recommended that basic anti-fraud elements and expertise be included when planning and implementing technical assistance in developing basic economic and commercial structures.28
9. Measures must be adopted for the prevention and deterrence of economic fraud and identity-related crime, specifically, educating potential victims; educating those in a position to detect and deter fraud; gathering and analyzing timely information on the crimes, and rapidly sharing that information; developing commercial practices and systems taking into account the threats and costs of such crimes. Such measures should be adopted at the national, regional, and global levels.29
10. Develop technical means of prevention, including making documents such as passports or credit cards more difficult to falsify, and making the supporting information systems more difficult to subvert and more reliable as a means of rapid identification when cards or documents are used.30
11. Investigators and prosecutors must be trained. “Training must address the extremely wide range of variations of fraud, the sophisticated nature of many of the offenses, the involvement of elements of transnationality and organized crime, and the criminal/commercial duality of fraud.” The training must recognize that identity-related offenses involve both new, high-technology forms of crime, and long-established crimes, such as document forgery.31
21 Id. at 10–12. 22 Id. at 12–13. 23 Id. at 14. 24 Id. at 15–16. 25 Id. at 16–17. 26 Id. at 17. 27 Id. at 18–19.
5.1.2 European Union
The European Union has not, to date, developed coordinated statutory schemes on identity crimes. Its most significant directive on the privacy of data is one enacted in 1995 on the “protection of individuals with regard to the processing of personal data and on the free movement of such data.”32 In its most significant passage, this directive provides that member states of the Union must provide that personal data be: a. processed fairly and lawfully; b. collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing
28 Id. at 20.
29 Id. at 20–21.
30 Id. at 22.
31 Id.
32 Directive 95/46/EC, of the European Parliament and Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 95/46/EC, 1995 O.J. (L 281), available at http://europa.eu/legislation_summaries/information_society/data_protection/l14012_en.htm.
of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards; c. adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.33 Although the problem of identity crime in Europe has been studied, official responses by the European Commission, the governing body of the European Union, have been limited. One such response has been by the EC’s Fraud Prevention Expert Group’s subgroup on identity theft, entitled “Report on Identity Theft/Fraud.”34 The report contains a thorough description of the problem of identity crimes, and the current schemes within individual European countries. In addition, a second subgroup, the Law Enforcement group, has the objective of investigating the possibility of (and any possible obstacles) to creating centralized law enforcement units to address non-cash payment fraud.35 Although the group has made recommendations, there has been little progress on actually coordinating efforts involving non-cash payments. The identity theft subgroup of the Fraud Prevention Expert Group is reported to be working to develop an end-to-end document on identity verification in the financial world.36 One valuable aspect of the subgroup’s report is in
33 Id. at art. 6. (Arsh).
34 Fraud Prevention Expert Group (FPEG) Subgroup on Identity Theft, Report on Identity Theft/Fraud (Oct. 22, 2007), available at http://ec.europa.eu/internal_market/fpeg/docs/id-theft-report_en.pdf [hereinafter “FPEG Report”].
35 Id.
36 Perpetuity Research and Consultancy International Ltd, The Fight against Identity Fraud: A Brief Study of the EU, the UK, France, Germany and the Netherlands 10 (2006), available at http://www.perpetuityresearch.com/publications.html.
identifying measures that are currently being taken to prevent identity crime in the European Union. Identified as “best practices” are:37
a. Launching awareness and educational measures, including maintaining dedicated websites, citing the United Kingdom and France.
b. Public authorities keeping databases on identity documents, identity-related information, or on payment instruments. These databases may, for example, give details of lost and stolen documents or payment cards. Such databases are generally available to officials, but may have wider availability (citing the Netherlands, Belgium, Germany, Sweden, and two Interpol databases).
c. Single contact points allowing citizens to declare identity fraud/theft related problems (citing Canada, but no European Union countries).
The report goes on to recommend what else can be done, specifically, education, facilitation of access to databases, and setting up a central notification point in each country.38 It recommends better communication and cooperation among public authorities, and exchange of information among all parties. The need for more statistical data is emphasized.39 In addition, the report emphasizes the need for effective penalties, and creation of a specific crime of identity theft, as was done in the United Kingdom. Harmonization of EU criminal legislation in this regard is recommended.40 Other recommended measures are improving the capacity of police forces through the creation of dedicated specialized units, improving the training of magistrates and prosecutors in financial issues, and enabling rapid end-to-end investigations internationally.
The report notes that the private sector could facilitate these investigations by eliminating certain costs for the police (for example, in some countries, the police must pay Internet Service Providers to have an IP address identified).41
5.1.3 Organisation for Economic Co-Operation and Development
The Organisation for Economic Co-operation and Development, or OECD, is an international group of 30 countries that “uses its wealth of information on a broad range of topics to help governments foster prosperity and fight poverty through economic growth and financial stability.”42 The OECD’s Committee on
37 FPEG Report, supra note 802, at 32–33.
38 Id. at 34.
39 Id.
40 Id. at 35.
41 Id. at 35–36.
42 What We Do and How, OECD, http://www.oecd.org/pages/0,3417,en_36734052_36761681_1_1_1_1_1,00.html (last visited Jan. 21, 2010).
Consumer Policy published a paper entitled “Scoping Paper on Online Identity Theft,” prepared by Brigitte Acoca of the OECD Secretariat, which served as a basis for the development of policy principles on online identity crime. The paper was declassified on January 9, 2008.43 The OECD paper presents the results of a survey of the 30 OECD members of what they have done to address identity crime and the implications of creating a separate criminal offense for identity crime. It thoroughly describes the acquisition component: the different methods that identity thieves use to acquire victims’ personal information, including social engineering techniques and technical subterfuge involving the installation of malicious software. It describes the use component: different ways in which identity thieves misuse victims’ personal information. It then provides a profile of identity crime victims, including a discussion of whether identity crime is more prevalent offline or online. It then sets out OECD member country and international enforcement efforts aimed at stemming on-line identity crime.44 Of greatest value is the paper’s description of the current schemes of the OECD nations to combat identity crime, including various international, bilateral, and regional approaches to the problem.45 The paper also describes various public-private sector international enforcement initiatives.46 The OECD Scoping Paper concludes with a list of “Issues for Consideration” that member-states of the OECD should take into account in their efforts to combat identity crimes:47
Definition: There are no common definitions of the crime and its elements. These must be developed.
Legal status: Identity crimes are not offenses per se in most OECD member countries’ laws. Whether “identity theft” should be treated as a stand-alone offense needs to be considered.
Co-operation with private sector: The private sector must be involved, especially in launching awareness campaigns, developing industry best practices, and developing technological solutions.
43 Organisation for Economic Co-operation and Development (OECD), Scoping Paper on Online Identity Theft (Ministerial Background Report DSTI/CP(2007)3/FINAL, declassified 2008) [hereinafter “OECD Report”], available at http://www.oecd.org/sti/40644196.pdf.
44 Id. at 3.
45 Id. at 35–54.
46 Id. at 54.
47 Id. at 56.
Standards: Member countries must establish national standards for private sector data protection and impose a duty to disclose data security breaches on companies and other organizations storing data about their customers.
Statistics: Other than the United States and the United Kingdom, statistics on identity crimes do not exist. Only in the United States are identity crime statistics seen as a separate offense. Statistics need to be developed to determine the impact of identity theft in the digital marketplace.
Victim assistance: Member countries should consider developing victim assistance programs to help victims of identity theft recover and minimize their injuries.
Remedies: Member countries should consider whether to enact legislation to provide more effective legal remedies for victims of identity theft.
Deterrence and enforcement: Member countries should consider increasing resources for law enforcement, identity theft investigations, and training, especially given the rapid evolution of identity theft techniques and methods.
Education: Consumers, users, governments, businesses, and industry need to be educated on identity crimes.
Co-ordination and co-operation: Member countries should consider developing national centers dedicated to the investigation of identity theft crimes, as well as cooperating with other member countries in
a. enhancing deterrence
b. participating in key international treaties, like the Convention on Cybercrime
c. improving response to requests for investigative assistance, and
d. strengthening co-operation with foreign partners in areas such as training law enforcement.
5.1.4 Council of Europe: Convention on Cybercrime
The Council of Europe is an international organization, separate from the European Union, that works toward European integration.
It has established the Convention on Cybercrime,48 the first and only legally binding multilateral treaty addressing the problems posed by the spread of criminal activity online.49 Parties to the Convention are required to establish laws that criminalize security breaches resulting from illegal access to computer systems, illegal access to computer data, data interference, system interference, and the misuse
48 Council of Europe, Convention on Cybercrime, opened for signature Nov. 23, 2001, E.T.S. No. 185, [hereinafter “Cybercrime Convention”], available at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm.
49 OECD Report, supra note 811, at 50.
of access devices.50 An additional protocol was added in 2003 regarding the criminalization of acts of a racist and xenophobic nature committed through computer systems.51 The Convention aims for “a common criminal policy for the protection of society against cybercrime by adopting appropriate legislation and fostering international co-operation.”52 To achieve these goals, the Parties commit to establish certain substantive offenses in their laws which apply to computer crime. Online identity crime is not mentioned in the Convention; however, it is indirectly covered under sections pertaining to illegal access to computers, illegally accessing computer data, and computer-related fraud.53 Parties to the Convention must adopt laws to ensure that their law enforcement bodies have the necessary authority to deter, investigate and prosecute cybercrime offenses and actively participate in international co-operation efforts.54 As of January 22, 2010, the Convention had been ratified by 25 European countries as well as the United States.55
5.2 Conclusion
Identity crimes increasingly are committed across national borders, thus requiring several jurisdictions to become involved to prosecute the crimes. Despite laws and approaches to identity crime that are at best at odds or at worst nonexistent, authorities in the various jurisdictions affected are often compelled to cooperate, however awkwardly, to prosecute crimes committed. As will become more evident in Chapter 6, only a handful of nations now criminalize identity-related crime; but their approaches, while similar in some respects, are at considerable variance. And as discussed in this chapter, a number of regional political and semi-political bodies have begun dealing with identity
50 Convention on Cybercrime, supra note 816, at ch. II, sec. 1, tit. 1.
51 Council of Europe, Convention Committee on Cybercrime, Additional Protocol to the Convention on Cybercrime, Concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed Through Computer Systems, Nov. 23, 2001, E.T.S. No. 189, available at http://conventions.coe.int/Treaty/en/Treaties/Html/189.htm.
52 Convention on Cybercrime, supra note 816, at pmbl.
53 OECD Report, supra note 811, at 50.
54 Convention on Cybercrime, supra note 816, at art. 25.
55 Convention on Cybercrime Signatories as of Mar. 30, 2010, Council of Europe, http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG (last visited Mar. 30, 2010).
crime as a collective problem. This is progress, but progress on a regional basis. The larger international community will continue to face a rise in identity crime, and no matter how much progress the various nations and regional organizations make in dealing with identity crime, there still needs to be an international treaty that presents genuinely common rules and guidelines to deal with a genuinely international problem. In much the same way that the international community eventually felt the need to draft an international treaty to deal with cybercrime, it is likely that it will eventually deem it necessary to draft a treaty to deal with identity crime. Chapter 9 presents a draft of such a treaty.
Chapter 6
Identity Crime Legislation in the United States, Canada, Australia and the United Kingdom
Introduction
Chapter 6 provides an analysis of the identity crime statutes, as well as some case law, of the United States,1 Canada,2 Australia,3 and the United Kingdom.4 It also describes various other, non-criminal statutes and regulatory programs aimed at combating identity crimes and recovering identity once it is lost. Most of the world does not have laws focusing on identity crime. The four countries presented here all do have laws specific to identity crime (herein called “identity-specific statutes”), which includes any statutes related to identity, identity theft, and/or identity fraud, as well as additional laws that may be used in prosecuting identity crimes (herein called “identity-related statutes”). This chapter identifies all such laws, and analyzes whether the laws adequately cover the five components of the Identity Crime Model: acquisition, production, transfer, possession, and use.5 Note that the identity-related statutes are often not even remotely connected to identity crimes: For example, in the United States, mail fraud and wire fraud statutes are often used by federal prosecutors, and such statutes are discussed in this chapter.6 The United States, which was first to pass identity crime statutes, receives the most in-depth analysis, including a look at the identity crime statutes of its five largest states: California,7 Texas,8 New York,9 Florida,10 and Illinois.11 The United States also has the most extensive case law on the subject, providing a
1 Part 6A.
2 Part 6B.
3 Part 6C.
4 Part 6D.
5 For a discussion of the Identity Crime Model, see Chapter 3.
6 See Parts 6A.3.4, 6A.3.5.
7 Part 6A.5.1.
8 Part 6A.5.2.
9 Part 6A.5.3.
10 Part 6A.5.4.
11 Part 6A.5.5.
© Koninklijke Brill NV, Leiden, 2020 | DOI:10.1163/9789004395978_007
glimpse of the activities of identity criminals and the responses of officials. The United States shows us how such laws work, and how they fall short; its legislative history compilations let us see the evolution of the statutory schemes. Because statistical analyses are available, one can also see whether the laws have had an effect on the growth of identity crime.
Canada12 has not had a specific identity crime statute for long, but its statute, which came into effect in 2010, can serve as a model for the rest of the world. Canada covers the five components of identity crime, and its statute should be an effective prosecutorial tool. The eventual emergence of case law and crime statistics will tell whether the statute has worked as anticipated.
Australia13 has been a leader in combating identity crime. Legislators have done extensive work on creating a comprehensive statute. However, Australia, like the United States, has a federal system, and the Australian states and territories have primacy when it comes to criminal matters. There is no provision in Australia that crimes involving interstate commerce are the domain of federal prosecutors, as in the United States.14 National statutes mostly pertain to objects directly connected with the national government. Thus, this chapter also examines the identity crime statutes of the states of South Australia15 and Queensland,16 which are perhaps more significant than the federal statute.
Although the United Kingdom,17 as the birthplace of the Common Law, is the fount from which the other countries herein covered derive their legal systems, the U.K. scheme of identity crime statutes is not well thought out. Nevertheless, its hodgepodge of different statutes has the effect, as shown in the Analysis,18 of covering, to some extent, the five components of the Identity Crime Model. One U.K.
statute, the Identity Card Act,19 addresses identity crimes specifically; however, aspects of identity crime other than the national identification card are covered in a variety of other statutes. These four countries are in the vanguard of those recognizing the problem of identity crime, and have passed measures to address the issue.20 Other
12 Part 6B.
13 Part 6C.
14 For the pertinent U.S. provisions on federal jurisdiction, see Part 6A.2.1(b)(1).
15 Part 6C.8.
16 Part 6C.9.
17 Part 6D.
18 Part 6D.2.
19 Part 6D.3.
20 In preparing this book, the author has surveyed a number of countries’ laws, including both civil and common-law countries, and on every continent. No other country has
jurisdictions enacting legislation can look to these laws and adopt measures that suit their needs, and that fit within their legal traditions. But what we see is that none of these countries’ statutes adequately covers identity crime and, most importantly, none covers identity crime under a single umbrella. Therefore, a model statute that will incorporate elements of all of these countries will be developed based on the lessons learned from these countries and the identity crime model developed in Chapter 3 of this book.
Part A United States Statutes
6A.1 Introduction
Only the United States and Canada have extensive national identity crime laws that specifically target identity crimes.21 The U.S. statute,22 which dates from the 1980s, was of limited scope, basically covering only the production, possession, and transfer of government-issued identity documents. In 1998, however, the Identity Theft and Assumption Deterrence Act became law,23 extending the scope of identity crimes to using or transferring any “means of identification,” as defined by the statute, if the act is done with the intent of committing, or abetting the commission of, some other illegal act.24 The law was further amended by the Identity Theft Penalty Enhancement Act of 200425 to include “possessing,” in addition to using and transferring.26 A later statute,27 covering “aggravated identity theft,” essentially increased the penalties associated with other specified crimes if identity theft was one of the criminal acts used to commit those other crimes. The latest congressional effort to contain the
20 (continued) passed identity theft laws, with the exception of India, which has passed one statute pertaining solely to computer data, the India Information Technology Act 2008, section 66C, “Punishment for Identity Theft.” The other countries surveyed are Argentina, Brazil, Bulgaria, China, France, Germany, Greece, Indonesia, Japan, Malaysia, Mexico, New Zealand, Nigeria, Norway, Pakistan, Russia, Saudi Arabia, Turkey, and Ukraine.
21 Australian states, as well as U.S. states, also have laws that target identity crime.
22 18 U.S.C. § 1028 (2006).
23 Identity Theft and Assumption Deterrence Act of 1998, Pub. L. No. 105–318, 12 Stat. 3007 (1998) (codified as amended at 18 U.S.C. § 1082 (2006)).
24 18 U.S.C. § 1028(a)(7).
25 Identity Theft Penalty Enhancement Act of 2004, Pub. L. No. 108–275, 118 Stat. 831 (2004) (codified as amended at 18 U.S.C. § 1082 (2006)).
26 18 U.S.C. § 1028(a)(7).
27 Id. § 1028A.
spread of identity crimes was the Identity Theft Enforcement and Restitution Act of 2008,28 signed by President George W. Bush in September 2008. That act made it easier for law enforcement officials to punish identity criminals who use computerized methods, and specifies that the victims of cybercrime may be awarded damages for money and time lost because of such crime.29 Identity crime laws have been in place for many years in the United States, but they have not proven particularly effective in decreasing the occurrence of such crimes; in fact, the numbers have been increasing, with 11.1 million Americans identifying themselves as victims of “identity fraud” in 2009, which was up 12 percent from 2008.30 The amount of damage done by such fraud was $54 billion, which increased 12.5 percent from 2008.31 One reason suggested for this increase is the lack of a coordinated national effort to combat such crimes. Although a Presidential Task Force32 was formed in 2008 to coordinate an approach to identity crime among various government agencies,33 the Justice Department’s Office of the Inspector General has found that many of the recommendations of the President’s Task Force have not been implemented, and identity crime initiatives have faded as priorities.34 The Department of Justice (DOJ) has not developed a coordinated plan to combat identity crime, and DOJ employees have not received guidance from the DOJ’s leadership on what to do about it.35 The FBI has not ranked identity crime among its top priorities, even though identity crime is investigated in a significant number
28 Identity Theft Enforcement and Restitution Act of 2008, Pub. L. 110–326, § 207, 122 Stat. 3563 (codified as amended in 18 U.S.C. § 130(e)(2)(B)). The titles of the 1998, 2004, and 2008 statutes, all containing the phrase “identity theft,” may well be the reason that the crime is generally called “identity theft” rather than the more accurate “identity fraud” or the preferred term of this book, “identity crime.”
29 See Brian Krebs, New Federal Law Targets ID Theft, Cybercrime, Wash. Post, Oct. 1, 2008, http://voices.washingtonpost.com/securityfix/2008/10/new_federal_law_targets_id_the.html.
30 Robert Vamosi et al., Javelin Strategy & Research, 2010 Identity Fraud Survey Report: Identity Fraud Continues to Rise – New Accounts Fraud Drives Increase; Consumer Costs at an All-Time Low (Feb. 2010), available at https://www.javelinstrategy.com/research/brochures/Brochure-170..
31 Id.
32 Exec. Order No. 13402, 71 Fed. Reg. 27945 (May 15, 2006) (establishing the President’s Task Force on Identity Theft).
33 About the Task Force, Identity Theft is a Crime: Resources from the Government, http://www.idtheft.gov/about.html (last visited May 16, 2010).
34 Office of the Inspector General, Audit Division, U.S. Depart. of Justice, The Department of Justice’s Efforts to Combat Identity Theft, at ii (March 2010), available at http://www.justice.gov/oig/reports/plus/a1021.pdf.
35 Id. at ii-iii.
of the FBI’s priority programs, including those targeting computer intrusion, mortgage fraud, and national security investigations.36 Along with recommending that various DOJ agencies make identity crime a greater priority, the DOJ’s Inspector General (IG) has addressed the problems with the statistics now available, and recommends that the agencies ensure that identity crime statistics gathered through surveys are reported promptly, and that agencies begin collecting data for individual victims, rather than households, because currently the surveys do not capture data on multiple victims in a household or multiple episodes of identity crime.37 The lack of a plan to combat identity crime is evident when one compares the official Office of the U.S. Courts’ statistics38 to the statistics derived from the survey discussed above, prepared by Javelin Strategy and Research.39 The Javelin Survey reports that 11.1 million U.S. residents experienced identity fraud in 2009.40 The Courts Office reports, however, that the number of prosecutions for fraud involving identity documents was 2,202 for the 12 months ending September 2009, compared with 1,345 in 2008, 1,943 in 2007, 1,077 in 2006, and 1,069 in 2006.41 According to the Courts Office, in 2009, fraud filings became the third-largest offense category, after drug and immigration offenses, surpassing firearms violations. “The increase in fraud filings stemmed from a surge in filings addressing identification documents and information.”42 The disparity between people reporting they were victimized by identity fraud, reflected in the Javelin Survey, and the number of prosecutions is jarring: potentially millions of crimes experienced by U.S. citizens go unprosecuted, even though the U.S. statute is one of the toughest in the world.
One aspect of identity crime is barely represented in the statistics: that is the problem of “synthetic identity fraud.” Synthetic identity fraud has, according to surveys,43 become the most common type of identity fraud, surpassing
36 Id. at 25.
37 Id. at 28, 30.
38 James C. Duff, Director, Administrative Office of the United States Courts, Judicial Business of the United States Courts: 2009 Annual Report of the Director 219–222 (2009), available at http://www.uscourts.gov/uscourts/Statistics/JudicialBusiness/2009/JudicialBusinespdfversion.pdf.
39 Vamosi et al., supra note 853.
40 Id.
41 Duff, supra note 861.
42 Id. at 14.
43 Leslie McFadden, Detecting Synthetic Identity Fraud, Bankrate.com (May 16, 2007), http://www.bankrate.com/brm/news/pf/identity_theft_20070516_a1.asp?s=1#tab.
“true-name” identity fraud, in which the fraud involves actual persons whose means of identification is taken by others. In 2005, a study showed that synthetic identity fraud accounted for 74 percent of the amount that businesses lost due to identity fraud, and for 88 percent of all identity fraud events, such as new account openings and address changes.44 A comparison with earlier surveys showed that the prevalent mode of identity crime shifted from true-name to synthetic identity fraud over the course of five years.45 Surveys of victims cannot capture statistics on synthetic identity crime, because the combination of a name, address and social security number does not correspond to one particular consumer, and any particular individual is not likely to realize that a piece of identifying information has been stolen. The fraud may go undetected, and financial institutions, the true victims of the fraud, are also unlikely to report the theft.46
6A.1.1 Analysis of the U.S. Identity Crime Statutes and Related Statutes
The two U.S. identity theft statutes47 criminalize many of the components of identity crime, but they are not comprehensive, as shown in the table below. However, the identity-crime-specific statutes, combined with several other identity-crime-related statutes, create a comprehensive framework for fighting identity crimes. Even under a regime comprised of all the relevant statutes, however, some acts that could be criminalized are missing: for example, “stealing” someone’s identity is not specifically a crime other than by applying statutes not truly contemplating identity theft, such as fraud or larceny statutes. The table below reveals the key components of identity crime (in the left-hand column) and provides a guide to what statute a prosecutor could look toward in charging an identity criminal:
44 Id. (“ ‘True-name identity fraud was the prevalent identity theft mode about five years ago,’ says Steve Coggeshall, chief technology officer of ID Analytics. ‘Synthetic identity fraud is the dominant mode now.’ ” (citing a 2005 ID Analytics report)).
45 Id. (quoting ID Analytics chief technology officer Steve Coggeshall.).
46 Synthetic ID Theft, Cyber Space Times, http://www.unc.edu/~dubal/idtheft/synthetic.htm (last visited Oct. 31, 2012) (“11.7% of successfully opened fraudulent account applications were opened using a real person’s identity. The remaining 88.3% of the successfully opened fraudulent account applications appeared to be opened using a synthetic identity. Synthetic identity fraud also represented the majority of dollar losses: 73.8% of dollar losses were due to synthetic identity fraud, compared to 26.2% for true-name identity theft.”).
47 18 U.S.C. §§ 1028, 1028A (2006).
Table 8: U.S. identity crime related statutes
Component of identity crime
Section of Title 18 of the U.S. Code, or other USC sections
Description of law: Law prohibits …
Production of identity (either associated with a real person, or not so associated)
§§ 470 to 514
Forgery of various specific items
§ 1028(a)(1)
Producing an identification document or authentication feature without lawful authority, or producing a false identification document
§ 1028(a)(5)
Producing a document-making implement or authentication feature, intending to use it (a) to produce a false identification document or (b) to produce another document-making implement or authentication feature that will be so used
§ 1029(a)(1)
Producing one or more counterfeit access devices
§ 1029(a)(4)
Producing access device-making equipment
§ 1037(a)(3) (e-mail fraud)
Materially falsifying header information in multiple commercial electronic mail messages and intentionally initiating the transmission of such messages
§ 1037(a)(4) (e-mail fraud)
Registering falsified e-mail accounts or domain names, and sending messages from such accounts or domain names
Cases
U.S. v. Ogbemudia, 364 Fed. Appx. 72 (5th Cir. 2010); U.S. v. Popa, 361 Fed. Appx. 854 (9th Cir. 2010); U.S. v Amry, 2003 WL 124678 (S.D.N.Y. Jan. 16, 2003)
U.S. v. Jenkins-Watts, 574 F.3d 950 (8th Cir. 2009); U.S. v Amry, 2003 WL 124678 (S.D.N.Y. Jan. 16, 2003)
U.S. v. Kilbride, 584 F.3d 1240 (9th Cir. 2009)
U.S. v. Kilbride, 507 F. Supp. 2d 1051 (D. Ariz. 2007) (related to 9th Cir. Kilbride case)
Acquisition
42 U.S.C. § 408(a)(7)(C)
Altering or counterfeiting a Social Security card
U.S. v. Persichilli, 608 F.3d 34 (1st Cir. 2010).
§ 641 to 669
Acquiring someone else’s identity may be considered a theft that can be prosecuted under federal law if it involves the federal government in various ways outlined by the statute, or involves an employee benefit plan
Intentionally accessing a “protected computer” without authorization or in excess of one’s authorized access to obtain information contained in a bank record, or of a credit card issuer, or contained in a file of a consumer reporting agency on a consumer; or information from a U.S. department or agency; or information from a “protected computer”
U.S. v. Amry, 2003 WL 124678 (S.D.N.Y. Jan. 16, 2003)
§ 1030(a)(2)(A), (B), (C)
§ 1037(a) (e-mail fraud)
Falsely representing oneself to be the registrant or the legitimate successor in interest to a registrant of Internet Protocol addresses, and intentionally initiating the transmission of multiple commercial electronic mail messages from such addresses, or conspiring to do so
U.S. v. Wadford, 331 Fed. Appx. 198 (4th Cir. 2009); U.S. v. Scheller, H.R. Rep. No. 108–528 at 781 (2004)
CHAPTER 6
§ 1039(a)
Knowingly and intentionally obtaining, or attempting to obtain, confidential phone records information of a telecommunications carrier
Using the mails for the purpose of executing a scheme or artifice to defraud or to obtain money or property by means of false or fraudulent pretenses, representations, or promises
Altering or counterfeiting a Social Security card
U.S. v. Persichilli, 608 F.2d 34 (1st Cir. 2010)
§ 1341 (mail fraud)
42 U.S.C. § 408(a)(7)(C)
Possession
§ 1002 (fraud on federal government): Possession of false papers with the intent to defraud the United States, in order to obtain money
§ 1028(a)(3): Possessing, with intent to use or transfer unlawfully, five or more identification documents or authentication features, other than identification documents issued lawfully for the use of the possessor
§ 1028(a)(4): Possessing an identification document or authentication feature intending to defraud the United States
U.S. v. Perez-Rodriguez, 358 Fed. Appx. 700 (7th Cir. 2009)
U.S. v. Green-Jones, H.R. Rep. No. 108–528 at 782 (2004)
§ 1028(a)(5)
Possessing a document-making implement or authentication feature, intending to use it (a) to produce a false identification document or (b) to produce another document-making implement or authentication feature that will be so used
Possessing an identification document, or an authentication feature, that is or appears to be one authorized by the federal government, or one from a sponsoring entity for an event designated as one of national significance, that is stolen or produced without lawful authority, with knowledge that it is stolen or produced without such authority
U.S. v. Pearce, 65 F.3d 22 (4th Cir. 1995); U.S. v. McCants, 554 F.3d 155 (D.C. Cir. 2009); U.S. v. Castorena-Ibarra, 230 Fed. Appx. 846 (10th Cir. 2007).
Possessing, without lawful authority, a means of identification of another person, with the intent to commit, aid, or abet a violation of federal law, or a felony under state or local law, or in connection with such violation
U.S. v. Berry, 583 F. Supp.2d 749 (E.D. Va. 2008); U.S. v. Berry, 369 Fed. Appx. 500 (4th Cir. 2010); U.S. v. Fergerson, H.R. Rep. No. 108–528 at 782.
§ 1028(a)(6)
§ 1028(a)(7)
U.S. v. Chavez-Quintana, 330 Fed. Appx. 724 (10th Cir. 2009)
§ 1028A(a)(1), (a)(2)
Possessing, without lawful authority, a means of identification of another person during or in relation to the commission of certain other underlying felonies. This statute adds to the penalties for the underlying felonies.
Possessing 15 or more devices that are counterfeit or unauthorized access devices
Having control or custody of, or possessing access-device-making equipment
Possessing a real or counterfeit Social Security card with intent to alter or sell it
U.S. v. Perez-Rodriguez, 358 Fed. Appx. 700 (7th Cir. 2009); U.S. v. Ogbemudia, 364 Fed. Appx. 72 (5th Cir. 2010); U.S. v. Popa, 361 Fed. Appx. 854 (9th Cir. 2010)
Transferring an identification document or authentication feature with knowledge that it was stolen or produced illegally
Transferring a document-making implement or authentication feature, intending to use it (a) to produce a false identification document or (b) to produce another document-making implement or authentication feature that will be so used
U.S. v. Quinteros, 769 F.2d 968 (4th Cir. 1985)
§ 1029(a)(3)
§ 1029(a)(4)
42 U.S.C. § 408(a)(7)(C)
Transfer/Trafficking
§ 1028(a)(2)
§ 1028(a)(5)
U.S. v. Popa, 361 Fed. Appx. 854 (9th Cir. 2010)
U.S. v. Lall, 607 F.3d 1277 (11th Cir. 2010); U.S. v. Gurumoorthy, 368 Fed. Appx. 773 (9th Cir. 2010)
U.S. v. Persichilli, 608 F.2d 34 (1st Cir. 2010)
U.S. v. Pearce, 65 F.3d 22 (4th Cir. 1995).
§ 1028(a)(7)
Transferring, without lawful authority, a means of identification of another person, with the intent to commit, aid, or abet a violation of federal law, or a felony under state or local law, or in connection with such violation
Trafficking in false or actual authentication features to use in false identification documents, document-making implements, or means of identification
U.S. v. Valere, 388 Fed. Appx. 922 (C.A.11 (Fla.), 2010); U.S. v. Amry, 2003 WL 124678 (S.D.N.Y. Jan. 16, 2003)
Transferring, without lawful authority, a means of identification of another person during or in relation to the commission of certain other underlying felonies. This statute adds to the penalties for the underlying felonies.
Trafficking in one or more counterfeit access devices
Trafficking in one or more unauthorized access devices during any one-year period, and obtaining anything of value worth $1,000 or more during that period
U.S. v. Luke, 628 F.3d 114 (4th Cir. 2010)
§ 1028(a)(8)
§ 1028A(a)(1), (a)(2)
§ 1029(a)(1)
§ 1029(a)(2)
U.S. v. Cline, 286 Fed. Appx. 817 (4th Cir. 2008).
U.S. v. Harris, 597 F.3d 242 (5th Cir. 2010); U.S. v. Battles, 156 F.3d 852 (8th Cir. 1998)
§ 1029(a)(6)
Without the authorization of the issuer of the access device, soliciting a person for the purpose of offering an access device; or selling information regarding or an application to obtain an access device
U.S. v. Alvelo-Ramos, 957 F. Supp. 18 (D.P.R. 1997)
Without the authorization of the credit card system member or its agent, causing or arranging for another person to present to the member or its agent, for payment, one or more evidences or records of transactions made by an access device
§ 1029(a)(10)
§ 1030(a)(6)
Trafficking in passwords or similar information through which a computer may be accessed without authorization
§ 1039(b), (c) (confidential phone records): Knowingly and intentionally selling or transferring, or attempting to sell or transfer, confidential phone records information of common carrier, or receiving such information
§ 1546(a) (immigration fraud): Transferring a document for entry into United States to one not entitled to that document
42 U.S.C. § 408(a)(7)(C): Buying or selling a real or counterfeit Social Security card
State Analysis, Inc. v. American Financial Services Assoc., 621 F. Supp. 2d 309 (E.D. Va. 2009).
U.S. v. Andrade-Rodriguez, 531 F.3d 721 (8th Cir. 2008)
Use
§§ 1001, 1003, 1014, 1112: Fraud against U.S. government
§ 1015(c) (immigration fraud): Using an immigration document while knowing it was obtained by fraud
§ 1028(a)(7): Knowingly using, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity
§ 1028A(a)(1), (a)(2)
U.S. v. Andrade-Rodriguez, 531 F.3d 721 (8th Cir. 2008)
U.S. v. Berry, 583 F. Supp.2d 749 (E.D. Va. 2008); U.S. v. Wadford, 331 Fed. Appx. 198 (4th Cir. 2009); U.S. v. Opara, H.R. Rep. No. 108–528 at 782 (2004); U.S. v. Maxfield, H.R. Rep. No. 108–528 at 782 (2004); U.S. v. Benavides-Holgun, H.R. Rep. No. 108–528 at 782 (2004).
Using, without lawful authority, a means of identification of another person during or in relation to the commission of certain other underlying felonies. This statute adds to the penalties for the underlying felonies.
U.S. v. Cooks, 589 F.3d 173 (5th Cir. 2009) (sentencing guidelines case); U.S. v. Wadford, 331 Fed. Appx. 198 (4th Cir. 2009); U.S. v. Perez-Rodriguez, 358 Fed. Appx. 700 (7th Cir. 2009); U.S. v. Gaspar, 344 Fed. Appx. 541 (11th Cir. 2009); U.S. v. Popa, 361 Fed. Appx. 854 (9th Cir. 2010); U.S. v. Jenkins-Watts, 574 F.3d 950 (8th Cir. 2009); U.S. v. Pena, 380 Fed. Appx. 623 (9th Cir. 2010); U.S. v. Blixt, 548 F.3d 882 (9th Cir. 2008); U.S. v. McNeil, 320 F.3d 1034 (9th Cir. 2003); U.S. v. Mobley, 618 F.3d 539 (6th Cir. 2010); U.S. v. Andrade-Rodriguez, 531 F.3d 721 (8th Cir. 2008)
§ 1029(a)(1)
§ 1029(a)(2)
§ 1029(a)(5)
§ 1030(a)(7)
§ 1037(a)(2) (e-mail fraud)
Using one or more counterfeit access devices
Using one or more unauthorized access devices during any one-year period, and obtaining anything of value worth $1,000 or more during that period
Effecting transactions, with 1 or more access devices issued to another person or persons, to receive payment or any other thing of value during any 1-year period the aggregate value of which is equal to or greater than $1,000
Unauthorized use of Social Security number by falsely representing that the number was assigned by the Commissioner of Social Security to him or to another person, when in fact the number was not so issued
Using a protected computer to relay or retransmit multiple commercial electronic mail messages, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages.
U.S. v. Jenkins-Watts, 574 F.3d 950 (8th Cir. 2009)
U.S. v. Harris, 597 F.3d 242 (5th Cir. 2010)
U.S. v. Kilbride, 584 F.3d 1240 (9th Cir. 2009)
§ 1037(a)(3) (e-mail fraud)
Transmitting messages with altered headings, which constitutes the production of false identity.
Sending messages from falsified accounts or domain names.
Intentionally initiating the transmission of multiple commercial electronic mail messages from Internet Protocol addresses to which one is not entitled
Using the mails for the purpose of executing a scheme or artifice to defraud or to obtain money or property by means of false or fraudulent pretenses, representations, or promises.
U.S. v. Pena, 380 Fed. Appx. 623 (9th Cir. 2010); U.S. v. Blixt, 548 F.3d 882 (9th Cir. 2008)
§ 1037(a)(4) (e-mail fraud)
§ 1037(a)(5) (e-mail fraud)
§ 1341 (mail fraud)
§ 1342 (mail fraud)
In order to conduct a scheme or artifice, using a fictitious name, or taking on an assumed title, name, or address or a name other than one’s own proper name, or taking or receiving from any post office any letter, postal card, package, or other mail matter addressed to other than a person’s proper name.
U.S. v. Pena, 380 Fed. Appx. 623 (9th Cir. 2010); U.S. v. Blixt, 548 F.3d 882 (9th Cir. 2008)
§ 1343 (wire fraud)
Using wire communication, radio or television to obtain money or property by means of false or fraudulent pretenses.
Obtaining property owned by or under the control of a financial institution, by means of false or fraudulent pretenses
Executing a scheme or artifice to defraud any health care benefit program; or to obtain, by means of false or fraudulent pretenses, any of the money or property owned by, or under the custody or control of, any health care benefit program
U.S. v. McNeil, 320 F.3d 1034 (9th Cir. 2003); U.S. v. Mobley, 618 F.3d 539 (6th Cir. 2010)
§ 1344 (bank fraud)
§ 1347(a) (health care fraud)
§ 1546(a) (immigration fraud): Obtaining entry to United States by impersonating another living or dead person, or through an assumed or fictitious identity
§ 1546(b) (immigration fraud): Using a false immigration document for verification of employment status
42 U.S.C. § 408(a)(7)(B)
Use of another’s Social Security card or number to obtain benefits for oneself
U.S. v. McNeil, 320 F.3d 1034 (9th Cir. 2003); U.S. v. Pham, 545 F.2d 712 (9th Cir. 2008)
U.S. v. Abdelshafi, 592 F.3d 602 (4th Cir. 2010); U.S. v. Omar, 567 F.3d 362 (8th Cir. 2009)
U.S. v. Grajeda-Gutierrez, 372 Fed. Appx. 890 (10th Cir. 2010)
Flores-Figueroa v. U.S., 129 S. Ct. 1886 (2009); Hoffman Plastic Compounds, Inc. v. N.L.R.B., 535 U.S. 137, 122 S. Ct. 1275 (2002)
U.S. v. Chavez-Quintana, 330 Fed. Appx. 724 (10th Cir. 2009); U.S. v. Herrera-Martinez, 525 F.3d 60 (1st Cir. 2008)
6A.2 Identity-Crime-Specific Statutes
6A.2.1 Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information (18 U.S.C. § 1028)
The primary American identity crime statute, section 1028 of title 18 of the United States Code, was originally passed in 1982, and has been amended many times since. It is entitled “Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information.” In 2004, a separate statute, section 1028A, was added as the separate crime of “Aggravated Identity Theft.”48
A Why the Federal Statute Was Enacted
The origins of the federal identity theft statute49 are well-documented. The original statute was the result of a report commissioned by the U.S. Attorney General under former President Gerald Ford, which had concluded that “false identification documents could be obtained readily and inexpensively throughout the United States from a variety of commercial sources, and that genuine government identification documents could be easily obtained from the issuing offices by means of simple misrepresentations.”50 The study emphasized four important findings, which were confirmed by the General Accounting Office:51
1. most illicit hard drugs entering the country were smuggled by persons using false identification;
2. illegal aliens using false identification cost taxpayers over $12 billion per year;
3. most fugitives used false identification, some having over 30 identities; and
4. check and credit card fraud, securities fraud, and embezzlement using false identification cost American business over $1 billion per year.
48 Discussed below.
49 18 U.S.C. § 1028 (2006).
50 The legislative history of the first identity theft statute is contained in a House of Representatives’ report. H.R. Rep. No. 97–802 (1982), reprinted in 1982 U.S.C.C.A.N. 3519. (discussing the False Identification Crime Control Act of 1982). The study quoted in the House Report was submitted to President Ford’s Attorney General, Edward H. Levi, on October 8, 1976.
51 H.R. Rep. No. 97–802 (1982), reprinted in 1982 U.S.C.C.A.N. 3519.
Later reports and studies leading to passage of the bill increased the amounts of damage thought to be caused by identity misuse, and suggested solutions to the problem, such as the issuance of tamper-resistant social security cards.52
The Attorney General’s report concluded that existing federal laws were not sufficient to deter crimes involving false identification, because:
1. they did not adequately cover state documents – such as drivers’ licenses – which were frequently used to obtain other identification documents;
2. they did not adequately cover criminal conduct relating to specific federal documents;
3. their penalties were not severe enough; and
4. the laws were not a priority of law enforcement officials.
In the report, Congress noted surveys finding that nearly half of all aliens applying for unemployment benefits in one state, Illinois, possessed counterfeit cards indicating legal residence in the United States; hence, the taxpayers were paying millions of dollars in undeserved unemployment benefits. The Treasury Department reported to Congress that currency counterfeiters often possess other counterfeit documents, such as social security cards, drivers’ licenses, food stamp identification cards, and voter registration cards. The Bureau of Alcohol, Tobacco and Firearms reported that firearms smugglers routinely use fraudulent drivers’ licenses to acquire firearms. The Customs Service revealed that drug couriers use false identification to avoid the reporting requirements of the Bank Secrecy Act.53
The resulting statute was designed by Congress to provide “a strong deterrent to false identification-related crime and to the manufacturers and distributors of false identification in particular.” The House Report noted, however, that “federal legislation alone cannot eradicate the problem of false identification,” and urged state and local governments and the private sector to implement “appropriate preventive and enforcement measures.”54
B The Offense
The criminal offense commonly known as “identity theft”55 is officially entitled “Fraud and related activity in connection with identification documents,
52 Id.
53 Id.
54 Id.
55 It may be that the term “identity theft” is attached to this offense because of its being amended by Acts of Congress containing the term “identity theft,” starting with the Identity Theft and Assumption Deterrence Act of 1998. Pub. L. No. 105–318, 12, stat. 3007 (codified as amended at 18 U.S.C. § 1082 (2006)).
authentication features, and information.” The statute requires that a person who commits the crime act “knowingly.”56 One cannot recklessly commit an identity crime, nor can one commit such a crime accidentally or negligently or mistakenly. To be guilty of the crime, a person must intend to commit the crime.
Eight specific activities are illegal under the federal identity crime statute if they are committed knowingly.57 They are:
1. producing an identification document58 or authentication feature without lawful authority, or producing a false identification document;59
2. transferring an identification document or authentication feature with knowledge that it was stolen or produced illegally;60
3. possessing, with intent to use or transfer unlawfully, five or more such documents or features, other than identification documents issued lawfully for the use of the possessor;61
4. possessing such document or feature intending to defraud the United States;62
5. producing, transferring, or possessing a document-making implement or authentication feature, intending to use it (a) to produce a false identification document or (b) to produce another document-making implement or authentication feature that will be so used;63
6. possessing an identification document, or an authentication feature, that is or appears to be one authorized by the federal government, or one from a sponsoring entity for an event designated as one of national significance, that is stolen or produced without lawful authority, with knowledge that it is stolen or produced without such authority;64
7. transferring, possessing, or using, without lawful authority, a means of identification of another person, with the intent to commit, aid, or abet a violation of federal law, or a felony under state or local law, or in connection with such violation65 (a single document that contains more than
56 18 U.S.C. § 1028(a)(1)-(8) (2006).
57 Id.
58 Note that an “identification document” must be government-issued or from an organization sanctioned by a government. See discussion below.
59 18 U.S.C. § 1028(a)(1).
60 Id. § 1028(a)(2).
61 Id. § 1028(a)(3).
62 Id. § 1028(a)(4).
63 Id. § 1028(a)(5).
64 Id. § 1028(a)(6).
65 The language “in connection with” was added by the Identity Theft Penalty Enhancement Act of 2004. See H.R. Rep. No. 108–528, at 786 (2004) reprinted in 2004 U.S.C.C.A.N. 779.
one means of identification is considered to be one means of identification66);67
8. trafficking in false or actual authentication features to use in false identification documents, document-making implements, or means of identification.68
A person who attempts or conspires to commit any of the offenses listed is subject to the same penalties as those prescribed for the offense.69
1 Note on Federal Jurisdiction
One may commit a federal identity crime only if the federal government has jurisdiction over the crime. The U.S. Constitution limits the power of Congress to pass criminal statutes or, rather, it enumerates the types of law that Congress is allowed to pass.70 In the federal identity crime statute, Congress devotes a section to explaining the circumstances under which the statute may be applied, each of which is a basis for federal jurisdiction.71 Under the jurisdiction provision, the law may be applied:
1. where the identification document, authentication feature, or document-making implement was issued under federal auspices;72
2. where possession of the identification document was with the intent to defraud the United States;73
3. when interstate or foreign commerce is somehow affected by the offense, including transmitting the document or feature electronically;74 or
4. when the U.S. mails are used in the course of committing the offense.75
A statement of the constitutional basis for federal jurisdiction is a pro forma feature of much federal criminal legislation to fend off challenges to its constitutionality. On rare occasions, the Supreme Court has agreed with such a challenge, and ruled that passage of a criminal statute is beyond Congress’s authority because it in no way affects interstate commerce or any other federal interest.76
66 18 U.S.C. § 1028(i).
67 Id. § 1028(a)(7).
68 Id. § 1028(a)(8).
69 Id. § 1028(f).
70 U.S. Const. art. I, § 8.
71 18 U.S.C. § 1028(c).
72 Id. § 1028(c)(1).
73 Id. § 1028(c)(2) (referring to § 1028(a)(4)).
74 Id. § 1028(c)(3)(A).
75 Id. § 1028(c)(3)(B).
76 For example, in U.S. v. Lopez, the Supreme Court held that the establishment of gun-free zones near schools is not within the power of Congress, because the statute had nothing
In an identity crime prosecution under 18 U.S.C. § 1028, the interstate commerce component was not satisfied merely by showing that a defendant had used, in his Virginia drug trade, social security numbers that had originated in Maryland and had been issued to persons in New Jersey. In U.S. v. Berry,77 there was no evidence that the defendant’s fraudulent acts had caused the numbers to cross state lines, thus affecting interstate commerce, or that the defendant’s intended goals in the fraudulent use of the numbers would cause him or the numbers to cross state lines. Nor was the interstate commerce element satisfied by showing that the false social security numbers used by the defendant had been entered into a federal database78 serving as a national crime notification service. Any economic effect from entry into the database was purely incidental to the entry of the numbers; traditional government activity of this sort differs significantly from commercial activity.79 Nevertheless, sufficient evidence supported a finding that the defendant’s use of fraudulent social security numbers in his cocaine trade affected interstate commerce. In turn, conviction for a cocaine offense supported the conviction for the federal offense of identity theft. Drug dealing is an inherently economic activity that affects interstate commerce, and the defendant’s use of others’ social security numbers is tied to that drug dealing.80 The interstate commerce element was also met in U.S. v. Pearce,81 where the defendants possessed various document-making implements that were made in another state and other countries, and they possessed identification cards from three other states. 
C Covered Instruments
In carving out a new area of statutory concern, Congress adopted new terminology that would evolve into the parlance of identity theft.82 This terminology describes the items covered by the statute, which are referred to by the Department of Justice as “covered instruments.”83 The statute defines seven crucial terms, marking out the major concerns of the law of identity crime.
to do with “commerce” or any sort of economic enterprise, and had no other basis for congressional authority. 514 U.S. 549 (1995).
77 U.S. v. Berry, 583 F. Supp. 2d 749 (E.D. Va. 2008).
78 See Id.
79 U.S. v. Berry, 583 F. Supp. 2d at 755.
80 Id. at 756.
81 U.S. v. Pearce, 65 F.3d 22 (4th Cir. 1995).
82 False Identification Crime Control Act of 1982, Pub. L. No. 97–398, § 2, 96 Stat. 2009 (1982) (codified as amended at 18 U.S.C. § 1028(d)).
83 U.S. Department of Justice, Criminal Resource Manual 1505 [hereinafter “U.S. Criminal Resource Manual”], available at www.justice.gov.
1 Means of Identification84
A “means of identification” can be any name or number that, either alone or in conjunction with any other information, identifies a specific individual.85 Among the various means of identification contemplated by the statute are:
1. name, social security number, date of birth, government-issued driver’s license or identification number, alien registration number, government passport number, or an employer or taxpayer identification number;86
2. unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;87
3. unique electronic identification number, address, or routing code;88 or
4. telecommunication identifying information or access device, meaning an electronic serial number or any other number or signal that identifies a specific telecommunications instrument or account, or a specific communication transmitted from a telecommunications instrument.89
The broad language introducing this provision, “any name or number that … identifies a specific individual,” has been given a broad interpretation. Thus, where a defendant used the license numbers of certified real estate appraisers in order to create phony appraisals in order to secure mortgage loans, he was found to have used a “means of identification” under the statute. The loan numbers on the appraised properties were also “means of identification” under the statute.90 Where a defendant accessed other people’s e-mail accounts without authorization, and sent e-mails under their names, he had used a “means of identification” sufficient for conviction of an identity offense.91
In terms of the specifically enumerated items constituting “means of identification,” the evidence is sufficient for conviction where the defendant:
1. used the name and date of birth of another individual to obtain and subsequently use a passport,
84 18 U.S.C. § 1028(d)(7) (2006). This term was not part of the original legislation, but was added later, in the Internet False Identification Prevention Act of 2000. Pub. L. No. 106–578, 114 Stat. 3075. “Telecommunication identifying information or access device” is defined at 18 U.S.C. § 1029(e)(11).
85 18 U.S.C. § 1028(d)(7).
86 Id. § 1028(d)(7)(A).
87 Id. § 1028(d)(7)(B).
88 Id. § 1028(d)(7)(C).
89 Id. § 1028(d)(7)(D) (referring to the definition of “access device” found in 18 U.S.C. § 1029(e), discussed below).
90 U.S. v. Cooks, 589 F.3d 173 (5th Cir. 2009).
91 U.S. v. Wadford, 331 Fed. Appx. 198 (4th Cir. 2009).
2. used and possessed that individual’s name, date of birth, and social security number in relation to the offense of fraudulent possession of five or more identification documents, and
3. knew he was using identifiers belonging to a real person.92
2 Identification Document
An “identification document” is any type of document commonly accepted to identify an individual, or intended to be used for that purpose when completed with information concerning a particular individual. It may be one from the federal government or any other governmental body in the United States. It might come from the sponsoring entity of an event designated as a special event of national significance, a foreign government, or an international governmental or a quasi-governmental organization. Such a document may be made, issued, or authorized by the body responsible for the identification document.93
The Department of Justice has noted, in its instructions to prosecutors,94 that an “identification document” as defined must be issued by a government agency and must identify a person, as opposed to an object. Hence, the term “identification document” does not cover certificates of title or registration for motor vehicles since such documents identify vehicles, not persons.95 Note that a means of identification issued non-governmentally, such as a credit card or utility bill, is not an “identification document” under the terms of this statute. Compare this with the coverage of state laws96 or Canadian law,97 which include a wider range of identification documents.
The description of an identification document will normally include such identifying elements as an individual’s name, address, date or place of birth, physical description, photograph, fingerprints, employer, profession, occupation, or any unique number assigned to an individual by a governmental entity.98
92 U.S. v. Perez-Rodriguez, 358 Fed. Appx. 700 (7th Cir. 2009). “Identification document” is defined below.
93 18 U.S.C. § 1028(d)(3).
94 U.S. Criminal Resource Manual, supra note 906, at 1505A.
95 Id.
96 See, e.g., discussion of “personal identification information” in states of California and New York, discussed below.
97 See discussion of Canadian law Part 6B.
98 Id.
Blank documents, according to the U.S. Department of Justice, are included within the term “identification document,” if they are intended to be used in the commission of crimes involving identity.99 Whether a document is “intended” to identify an individual is determined by looking at the purpose for which the governmental agency issued it. Examples of such documents would be passports, alien registration cards, Justice Department credentials, etc.100
The term “commonly accepted” is intended to cover identification documents that may not have been intended to serve as an identification document when originally issued, but have, nevertheless, become such documents in common usage. Examples would be birth certificates, drivers’ licenses, social security cards, etc. However, “commonly accepted” does not require that the document be accepted for identification purposes under any and all circumstances, but rather that it is accepted in situations where a document of that nature would reasonably be accepted for identification purposes. An identification document can be both “intended” and “commonly accepted.”101
Although an identification document is usually made of paper or plastic, the term may also include badges for law enforcement officers if such a badge has a unique number on it which is assigned to a particular officer for the purpose of identifying that officer.102 The term “identification document,” as used in the statute, refers to a tangible document and not merely the information contained on such a document. For example, a social security number by itself is not an identification document, although it is a “means of identification.”103 A social security card itself, however, is clearly an identification document.104
An unanswered question under the statute is whether school transcripts are covered, revolving around the question whether a transcript is an identification document.
It appears that a transcript is not, because it is not “of a type intended or commonly accepted for the purpose of identification of
99 U.S. Criminal Resource Manual, supra note 906, at 1505A. 100 Id. 101 Id. 102 Id. 103 The use of someone else’s social security number, or a false social security number, with intent to deceive any person for the purpose of obtaining anything of value from such person violates the Social Security Act. 42 U.S.C. § 408(a)(7) (2006). See discussion of unauthorized use of a social security number below. 104 U.S. Criminal Resource Manual, supra note 906, at 1505A (citing U.S. v. Quinteros, 769 F.2d 968 (4th Cir. 1985)).
Identity Crime Legislation in the United States
individuals.”105 As to other documents issued by schools, such as identification cards, whether they would be covered under various portions of the act may depend upon whether the school is a government-sponsored school or a private institution. Thus, a school identification card issued by a private school may be covered by 18 U.S.C. § 1028(a)(7), pertaining to any means of identification used to advance a crime, but it would not be considered an “identification document” for the purposes of other sections of the act. 3 Issuing Authority The body that issues a means of identification is called the “issuing authority.”106 The Department of Justice has noted, in its instructions to prosecutors,107 that Congress’s intent was to cover all governmental identification documents regardless of which governmental body in the world issued them. However, 18 U.S.C. § 1028 does not cover identification documents issued by private parties such as private and parochial schools, non-governmental employers, etc. Thus, it does not cover credit cards, bank cards, insurance coverage cards issued by a private insurer, membership cards of private associations, private clubs, or private citizens’ groups, personal name cards, retail business check cashing cards, etc. It does, however, cover the identification documents of the employees of government contractors if such documents are issued by or under the authority of a government agency. The Department of Justice’s Criminal Resource Manual goes to considerable length in describing the issuing authorities covered by the statute. Thus, the “United States Government, a State, political subdivision of a State, a foreign government, political subdivision of a foreign government, an international governmental or an international quasi-governmental organization” are all issuing authorities.108 The Manual contends that this description is expansive and covers all governmental entities, domestic and foreign, state and federal. 
4 False Identification Document
A “false identification document” is a document intended to be used for identification, but that is not issued by or under the authority of a governmental entity, or was issued under the authority of a governmental entity but was then altered in order to deceive.109 Such a document fits this definition only if it appears to be issued by one of the entities that may issue an identification document.
105 18 U.S.C. § 1028(d)(3) (2006). 106 Id. § 1028(d)(6). 107 U.S. Criminal Resource Manual, supra note 906, at 1506. 108 U.S. Criminal Resource Manual, supra note 906, at 1506. 109 18 U.S.C. § 1028(d)(4).
The Department of Justice has noted that the term “false identification document” is intended to include counterfeit, forged, or altered identification documents as well as apparent identification documents that seem to have been issued by a government authority, even though that authority may not issue an identification document of that particular type.110 This concept would also apply when an identification document purports to be issued by a governmental entity that does not, in fact, actually exist.111 The Department of Justice sets forth further definitions to describe such documents:112 “Counterfeit” implies an unauthorized reproduction of an original document, which would include a blank. “Altered” would be the unauthorized changing of a material fact contained in the document. “Forged” would relate to the unauthorized execution of the document such as filling in a genuine blank identification document without authority. On the other hand, a “genuine” document is an authentic identification document actually made or issued under the authority of a governmental entity. It includes a genuine blank document, that is, a blank form not yet filled in.113 It is possible for a document to be “genuine” and “false” at the same time, for example, a genuine driver’s license is stolen and the driver’s name is altered; a genuine birth certificate blank form is stolen and is filled in without authorization.114 5 Personal Identification Card115 This is any identification document issued by a state or local government solely for the purpose of identification. The Department of Justice has noted that the definition of a “personal identification card” would appear to limit such documents to those issued to persons who do not for some reason obtain a driver’s license.116 6 Document-Making Implement A “document-making implement” is any implement, impression, template, computer file, computer disc, electronic device, or computer hardware or
110 U.S. Criminal Resource Manual, supra note 906, at 1507B. 111 Id. (referring to Pines v. United States, 123 F.2d 825 (8th Cir. 1941)). 112 Id. at 1507B. 113 Id. at 1507A. 114 Id. at 1507B. 115 18 U.S.C. § 1028(d)(8) (2006). 116 U.S. Criminal Resource Manual, supra note 906, at 1508.
software specifically configured or primarily used for making an identification document or a false identification document.117 It could also be an implement used to create another document-making implement. The Department of Justice has noted that “document-making implement” includes plates, dyes, stamps, and molds and other tools used to make identification documents.118 Another example of a document-making implement could be a device specially designed or primarily used to produce a small photograph and assemble laminated identification cards. The term may also include any official seal or signature, or text in a distinctive typeface and layout that when reproduced are part of an identification document. In cases in which specialized paper or ink or other materials are used in the production of an identification document, those items would be document-making implements. The term does not, however, include office photocopying machines because such machines are designed for more general purposes (i.e., not “specially designed or primarily used for” making identification and false identification documents). However, persons who use such machines to manufacture false identification documents or who provide them to another for the same purpose could be guilty of other offenses under 18 U.S.C. § 1028.119 7 Authentication Feature120 This may be any hologram, watermark, certification, symbol, code, image, sequence of numbers or letters, or other feature used by the issuing authority on an identification document, a document-making implement, or a means of identification to determine if the document is counterfeit, altered, or otherwise falsified. 8 False Authentication Feature121 This may be: 1. an authentication feature that appears to be genuine but is not; or 2. an authentication feature that originally was genuine but, without authorization of the issuing authority, has been tampered with or altered in order to deceive; or
117 18 U.S.C. § 1028(d)(2), added by the Secure Authentication Feature and Enhanced Identification Defense (SAFE ID) Act of 2003. Pub. L. No. 108–21, Title VI, § 607(a), 117 Stat. 689 (2003). 118 U.S. Criminal Resource Manual, supra note 906, at 1505B. 119 Id. at 1505B. 120 18 U.S.C. § 1028(d)(1). 121 Id. § 1028(d)(5).
3. a genuine authentication feature distributed, or intended for distribution, without the authorization of the issuing authority, and not in connection with a lawfully made identification document, document-making implement, or means of identification to which a genuine authentication feature is intended to be affixed or embedded by the issuing authority.
9 Other Terminology
Congress expanded the meaning of the verb “produce,” in the context of identity crimes, so that it includes such acts as altering, authenticating, and assembling a means of identification.122 Congress has specified that “transfer” includes selecting an identification document, false identification document, or document-making implement and placing or directing the placement of it to an online location where it is available to others.123 The term “stolen” is not defined in the identity theft statute, but the U.S. Department of Justice contends that it is intended to cover identification documents obtained by fraudulent means, as well as theft;124 thus, it covers all forms of unlawful takings and is not limited to common law larceny.125 A genuine identification document obtained by fraud from a government agency is considered “stolen” under the statute. Note that stealing (acquiring) is not an offense under the statute. Rather, the offenses are the transfer of a stolen document,126 and the possession of a stolen document.127 Actual theft of a document is illegal under the “theft” portion of the U.S. Code.128
D The Punishment
1 Fines and Imprisonment
The federal statute prescribes a series of escalating punishments for identity-related crimes.
122 Id. § 1028(d)(9). 123 Id. § 1028(d)(10). 124 The Justice Department cites the Supreme Court cases of Bell v. U.S., 462 U.S. 356 (1983), and U.S. v. Turley, 352 U.S. 407 (1957). 125 U.S. Criminal Resource Manual, supra note 906, at 1511. 126 18 U.S.C. § 1028(a)(2). 127 Id. § 1028(a)(6). 128 Id. §§ 641–669. Under section 641, one is guilty of “theft” if he “embezzles, steals, purloins, or knowingly converts to his use or the use of another, or without authority, sells, conveys or disposes of any record, voucher, money, or thing of value of the United States or of any department or agency thereof, or any property made or being made under contract for the United States or any department or agency thereof.” Id. § 641.
One year: The basic punishment, without sentencing enhancements, for a violation of the statute is a fine and/or imprisonment for up to one year.129 This punishment applies if none of the attributes of a longer sentence, as described below, are present. However, it is difficult to discover any criminal act under 18 U.S.C. § 1028 that is not subject to the longer sentences below. In addition, under the “aggravated identity theft” statute, 18 U.S.C. § 1028A(a)(1),130 one who knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for the underlying felony, be sentenced to a term of imprisonment of 2 years. The statute says “shall be sentenced” to 2 years, and not “imprisonment for up to” 2 years, in the phraseology of § 1028. Thus, it appears to be mandatory. Ordinary identity theft under § 1028 is an underlying felony under § 1028A; thus, it would appear that the base minimum sentence for an identity crime is actually two years, unless the prosecutor decides not to charge the defendant with aggravated identity theft. Five years: For certain crimes under the statute, the base sentence, without enhancements, is up to 5 years’ imprisonment and/or a fine. This applies to: 1. the production, transfer, or use of a means of identification, an identification document, an authentication feature, or a false identification document;131 2. knowingly possessing, with intent to use or transfer unlawfully, five or more such documents or features, other than identification documents issued lawfully for the use of the possessor;132 and 3. knowingly transferring, possessing, or using, without lawful authority, a means of identification of another person, with the intent to commit, aid, or abet a violation of federal law, or a felony under state or local law, or in connection with such violation.133 Fifteen years: One may receive a jail term of up to 15 years, and a fine, for 1. 
producing or transferring an identification document, authentication feature, or false identification document, as defined above, if the document or feature is, or appears to be, issued or authorized by the United States government;134
129 Id. § 1028(b)(6). 130 Discussed below. 131 Id. § 1028(b)(2)(a). 132 Id. § 1028(b)(2)(b) (referring to 18 U.S.C. § 1028(a)(3)). 133 Id. § 1028(b)(2)(b) (referring to 18 U.S.C. § 1028(a)(7)). 134 Id. § 1028(b)(1)(A)(i).
2. the production or transfer of any such document if it is or appears to be a birth certificate, driver’s license, or personal identification card;135
3. the production or transfer of more than 5 identification documents, authentication features, or false identification documents;136
4. knowingly producing, transferring, or possessing a document-making implement or authentication feature, intending to use it to produce a false identification document or to produce another document-making implement or authentication feature that will be so used;137
5. knowingly transferring, possessing, or using, without lawful authority, a means of identification of another person, with the intent to commit, aid, or abet a violation of federal law, or a felony under state or local law, or in connection with such violation, if, as a result of the offense, the perpetrator obtains anything of value aggregating $1,000 or more during any one-year period.138
Twenty years: One may receive up to 20 years’ imprisonment, plus a fine, if the offense is committed: 1. to facilitate a drug trafficking crime, in connection with a violent crime, or 2. if one has previously been convicted of fraud in connection with identity documents.139
Thirty years: One may receive up to 30 years’ imprisonment, plus a fine, if the offense is committed to facilitate acts of domestic or international terrorism.140
a Sentencing Guidelines
Federal Sentencing Guidelines, established by the U.S. Congress in 1984,141 affect the sentences for identity crimes in two ways. First, one of the crimes described above may be subject to an “upward departure”142 if there are aggravating circumstances present, including the status of the victim, the defendant’s role in the offense, whether the defendant obstructed justice, and whether there are multiple counts.143 Second, if an identity crime was committed in
135 Id. § 1028(b)(1)(A)(ii). 136 Id. § 1028(b)(1)(B). 137 Id. § 1028(b)(1)(C) (referring to 18 U.S.C. § 1028(a)(5)). 138 Id. § 1028(b)(1)(D) (referring to 18 U.S.C. § 1028(a)(7)). 139 Id. § 1028(b)(3) (referring to other sections of code defining “drug trafficking crime” and “crime of violence”). 140 Id. § 1028(b)(4) (referring to other sections of code defining acts of domestic and international terrorism). 141 Sentencing Reform Act of 1984, Pub. L. No. 98–473, §§ 211–212, 98 Stat. 1837, 2017–34 (codified as amended at 18 U.S.C. §§ 3661–3673, 28 U.S.C. §§ 991 to 998). 142 U.S. Sentencing Guidelines Manual § 1B1.1 cmt. n.1E (2012). 143 Id. at ch. 3.
addition to another crime, then the Guidelines mandate that the sentence for the other crime be increased.144 Under the Sentencing Guidelines, the punishment for a non-identity-crime offense is increased if it involves: 1. the possession or use of any device-making equipment or authentication feature;145 or 2. the production or trafficking of any unauthorized access device or counterfeit access device, or authentication feature;146 or 3. the unauthorized transfer or use of any means of identification unlawfully to produce or obtain any other means of identification;147 or 4. the possession of 5 or more means of identification that unlawfully were produced from, or obtained by the use of, another means of identification.148 The increase in punishment is generally about 6 months’ detention.149 These Guidelines have the effect of increasing the penalty for non-identity crimes when certain types of identity crimes also occur. They have a similar
144 Id. § 2B1.1(b)(10). 145 Id. § 2B1.1(b)(10)(A). As to device-making equipment, see 18 U.S.C. § 1029, discussed below. As to authentication features, see 18 U.S.C. § 1028(a)(1), (5), discussed above. 146 U.S. Sentencing Guidelines Manual § 2B1.1(b)(10)(B). As to access devices, see 18 U.S.C. § 1029, discussed below. As to authentication features, see 18 U.S.C. § 1028(a)(1), (5), discussed above. 147 U.S. Sentencing Guidelines Manual § 2B1.1(b)(10)(C)(i). As to knowingly using, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity, see 18 U.S.C. § 1028(a)(7), discussed above. As to transferring, without lawful authority, a means of identification of another person, with the intent to commit, aid, or abet a violation of federal law, or a felony under state or local law, or in connection with such violation, see 18 U.S.C. § 1028(a)(7). See also § 1028A(a)(1), (a)(2), discussed below, which adds penalties to other underlying violations for transferring, without lawful authority, a means of identification of another person during or in relation to the commission of those other underlying felonies. This section of the Guidelines is concerned with “breeding,” whereby a defendant uses another individual’s name, social security number, or some other form of identification to produce or obtain new or additional forms of identification. U.S. Sentencing Guidelines Manual § 2B1.1 cmt. n.19. 148 U.S. Sentencing Guidelines Manual § 2B1.1(b)(10)(C)(ii). As to possessing, with intent to use or transfer unlawfully, five or more identification documents or authentication features, other than identification documents issued lawfully for the use of the possessor, see 18 U.S.C. § 1028(a)(3). 149 The increase is two levels, which usually comes to six months. The minimum punishment is level twelve, which is ten to sixteen months on a first offense. See U.S. Sentencing Guidelines Manual, Sentencing Table ch. 5, pt. A.
effect to that of 18 U.S.C. § 1028A, the statute concerned with “aggravated identity crime,” which provides punishments for identity crimes when they are committed in conjunction with other felonies, referred to as “underlying felonies.” Under section 1028A, if identity crime is used to commit an underlying felony, a separate crime called “aggravated identity theft” can be charged, and the punishment for the crime must be added to that for the underlying crime, and may not run concurrently. If a defendant is convicted of violating 18 U.S.C. § 1028A, the statutory sentence is to be applied, and is considered to be the Guideline sentence.150 Thus, the Sentencing Guidelines should not be used when the defendant is given a separate sentence under 18 U.S.C. § 1028A for aggravated identity theft.151 However, the Guidelines may be used for an upward departure when aggravated identity theft is not charged.152 The Official Commentary to the Sentencing Guidelines provides illustrations of the type of “other means of identification” subject to the guideline on the unauthorized transfer or use of any means of identification unlawfully to produce or obtain any “other means of identification.”153 If a defendant obtains an individual’s name and social security number from a piece of mail taken from the individual’s mailbox, and obtains a bank loan in that individual’s name, the account number of the bank loan is the other means of identification that has been obtained unlawfully.154 If a defendant obtains an individual’s name and address from a driver’s license in a stolen wallet, and applies for, obtains, and subsequently uses a credit card in that individual’s name, the credit card is the other means of identification that has been obtained unlawfully.155 However, the Guideline does not apply when, for example, a defendant uses a credit card from a stolen wallet only to make a purchase and not to obtain another means of identification.156 Nor does it apply when a defendant forges another individual’s signature to cash a stolen check, because forging another individual’s signature is not producing another means of identification.157
150 U.S. Sentencing Guidelines Manual § 2B1.6(a). 151 U.S. v. Taylor, 2010 WL 1500521 (4th Cir. 2010) (use of social security numbers). 152 U.S. v. Morris, 2010 WL 1752145 (5th Cir. 2010) (presenting a defendant that used his mother’s social security number to obtain other identification, justifying an upward departure under Sentencing Guidelines § 2B1.1(b)(10)(C)(i)). 153 U.S. Sentencing Guidelines Manual § 2B1.1(b)(10)(C)(i). 154 Id. § 2B1.1 cmt. n.9(C)(ii)(I). 155 Id. § 2B1.1 cmt. n.9(C)(ii)(ii). 156 Id. § 2B1.1 cmt. n.9(C)(iii)(i). 157 Id. § 2B1.1 cmt. n.9(C)(iii)(ii).
Caveat: Note that the U.S. Supreme Court has held that, under the principle of due process, any fact, such as the use of a means of identification to produce other means of identification, must be found by a jury beyond a reasonable doubt if it is to be used to enhance a sentence. Thus, a judge cannot increase a penalty based on his finding that the defendant previously committed identity theft, unless that fact is proven before a jury. Facts that have been established by prior convictions of the defendant, or that the defendant has admitted, may be used to increase a sentence. In addition, the Sentencing Guidelines cannot be mandatory; a judge must retain discretion as to the fitting punishment for any crime.158 Even without the prosecution’s charging and proving an identity crime, sentences have been enhanced under sections of the Sentencing Guidelines unrelated to identity.159 Thus, where a man convicted of bank fraud engaged in an “audacious scheme” to assume the identity of a man who was dying of terminal cancer in order to be spared imprisonment, an enhanced sentence was upheld under the Sentencing Guideline that allows upward departures based on circumstances of a kind not adequately taken into consideration by other Sentencing Guidelines.160
2 Forfeiture
In all cases, any personal property used or intended to be used to commit the offense must be forfeited to the United States government.161 The court must order the forfeiture and destruction or other disposition of all illicit authentication features, identification documents, document-making implements, or means of identification.162 The court, in imposing sentence on a person convicted of a violation of, or a conspiracy to violate, the identity crime statute, must order that the person forfeit to the United States any property constituting, or derived from, proceeds the person obtained directly or indirectly as the result of such violation.163 If the violation is committed in connection with passport or visa issuance or use, the court must order that the person forfeit to the United States (1) any
158 U.S. v. Booker, 543 U.S. 220 (2005). 159 U.S. v. Brown, 320 Fed. Appx. 58 (2d Cir. 2009). 160 U.S. Sentencing Guidelines Manual § 5K2.0(a)(2). 161 18 U.S.C. § 1028(b)(5) (2006). Forfeiture is governed by 18 U.S.C. § 1028(g), which refers to the criminal forfeiture provisions of 28 U.S.C. § 853, with the exception of that section’s “rebuttable presumption” found at 28 U.S.C. § 853(d). 162 18 U.S.C. § 1028(h). 163 Id. § 982(a)(2). “Proceeds” is defined at 18 U.S.C. § 981(a)(2).
conveyance, including any vessel, vehicle, or aircraft used to commit the crime; and (2) any property derived from or traceable to the offense, or that was used, or intended to be used, to facilitate the violation.164 If the offense involves telemarketing, the court must order that the convicted person forfeit to the United States (1) any property used or intended to be used to commit, to facilitate, or to promote the commission of the offense, and (2) any property constituting, derived from, or traceable to the gross proceeds that the defendant obtained directly or indirectly as a result of the offense.165 In addition, any property, real or personal, that constitutes or is derived from proceeds traceable to a violation of the identity crime statute is subject to forfeiture to the United States government, which may bring a civil action to obtain the property.166 “Civil forfeiture,” as opposed to criminal forfeiture described in the preceding paragraph, does not depend upon a property owner’s being guilty of a crime; rather, it depends upon the property’s being connected to a criminal act,167 and the government’s action is against the property, rather than against the person who committed the crime.168 Thus, one who has not committed a crime but who has obtained the proceeds of the crime may be required to forfeit such proceeds.
3 Restitution
A court, when sentencing a defendant, may order that the defendant make restitution to any victim of such offense, or if the victim is deceased, to the victim’s estate. The court may also order, if agreed to by the parties in a plea agreement, restitution to persons other than the victim of the offense.169 The court, in determining whether to order restitution, must consider the amount of the loss sustained by each victim as a result of the offense. The court must also consider the financial resources of the defendant, the financial needs and earning ability of the defendant and the defendant’s dependents, and any other factors the court deems appropriate.170 A court may order that a person who knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, in the commission of a crime,171 or who
164 Id. § 982(a)(6). 165 Id. § 982(a)(8). “Telemarketing” is defined at 18 U.S.C. § 2325. 166 Id. § 981(a)(1)(C). “Proceeds” is defined at 18 U.S.C. § 981(a)(2). 167 36 Am.Jur. 2d Forfeitures and Penalties § 19 (2012). 168 Id. § 18. 169 18 U.S.C. § 3663(a)(1)(A). 170 Id. § 3663(a)(1)(B). 171 Id. § 1028(a)(7).
commits aggravated identity theft,172 pay an amount equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense.173
6A.2.2 Aggravated Identity Theft
Congress in 2004 added to federal law a section pertaining to “aggravated identity theft,”174 in an act entitled “Identity Theft Penalty Enhancement Act.”175 The statute draws specific links between identity theft and other crimes, and directs that increased penalties must attach when identity theft is perpetrated in connection with those other specific crimes.176
A Why Statute Was Enacted
In passing the legislation, Congress expressed concern about the growing number of cases of identity crime since the earlier identity statute was enacted. Statistics cited by Congress showed that nearly 5 percent of households, or 10 million Americans, reported that they had experienced some sort of identity crime.177 Congress further noted estimates from the Federal Trade Commission showing losses to businesses and financial institutions from identity crime to be nearly $50 billion, with losses to individuals of $5 billion.178 The memory of September 11 also influenced Congress in passing the legislation. The official report accompanying the legislation noted that “al-Qaida and other terrorist organizations increasingly turn to stolen identities to hide themselves from law enforcement.” Congress heard testimony from an FBI agent that “terrorists have long utilized identity theft as well as Social Security number fraud to enable them to obtain such things as cover employment and access to secure locations. These and similar means can be utilized by terrorists to obtain driver’s licenses, and bank and credit card accounts, through which terrorism is facilitated.”179
172 Id. § 1028A. 173 Id. § 3663(b)(6). 174 Id. § 1028A. 175 H.R. Rep. No. 108–528, at 780 (2004), reprinted in 2004 U.S.C.C.A.N. 779. 176 18 U.S.C. § 1028A. 177 H.R. Rep. No. 108–528, at 780 (2004). Compare this figure to the 11.1 million reports of fraud reported in a 2009 survey. Rachel Kim, Javelin Strategy and Research, 2009 Identity Fraud Survey Report: Consumer Version: Prevent, Detect, Resolve 6 (Feb. 2009), available at www.javelinstrategy.com/brochure/113. 178 H.R. Rep. No. 108–528, at 780. 179 Id.
Congress determined that it needed to find new ways to combat identity crime, because the methods used by identity thieves were expanding. While consumers were being urged to protect themselves by shredding documents and watching their credit reports, identity thieves were going beyond their old dumpster-diving methods.180 Congress expressed concern that, in their normal course of business, employees and others were accessing and using information collected by companies for an authorized purpose. For example, a customer service representative in Long Island, working for a company providing computer hardware and software to financial firms, had accessed the personal information of over 30,000 victims. A Social Security Administration clerk in Atlanta provided fraudulent social security cards to over 1,900 individuals in exchange for $70,000 in payoffs.181 In addition, outside individuals were hacking into computers or stealing paperwork likely to contain personal information.182 Congress was concerned that under the law as it stood, prison time for identity thieves was minimal. The report accompanying the legislation gave examples of defendants who received exceedingly low sentences. Some of the sentences are far below those allowable under 18 U.S.C. § 1028, and may be the result of plea bargains or lenient judges. Nevertheless, they served as the basis for Congress passing enhanced sentences. The incidents cited by the report included: 1. A former employee of a Bally’s Health Club in Cambridge, Mass., Mohamed Amry, had used a skimmer to get credit card data from members of the health club. He provided stolen names, social security numbers, and credit-card information of at least 30 people to a man who pleaded guilty in a conspiracy plot to blow up Los Angeles International Airport. Amry assisted another in creating false green cards and social security cards, and his co-conspirator used the information to open bank accounts where he deposited counterfeit checks. 
Amry pleaded guilty to numerous counts, including conspiracy to commit identity theft, bank fraud, and access device fraud (18 U.S.C. § 1029), although he was not charged with knowledge of the terrorists’ intentions in obtaining and using the stolen identities. However, his sentence was a mere 15 months in prison.183
180 As to the methods, including dumpster-diving, used by identity criminals, see Chapter 3. 181 H.R. Rep. No. 108–528, at 781. 182 Id. at 781. 183 Id. For a judicial ruling concerning the due process afforded to Amry, see U.S. v. Amry, 2003 WL 124678 (S.D.N.Y. Jan. 16, 2003).
2. A financial institution employee, Suzanne Scheller, used the company’s computer system to find potential customers, including account information, for a friend starting a real estate business. Scheller knew that such unauthorized access was against company policy. Some of the information provided by Scheller was used by others, unknown to Scheller, as part of an identity theft scheme, by which they would steal the identity of the customers and transact business at the financial institution. Scheller pleaded guilty to one count of obtaining unauthorized computer access to customer account information from a financial institution in violation of 18 U.S.C. § 1030. She was sentenced to 36 months’ probation.184
3. A man, Chuck Opara, engaged in a multimillion dollar fraud scheme. As part of the scheme, he stole the identities of 24 people, and submitted fake income tax returns, seeking refunds of $50,000, to be delivered to mail-drops that Opara had obtained. Opara pleaded guilty to multiple counts of submitting false claims and identity theft, and was sentenced to 15 months’ imprisonment.185
4. William K. Maxfield assumed the identity of a person named William E. Maxfield, who was not a relation to him. Using William E’s social security information, which he obtained through the auto dealership where he worked, William K. was able to obtain loans and lines of credit. Most of the lenders received payment from William K.; however, William E.’s credit rating suffered, and he had trouble correcting the records from various companies showing his accounts as past due. William K. Maxfield was sentenced to 10 months in prison.186
5. Diana Fergerson stole someone’s identity; years later, she used the stolen identity to apply for and receive social security benefits and establish credit. She received over $45,000 in social security disability benefits. She pled guilty to several charges, including theft of public money187 and identity theft.188 She was sentenced to 5 years’ probation and restitution.189
6. Porfirio Benavides-Holguin, a resident of Chihuahua, Mexico, received U.S. government benefits under the name and social security number of his former brother-in-law, a U.S. citizen. He pled guilty to both counts of a 2-count indictment alleging violations of the Social Security Act, specifically, for knowingly and willfully making a false representation of a material fact for use in determining rights to a Social Security benefit.190 He was sentenced to 10 months’ confinement, 3 years of non-reporting supervised release, and restitution.191
7. Arnetta Green-Jones received Supplemental Security benefits under her actual social security number while working as a seasonal temporary worker employed by the IRS under the social security number of another individual. She pled guilty to violations of the Social Security Act192 and an identity theft statute,193 and was ordered to serve 5 years’ probation and pay restitution.194
184 H.R. Rep. No. 108–528, at 781. 185 Id. at 782. 186 Id. 187 18 U.S.C. § 641 (2006). 188 18 U.S.C. § 1028(a)(7) (2006). 189 H.R. Rep. No. 108–528, at 782.
B The Offense Under the terms of the aggravated identity theft statute, if, during or in relation to committing certain other, underlying felonies,195 a person knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person, the felon will receive the punishment provided for in that other felony, and also be sentenced to a term of imprisonment of 2 years.196 If that underlying felony is terrorism197 the additional term of imprisonment is 5 years.198 1 “Knowingly” Requirement The requirement that the offense be committed “knowingly” has been taken quite literally. If the deed is done without “knowing,” the 1028A offense cannot stand. 1 90 191 192 193 194 195 196 197
42 U.S.C. § 1383a(2) (2006). H.R. Rep. No. 108–528, at 782. 42 U.S.C. §§ 408(a)(7)(B), 1383a(a)(3)(A). 18 U.S.C. § 1028(a)(4). H.R. Rep. No. 108–528, at 782. See Part 6A.2.2(c). 18 U.S.C. § 1028A(a)(1). An extensive list of felonies considered to be “terrorism” is contained in 18 U.S.C. § 2332b(g)(5)(B). To constitute terrorism, such acts must be “calculated to influence or affect the conduct of government by intimidation or coercion, or to retaliate against government conduct.” Id. § 2332b(g)(5)(A). 198 Id. § 1028A(a)(2). This section also states that, in addition to a “means of identification,” the enhanced penalty applies if one uses a “false identification document.” Id. “False identification document” is defined at 18 U.S.C. § 1028(d)(5) and discussed at Part 6A.2.1(c)(4).
A Mexican citizen, Ignacio Flores-Figueroa, presented his employer with counterfeit social security and alien identification registration cards. The cards used Flores-Figueroa’s real name, but the numbers on the cards belonged to other people. The employer reported the request to immigration authorities, who discovered the improper numbers. Flores-Figueroa was charged with illegal immigration, with misusing immigration documents, and with aggravated identity theft. The defendant moved to dismiss the aggravated identity theft charge because the government could not prove that he knew that he was using the numbers of other people. The Supreme Court sided, unanimously, with the defendant.199
A woman, Petrona Gaspar, had purchased a birth certificate from a co-worker at a chicken-packing plant, but the prosecutor was unable to prove that Ms. Gaspar knew that the birth certificate, which she used in applying for a passport, belonged to another person.200 Such knowledge was required to support her conviction for aggravated identity theft under 18 U.S.C.A. § 1028A(a)(1).201 Although Gaspar knew she was using a birth certificate that was not hers, and she stipulated that the birth certificate was in fact a means of identification of a real person, there was no direct evidence that Gaspar knew the birth certificate belonged to an actual person at the time she applied for the passport. She did not stipulate that she knew that the person existed when she used the document to obtain a passport. Thus, the lower court erred in convicting her under the statute.
Similarly, it was an error for a court to accept a defendant’s guilty plea to a charge of aggravated identity theft without any evidence on the record that he knew that the identification documents in his possession belonged to actual people.202
199 Flores-Figueroa v. U.S., 129 S. Ct. 1886 (2009).
200 U.S. v. Gaspar, 344 Fed. Appx. 541 (11th Cir. 2009).
201 The underlying offense, essential to maintaining a prosecution under § 1028A, was a violation of the statute prohibiting a false statement in an application for a passport, 18 U.S.C. § 1542. This is an underlying felony by virtue of 18 U.S.C. § 1028A(c)(6).
202 U.S. v. Ogbemudia, 364 Fed. Appx. 72 (5th Cir. 2010).
2 Synthetic Identity Not Covered
Creation and use of “synthetic identity,” that is, an identity created by the defendant in order to commit felonies, but that does not belong to any real person, cannot be prosecuted under 18 U.S.C. § 1028A: it is not made illegal by the statute, which commands that the means of identification must belong to “another person.” As discussed above, the U.S. Supreme Court in Flores-Figueroa v. U.S., 129 S. Ct. 1886 (2009), held that the government must prove that the defendant knew that the means of identification that he used belonged to another person. By extrapolation, if the identity was synthetic (an issue not discussed by the court), there can be no prosecution because (1) there is no crime, and (2) the defendant cannot be shown to have “known” that the identity belonged to another person, because it did not belong to another person.203 When both a synthetic identity and a stolen identity are used by a defendant, the court must distinguish between the two in order to mete out punishment.204
3 Statutory Fix Required
A statutory fix to the problem of synthetic identity fraud is needed, as synthetic identity fraud has become prevalent.205 The “knowingly” problem as applied to the requirement that the means of identification belong to “another person,” and the lack of coverage for synthetic identity, could both easily be solved by a simple change in the statutory language. As currently worded, section 1028A prohibits knowingly transferring, possessing, or using, without lawful authority, a means of identification of another person.206 The words “of another person,” if they were replaced with “that does not belong to the transferor, possessor, or user,” would encompass synthetic identity, and would eliminate the problem of the defendant’s knowledge that the means of identification belong to “another person.”
203 In Flores-Figueroa, the identification numbers used by the defendant belonged to other persons; however, the government could not prove that Flores-Figueroa knew that fact. Rather, the government claimed that it need only prove that the defendant knew that the numbers did not belong to him, and that he used them even though he had no right to do so. The Supreme Court disagreed. 129 S. Ct. 1886.
204 U.S. v. Popa, 361 Fed. Appx. 854 (9th Cir. 2010).
205 See discussion of synthetic identity fraud at Part 6A.1.
206 18 U.S.C. § 1028A(a).
207 Id. § 1028A(c)(1) to (11).
C The Underlying Felonies
One can only commit the felony of aggravated identity theft if the identity crime occurs “during and in relation to” certain other felonies, generally, those having to do with embezzlement, immigration, and various forms of and variations upon fraud. Specifically, the underlying felonies are:207
1. theft of public money, property or rewards;208 theft, embezzlement or misapplication by a bank officer or employee;209 or theft from an employee benefit plan;210
2. false personation of citizenship;211
3. false statements in connection with the acquisition of a firearm;212
4. any crime found in the “fraud and false statements” section of the United States Code,213 other than those crimes found in the aggravated identity theft statute itself,214 or the section of the primary identity statute dealing with use of a means of identification in connection with committing a federal crime or a felony;215
5. any crime found in the chapter on mail, bank, and wire fraud;216
6. any crime found in the chapter on nationality and citizenship;217
7. any crime in the chapter on passports and visas;218
8. obtaining customer information by false pretenses;219
9. willfully failing to leave the United States after deportation,220 or creating a counterfeit alien registration card;221
10. other various offenses involving undocumented aliens;222
11. provisions relating to false documents under the Social Security Act.223
An example of how underlying felonies work into aggravated identity theft sentencing is provided in a 2009 case, U.S. v. Jenkins-Watts.224 The defendants were convicted of identity theft under 18 U.S.C. § 1028, aggravated identity theft under 18 U.S.C. § 1028A, and access device fraud under 18 U.S.C. § 1029.225 The defendants were co-conspirators in a scheme to identify people with good credit scores and create false drivers’ licenses in their names, then use those licenses to obtain credit cards for department stores. They were charged with numerous frauds, but an “underlying offense” was needed under the aggravated identity theft statute, or else aggravated identity theft could not be charged. That underlying offense was access device fraud.226 A sentence based on the access device fraud sentence was increased by the sentence for aggravated identity theft, and was upheld. In addition, an enhancement of sentence under the U.S. Sentencing Guidelines was upheld, even though an enhancement is not permitted for a violation of § 1028A.227 Rather, the sentence for access device fraud was enhanced under the Guideline concerning the use of authentication features,228 because the drivers’ licenses produced under the scheme contained such a feature, the holographic seal of the State of Kansas.229
208 Id. § 641.
209 Id. § 656.
210 Id. § 664.
211 Id. § 911.
212 Id. § 922(a)(6).
213 Id. at ch. 47.
214 Id. § 1028A.
215 Id. § 1028(a)(7).
216 Id. at ch. 63.
217 Id. at ch. 69.
218 Id. at ch. 75.
219 15 U.S.C. §§ 6821, 6823 (Gramm-Leach-Bliley Act).
220 8 U.S.C. § 1253.
221 Id. § 1306(d).
222 Id. §§ 1321 to 1328.
223 42 U.S.C. §§ 408, 1011, 1307(b), 1320a-7b(a), 1383a.
224 U.S. v. Jenkins-Watts, 574 F.3d 950 (8th Cir. 2009). This case involved numerous conspirators and crimes, with overlapping charges and defenses. The fact pattern is simplified here to provide an example of sentencing enhancement under the aggravated identity theft statute, as well as the U.S. Sentencing Guidelines.
225 For a discussion of access device fraud, see below.
226 Access device fraud is an underlying offense under 18 U.S.C. § 1028A(c)(4), because it is contained in 18 U.S.C. ch. 47.
227 U.S. Sentencing Guidelines Manual § 2B1.6. Sentencing Guidelines are discussed above.
228 U.S. Sentencing Guidelines Manual § 2B1.1(b)(10)(A)(ii).
229 U.S. v. Jenkins-Watts, 574 F.3d at 956, 962.
D Conspiracy
Under the aggravated identity theft statute, any person who attempts or conspires to commit the various types of fraud in the “Fraud and False Statements” chapter of the U.S. Code230 is subject to the same penalties as those prescribed for the object of the attempt or conspiracy.231 Thus, several defendants were convicted of conspiracy to commit identity theft, conspiracy to commit aggravated identity theft, and conspiracy to commit access device fraud.232 The scheme involved instant credit: conspirator Strother and his associates would use counterfeit Kansas drivers’ licenses to apply for instant credit, purchase big-ticket items, and resell them for half their retail value. Strother received credit reports from coconspirators, who acquired the reports from legitimate businesses. Strother chose identity crime victims based on their credit scores. Strother would create counterfeit Kansas drivers’ licenses, using coconspirators’ photos, and provide the licenses to the coconspirators. The coconspirators would travel to retailers to open instant credit accounts, and spend the entire amount for which he or she was approved. Strother would have buyers lined up to purchase the stolen goods, and frequently told the coconspirators which items to purchase. In this case, all 16 codefendants could be convicted of conspiracy, whether or not they actually participated in the identity thefts or access device fraud. The fact that they knew of the scheme and actively participated in it was sufficient for a conviction.
230 18 U.S.C. ch. 47.
231 18 U.S.C. § 1049 (2006).
232 U.S. v. Jenkins-Watts, 574 F.3d 950 (8th Cir. 2009), cert. denied, 130 S. Ct. 1915 (2010).
E The Punishment
The aggravated identity theft statute exists to provide adequate punishment. The statute instructs judges that they may not place on probation any person convicted of aggravated identity theft.233 Next, judges are told that they may not allow a term of imprisonment for aggravated identity theft to run concurrently with any other term of imprisonment, including any term of imprisonment imposed for the felony during which the means of identification was transferred, possessed, or used.234 The sole exception is when the concurrent term is for a separate violation of § 1028A for which a sentence is being imposed at the same time, so long as judicial discretion is exercised in accordance with the U.S. Sentencing Guidelines.235 A court must adequately explain its decision to impose consecutive sentences for multiple violations of the aggravated identity theft statute.236
1 Effect of the Statute
As stated in the title of the bill, the primary concern of Congress was to “enhance” the penalties for identity theft. Primarily, the statute specifies other crimes in which identity theft is frequently used, and mandates that sentences for identity theft and the underlying crime must be consecutive; the sentence for the underlying crime can no longer run concurrently with the sentence for identity theft. If the appropriate sentences are 3 years for the underlying crime and 2 years for identity theft, the sentence must be 5 years – the lesser sentence may not be subsumed in the greater sentence.237
233 18 U.S.C. § 1028A(b)(1).
234 Id. § 1028A(b)(2).
235 Id. § 1028A(b)(4); see also U.S. Sentencing Guidelines Manual § 2B1.1(b)(10) (providing relevant guidelines).
236 U.S. v. Lee, 502 F.3d 780 (8th Cir. 2007) (case remanded for re-sentencing).
237 H.R. Rep. No. 108–528, at 785–86 (2004) reprinted in 2004 U.S.C.C.A.N. 779.
2 Double Jeopardy in Charging Both 1028 and 1028A
Even though sections 1028 and 1028A are separate statutes, they essentially criminalize the same acts. A judge cannot hand out consecutive sentences for a violation of the aggravated identity theft statute and the identity theft statute when both violations consist of the same criminal acts.238 A violation of 18 U.S.C. § 1028(a)(7) – for knowingly transferring, possessing, or using, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law – and a violation of 18 U.S.C.A. § 1028A(a)(1) – during and in relation to any of various felony violations, knowingly transferring, possessing, or using, without lawful authority, a means of identification of another person – are essentially one violation, not two. Two convictions for the offense would violate the double jeopardy clause of the U.S. Constitution.239
A federal court of appeals has held that an indictment that charges a defendant with both identity theft and aggravated identity theft, based on the same actions by the defendant, violates the double jeopardy clause of the Fifth Amendment of the U.S. Constitution. The court noted that neither statute contained clear and unambiguous legislative language that allowed cumulative convictions and punishments for the same act. Any offense that constituted aggravated identity theft would also be a crime covered by the identity theft statute. As the court stated, where the same act or transaction constitutes a violation of two distinct statutory provisions, the question that must be asked is whether each provision requires proof of a fact that the other does not. If both provisions require proof of the identical facts, then only one conviction, and one punishment, is allowable.240
238 U.S. v. Bonilla, 579 F.3d 1233 (11th Cir. 2009).
239 Id. at 1241.
240 U.S. v. Bonilla, 579 F.3d 1233.
6A.3 Identity-Crime-Related Statutes
A variety of different statutes, while not specifically aimed at identity crimes, provide supplemental and alternative means of combating identity crimes. In some instances, such statutes fill in the holes left by the two main identity crime statutes.241 Thus, violation of a statute such as the one prohibiting the unauthorized use of a social security number242 may be charged as an alternative to an identification crime charge,243 or in addition to the identity crime charge if the elements that must be proven are not substantially the same.244 A mail fraud, wire fraud, or e-mail fraud charge245 may be used to prosecute an identity crime when a means of perpetrating the fraud is mail, telephone, or e-mail, and also to provide a means for bringing a crime under federal jurisdiction.246
Many statutes may be utilized to prosecute identity crimes. The ones detailed below are those with the most obvious relevance, and those which, in actual practice, are utilized most frequently.
241 18 U.S.C. § 1028, 1028A (2006).
242 42 U.S.C. § 408(a)(7)(B) (2006) (discussed below).
243 18 U.S.C. § 1028(a)(7).
244 As to the possibility of double jeopardy in identity crime charges, see Part 6A.2.2(e)(2).
245 18 U.S.C. §§ 1341, 1342 (mail fraud); 18 U.S.C. § 1343 (wire fraud); 18 U.S.C. § 1037 (e-mail fraud).
246 See discussion of federal jurisdiction above, and statutory jurisdictional requirements set forth in 18 U.S.C. § 1028(c)(3)(A).
6A.3.1 Access Device Fraud (Fraud Using Credit, Debit or ATM Cards, or the Like)
One of the most common forms of identity crime arises from obtaining someone else’s credit or debit card information, and assuming that person’s identity in order to obtain something of value.247 The federal statute calls credit cards, debit cards, and the like “access devices,”248 and calls the crime “fraud in connection with access devices.”249 The access device statute may be used in conjunction with the aggravated identity theft statute250 as a tool in prosecuting identity crimes.251
By statutory definition, an “access device” is any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds (other than a transfer originated solely by paper instrument).252 A “counterfeit access device” is any access device that is counterfeit, fictitious, altered, or forged.253 An “unauthorized access device” is any access device that is lost, stolen, expired, revoked, canceled, or obtained with intent to defraud.254 “Device-making equipment” is any equipment, mechanism, or impression designed or primarily used for making an access device or a counterfeit access device.255
Acts criminalized by the statute include knowingly and with intent to defraud:
1. producing, using, or trafficking in one or more counterfeit access devices;256
2. trafficking in or using one or more unauthorized access devices during any one-year period, and obtaining anything of value worth $1,000 or more during that period;257
3. possessing 15 or more devices that are counterfeit or unauthorized access devices;258
4. producing or trafficking in, having control or custody of, or possessing device-making equipment;259
5. effecting transactions, with 1 or more access devices issued to another person or persons, to receive payment or any other thing of value during any 1-year period the aggregate value of which is equal to or greater than $1,000;260
6. without the authorization of the issuer of the access device, soliciting a person for the purpose of offering an access device; or selling information regarding or an application to obtain an access device;261
7. without the authorization of the credit card system member or its agent, causing or arranging for another person to present to the member or its agent, for payment, one or more evidences or records of transactions made by an access device;262
8. attempting to do any of the above;263 and
9. conspiring to do any of the above.264
247 Note that merely using someone else’s credit card to purchase goods is not an identity crime.
248 18 U.S.C. § 1029(e)(1).
249 Id. § 1029.
250 Id. § 1028A.
251 U.S. v. Bonilla, 579 F.3d 1233 (11th Cir. 2009).
252 18 U.S.C. § 1029(e)(1).
253 Id. § 1029(e)(2).
254 Id. § 1029(e)(3).
255 Id. § 1029(e)(6).
256 Id. § 1029(a)(1). Note that “produce” includes design, alter, authenticate, duplicate, or assemble. Id. § 1029(e)(4).
257 Id. § 1029(a)(2).
258 Id. § 1029(a)(3).
259 Id. § 1029(a)(4).
260 Id. § 1029(a)(5).
261 Id. § 1029(a)(6).
262 Id. § 1029(a)(10).
263 Id. § 1029(b)(1).
264 Id. § 1029(b)(2).
The penalty for most of the violations listed above is up to 10 years’ imprisonment and/or a fine.265 However, some of the more serious violations are subject to up to 15 years’ imprisonment rather than 10.266 A repeat conviction is subject to up to 20 years’ imprisonment,267 and in all cases, the criminal must forfeit to the United States any personal property used or intended to be used to commit the offense.268 Any person who attempts or conspires to commit access device fraud is subject to the same penalties as those prescribed for the object of the attempt or conspiracy.269 Under the aggravated identity theft statute, access device fraud, as well as attempt and conspiracy to commit access device fraud, are underlying offenses.270 The access device statute may be used in conjunction with the aggravated identity theft statute271 and access device fraud may serve as an “underlying felony”272 to enable prosecutors to charge identity theft.
For example, while traveling throughout the United States and overseas, a defendant, Mario Bonilla, would install and hide a software program capable of recording and later transmitting keystrokes on computers located in hotel business centers.273 Bonilla used that software to illegally acquire log-in names, passwords, account data and other personal and financial information of hotel guests using those computers, without their knowledge or consent. Bonilla wound up with hundreds of pieces of personal identification information belonging to others. He used the information to access, via Internet and telephone, payroll, investment banking, and other financial and personal accounts belonging to others. Once he had access to the accounts, he diverted or transferred funds from those accounts to credit cards, debit cards, prepaid cards, bank and investment accounts he had created in his name and/or in the names of those whose personal identification information he obtained without their knowledge or approval. Bonilla used the stolen funds and unauthorized credit and debit cards for travel and to purchase luxury items. Bonilla was charged and convicted of a violation of 18 U.S.C. § 1029(a)(2), pertaining to “trafficking in or using one or more unauthorized access devices” (i.e., credit cards). “Aggravated identity theft” was charged because Bonilla had knowingly transferred, possessed, or used, without lawful authority, a means of identification of another person in order to violate the access device statute.274
265 Id. § 1029(c)(1)(A)(i).
266 Id. § 1029(c)(1)(A)(ii) (referring to 18 U.S.C. § 1029(a)(4), (5), (8), (9)).
267 Id. § 1029(c)(1)(B).
268 Id. § 1029(c)(1)(C).
269 Id. § 1049.
270 Id. § 1028A(c)(5).
271 Id. § 1028A.
272 Id. § 1028A(c)(4) (discussed above).
273 U.S. v. Bonilla, 579 F.3d 1233 (11th Cir. 2009).
274 18 U.S.C. § 1028A(a)(1). The access device crime is an “underlying felony” under 18 U.S.C. § 1028A(c)(4).
A Broad Scope of Term “Access Device”
Although “device” seems to signify a physical object, particularly one with some electronic or mechanical element, that is not the definition of “access device” in the statute, and a conviction does not depend on using a “device” as a layman might understand the term. In an action brought under the access device statute,275 the defendant, Jenkins, served as an inside connection at a Missouri bank, where she processed four fraudulent applications for loans and credit for a fictitious business, whose name she had made up, and directed electronic fund transfers to be deposited in newly opened accounts. The government proved that Jenkins knowingly and with intent to defraud effected transactions using one or more access devices to receive payments of more than $1000. It was shown that Jenkins had made up the name “Brooke Agency” and altered the dates of the establishment of the businesses to try to get the loan approved. Based on this evidence, the jury could reasonably find that Jenkins knowingly and with the intent to defraud engaged in access device fraud.
Jenkins argued that she used only counterfeit paper documents, and not an access device, to initiate the transactions, but the court did not accept this argument. Jenkins had opened two checking accounts using “Jane Doe’s” personal information and then submitted four fraudulent applications for business loans and other forms of credit, directing electronic fund transfers to be deposited in the newly opened accounts. The statutory language includes “account numbers” within the definition of access devices,276 and account numbers are a means of account access, which can be used alone or in conjunction with other access devices to initiate a transfer of funds. The government thus presented sufficient evidence to allow the jury to find that Jenkins effected fraudulent transactions with one or more access devices. The charge of access device fraud provided the necessary underlying felony to charge aggravated identity theft under 18 U.S.C. § 1028A.277
275 U.S. v. Jenkins-Watts, 574 F.3d 950 (8th Cir. 2009).
276 18 U.S.C. § 1029(e)(1).
277 Id. § 1028A(a)(1), (c)(4).
B Electronic Fund Transfer Act (EFTA)
Additional protection for consumers’ access devices is provided in the Electronic Funds Transfer Act.278 EFTA provides consumer protection for all transactions using a debit card or electronic means to debit or credit an account by, among other ways, limiting a consumer’s liability for unauthorized electronic fund transfers.279 In addition, the financial institution holding a consumer’s account must make documentation available to the consumer initiating an electronic transfer at an electronic terminal, which must identify the consumers’ accounts that are involved, and the identity of any third party to whom the funds are being transferred.280 A financial institution may issue, unsolicited, a device for electronic access to a consumer’s account only if it requires validation before it can be used, and validation may only be in response to a request or application from the consumer, upon verification of the consumer’s identity.281
C Components of Identity Crime Affected by Access Device Fraud Statute
Under the Identity Crime Model, several facets of identity crime are made illegal.
Acquisition: Under a statutory definition, “traffic” includes obtaining control with intent to transfer or dispose.282 Thus, some types of acquisition of access devices are criminalized.
Production: Covered by several elements of access device fraud, specifically parts dealing with production of counterfeit access devices, and production of device-making equipment.
Possession: Possession of 15 or more devices that are counterfeit or unauthorized access devices is illegal. Possession of device-making equipment is illegal.
Trafficking or Transfer: It is illegal to traffic in counterfeit devices, and to traffic in unauthorized devices and obtain over $1000-worth of payment or things. Trafficking in device-making equipment is also illegal. Unauthorized offering of an access device is illegal, as is selling an application to obtain a device, or information regarding a device.
278 15 U.S.C. §§ 1693-1693r (2006).
279 Id. § 1693g.
280 Id. § 1693d(a)(3), (a)(4).
281 Id. § 1693i(b)(1), (b)(4).
282 18 U.S.C. § 1029(e)(5) (2006).
Use: Various uses of access devices are forbidden by the statute.283 Any use of a counterfeit device is illegal, as is use of an unauthorized device to obtain something of value worth over $1000. Using another person’s access device to receive over $1000-worth of payments or things is criminalized. Causing a credit card issuer to bill a member of the credit card system, without authorization, is an illegal use.
283 See discussion of U.S. v. Jenkins-Watts, 574 F.3d 950 (8th Cir. 2009) and U.S. v. Bonilla, 579 F.3d 1233 (11th Cir. 2009) above.
6A.3.2 Computer Fraud
The federal law concerned with computer fraud284 contains specific elements closely related to identity theft. The statute protects information on “protected computers,” a term that simply means computers “protected” by this particular federal statute. “Protected computers” are those exclusively for the use of a financial institution or the U.S. government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the U.S. government. The conduct constituting the offense must affect that use by or for the financial institution or the government.285 Also, a “protected computer” is one used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.286
Under the law, anyone who intentionally accesses a computer without authorization or exceeds one’s authorized access, has violated federal law if he thereby:
1. obtains information contained in a financial record of a financial institution, or of a card issuer,287 or contained in a file of a consumer reporting agency on a consumer;288 or
2. obtains information from any department or agency of the United States; or
3. obtains information from any protected computer.289
It is generally also illegal under the law to access a U.S. government computer without authorization.290 Accessing any protected computer, without authorization, in order to commit fraud and obtaining something of value, is illegal under the statute.291 Causing damage to a protected computer because of unauthorized access is a violation,292 as is trafficking in passwords or similar information through which a computer may be accessed without authorization.293 Finally, the statute makes it illegal, with intent to extort from any person any money or other thing of value, to transmit in interstate or foreign commerce any communication containing:
1. any threat to cause damage to a protected computer;
2. a threat to obtain unauthorized information from a protected computer or impair the confidentiality of information obtained from such computer; or
3. a demand or request for money or some other thing of value in relation to damage to a protected computer, where such damage would be caused to facilitate the extortion.294
Computer fraud is one of the underlying felonies supporting a charge of aggravated identity theft.295 Evidence that a defendant attempted to commit computer fraud, sufficient for conviction of attempted computer fraud, has been held sufficient to support a conviction for aggravated identity theft.296 An indictment under the computer fraud and aggravated identity theft statutes was sufficient where it charged that the defendant slipped a date rape drug into a co-worker’s drink while they were on an interstate business trip, took photographs of her partially naked, unlawfully accessed protected computers,297 and sent false, fraudulent, and threatening e-mails in interstate or foreign commerce to co-workers and attached copies of the photographs.298 The identity fraud portion of the indictment contended that the defendant accessed the work e-mail accounts of former co-workers and sent a series of unauthorized e-mails under their names in an effort to disguise his identity.299 The e-mail charge, along with the charge of accessing protected computers, was the basis of the charge of aggravated identity theft.300
284 18 U.S.C. § 1030.
285 Id. § 1030(e)(2)(A).
286 Id. § 1030(e)(2)(B).
287 Id. § 1030(a)(2)(A). “Card issuer” means a credit card issuer. 15 U.S.C. § 1602(n) (2006).
288 18 U.S.C. § 1030(a)(2)(B). “Consumer reporting agency” and “consumer” are as defined in the Fair Credit Reporting Act, 15 U.S.C. §§ 1681n-1681o (2006).
289 18 U.S.C. § 1030(a)(2)(C).
290 Id. § 1030(a)(3).
291 Id. § 1030(a)(4).
292 Id. § 1030(a)(5).
293 Id. § 1030(a)(6).
294 Id. § 1030(a)(7).
295 Id. § 1028A(c)(4).
296 U.S. v. Wadford, 331 Fed. Appx. 198 (4th Cir. 2009).
297 The computers were used in foreign commerce.
298 U.S. v. Wadford, 331 Fed. Appx. 198.
299 Id.
300 Id.
CHAPTER 6
A Components of Identity Crime in the Computer Fraud Statute
Acquisition: Acquisition of identity information is a crime under the computer fraud statute,301 with the statute specifically mentioning obtaining information contained in a financial record of a financial institution, or of a credit card issuer, or contained in a file of a consumer reporting agency on a consumer.302 In addition, threatening to obtain unauthorized information from a protected computer or impair the confidentiality of information obtained from such computer is illegal.303
Production: Production of identity is not covered under 18 U.S.C. § 1030.
Possession: Possession per se is not illegal under 18 U.S.C. § 1030, although, since acquisition is illegal, it would seem that possession of acquired information would be strong evidence of acquisition.
Trafficking or Transfer: Trafficking in passwords or similar information through which a computer may be accessed without authorization is a crime under the computer fraud statute.304
Use: Not specifically covered.305 However, because computer fraud is an underlying felony of aggravated identity fraud,306 use may be prosecuted under the latter charge.307
6A.3.3 E-Mail Fraud
A statute that includes offenses for concealing one’s identity in e-mail was enacted in 2003 as part of the Can-Spam Act of 2003.308 The purpose of this legislation was to:
1. prohibit senders of electronic mail for primarily commercial advertisement or promotional purposes from deceiving intended recipients or Internet service providers as to the source or subject matter of their e-mail messages;
2. require such e-mail senders to give recipients an opportunity to decline to receive future commercial e-mail from them and to honor such requests;
301 See, e.g., U.S. v. Wadford, 331 Fed. Appx. 198 (involving e-mail addresses).
302 18 U.S.C. § 1030(a)(2) (2006).
303 Id. § 1030(a)(7).
304 Id. § 1030(a)(6).
305 Id. § 1030(a)(3), (4), (5).
306 Id. § 1028A(c)(4).
307 U.S. v. Wadford, 331 Fed. Appx. 198 (4th Cir. 2009).
308 Can-Spam Act of 2003, Pub. L. No. 108–187, 117 Stat. 2699 (Dec. 16, 2003) (codified at 18 U.S.C. § 1037). “Can-Spam” is an acronym for “Controlling the Assault of Non-Solicited Pornography and Marketing.”
Identity Crime Legislation in the United States
3. require senders of unsolicited commercial e-mail to also include a valid physical address in the e-mail message and a clear notice that the message is an advertisement or solicitation; and
4. prohibit businesses from knowingly promoting, or permitting the promotion of, their trade or business through e-mail transmitted with false or misleading sender or routing information.309
According to the Senate Report accompanying the bill, “Consumers who buy products offered through spam face numerous risks, including the exposure and sharing of sensitive personal information over the Internet, and credit card or identity theft.”310 Thus, a particular target of the bill was identity theft. Specifically, the statute prohibits knowingly:
1. accessing a protected computer without authorization, and intentionally initiating the transmission of multiple commercial electronic mail messages from or through such computer;
2. using a protected computer to relay or retransmit multiple commercial electronic mail messages, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages;
3. materially falsifying header information in multiple commercial electronic mail messages and intentionally initiating the transmission of such messages,
4. registering, by using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiating the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names; and
5. falsely representing oneself to be the registrant or the legitimate successor in interest to the registrant of 5 or more Internet Protocol addresses, and intentionally initiating the transmission of multiple commercial electronic mail messages from such addresses, or conspiring to do so.311
Header information or registration information, under the statute, is materially falsified if it is altered or concealed in a manner that would impair the ability of a recipient of the message, an Internet access service processing the message on behalf of a recipient, a person alleging a violation of the statute, or a law enforcement agency to identify, locate, or respond to a person who initiated the electronic mail message or to investigate the alleged violation.312
309 S. Rep. No. 108-102 (2003).
310 Id. at 5.
311 18 U.S.C. § 1037(a) (2006).
312 Id. § 1037(d)(2).
An example of such falsification occurred in a 2009 case, U.S. v. Kilbride.313 In that case, the defendants’ employees placed fictitious information in the headers of their bulk emails. One employee created nonsensical domain names and matched them with generic user names to generate a variety of nonfunctional email addresses. The addresses were placed in the “From” field of each email sent out. Another employee designed a program to generate nonfunctioning email addresses in the “From” field by combining the domain name used to send each email with the recipient of the email’s user name. The email address appearing in the “From” field and “Return-Path” field of the headers of the defendants’ emails differed, indicating at least one was false.314
The term of imprisonment under this statute is one year plus a fine, with enhancements to 3 or 5 years depending on certain factors, such as the volume of e-mail generated, the amount of money lost by victims, whether it was part of a conspiracy, whether the offense was committed as part of some other felony, and whether the violation included accessing of a protected computer.315 Penalties also include the forfeiture of gains from the crime.316 Any person who attempts or conspires to commit e-mail fraud is subject to the same penalties as that prescribed for the object of the attempt or conspiracy.317 Under the aggravated identity theft statute, e-mail fraud, as well as attempt and conspiracy to commit e-mail fraud, are underlying offenses.318
A Components of Identity Crime in the E-Mail Fraud Statute
Production: Materially falsifying header information in multiple commercial electronic mail messages and intentionally initiating the transmission of such messages is a form of production of false identity punishable by the act.319 Registering falsified e-mail accounts or domain names, and sending messages from such accounts or domain names is illegal.320
Acquisition: Falsely representing oneself to be the registrant or the legitimate successor in interest to a registrant of an Internet Protocol address, and intentionally initiating the transmission of multiple commercial electronic mail messages from such addresses, or conspiring to do so, is illegal.321
313 U.S. v. Kilbride, 584 F.2d 1240 (9th Cir. 2009).
314 Id. at 1244–45.
315 18 U.S.C. § 1037(b).
316 Id. § 1037(c).
317 Id. § 1049.
318 Id. § 1028A(c)(5).
319 Id. § 1037(a)(3).
320 Id. § 1037(a)(4).
321 Id. § 1037(a)(5).
Possession: Not covered by the act.
Trafficking or Transfer: Not covered by the act.
Use: Using a protected computer to relay or retransmit multiple commercial electronic mail messages, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages, is prohibited by the statute.322 Transmitting messages with altered headings, which constitutes the production of false identity, is a prohibited use.323 Sending messages from falsified accounts or domain names is illegal.324 Intentionally initiating the transmission of multiple commercial electronic mail messages from an Internet Protocol address to which one is not entitled is illegal.325
6A.3.4 Mail Fraud
“Mail fraud” is an act of fraud using the U.S. Postal Service, and is defined as “making false representations through the mail to obtain an economic advantage.”326 The mail fraud statute,327 in essence, criminalizes any use of the United States mail in furtherance of a scheme or artifice to defraud.328 Mail fraud is one of the underlying felonies for purposes of the aggravated identity theft statute.329 Thus, a scheme for receiving checks sent to others through the mail (mail fraud), and cashing the checks by assuming someone else’s identity (identity theft), may be punishable as both mail fraud and aggravated identity theft.330 Depositing checks meant for others into one’s own account by forging someone else’s name (a “means of identification” under the identity theft statute331) constitutes identity crime for the purposes of the aggravated identity theft statute;332 covering up those deposits by sending instructions to an out-of-state office of one’s company constitutes mail fraud; the two actions as part of a single scheme are sufficient to charge and convict a defendant of mail fraud and aggravated identity theft.333
322 Id. § 1037(a)(2).
323 Id. § 1037(a)(3).
324 Id. § 1037(a)(4).
325 Id. § 1037(a)(5).
326 Black’s Law Dictionary (9th ed. 2009).
327 18 U.S.C. §§ 1341, 1342 (2006).
328 The term “scheme or artifice to defraud” includes a scheme or artifice to deprive another of the intangible right of honest services. Id. § 1346.
329 Id. § 1028A(c)(5).
330 U.S. v. Pena, 380 Fed. Appx. 623 (9th Cir. 2010).
331 18 U.S.C. § 1028(d)(7).
332 Id. § 1028A(a)(1).
333 U.S. v. Blixt, 548 F.3d 882 (9th Cir. 2008).
The basic statute, entitled “Frauds and Swindles,” was passed in 1948 and has been amended periodically since then. The action made illegal is placing in any post office or authorized depository something to be sent or delivered by the U.S. Postal Service, or placing something with an authorized interstate carrier service to be sent or delivered. It is also illegal to receive something via one of these services. These actions are illegal if the thing being sent or received is for the purpose of executing, or attempting to execute, a scheme or artifice:
1. to defraud,
2. to obtain money or property by means of false or fraudulent pretenses, representations, or promises,
3. to sell, dispose of, loan, exchange, alter, give away, distribute, supply, or furnish or procure for unlawful use any real or purported counterfeit or spurious coin, obligation, security, or other article, for the purpose of executing such scheme or artifice or attempting so to do.
The penalty is a fine and/or imprisonment for up to 20 years.334 If the scheme or artifice relates to a presidentially declared major disaster or emergency, or affects a financial institution, the fine may be up to $1 million, and the imprisonment may be up to 30 years.
The second part of the mail fraud statute concerns “Fictitious name or address.”335 One who, in order to conduct a scheme or artifice as discussed above, uses a fictitious name, or takes on an assumed title, name, or address or a name other than one’s own proper name, or takes or receives from any post office or authorized depository of mail matter, any letter, postal card, package, or other mail matter addressed to other than a person’s proper name, is subject to fine and/or imprisonment up to 5 years.336 Any person who attempts or conspires to commit mail fraud is subject to the same penalties as that prescribed for the object of the attempt or conspiracy.337 Under the aggravated identity theft statute, mail fraud, as well as attempt and conspiracy to commit mail fraud, are underlying offenses.338
A Components of Identity Crime in Mail Fraud
This statute is primarily employed to prosecute the use of someone else’s identity, in conjunction with 18 U.S.C. § 1028A.339
334 18 U.S.C. § 1341.
335 Id. § 1342.
336 Id.
337 Id. § 1049.
338 Id. § 1028A(c)(5).
339 U.S. v. Pena, 380 Fed. Appx. 623 (9th Cir. 2010); U.S. v. Blixt, 548 F.3d 882 (9th Cir. 2008).
6A.3.5 Wire Fraud
“Wire fraud” is an act of fraud using electronic communications, such as by making false representations on the telephone to obtain money.340 The wire fraud statute341 criminalizes, in essence, any wire, radio, or television communication in interstate or foreign commerce in furtherance of a scheme or artifice to defraud. In the context of identity crimes, the statute can be used in prosecuting criminals for the acquisition, transfer, or use components of identity crime, as illustrated below.
The statute, entitled “Fraud by wire, radio, or television,” became part of the U.S. Code in 1948, and has been updated periodically since then. It criminalizes transmitting or causing to be transmitted writings, signs, signals, pictures, or sounds by means of wire, radio, or television communication in interstate or foreign commerce, for the purpose of executing a scheme or artifice. The scheme or artifice must be with the purpose of defrauding, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises.342 As with mail fraud, the penalty is a fine and/or up to 20 years in prison, or, if the scheme involved disaster relief, or affects a financial institution, up to a $1 million fine and/or up to 30 years’ imprisonment. Any person who attempts or conspires to commit wire fraud is subject to the same penalties as that prescribed for the object of the attempt or conspiracy.343 Under the aggravated identity theft statute, wire fraud, as well as attempt and conspiracy to commit wire fraud, are underlying offenses.344
The amount of electronic transmission sufficient to allow prosecutors to prosecute for wire fraud is quite minimal. In one case, a man, McNeil, acquired a driver’s license and identification card in the name of Ian P. Doe, but with a picture of himself. He opened a bank account in Doe’s name. Using information he obtained from a third party, he was able to request an income tax refund from the IRS using Doe’s social security number and McNeil’s bank account number established in the name of Doe. He received the refund from the IRS by way of an electronic transfer into the Doe/McNeil account. The electronic transfer to the bank was sufficient under this statute to present a case of wire fraud.345
340 Black’s Law Dictionary (9th ed. 2009).
341 18 U.S.C. § 1343.
342 Id. § 1343.
343 Id. § 1049.
344 Id. § 1028A(c)(5).
345 U.S. v. McNeil, 320 F.3d 1034 (9th Cir. 2003); see also discussion of bank fraud below.
In another case, defendant Mobley was found to have unlawfully used his wife’s identity during and in relation to a wire fraud. Mobley had used his wife’s social security number as part of an expansive scheme to defraud a bank, and as a regular part of that scheme he repeatedly engaged in interstate wire fraud by submitting online applications. Specifically, he submitted fraudulent applications under his wife’s name, using her social security number. Submission of the on-line applications constituted wire fraud, and, since his wife’s identity was used in the commission of the fraud, he could be charged with aggravated identity theft.346
A Components of Identity Crime in Wire Fraud
This statute primarily may be used to prosecute the use of stolen identity, as illustrated by the case above, although it might also be applicable to the acquisition or transfer of identity.
6A.3.6 Obtaining Confidential Phone Records
A criminal statute in the chapter on fraud and false statements347 prohibits knowingly and intentionally obtaining, or attempting to obtain, confidential phone records information of a telecommunications carrier, either by:
1. making false or fraudulent statements or representations to an employee of the carrier;
2. making such false or fraudulent statements or representations to a customer of the carrier;
3. providing a document to a carrier knowing that such document is false or fraudulent; or
4. accessing customer accounts of a carrier via the Internet, or by means of computer fraud, without prior authorization from the customer to whom such confidential phone records information relates.348
Violation of this statute is punishable by up to 10 years’ imprisonment and a fine.349 Also subject to the same punishment is knowingly and intentionally selling or transferring, or attempting to sell or transfer, confidential phone records information of a common carrier, without prior authorization from the customer to whom such confidential phone records information relates, or knowing or
346 U.S. v. Mobley, 618 F.3d 539 (6th Cir. 2010).
347 18 U.S.C. ch. 42.
348 Id. § 1039(a).
349 Id.
having reason to know such information was obtained fraudulently.350 Receipt of such information is also a crime, with the same penalty.351 The penalties will be enhanced if the acts are committed as part of a pattern of illegal activity, or if the criminal knows that that information will be used in furtherance of certain specified other crimes.352 Any person who attempts or conspires to obtain confidential phone records is subject to the same penalties as that prescribed for the object of the attempt or conspiracy.353 Under the aggravated identity theft statute, obtaining confidential phone records, as well as attempt and conspiracy to obtain confidential phone records, are underlying offenses.354
A Components of Identity Crime in Obtaining of Confidential Phone Records
The statute is one that implicates the acquisition component of the Identity Crime Model.
6A.3.7 Bank Fraud
“Bank fraud” is the criminal offense of knowingly executing, or attempting to execute, a scheme or artifice to defraud a financial institution, or to obtain property owned by or under the control of a financial institution, by means of false or fraudulent pretenses, representations, or promises.355 The statute criminalizes any execution, or attempt to execute, a scheme or artifice to defraud a federally insured financial institution, or to obtain any money under the control or custody of a federally insured financial institution, by using false or fraudulent pretenses, representations, or promises.356 Like the “financial institution” facets of mail fraud and wire fraud,357 the violation carries a fine of up to $1 million, and/or imprisonment up to 30 years. Any person who attempts or conspires to commit bank fraud is subject to the same penalties as that prescribed for the object of the attempt or conspiracy.358 Under the aggravated identity theft statute, bank fraud,
350 Id. § 1039(b).
351 Id. § 1039(c).
352 Id. § 1039(d), (e).
353 Id. § 1049.
354 Id. § 1028A(c)(5).
355 Black’s Law Dictionary (9th ed. 2009).
356 18 U.S.C. § 1344.
357 Id. §§ 1342–43.
358 Id. § 1049.
as well as attempt and conspiracy to commit bank fraud, are underlying offenses.359
The bank fraud statute has been used in a case of identity crime without the prosecution’s charging identity theft. In the McNeil case discussed above under “Wire Fraud,”360 the defendant, by having money wired to the bank from the Internal Revenue Service, was found not only to have committed wire fraud but also bank fraud. Although the bank did not suffer actual or potential loss, the defendant engaged in a course of deception toward the bank in order to transfer money from the IRS; the defendant had fraudulently applied for the refund under a stolen identity, and it was wired from a bank account that the defendant created under a stolen name to an account in his own name. Convictions of bank fraud and wire fraud were upheld. A more typical bank fraud scheme involving identity crime occurred when a defendant created fraudulent drivers’ licenses and other identifying documents in order to orchestrate counterfeit check cashing activities, the proceeds of which were deposited in his bank account or the account of another scheme leader’s girlfriend.361
A Components of Identity Crime in Bank Fraud
This statute primarily may be used to prosecute the use of stolen identity, although it might also be applicable, as shown in the Pham case,362 to the production of false identity when that is part of a scheme to commit the bank fraud.
B Other Related Statutes
Other statutes in the U.S. Code also pertain to banking transactions. For example, whoever, for the purpose of influencing in any way the action of the Federal Deposit Insurance Corporation, knowingly makes or invites reliance on a false, forged, or counterfeit statement, document, or thing is subject to imprisonment up to 30 years, and a $1 million fine, or both.363 In terms of identity crimes, doing any of these acts would amount to the use of a false identity. There are various prohibitions on bank employees improperly using their authority in monetary schemes. Such statutes prohibit improper certification of checks;364 issuing bank notes or other bank paper fraudulently or without
359 Id. § 1028A(c)(5).
360 U.S. v. McNeil, 320 F.3d 1034 (9th Cir. 2003) (discussed in Part 6A.3.5).
361 U.S. v. Pham, 545 F.2d 712 (9th Cir. 2008).
362 Id.
363 18 U.S.C. § 1007.
364 Id. § 1004.
authorization;365 making false entries in order to defraud the bank;366 receiving benefits from the United States as a result of improper bank activities;367 and fraud on a federal credit institution by an employee or officer of the institution.368 A statute specifically prohibits fraud and false statements in order to obtain Federal Housing Administration loans sanctioned by the Department of Housing and Urban Development, providing for imprisonment up to two years, and a fine.369 Another relates to federal land bank mortgage transactions, with punishment of up to one year in prison, plus a fine.370
6A.3.8 Health Care Fraud
The health care fraud statute371 was passed in 1996, and amended in 2010. The statute pertains to anyone who knowingly and willfully executes, or attempts to execute, a scheme or artifice to defraud any health care benefit program; or to obtain, by means of false or fraudulent pretenses, representations, or promises, any of the money or property owned by, or under the custody or control of, any health care benefit program. The scheme or artifice must be in connection with the delivery of or payment for health care benefits, items, or services. One who commits such fraud may be imprisoned up to 10 years and/or fined. If the violation results in serious bodily injury, the term of imprisonment may be up to 20 years. If the violation results in death, one may be imprisoned for life.372 A person need not have actual knowledge of the statute or specific intent to commit a violation of the statute in order to be convicted.373 In addition, one who makes false statements or covers up material facts in connection with the delivery of or payment for health care benefits, items, or services, may be imprisoned up to 5 years and fined.374 Any person who attempts or conspires to commit health care fraud is subject to the same penalties as that prescribed for the object of the attempt or conspiracy.375 Under the aggravated identity theft statute, health care fraud,
365 Id. § 1005.
366 Id.
367 Id.
368 Id. § 1006.
369 Id. § 1010.
370 Id. § 1111.
371 Id. § 1347.
372 Id. § 1347(a).
373 Id. § 1347(b).
374 Id. § 1035.
375 Id. § 1049.
as well as attempt and conspiracy to commit health fraud, are underlying offenses.376
A Components of Identity Crime in Health Care Fraud
The identity crime component of use of a false identity is the type of false pretense central to the crime of health care fraud.
6A.3.9 Immigration Fraud
Under a statute entitled “Fraud and misuse of visas, permits, and other documents,” when one is applying for a visa, permit, or other document required for entry into the United States, or for admission to the United States, one may not:
1. personate another,
2. falsely appear in the name of a deceased individual,
3. evade or attempt to evade the immigration laws by appearing under an assumed or fictitious name without disclosing one’s true identity,
4. sell or otherwise dispose of, or offer to sell or otherwise dispose of, or utter, such visa, permit, or other document, to any person not authorized by law to receive such document.377
The punishment under the statute is imprisonment up to 10 years for a first or second offense, 15 years for other offenses, 20 years if the act was to facilitate a drug trafficking crime, and 25 years if the act was to facilitate international terrorism. One may also be fined.378 One may be imprisoned up to 5 years for using, in connection with the section of the immigration law concerning the alien employment verification system:379 (1) an identification document, knowing, or having reason to know, that the document was not issued lawfully for the use of the possessor; or (2) an identification document knowing, or having reason to know, that the document is false, or (3) a false attestation.380 It is a criminal act knowingly, with intent to avoid any duty or liability imposed or required by law, to deny that one has been naturalized or admitted to be a citizen, after having been so naturalized or admitted.381 It is also illegal to attempt to use any certificate of arrival, declaration of intention, certificate of naturalization, certificate of citizenship or other documentary evidence of
376 Id. § 1028A(c)(5).
377 Id. § 1546(a).
378 Id. § 1546(a).
379 Id. § 1324a(b).
380 Id. § 1546(b).
381 Id. § 1015(b).
naturalization or of citizenship, or any duplicate or copy, knowing that it was procured by fraud or false evidence or without a required appearance or hearing of the applicant.382 One may not knowingly make any false certificate, acknowledgment or statement concerning the appearance before him or her, or the taking of an oath or affirmation or the signature, attestation or execution by any person on papers regarding immigration, naturalization, citizenship, or alien registration.383 One may not make any false statement or claim that one is, or at any time has been, a citizen or national of the United States, with the intent to obtain any federal or state benefit or service, or to engage unlawfully in employment in the United States.384 Nor may one make any false statement or claim of being a citizen of the United States in order to register to vote or to vote in any federal, state, or local election.385 Violation of the statute is punishable by up to 5 years imprisonment and a fine.386 Any person who attempts or conspires to commit immigration fraud is subject to the same penalties as that prescribed for the object of the attempt or conspiracy.387 Under the aggravated identity theft statute, immigration fraud, as well as attempt and conspiracy to commit immigration fraud, are underlying offenses.388
Immigration fraud involving identity crimes was the basis for charges against aliens working at the Swift Meat Packing Plant in Marshalltown, Iowa, which was raided by immigration authorities.389 The aliens were using aliases in their employment, and documents using those aliases, including a state identification card and a social security card. The aliens’ photographs were affixed to the identification cards. Swift had issued the aliens employee identification cards and employee numbers under their aliases. They were charged both with immigration fraud and with aggravated identity theft, and convicted of both.390 Evidence that a defendant’s employment eligibility and other personnel documents were improperly signed by the defendant was sufficient to support a defendant’s conviction for fraud and misuse of visas, permits, and other documents. However, a defendant must know that the documents she used
382 Id. § 1015(c).
383 Id. § 1015(d).
384 Id. § 1015(e).
385 Id. § 1015(f).
386 Id. § 1015.
387 Id. § 1049.
388 Id. § 1028A(c)(5), (c)(7).
389 U.S. v. Andrade-Rodriguez, 531 F.3d 721 (8th Cir. 2008).
390 Id.
in connection with employment belong to another person to be convicted of aggravated identity theft.391
A Components of Identity Crime in Immigration Fraud
Most of the immigration fraud statute is concerned with use of identification to obtain a status, such as employment, citizenship, or entry into the United States. However, the statute also criminalizes selling or otherwise disposing of a visa, permit, or other document, to any person not authorized by law to receive such document,392 thus implicating the Identity Crime Model category of transferring.
B Sentencing Guidelines
Under the U.S. Sentencing Guidelines, if the primary purpose of an offense under the identity crime statute, 18 U.S.C. § 1028, was to violate, or assist another to violate the law pertaining to naturalization, citizenship, or legal resident status, specific Sentencing Guidelines must be applied.393 Those guidelines pertain to:
1. trafficking in a document relating to naturalization, citizenship, or legal resident status, or a United States passport;394
2. false statements in respect to the citizenship or immigration status of another;395
3. fraudulent marriage to assist an alien to evade the immigration law;396
4. fraudulently acquiring documents relating to naturalization, citizenship, or legal resident status for own use;397
5. false personation or fraudulent marriage by an alien to evade immigration law;398 and
6. fraudulently acquiring or improperly using a United States passport.399
The Guidelines serve to increase the penalty for immigration crimes if other, related crimes are also shown.
391 U.S. v. Grajeda-Gutierrez, 372 Fed. Appx. 890 (10th Cir. 2010).
392 18 U.S.C. § 1546(a).
393 U.S. Sentencing Guidelines Manual § 2B1.1 cmt. n.9(B).
394 Id. § 2L2.1.
395 Id.
396 Id.
397 Id. § 2L2.2.
398 Id.
399 Id.
6A.3.10 Fraud against the United States Government
The first statute in Chapter 47 of Title 18 of the U.S. Code, entitled “Fraud and False Statements,” is the basic U.S. fraud statute.400 The statute provides criminal penalties for anyone who, in any matter within the jurisdiction of the executive, legislative,401 or judicial branch402 of the government of the United States, knowingly and willfully:
1. falsifies, conceals, or covers up a material fact by any trick, scheme, or device;
2. makes any materially false, fictitious, or fraudulent statement or representation; or
3. makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry.403
The punishment is up to 5 years in prison and a fine or, if the offense involves international or domestic terrorism,404 up to 8 years and a fine.405 The statute is intended to promote the smooth functioning of government agencies by ensuring that those who deal with government furnish information on which the government may confidently rely.406
A Components of Identity Crime in Fraud against the U.S. Government
Although other statutes may be better suited for the purpose, as discussed above, 18 U.S.C. § 1001 could be used in various matters involving concealment
400 18 U.S.C. § 1001 (2006).
401 As to the legislative branch, this only applies to (1) administrative matters, including a claim for payment, a matter related to the procurement of property or services, personnel or employment practices, or support services, or a document required by law, rule, or regulation to be submitted to the Congress or any office or officer within the legislative branch; or (2) any investigation or review, conducted pursuant to the authority of any committee, subcommittee, commission or office of the Congress, consistent with applicable rules of the House or Senate.
402 This does not apply to a party to a judicial proceeding, or that party’s counsel, for statements, representations, writings or documents submitted by such party or counsel to a judge or magistrate in that proceeding. 18 U.S.C. § 1001(b).
403 Id. § 1001(a).
404 As defined in 18 U.S.C. § 2331.
405 18 U.S.C. § 1001(a). The 8-year punishment also applies to offenses under certain other criminal laws when fraud is involved. Those laws involve sexual crimes and crimes against children (chapters 109A, 109B, 110) transportation for illegal sexual activity (chapter 117), and sex trafficking of children (18 U.S.C. § 1591).
406 U.S. v. Arcadipane, 41 F.3d 1 (1st Cir. 1994).
CHAPTER 6
of true identity if such concealment is considered a trick, scheme or device. Thus, this statute is primarily concerned with the use of such artifices. Related to the statute described above, a further law prohibits the possession of false papers with the intent to defraud the United States, in order to obtain money.407 This relates to the identity crime component of possession, and carries a term of imprisonment of up to 5 years, plus a fine.408 In addition, one who uses a false, forged or counterfeited power of attorney, authority, or instrument in order to demand or attempt to obtain U.S. government securities, or to have any annuity, dividend, pension, wages, gratuity, or other debt due from the United States, or any part thereof, is subject to imprisonment up to five years, and a fine.409
6A.3.11 Offenses Involving Social Security Cards and Numbers
Under federal statute, unauthorized use of a social security number by falsely representing that the number was assigned by the Commissioner of Social Security to him or to another person, when in fact the number was not so issued, is illegal if the number is used to obtain payment or a benefit to which a person is not entitled.410 The punishment is up to five years’ imprisonment and/or a fine, and restitution.411 Knowingly altering a social security card issued by the Commissioner of Social Security, buying or selling such a card, counterfeiting a Social Security card, or possessing a social security card or counterfeit social security card with intent to sell or alter it is also illegal and subject to the same punishment.412 The social security offenses described in this section are underlying felonies for purposes of the aggravated identity theft statute.413 Evidence that a defendant intends to alter a social security card found in his motel room is sufficient to support a conviction for knowingly possessing a social security card with intent to alter it under 42 U.S.C. § 408(a)(7)(C).414 The defendant’s wife, who was indicted as a coconspirator, testified that the defendant counterfeited currency by bleaching and scrubbing the ink off $1 bills and then printing an image of a $100 bill from his computer onto the
407 18 U.S.C. § 1002. 408 Id. § 1002. 409 Id. § 1003. 410 42 U.S.C. § 408(a)(7)(B) (2006). 411 Id. § 408(a), (b). 412 Id. § 408(a)(7)(C). 413 18 U.S.C. § 1028A(c)(11). 414 U.S. v. Persichilli, 608 F.2d 34 (1st Cir. 2010).
Identity Crime Legislation in the United States
blank currency paper. In addition, she testified that the defendant and a coconspirator discussed their plans to use someone else’s social security card and a birth certificate to obtain a driver’s license in a new name. There was evidence that the defendant had digital images of a social security card with altered numbering.415
A Components of Identity Crime in Social Security Offenses
In terms of the components of identity crime, this statute covers production, acquisition, possession, transfer, and use of a social security card. It appears, from the wording of the statute, that it covers synthetic identity, in that counterfeiting a social security card (production) and possession of such a card, with intent to sell, are illegal.
6A.3.12 Forgery
Forgery is the act of fraudulently making a false document or altering a real one to be used as if genuine.416 Various forgeries are federal crimes, but there is not one overarching crime of forgery that encompasses a broad array of activities. The United States Code groups crimes of forgery with crimes of counterfeiting.417 The latter group of these statutes, starting with section 493, regarding “bonds and obligations of certain lending agencies,”418 mentions forgery as part of a list of activities that are illegal when perpetrated against the United States. The list includes falsely making, counterfeiting, and altering, in regard to various specific items. Those items are: the bonds and obligations of certain lending agencies;419 contractors’ bonds, bids, and public records;420 contracts, deeds, and powers of attorney;421 documents required for importing goods;422 letters patent;423 military or naval discharge certificates;424 military, naval, or official passes;425 money orders;426 seals of U.S. departments or agencies;427
415 Id. at 36-37. 416 Black’s Law Dictionary (9th ed. 2009). 417 18 U.S.C. §§ 470–514. 418 Id. § 493. 419 Id. § 493. 420 Id. § 494. 421 Id. § 495. 422 Id. § 496. 423 Id. § 497. 424 Id. § 498. 425 Id. § 499. 426 Id. § 500. 427 Id. § 506.
transportation requests of the U.S. government;428 and endorsements on Treasury checks or bonds or securities of the United States.429 Various postal offenses are illegal, whether they involve the U.S. or some other government: forging postage stamps, postage meter stamps, and postal cards;430 forging postage and revenue stamps of foreign governments;431 and postmarking stamps.432 Forging seals of court or a signature of a judge or court officer of any court in the United States,433 and forging a ship’s papers for a ship under the authority of the United States,434 are illegal. One may not make or pass as genuine a false or fictitious instrument, document, or other item appearing to be an actual security or other financial instrument issued under the authority of a government or an organization, when the intent is to defraud.435 Knowingly removing, obliterating, tampering with, or altering an identification number for a motor vehicle or motor vehicle part; or, with intent to further the theft of a motor vehicle, doing the same to a decal or device affixed to a motor vehicle, is an offense subject to a fine and/or five years in prison.436 Affixing to a motor vehicle a theft prevention decal or other device, or a replica unless authorized to do so, is subject to a fine of up to $1000.437 The federal forgery statutes are only remotely concerned with identity crime. Acts of forgery are not underlying felonies under the aggravated identity theft statute.438 However, state statutes provide more direct linkage. For instance, under the Texas statute, “forgery” encompasses altering, making, completing, executing, or authenticating any writing so that it purports to be the act of another who did not authorize that act.439 It is easy to see how forgery, as described, can also be identity crime, in that one person forges a writing and holds it out to be the writing of another person.
428 Id. §§ 508–09. 429 Id. § 510. 430 Id. § 501. 431 Id. § 502. 432 Id. § 503. 433 Id. § 505. 434 Id. § 507. 435 Id. § 514. 436 Id. § 511. 437 Id. § 511A; see also Id. § 512 (addressing the forfeiture of vehicles or parts upon which the VIN has been tampered with). 438 Id. § 1028A. 439 Tex. Penal Code Ann. § 32.21(a)(1)(A)(i) (West 2012) (discussed in the state statutory sections below).
A Components of Identity Crime under Forgery Statutes
The federal forgery statute is only remotely connected with identity crimes, although the state statutes may cover a broader range of forgeries, as illustrated by the Texas statute. Under such a statute, forgery would involve the production of an identity document, which must be associated with another person.
6A.3.13 Theft; Larceny
Theft is the felonious taking and removing of another’s personal property with the intent of depriving the true owner of it. Broadly, it is any act or instance of stealing, including larceny, burglary, embezzlement, and false pretenses.440 The U.S. Code groups “theft” with “embezzlement,” and makes both theft and embezzlement federal crimes when performed under particular circumstances involving the federal government, or involving employee benefit plans.441 Some crimes involving theft or larceny are punished more severely when they are combined with identity crimes under the aggravated identity theft statute,442 discussed above.
Specifically, the identity theft must be “during and in relation to” the non-identity-related theft or embezzlement.443 The thefts specified by the statute are theft of public money, property or rewards;444 theft, embezzlement or misapplication by a bank officer or employee;445 and theft from an employee benefit plan.446 Statistics place employment-related identity crime as the third leading type of identity crime in the United States, following credit card fraud and fraud for the purpose of obtaining government benefits.447 In that regard, the federal theft statute states that any person who embezzles, steals, or unlawfully and willfully abstracts or converts to his own use or to the use of another, any of the moneys, funds, securities, premiums, credits, property, or other assets of any employee welfare benefit plan or employee pension benefit plan, or of any fund connected with an employee benefit plan, is criminally liable.448 As stated in the
440 Black’s Law Dictionary (9th ed. 2009). 441 18 U.S.C. §§ 641 to 669. 442 Id. § 1028A. 443 Id. § 1028A(a)(1), (c)(1). 444 Id. § 641. 445 Id. § 656. 446 Id. § 664. 447 Federal Trade Commission, Consumer Sentinel Network Data Book for January-December 2008, (Feb. 2009) [hereinafter “FTC 2009 Data Book”], available at http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2008.pdf. 448 18 U.S.C. § 664.
previous paragraph, the liability is greater when identity crime is also involved and charges are brought under the aggravated identity theft statute.449 State laws are more expansive when dealing with theft, such as New York’s law, which criminalizes the stealing of property when, with intent to deprive another of property or to appropriate the same to himself or to a third person, one wrongfully takes, obtains or withholds such property from an owner.450
A Components of Identity Crime under Theft and Larceny Statutes
Under the federal theft and larceny statutes, the acquisition of someone else’s identity may be considered a theft that can be prosecuted under federal law if it involves the circumstances outlined in the statute, namely, involving the federal government in various ways, or involving an employee benefit plan. Use of identity documents is also covered, in that penalties are increased when identity crime occurs “during and in relation to” other crimes that may involve a degree of deception. Employee benefit plans receive particular attention in this statute, and the use of false identity is a means of obtaining benefits from such plans.
6A.4 Civil Statutes to Prevent Identity Crimes and Recover Identity
6A.4.1 Fair and Accurate Credit Transactions Act
The United States, as well as certain of the states, has implemented extensive rules and procedures to prevent identity crime and to warn victims of its occurrence. The primary federal statute providing such protection is called the Fair and Accurate Credit Transactions Act of 2003 (FACTA).451 The statute adds identity crime protections to the Commerce and Trade title of the United States Code,452 which chiefly serves to outline the powers of the Federal Trade Commission. The sections most relevant to identity crime are a section called “Identity Theft Prevention; Fraud Alerts and Active Duty Alerts,”453 which pertains
449 Id. § 1018A(c)(1). 450 N.Y. Penal Law § 155.05 (McKinney 2012); see also Cal. Penal Code § 484 (West 2012). 451 Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108–159, 117 Stat. 1952 (2003) (codified as amended in scattered sections of 15 U.S.C. §§ 1681a-1681x). 452 15 U.S.C. §§ 1-8495 (2006). 453 Fair and Accurate Credit Transactions Act of 2003 § 112 (codified at 15 U.S.C. § 1681c-1).
to consumer reporting agencies, and a section entitled “Establishment of Procedures for the Identification of Possible Instances of Identity Theft,”454 dealing with identity theft “Red Flags” that financial institutions and creditors must look out for.455
A Consumer Reporting Agencies’ Responsibilities
1 One-Call Fraud Alerts (Initial Fraud Alerts)
A section of the FACTA statute is called “One-Call Fraud Alerts.”456 The derivation of the title is not discussed in the statute, but it apparently refers to the fact that a consumer need make a call to only one consumer reporting agency in order to initiate action to protect himself from identity theft and related crimes. The agency called must then make sure that other such agencies are alerted. The U.S. Code provides that when a consumer or his representative asserts in good faith a suspicion that the consumer has been or is about to become a victim of fraud or related crime, including identity theft, a consumer reporting agency that maintains a file on the consumer and has received appropriate proof of the identity of the requester must:
1. include a fraud alert in the file of that consumer. The consumer reporting agency must also provide that alert along with any credit score generated in using that file, for a period of at least 90 days, beginning on the date of the request, unless the consumer requests it to be removed before 90 days, and the agency receives appropriate proof of the identity of the requester for such purpose.
2. refer the information to all other consumer reporting agencies.457
A consumer reporting agency is an agency that regularly engages in the practice of assembling or evaluating, and maintaining, each of the following regarding consumers residing nationwide: (1) public record information, and (2) credit account information from persons who furnish that information regularly and in the ordinary course of business. The information maintained by the consumer reporting agency is for the purpose of furnishing consumer reports to third parties bearing on a consumer’s creditworthiness, credit standing, or credit capacity.458
454 Id. § 114. 455 15 U.S.C. § 615(e) (2006). 456 Id. § 1681c-1(a). 457 Id. § 1681c-1(a)(1). 458 Id. § 1681a(p).
If a consumer contacts a consumer reporting agency of some other type, one that is not described above, to communicate a suspicion that the consumer has been or is about to become a victim of fraud or related crime, including identity theft, the agency must provide information to the consumer on how to contact the FTC and the consumer reporting agencies described above, to obtain more detailed information and request alerts.459
2 Access to Free Reports
Whenever a consumer reporting agency includes a fraud alert in the file of a consumer, the agency must inform the consumer of the availability of a free copy of his or her file; and provide to the consumer certain required disclosures, without charge to the consumer. The report and disclosure must be provided within three business days after a request.460
3 Notification
Each initial fraud alert, as well as an active duty alert (discussed below), must include information that notifies all companies that might use a consumer report on the consumer that the consumer does not authorize:
1. the establishment of any new credit plan or extension of credit, other than under an open-end credit plan, in the name of the consumer, or
2. issuance of an additional card on an existing credit account requested by a consumer, or
3. any increase in credit limit on an existing credit account requested by a consumer.461
A “consumer report” is any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living meant to be used to establish a consumer’s eligibility for, among other purposes, and subject to exclusions:
1. credit or insurance to be used primarily for personal, family, or household purposes; or
2. employment purposes.462
An “open end credit plan” is a plan under which:
1. the creditor reasonably contemplates repeated transactions,
2. the plan prescribes the terms of such transactions, and
3. the plan provides for a finance charge computed from time to time on the outstanding unpaid balance.463
459 Id. § 1681c-1(g). 460 Id. § 1681c-1(a)(2). 461 Id. § 1681c-1(h)(1)(A). 462 Id. § 1681a(d).
4 Limitations on Companies Using Consumer Reports
If a consumer report includes an initial fraud alert (or an active duty alert, as described below464), a company using that report in order to grant credit may not grant specific types of credit unless it has policies leading it to a reasonable belief that the person making the request is actually the consumer. Specifically, the company cannot:
1. establish a new credit plan or an extension of credit, other than under an open end credit plan, in the name of the consumer;
2. issue an additional card on an existing credit account requested by a consumer; or
3. grant any increase in credit limit on an existing credit account requested by a consumer.465
5 Verification of Consumer’s Identity
If the consumer requesting the alert gave a telephone number for identification verification purposes before authorizing any new credit, a company using the consumer report must contact the consumer using that number, or take other reasonable steps to verify the consumer’s identity. The company must confirm that the application for a new credit plan is not the result of identity crime.466
B Extended Alerts
When a consumer submits an identity theft report to a consumer reporting agency, and the agency has received appropriate proof of the identity of the requester, the agency must:
1. include a fraud alert in the file of that consumer;467
2. provide that alert along with any credit score generated in using that file, during the seven-year period beginning on the date of the request, unless the consumer requests that the alert be removed before the end of the period and the agency receives appropriate proof of the identity of the requester;468
3. for five years from the date of the request, exclude the consumer from any list of consumers prepared by the agency and provided to any third party wishing to offer credit or insurance to the consumer as part of a transaction that was not initiated by the consumer, unless the consumer requests that the exclusion be rescinded before the end of the five years;469 and
4. refer the information regarding the extended fraud alert to other consumer reporting agencies, in accordance with appropriate procedures.470
463 Id. § 1602(i). 464 See Part 6A.4.1(b)(4). 465 15 U.S.C. § 1681c-1(h)(1)(B)(i). 466 Id. § 1681c-1(h)(1)(B)(ii). 467 Id. § 1681c-1(b)(1)(A). 468 Id.
1 Notification
An extended alert must include information that provides any prospective user of a consumer report relating to a consumer with notification that the consumer does not, unless properly verified (see below), authorize:
1. the establishment of any new credit plan or extension of credit, other than under an open-end credit plan (defined above), or
2. issuance of an additional card on an existing credit account requested by the consumer, or
3. any increase in credit limit on an existing credit account requested by the consumer.471
The extended alert must include a telephone number or other reasonable contact method designated by the consumer.472
2 Limitations on Companies Using Consumer Reports
If a consumer report includes an extended fraud alert, a company using the report may not, unless authorized:
1. establish a new credit plan or extension of credit, other than under an open-end credit plan (defined above), in the name of the consumer; or
2. issue an additional card on an existing credit account requested by the consumer; or
3. increase the credit limit on an existing credit account requested by the consumer.
3 Verification of Consumer’s Identity
The company using the report is not authorized to do any of the above unless the company contacts the consumer in person, or using the verification
469 Id. § 1681c-1(b)(1)(B). 470 Id. § 1681c-1(b)(1)(C). 471 Id. § 1681c-1(h)(2)(A)(i). 472 Id. § 1681c-1(h)(2)(A)(ii).
method described above (pertaining to initial fraud reports), to confirm that the request is not made by someone who committed identity crime.473
4 Active Duty Military Personnel (Active Duty Alerts)
Special procedures apply to active duty military personnel.474 If requested, a consumer reporting agency must include an active duty alert in the file of any active duty military consumer, and provide the alert along with any credit score generated in using that file. The alert must be provided for at least 12 months, or such longer period if required by the FTC, beginning on the date of the request, unless the active duty military consumer requests that the alert be removed before the end of that period, and the agency receives proof of the identity of the requestor.475 For two years from the date of the request, the agency must exclude the active duty military consumer from any list of consumers provided to any third party to offer credit or insurance to the consumer as part of a transaction that was not initiated by the consumer, unless the consumer requests that such exclusion be rescinded before the end of the two years.476 The agency must refer the information regarding the extended fraud alert to other consumer reporting agencies, in accordance with appropriate procedures.477 An active duty alert must notify companies using consumer reports in the same manner as notifications in initial fraud alerts.478 Companies using consumer reports to decide whether to extend credit are limited by active duty alerts the same as they are limited by initial fraud alerts.479 An “active duty alert” is a statement in the file of a consumer that notifies all prospective users of a consumer report that the consumer is an active duty military consumer. An “active duty military consumer” is a consumer in military service that is on active duty or is a reservist performing duty under a call or order to active duty, and is assigned to service away from the usual duty station of the consumer.
473 Id. § 1681c-1(h)(2)(B). 474 Id. § 1681c-1(c). 475 Id. § 1681c-1(c)(1). 476 Id. § 1681c-1(c)(2). 477 Id. § 1681c-1(c)(3). 478 Id. § 1681c-1(h)(1)(A) (discussed above). 479 Id. § 1681c-1(h)(1)(B) (discussed above).
C Procedures Must Be Developed by Agencies
Every consumer reporting agency must establish policies and procedures to comply with these requirements, including procedures that inform consumers of the availability of initial, extended, and active duty alerts and procedures that allow consumers to request initial, extended, or active duty alerts, as applicable, in a simple and easy manner, including by telephone.480
D Referrals from Other Agencies
When a consumer reporting agency receives a referral of a fraud alert or active duty alert from another consumer reporting agency, it must treat the referral as though the agency received the request from the consumer directly.481 A reseller must include in its report any fraud alert or active duty alert placed in the file of a consumer by another consumer reporting agency.482 A “reseller” is a consumer reporting agency that assembles and merges information contained in the database of other consumer reporting agencies concerning any consumer in order to sell such information to a third party. A reseller does not maintain a database of the assembled or merged information from which new consumer reports are produced.483
E Responsibility to Block Information Derived from Identity Theft
A consumer reporting agency must block the reporting of any information in the file of a consumer who reports the information as having resulted from identity crime. The blocking must take place no more than four business days after the agency receives:
1. appropriate proof of the identity of the consumer;
2. a copy of an identity theft report;
3. the identification of such information by the consumer; and
4. a statement by the consumer that the information is not information relating to any transaction by the consumer.484
The consumer reporting agency must promptly notify whoever furnished such information of the effective dates of the block, and that:
1. the information may be a result of identity theft;
2. an identity theft report has been filed; and
3. a block has been requested.485
480 Id. § 1681c-1(d). 481 Id. § 1681c-1(e). 482 Id. § 1681c-1(f). 483 Id. § 1681a(u). 484 Id. § 1681c-2(a). 485 Id. § 1681c-2(b).
The consumer reporting agency may refuse to block, or may rescind the block, if it determines:
1. the information was blocked in error or a block was requested by the consumer in error;
2. the consumer lied in order to have the information blocked; or
3. the consumer obtained possession of goods, services, or money as a result of the blocked transaction.486
If a block of information is declined or rescinded, the affected consumer must be notified promptly, in writing (or by other means, if authorized by the consumer), not later than five business days after the decline or rescission of the block.487 If a consumer reporting agency rescinds a block, the presence of information in the file of a consumer prior to its blocking is not evidence that the consumer knew that he or she obtained possession of goods, services, or money as a result of the block.488 Certain resellers (defined above) are exempted from these requirements,489 and the requirements usually do not apply to check verification companies.490 Consumer reporting agencies are not required to prevent law enforcement agencies from accessing blocked information in a consumer file to which the agency could otherwise obtain access.491
F Disposal of Consumer Information
Under regulations put out by federal banking agencies and the FTC, any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose, must properly dispose of any such information or compilation.492
G Responsibilities of Financial Institutions and Creditors (Red Flag Rules)
1 Congressional Mandate
The Red Flag Rules, outlining indications of identity theft that a bank or creditor must note, and act upon, were authorized by Congress under the Fair and Accurate Credit Transactions Act of 2003 (FACTA) in 2003. The statute requires
486 Id. § 1681c-2(c)(1). 487 Id. § 1681c-2(c)(2). 488 Id. § 1681c-2(c)(3). 489 Id. § 1681c-2(d). 490 Id. § 1681c-2(e). 491 Id. § 1681c-2(f). 492 Id. § 1681w(a)(1).
federal banking agencies, the National Credit Union Administration, and the Federal Trade Commission to jointly provide regulations, dubbed the “Red Flag Rules,”493 that must be followed by banks and other creditors.494 The regulations must establish reasonable policies and procedures for implementing the guidelines, and to identify possible risks to account holders or customers, or to the safety and soundness of the institution or customers.495 In particular, Congress requires regulations to ensure that, if a credit card issuer receives notification of a change of address for an existing account, and within 30 days receives a request for an additional or replacement card for the same account, the card issuer may not issue the new card unless the card issuer promptly notifies the cardholder.496 The agencies responsible for the Red Flag Rules must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity crime.497 A Red Flag is a pattern, practice, or specific activity that indicates the possible existence of identity crime.498
2 Effective Date
Although Congress wanted the Red Flag rule to become effective sooner, its enforcement had been delayed until December 31, 2010.499
A Who Must Comply with the Red Flag Rules
The need for compliance with the Red Flag Rules is widely known among industries affected by the rules, and an Internet search of the terms “Red Flag” and FTC will reveal a large number of organizations seeking to help implement the rules, with names such as SecureWorks.com, IntegraSystems.net, and Veratad.com. Such a search also reveals entities outside of the financial sector
493 Note that the statute mandating red flags calls them “guidelines”; FTC literature refers to them as “rules.” 494 15 U.S.C. § 1681m(e)(1)(A). 495 Id. § 1681m(e)(1)(B). 496 Id. § 1681m(e)(1)(C). 497 Id. § 1681m(e)(2). 498 16 C.F.R. § 681.1(b)(9) (2011). 499 See Fighting Fraud with the Red Flag Rules, FTC, http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml (last visited Mar. 17, 2011). According to the site, on December 18, 2010, President Obama signed into law the Red Flag Program Clarification Act. Red Flag Program Clarification Act of 2010, Pub. L. No. 111–319, 124 Stat. 3457 (codified as amended at 15 U.S.C. § 1681m(e)(4)). The new law limits the circumstances in which creditors are covered by the Red Flags Rule. The FTC is revising the materials on its website to reflect the change in the law.
that expect to be required to implement a Red Flag program. For example, the American Veterinary Medical Association warns its members that they may need to comply with the Red Flag Rules if they are “creditors” with at least one “covered account,” as defined below.500 Colleges are warned that the Red Flag Rules will affect them.501 County commissioners have been told that, if they “provide emergency transport/ambulance service, utilities and other services for a fee, they are required to take action if they have not already done so.”502 The Red Flags Rules apply to financial institutions and creditors with covered accounts.503
1. A financial institution is:
   a) a state or national bank,
   b) a state or federal savings and loan association,
   c) a mutual savings bank,
   d) a state or federal credit union, or
   e) any other entity that holds a transaction account belonging to a consumer.504
2. A transaction account is a deposit or other account from which the owner makes payments or transfers, including
   a) checking accounts,
   b) negotiable order of withdrawal accounts,
   c) savings deposits subject to automatic transfers, and
   d) share draft accounts.
3. A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include:
   a) finance companies
   b) automobile dealers
   c) mortgage brokers
   d) utility companies
   e) telecommunications companies
   f) non-profit and government entities that defer payment for goods or services505
4. A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include:
   a) credit card accounts
   b) mortgage loans
   c) automobile loans
   d) margin accounts
   e) cell phone accounts
   f) utility accounts
   g) checking accounts
   h) savings accounts
   i) accounts for which there is a foreseeable risk of identity crime – for example, small business or sole proprietorship accounts.506
3 Complying with the Rules
Under the Red Flag Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity crime. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.507
4 Specific Indications of Identity Theft
It is up to each covered entity to create its own set of red flags based on its own experience. The only requirement is that each institution maintains a list of red flags and implements that list. Red flags should be based on:
500 Guide for Veterinary Practices to Comply with FTC “Red Flag” Rules, American Veterinary Medical Association, https://www.avma.org/PracticeManagement/Administration/Pages/Guide-for-Veterinary-Practices-to-Comply-with-FTC-Red-Flags-Rule.aspx (last updated Jan. 2011). 501 Elizabeth B. Meers & Daniel S. Meade, FTC’s Red Flag Rule Likely to Affect Colleges, NACUBO (Sept. 23, 2008), http://www.nacubo.org/Initiatives/Initiatives_News/FTCs_Red_Flag_Rule_Likely_to_Affect_Colleges.html. 502 FTC Red Flag Rules, Association of County Commissioners of Georgia, http://www.accg.org/content.asp?ContentId=978 (last visited Feb. 11, 2012). 503 “Red Flag Rules”, TX Dept. of Mortgage Lending, http://www.sml.texas.gov/tdsml_red_flag_rules.html (last visited Oct. 31, 2012). 504 Id. 505 Id. 506 Id. 507 Id.
1. The types of covered accounts the entity offers or maintains;
2. The methods it provides to open its covered accounts;
3. The methods it provides to access its covered accounts; and
4. Its previous experiences with identity crime.508
While it is up to each institution to come up with its own red flags, the regulations adopted by the agencies responsible for the red flag rule suggest categories of information that might indicate that an account should be red-flagged. Each of those categories is accompanied by a list of specific indicia that might mean that an account may have an identity crime problem. The categories are indicated by the headings below.509
a Alerts, Notifications or Warnings from a Consumer Reporting Agency
Financial institutions and creditors may consider the following to be Red Flags.
1. A fraud or active duty alert is included with a consumer report.510
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.511
3. A consumer reporting agency provides a notice of address discrepancy. A notice of address discrepancy is a notice sent to a user by a consumer reporting agency that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address in the agency’s file for the consumer.512
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
a) A recent and significant increase in the volume of inquiries;
b) An unusual number of recently established credit relationships;
c) A material change in the use of credit, especially with respect to recently established credit relationships; or
d) An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
508 16 C.F.R. pt. 681 app. A(ii)(a) (2011).
509 Id. pt. 681 app. A supp. A.
510 As to the definition of a “consumer report,” see §16A.2.
511 As to the definition of a “consumer reporting agency,” see §16A.2.
512 16 C.F.R. § 641.1(b).
b Suspicious Documents
Financial institutions and creditors may also consider the following to be Red Flags.
1. Documents provided for identification appear to have been altered or forged.
2. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
3. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
4. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
5. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
c Suspicious Personal Identifying Information
Financial institutions and creditors may also consider the following to be Red Flags.
1. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
a) The address does not match any address in the consumer report; or
b) The social security number has not been issued, or is listed on the Social Security Administration’s Death Master File.
2. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
3. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a) The address on an application is the same as the address provided on a fraudulent application; or
b) The phone number on an application is the same as the number provided on a fraudulent application.
4. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a) The address on an application is fictitious, a mail drop, or a prison; or
b) The phone number is invalid, or is associated with a pager or answering service.
5. The SSN provided is the same as that submitted by other persons opening an account or other customers.
6. The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or by other customers.
7. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
8. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
9. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
d Unusual Use of, or Suspicious Activity Related to, the Covered Account
Financial institutions and creditors may also consider the following to be Red Flags.
1. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
2. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
a) The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b) The customer fails to make the first payment or makes an initial payment but no subsequent payments.
3. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
a) Nonpayment when there is no history of late or missed payments;
b) A material increase in the use of available credit;
c) A material change in purchasing or spending patterns;
d) A material change in electronic fund transfer patterns in connection with a deposit account; or
e) A material change in telephone call patterns in connection with a cellular phone account.
4. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
5. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
6. The financial institution or creditor is notified that the customer is not receiving paper account statements.
7. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.
e Notification that a Fraudulent Account Has Been Opened
The final category indicating identity crime is when a financial institution or creditor is notified by a customer, a victim of identity crime, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity crime.
5 Preventing and Mitigating Theft
The regulations suggest appropriate responses to the Red Flags that the financial institution or creditor has detected, depending upon the degree of risk posed.513 In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity crime. Such an event may be a data security incident that results in unauthorized access to a customer’s account records. Or an institution or creditor may receive notice that a customer has provided information related to a covered account to someone fraudulently claiming to represent the entity, or to a fraudulent website. Appropriate responses may include the following:
1. Monitoring an account for evidence of identity theft;
2. Contacting the customer;
3. Changing any passwords, security codes, or other security devices that permit access to the account;
4. Reopening the account with a new account number;
5. Not opening a new account;
6. Closing the existing account;
7. Not attempting to collect on the account or not selling a covered account to a debt collector;
8. Notifying law enforcement; or
9. Determining that no response is warranted under the particular circumstances.
513 16 C.F.R. Pt. 681 app. A(iv).
6A.4.2 Other Statutes Pertaining to Information on Consumers
In addition to the Fair and Accurate Credit Transactions Act (FACTA),514 other U.S. statutes include provisions to protect the privacy information of consumers.
A Electronic Fund Transfer Act
The Electronic Fund Transfer Act515 (EFTA) was passed in 1978 at a time when the use of electronic systems to transfer funds was starting to take hold; however, due to the unique characteristics of such systems, the application of existing consumer protection legislation was found by Congress to be unclear, “leaving the rights and liabilities of consumers, financial institutions, and intermediaries in electronic fund transfers undefined.”516 The purpose of the law is to provide a basic framework establishing the rights, liabilities, and responsibilities of participants in electronic fund and remittance transfer systems.517 The law requires banks to make extensive disclosures to customers about specific electronic fund transfer (EFT) transactions.518 Banks must notify customers of their rights, liabilities, charges, and procedures connected with EFT services, and who to contact if an unauthorized transfer is suspected. For preauthorized periodic transfers, the bank must provide either notice as to whether payments are being made on schedule. Banks must provide detailed procedures for the resolution of any inaccuracies in customer accounts, and are liable for their errors in transmitting or documenting transfers.519
514 See Part 6A.4.1.
515 15 U.S.C. §§ 1693-1693r.
516 Id. § 1693(a).
517 Id. § 1693(b).
518 See BBBOnLine, Inc. & The Council of Better Business Bureaus, Inc., A Review of Federal and State Privacy Laws (n.d.), available at http://tcclawgroup.com/fed_statePrivLaws.pdf.
519 Id.
B Equal Credit Opportunity Act
The Equal Credit Opportunity Act520 (ECOA) restricts inquiries into a credit applicant’s sex, race, color, religion, or marital status.521 It prohibits the retention and preservation of certain information by creditors and requires the preservation of certain specified records relating to credit transactions. The ECOA regulates the manner in which information collected by creditors may be used in making decisions regarding the extension of credit. It requires that, when credit is denied or revoked, the applicant must be either notified of the reasons for the decision or informed of his or her right to learn the reasons. In a suit brought for violations of the Equal Credit Opportunity Act, successful plaintiffs may recover actual damages, punitive damages, attorney fees and court costs. Individual or class action suits may be maintained.
C Fair Credit Billing Act
The Fair Credit Billing Act522 (FCBA) was passed in 1974, and requires creditors, at the request of individual consumers, to investigate alleged billing errors and provide documentary evidence of the individual’s indebtedness.523 It prohibits creditors from taking action against individuals as to disputed debts while the disputes are under investigation. The FCBA also imposes criminal liability on any person who knowingly and willfully gives false or inaccurate information, fails to disclose required information, or otherwise violates any requirement of the act.
D Fair Debt Collection Practices Act
The Fair Debt Collection Practices Act,524 passed in 1977, limits the communications that debt collection agencies may make about the debtors whose accounts they are attempting to collect.525 It is intended to curtail abusive, deceptive, and unfair debt collection practices, which “contribute to the number of personal bankruptcies, to marital instability, to the loss of jobs, and to invasions of individual privacy.”526 It prohibits communication with a consumer in connection with the collection of a debt at unusual times or places; if the debt
520 15 U.S.C. §§ 1691-1691f.
521 See A Review of Federal and State Privacy Laws, supra note 1341.
522 15 U.S.C. §§ 1666-1666j.
523 See A Review of Federal and State Privacy Laws, supra note 1341.
524 15 U.S.C. §§ 1692-1692p.
525 See A Review of Federal and State Privacy Laws, supra note 1341.
526 15 U.S.C. § 1692(a).
collector knows that the consumer is represented by an attorney with respect to the debt; or at the consumer’s place of employment if the debt collector has reason to know that the employer prohibits the consumer from receiving such communication.527
E Financial Services Modernization Act (Gramm-Leach-Bliley Act)
The Financial Services Modernization Act of 1999,528 also called the Gramm-Leach-Bliley Act, makes it “the policy of Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”529 Thus, various agencies530 must establish appropriate standards for financial institutions subject to their jurisdiction:
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.531
Specifically, the statute regulates the privacy of personally identifiable, nonpublic financial information disclosed to non-affiliated third parties by financial institutions. The requirements also apply to non-affiliated third parties to whom they transfer this information. The law requires written or electronic notice of the categories of nonpublic personal information collected, categories of people to whom the information will be disclosed, consumer opt-out rights, and the company’s confidentiality and security policies.
The legislation creates a consumer right to opt out of disclosures to nonaffiliated parties before the disclosure occurs, subject to exceptions.532 The law requires administrative, technical and physical safeguards to maintain the security, confidentiality, and integrity of the information, and prohibits disclosure of account numbers and access codes for credit, deposit or transaction accounts to a nonaffiliated party for marketing purposes.533
527 Id. § 1692c(a).
528 Pub. L. No. 106-102, 113 Stat. 1338 (codified as amended in 15 U.S.C. §§ 6801 to 6827).
529 15 U.S.C. § 6801(a).
530 Specified at 15 U.S.C. § 6805(a).
531 Id. § 6801(b).
532 The exceptions are at 15 U.S.C. § 6802(b)(2).
533 See A Review of Federal and State Privacy Laws, supra note 1341.
F Authentication of Identity Information of Account Holders
The USA Patriot Act of 2001534 amended a statute by adding that the Secretary of the Treasury must prescribe regulations setting forth the minimum standards for identifying a customer who opens an account at a financial institution. The financial institution and the customer must comply with reasonable procedures for:
1. verifying the identity of any person seeking to open an account to the extent reasonable and practicable;
2. maintaining records of the information used to verify a person’s identity, including name, address, and other identifying information; and
3. consulting lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency to determine whether a person seeking to open an account appears on any such list.535
6A.4.3 Statutes Protecting Information Gathered by Providers of Internet, Cable, Telecommunications, and Video Services
A Children’s Online Privacy Protection Act
The Children’s Online Privacy Protection Act of 1998536 (COPPA) requires any website directed at children under 13 years of age to obtain parental consent before collecting personal information online from children. The COPPA regulations537 define the term “collects” to encompass providing a child with the ability to have an e-mail account or the ability to post to a chat room, bulletin board, or other online forum. COPPA also requires a covered website to disclose in a notice its online information collection and use practices with respect to children, and provide parents with the opportunity to review the personal information collected online from their children.538
B Video Privacy Protection Act
The Video Privacy Protection Act,539 passed in 1988, affords users and purchasers of commercial videotapes rights similar to those of patrons of libraries. It
534 Pub. L. No. 107–56, 151 Stat. 272 (2001) (codified as amended in scattered sections of the U.S.C.). “USA PATRIOT” is an acronym for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act.”
535 31 U.S.C. § 5318(l) (2006).
536 15 U.S.C. §§ 6501–6506; 16 C.F.R. pt. 312 (2011).
537 16 C.F.R. pt. 312.
538 See A Review of Federal and State Privacy Laws, supra note 1341.
539 18 U.S.C. § 2710 (2006).
prohibits videotape sale or rental companies from disclosing customer names and addresses, and the subject matter of their purchases or rentals for direct marketing use, unless the customers have been notified of their right to prohibit such disclosures. The law restricts videotape companies from disclosing personal data about customers without their consent or court approval. It requires that subscribers be notified and provided with an opportunity to contest a data request prior to a judicial determination.540
C Cable Communications Policy Act
The Cable Communications Policy Act, passed in 1984, includes a provision541 that requires cable television operators to inform their subscribers annually about the nature of personal data collected, data disclosure practices, and subscriber rights to inspect and correct errors in such data. It prohibits a cable television company from using the cable system to collect personal information about its subscribers without their prior consent, and generally bars the cable operator from disclosing such data.542
D Customer Proprietary Network Information Provision of Telecommunications Act
The provision on customer proprietary network information543 was enacted as part of the Telecommunications Act of 1996.544 The provision restricts private-sector access and use of customer data. It prohibits the disclosure of individualized customer data obtained for purposes of providing telecommunications service unless there has been customer approval, and imposes restrictions on the use of such data in aggregate form.545
E Telephone Consumer Protection Act
The Telephone Consumer Protection Act546 requires entities that use the telephone to solicit individuals to provide such individuals with the ability to prevent future telephone solicitations. It requires those who engage in telephone solicitations to maintain and honor lists of individuals for 10 years after such individuals request not to receive solicitations. The act prohibits unsolicited
540 See A Review of Federal and State Privacy Laws, supra note 1341.
541 47 U.S.C. § 551 (2006).
542 See A Review of Federal and State Privacy Laws, supra note 1341.
543 47 U.S.C. § 222.
544 Pub. L. No. 104-104, § 702, 110 Stat. 56 (1996).
545 See A Review of Federal and State Privacy Laws, supra note 1341.
546 47 U.S.C. § 227.
commercial telephone calls from using an artificial or pre-recorded voice without consumer consent, and prohibits the sending of unsolicited advertisements to fax machines.547 An amendment effective in 2010548 makes it illegal to cause a caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value, unless such deception occurs in connection with law enforcement or under a court order.549
6A.4.4 Statutes Constraining Government
A Privacy Act
The Privacy Act550 mandates that, when the federal government collects personal data, it be collected as much as practicable directly from the subject individual.551 The act prohibits the collection of information about an individual’s exercise of First Amendment rights, such as the freedom of speech, assembly, and religion.552 When an agency requests information about an individual, it must notify the individual of (1) the agency’s authorization and purpose for collecting information,553 (2) the routine uses that may be made of the data collected,554 and (3) the consequences to the individual for failing to provide the information.555 The Privacy Act requires agencies, on request, to provide individuals with access to records pertaining to them and an opportunity to correct or challenge the contents of the records.556 The Act restricts federal agencies from disclosing personal data except for specifically enumerated purposes.557 Federal agencies must account for extra-agency disclosures;558 instruct record management personnel in the requirements of the act and the rules for its implementation;559 and establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records.560
547 See A Review of Federal and State Privacy Laws, supra note 1341.
548 Truth in Caller ID Act of 2009, Pub. L. No. 111–331 § 2, 124 Stat. 3572.
549 47 U.S.C. § 227(e).
550 5 U.S.C. § 552a (2006).
551 Id. § 552a(e)(2).
552 Id. § 552a(e)(7).
553 Id. § 552a(e)(3)(A), (B).
554 Id. § 552a(e)(3)(C).
555 Id. § 552a(e)(3)(D).
556 Id. § 552a(d).
557 Id. § 552a(b).
558 Id. § 552a(c).
559 Id. § 552a(e)(9).
560 Id. § 552a(e)(10).
B Freedom of Information Act
The Freedom of Information Act561 provides individuals with access to many types of records that are exempt from access under the Privacy Act,562 including many categories of personal information.
C Right to Financial Privacy Act
The Right to Financial Privacy Act563 prohibits federal agencies from obtaining financial records of individuals unless they have obtained authorization from the customer of a financial institution, whose records they seek, or have obtained a warrant or subpoena, or have made a formal written request.564 The act prohibits an agency that has obtained access to an individual’s financial records from disclosing the records to another agency without (1) notifying the individual and (2) obtaining certification from the receiving agency that the records are relevant to a legitimate law enforcement inquiry of the receiving agency.565 A financial institution may not release the financial records of a customer until the agency seeking such records certifies in writing to the financial institution that it has complied with the applicable provisions of the act.566 A financial institution may, however, notify a government authority that it has information that may be relevant to a possible violation of a statute or regulation.567
D Census Confidentiality
The census confidentiality statute568 prohibits any use of census data for other than its original statistical purpose. It also prohibits any disclosure of census data that would allow an individual to be identified, except to sworn officers and employees of the Census Bureau.569
E Driver’s Privacy Protection Act
The Driver’s Privacy Protection Act,570 passed as part of the Violent Crime Control and Law Enforcement Act of 1994,571 prohibits state departments of motor
561 Id. § 552.
562 Exemptions from the Privacy Act are listed at 5 U.S.C. § 552a(j), (k).
563 12 U.S.C. §§ 3401–3422 (2006).
564 12 U.S.C. § 3402. For the requirements for the formal written request, see Id. § 3408.
565 Id. § 3412.
566 Id. § 3403(b).
567 Id. § 3403(c).
568 13 U.S.C. § 9 (2006).
569 Id. § 9(a).
570 18 U.S.C. § 2721 (2006).
571 Pub. L. No. 103–322, 108 Stat. 1796 (1994).
vehicles (DMVs) from releasing personal information from drivers’ licenses and motor vehicle registration records. However, the act permits the release of DMV information to those who use it for a purpose specifically enumerated in the act.572 The information may be released to a requester if the requester demonstrates it has obtained the written consent of the individual to whom the information pertains.573 The DMV may mail a copy of a request for information to a licensee, informing the licensee of the request, together with a statement that the information will not be released unless the licensee waives the right to privacy provided by the law.574 The act imposes record-keeping requirements on the resellers of such information.575 The Driver’s Privacy Protection Act does not interfere with the ability of states to enact laws furnishing greater privacy protection to their drivers and vehicle owners.576
F Internal Revenue Code
Portions of the Internal Revenue Code require that information provided to the Internal Revenue Service is confidential.577 For example, with specific exceptions, returns and return information are confidential, and no one with access to the returns may disclose any return or return information obtained in connection with services pertaining to federal taxation.578 Statistics compiled by the IRS may not identify, directly or indirectly, a particular taxpayer.579 Extensive judicial procedures pertain to the discovery in court hearings of IRS information.580
G Federal Information Security Provisions
A section of the U.S. Code concerned with information security protects the data maintained in government computers.581 All federal information systems must provide for “information security.” “Information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
572 18 U.S.C. § 2721(b).
573 Id. § 2721(b)(13).
574 Id. § 2721(d).
575 Id. § 2721(c).
576 Id. § 2721(e).
577 26 U.S.C. §§ 6103, 6108, 7609 (2006).
578 Id. § 6103.
579 Id. § 6108.
580 Id. § 7609.
581 40 U.S.C. § 11331 (2006).
1. integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
2. confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;
3. availability, which means ensuring timely and reliable access to and use of information; and
4. authentication, which means utilizing digital credentials to assure the identity of users and validate their access.582
Within the Office of Management and Budget (OMB) is an Office of Information and Regulatory Affairs (OBIRA). The Administrator of OBIRA is the principal adviser to the Director of the OMB on federal information resources management policy.583 The information security standards are implemented by the Director of OMB, on the basis of proposed standards of the National Institute of Standards and Technology, and in consultation with the Secretary of Homeland Security.584 The head of each federal agency is responsible for implementing the standards as they apply to disclosure of information, as well as other aspects of handling the information.585
H Criminal Justice
A section of the U.S. Code on criminal justice information systems586 requires federally funded state and local criminal justice information systems to include information on the disposition of any arrest, and permits individuals to see, copy, and correct information about themselves in the system.
I National Center for Health Statistics
A portion of the U.S. Code regarding the Public Health Service587 prohibits disclosure of data collected by the National Center for Health Statistics that would identify an individual in any way, unless that individual has consented to such disclosure.
582 44 U.S.C. § 3532 (2006) (referred to in 40 U.S.C. § 11331).
583 Id. §§ 3503, 3544.
584 40 U.S.C. § 11331(b)(1)(A). Further details regarding the duties of the Director of OMB are provided at 44 U.S.C. § 3543.
585 44 U.S.C. § 3534.
586 42 U.S.C. § 3789g (2006).
587 Id. § 242m(d).
J Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act588 permits a student or the parent of a minor student to inspect and challenge the accuracy and completeness of educational records that concern the student. The act prohibits government access to personal data in educational records without a court order or lawfully issued subpoena, unless the government is seeking access to the records for a specified education-related purpose. The act provides for termination of Federal funds if an institution violates the Act and compliance cannot be secured voluntarily.
6A.4.5 Privacy in Electronic Communication
The Electronic Communications Privacy Act589 prohibits persons from tampering with computers or accessing certain computerized records without authorization.590 The act also prohibits providers of electronic communications services from disclosing the contents of stored communications.591 However, a governmental entity may require the disclosure under a warrant or some other form of judicial process.592 Other wiretap statutes593 prohibit the use of eavesdropping technology and the interception of electronic mail, radio communications, data transmission and telephone calls without consent or appropriate judicial process.594 The Communications Assistance for Law Enforcement Act595 preserves law enforcement’s ability to engage in lawful electronic surveillance in the face of new technological developments. It increases the protections against governmental intrusions into the privacy of electronic communications, and requires that the government obtain a court order before obtaining tracking information or location information about subscribers from mobile service providers and explicitly states that it does not limit the rights of subscribers to use encryption.596
588 20 U.S.C. § 1232g (2006).
589 Electronic Communications Privacy Act of 1986, Pub. L. No. 99–508, 100 Stat. 1848 (1986) (codified at 18 U.S.C. §§ 2701–2712).
590 18 U.S.C. § 2701 (2006).
591 Id. § 2702.
592 Id. § 2703.
593 Id. §§ 2510–2522, 2701–2712; 47 U.S.C. § 605 (2006).
594 See A Review of Federal and State Privacy Laws, supra note 1341.
595 Pub. L. No. 103–414 § 101, 108 Stat. 4279 (1994) (codified as amended at 47 U.S.C. §§ 1001–1010).
596 See A Review of Federal and State Privacy Laws, supra note 1341.
6A.4.6 Privacy of Health Information
The Health Insurance Portability and Accountability Act (HIPAA),597 which went into effect in 2003 (although many regulations were implemented later), applies to individually identifiable health information that has been maintained or transmitted by a covered entity. It applies directly to three types of entities:
1. health plans,
2. health care clearinghouses, and
3. health care providers who transmit health information in electronic form.598
The provisions also apply to the business associates of the covered entities.599 “Health information” means any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.600 The term includes genetic information.601 HIPAA requires health plans and health care providers to provide a written notice of how protected health information about an individual will be used, as well as an accounting of the circumstances surrounding certain disclosures of the information. HIPAA prohibits covered entities from disclosing covered information in a manner inconsistent with the notice.602 HIPAA requires covered entities to obtain a patient’s opt-in via consent form for both use and disclosure of protected information for treatment, payment, or health care operations.603 It also requires covered entities to obtain a patient’s more detailed opt-in via an authorization form for both use and disclosure of protected information for purposes other than treatment, payment, or health care operations.604 HIPAA permits several forms of marketing and
597 Pub. L. No. 104–191 §§ 262, 264, 110 Stat. 1936 (1996) (codified primarily at 42 U.S.C. §§ 1320d-1320d-9); see also 45 C.F.R. pt. 164 (2001) (presenting regulations under the act pertaining to the security of information).
598 45 C.F.R. §§ 164.104, 164.105 (2011).
599 Id. § 164.104.
600 42 U.S.C. § 1320d(4) (2006).
601 Id. § 1320d-9. This section was added by the Genetic Information Nondiscrimination Act of 2008, Pub. L. No. 110–233 § 105(a), 122 Stat. 881 (2008).
602 45 C.F.R. § 164.520.
603 Id. § 164.506.
604 Id. § 164.508.
CHAPTER 6
fundraising uses of protected information subject to receipt of written consent and subsequent provision of an opportunity to opt out. It requires patient authorization for transfers of protected information for routine marketing by third parties.605 It provides a right to access, copy, and amend the information in designated record sets, including in a business associate’s records if not a duplicate of the information held by the provider or plan.606

6A.4.7 Immigration Information Verification

The USA PATRIOT Act of 2001607 amended the Immigration title of the U.S. Code by allowing access by the Department of State and the U.S. Citizenship and Immigration Services to certain identifying information in the criminal history records of visa applicants and applicants for admission to the United States.608 The Patriot Act requires the Attorney General and the Secretary of State to develop and certify a technology standard, including appropriate biometric identifier standards, that can be used to verify the identity of persons applying for a U.S. visa, or persons seeking to enter the United States pursuant to a visa, in order to conduct background checks, confirm identity, and ensure that a person has not received a visa under a different name or such person seeking to enter the United States pursuant to a visa.609

The USA PATRIOT Act expresses the sense of Congress that the Attorney General, in consultation with the Secretary of State, should fully implement an integrated entry and exit data system for airports, seaports, and land border ports of entry.610 The term “integrated entry and exit data system” means an electronic system that:
1. provides access to, and integrates, alien arrival and departure data that are (A) authorized or required to be created or collected under law; (B) in an electronic format; and (C) in a data base of the Department of Justice or the Department of State, including those created or used at ports of entry and at consular offices;
2. uses available data to produce a report of arriving and departing aliens by country of nationality, classification as an immigrant or nonimmigrant, and date of arrival in, and departure from, the United States;
3. matches an alien’s available arrival data with the alien’s available departure data;
4. assists in identifying, through on-line searching procedures, lawfully admitted nonimmigrants who may have remained in the United States beyond the period authorized by the Attorney General; and
5. otherwise uses available alien arrival and departure data to permit the Attorney General to make the required reports.611

The Enhanced Border Security and Visa Entry Reform Act of 2002612 amended the immigration title to require machine-readable, tamper-resistant entry and exit documents. The Attorney General and the Secretary of State must establish document authentication standards and biometric identifier standards to be employed on visas and other travel and entry documents from among those biometric identifiers recognized by domestic and international standards organizations.613

605 Id.
606 Id. §§ 164.524, 164.526.
607 Pub. L. No. 107–56, 115 Stat. 272 (2001). “USA PATRIOT” is an acronym for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act.
608 8 U.S.C. § 1105(b) (2006).
609 Id. § 1379(1).
610 Id. § 1365a note.

6A.5
State Statutes
Federal statutes cannot cover every occurrence of identity crime. Although federal jurisdiction is broad,614 crimes that occur within the borders of a state may not even be subject to federal jurisdiction. And even if prosecution of a crime is within the power of the federal government, the federal government might choose not to prosecute it. State legislatures may choose to outlaw activities not included in the federal law, and may be aware of activities that occur as part of an identity crime scheme, but which Congress has not yet recognized. In the interplay of federal and state governments, states often copy from federal statutes, and Congress is informed by that which states choose to criminalize. State statutes, therefore, can play a large part in the prosecution of identity crimes. This survey looks at the laws of each of the five most populated U.S. states. Each of the states has its own approach to identity crimes.

6A.5.1 California

California’s criminal law, the Penal Code, eschews use of the term “fraud” in its criminal grouping, and instead dubs the family that includes identity crimes as “False Personation and Cheats.” “Personation,” a word rarely used in the English

611 Id. § 1365a(b).
612 Pub. L. No. 107–173, 116 Stat. 543 (2002).
613 8 U.S.C. § 1732.
614 As to the jurisdiction of federal courts under 18 U.S.C. § 1028, see Part 6A.2.1(b)(1).
language aside from criminal law, is merely a synonym for the more common English word, “impersonation.”615 California’s identity theft statutes are in addition to its statutes for false personation, which forbid various acts performed by one person as though he or she were another person, by which that other person may become liable to suit or prosecution, or to pay a sum of money, or to incur a charge, forfeiture, or penalty, or whereby a benefit might accrue to the party personating, or to some other person.616 Receiving money or property intended to be delivered to a person being personated, with the intent to retain that money or property or convey it to some other person, or to deprive the true owner, is subject to the same penalties as those for larceny.617

California’s statutory identity crime scheme is notable for the extensive remedies and protections available to the victims of such crimes. A study of identity crimes in California618 shows that there were 42,209 identity crime complaints from California victims in 2009. These incidents break down as follows:

Table 9. Identity crime California 2009

Rank | Identity crime type | Complaints | Percentage (some crimes were reported under more than one category)
1 | Credit Card Fraud | 7,536 | 18%
2 | Employment-Related Fraud | 6,979 | 17%
3 | Government Documents or Benefits Fraud | 6,020 | 14%
4 | Phone and Utilities Fraud | 5,483 | 13%
5 | Bank Fraud, including fraud involving checking and savings accounts and electronic fund transfers | 4,512 | 11%
6 | Loan Fraud | 1,579 | 4%
- | Other | 10,094 | 24%
- | Attempted Identity Crime | 2,388 | 6%

615 Black’s Law Dictionary (8th ed. 2004).
616 Cal. Penal Code § 529 (West 2011).
617 Id. § 530.
618 FTC 2009 Data Book, supra note 1270.
The numbers have decreased somewhat from those shown in the 2008 study.619
Table 10. Identity crime California 2008

Rank | Identity theft type | Complaints | Percentage
1 | Employment-Related Fraud | 10,330 | 20%
2 | Credit Card Fraud | 10,197 | 20%
3 | Government Documents or Benefits Fraud | 6,26 | 12%
4 | Bank Fraud | 5,653 | 11%
5 | Phone or Utilities Fraud | 5,404 | 11%
6 | Loan Fraud | 2,214 | 4%
- | Other | 12,556 | 25%
- | Attempted Identity Theft | 2,737 | 5%
A Identity-Crime-Specific Statutes

1 Unauthorized Use of Personal Identifying Information

California’s criminal statutes make illegal the “unauthorized use of personal identifying information of another person.”620 Anybody who willfully obtains the personal identifying information of another person, and uses that information for any unlawful purpose without the consent of that person, has committed the offense, and is subject to fines and imprisonment. The unlawful uses specified by the statute include obtaining, or attempting to obtain, credit, goods, services, real property, or medical information.621 Penalties are recommended for various activities involving such information, specifically:

619 There were 51,140 complaints in 2008, according to the FTC report published in 2009.
620 Cal. Penal Code § 530.5.
621 Cal. Penal Code § 530.5(a). The statute has been held not unconstitutionally vague as applied to a defendant who used a copy of a social security card and birth certificate of another, without permission, in an attempt to cash a check made payable to the other person, but constituting wages for work performed by the defendant under the other person’s name. The statute includes within “use for unlawful purpose” the defendant’s very act, attempting to obtain credit, goods, or services, in the name of another person without the consent of that person. See People v. Hagedorn, 127 Cal. App. 4th 734, 25 Cal. Rptr. 3d 879 (5th Dist. 2005).
1. acquiring and retaining possession of the information, with the intent to defraud;622
2. selling, transferring, or conveying the information, either with knowledge that the information will be used unlawfully, or with the intent to defraud.623

Under the terms of the Identity Crime Model, the California state statute specifically deals with the acquisition, possession, transfer, and use of the identity information. It does not deal specifically with production of identity documents, although using the information for an unlawful purpose, such as forgery, is illegal.

The phrase “personal identifying information,” under California’s criminal laws, covers a broad swath of information, and California’s statutory list could well serve as a compendium of the type of information that must be protected in order to combat identity crimes. Personal identifying information is any of the following which is assigned to an individual person,624 or any equivalent form of identification:625
1. name
2. address
3. telephone number
4. health insurance number
5. taxpayer identification number
6. school identification number
7. state or federal driver’s license, or identification number
8. social security number
9. place of employment
10. employee identification number
11. professional or occupational number
12. mother’s maiden name
13. demand deposit account number
14. savings account number
15. checking account number
16. PIN (personal identification number) or password
17. alien registration number
18. government passport number
19. date of birth
20. unique biometric data including fingerprint, facial scan identifiers, voiceprint, retina or iris image, or other unique physical representation
21. unique electronic data including information identification number assigned to the person address or routing code
22. telecommunication identifying information or access device
23. information contained in a birth or death certificate, or
24. credit card number.

A court has held that a provision of the statute barring the unauthorized use of personal identifying information does not require intent to defraud; the statute does not indicate that the provision was meant to reach only those with such an intent. On the other hand, the statute does indicate that intent to defraud is required in a prosecution for acquiring and retaining possession of the information, and may be a requirement in a prosecution for selling, transferring, or conveying the information.626

Although the statute states that a person must “use” the identity information unlawfully, merely intending to use it and taking steps to achieve that use is enough to violate the statute. Thus, a woman who unlawfully obtained credit reports and personal identifying information of several police officers was properly convicted of “unauthorized use” of personal identifying information even though the information was never used for the illegal surveillance of their homes, as the defendant intended.627

The victim of a violation of the identity statute is the person whose identity is stolen; the victim of a theft carried out through the use of a stolen identity is the person who owned the property that was stolen. Thus, a court has held that when a person misrepresents herself as another to obtain a credit card in order to obtain a rental vehicle and then fails to return the vehicle, the offenses have different victims: (1) the rental agency and (2) the person whose identity the defendant stole. This leads to the conclusion that two separate sentences for the two offenses may be imposed, and that the scheme is not a single course of conduct subject to one sentence.628

622 Cal. Penal Code § 530.5(c)(1)-(c)(3).
623 Id. § 530.5(d)(1), (d)(2).
624 Cal. Penal Code § 530.55(a) (“ ‘Person’ means a natural person, living or deceased, firm, association, organization, partnership, business trust, company, corporation, limited liability company, or public entity, or any other legal entity.”).
625 Cal. Penal Code § 530.55(b).
626 People v. Hagedorn, 127 Cal. App. 4th 734, 25 Cal. Rptr. 3d 879 (5th Dist. 2005).
627 People v. Tillotson, 157 Cal. App. 4th 517, 69 Cal. Rptr. 3d 42 (4th Dist. 2007).
628 People v. Andra, 156 Cal. App. 4th 638, 67 Cal. Rptr. 3d 439 (3d Dist. 2007).

2 Identification Cards and Drivers’ Licenses

Every person who alters, falsifies, forges, duplicates or in any manner reproduces or counterfeits any driver’s license or identification card issued by a governmental
agency with the intent that such driver’s license or identification card be used to facilitate the commission of any forgery, has committed an offense.629 Every person who manufactures, sells, offers for sale, or transfers any document, not amounting to counterfeit, purporting to be a government-issued identification card or driver’s license, which by virtue of the wording or appearance thereon could reasonably deceive an ordinary person into believing that it is issued by a government agency, and who knows that the document is not a government-issued document, has committed an offense.630 Possession of such a document is also an offense.631 Any person who obtains, or assists another person in obtaining, a driver’s license, identification card, vehicle registration certificate, or any other official document issued by the Department of Motor Vehicles, with knowledge that the person obtaining the document is not entitled to the document, is guilty of a misdemeanor.632

B Identity-Crime-Related Statute

1 Access Card Crimes

An “access card” in California is any card, plate, code, account number, or other means of account access that can be used, alone or in conjunction with another access card, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds, other than a transfer originated solely by a paper instrument.633 The access device need not be currently valid.634 Even though the statute uses the word “card,” the provisions cover intangible information in addition to tangible objects.635

In a provision similar to the federal statute concerning access devices,636 any person who, with intent to defraud, sells, transfers, or conveys an access card, without the cardholder’s or issuer’s consent, is guilty of grand theft.637 (“Grand theft” under California law occurs when one steals something valued at over $400, takes something from the person of another, or in certain other specified circumstances.)638

629 Cal. Penal Code § 470a.
630 Id. § 529.5(a), (b). The punishment is up to one year in prison and/or a fine of up to $1000, or $5000 upon a subsequent offense.
631 Id. § 529.5(c).
632 Id. § 529.7. This is punishable by up to one year in prison and/or a $1000 fine.
633 Id. § 484d(2).
634 People v. Molina, 120 Cal. App. 4th 507, 15 Cal. Rptr. 3d 493 (2d Dist. 2004).
635 Id.
636 18 U.S.C. § 1029 (2006).
637 Cal. Penal Code § 484e(a).
638 Id. § 487.
Anyone who, with the intent to defraud, acquires or retains possession of an access card without the cardholder’s or issuer’s consent, with the intent to use, sell, or transfer it to a person other than the cardholder or issuer is guilty of petty theft.639 Anyone who acquires or retains possession of access card account information as to an access card validly issued to another person, without the cardholder’s or issuer’s consent, with the intent to use it fraudulently, is guilty of grand theft.640 Anyone other than the issuer who, within any consecutive 12-month period, acquires access cards issued in the names of four or more persons that the person has reason to know were taken or retained under circumstances constituting a violation of one of the other parts of the statute is also guilty of grand theft.641 Thus, one may be sentenced for only one crime when one has acquired numerous access cards during a 12-month period; it is only one offense under this provision no matter how many victims’ devices have been acquired, if the number of devices is four or more.642

Anyone who, with the intent to defraud, designs, makes, alters, or embosses a counterfeit access card or utters or otherwise attempts to use a counterfeit access card, is guilty of forgery.643 Even so, “forgery” of an access card transaction is not necessarily an offense included within the offense of “forgery,”644 for the purpose of sentencing; thus, a defendant may be convicted of both forgery and theft through the use of an access card because the latter offense can be committed by signing of the name of another, while the former offense may be committed by publishing or passing an item regardless of whether it was signed.645 A person other than the cardholder or a person authorized by the cardholder who, with the intent to defraud, signs the name of another or of a fictitious person to an access card, sales slip, sales draft, or instrument for the payment of money which evidences an access card transaction, is guilty of forgery.646

Anyone who, with the intent to defraud, (a) uses, for the purpose of obtaining money, goods, services, or anything else of value, an access card or access card account information that has been altered, obtained, or retained, or an access card that he or she knows is forged, expired, or revoked, or (b) obtains money, goods, services, or anything else of value by representing without the

639 Id. § 484e(c).
640 Id. § 484d(d).
641 Id. § 484e(b).
642 People v. Shabtay, 138 Cal. App. 4th 1184, 42 Cal. Rptr. 3d 227 (2d Dist. 2006).
643 Cal. Penal Code § 484f(a).
644 Forgery is a crime under Cal. Penal Code § 470.
645 People v. Mitchell, 164 Cal. App. 4th 442, 78 Cal. Rptr. 3d 855 (3d Dist. 2008).
646 Cal. Penal Code § 484f(b).
consent of the cardholder that he or she is the holder of an access card and the card has not in fact been issued, is guilty of theft. If the value of all money, goods, services, and other things of value obtained in violation of this section exceeds $950 in any consecutive six-month period, then the act constitutes grand theft.647 A retailer or other person who accepts an access card and provides goods or services knowing that the access card has been counterfeited, forged, expired, or revoked, and who receives payment from the issuer, is guilty of theft.648

An access card is “incomplete” if part of the matter other than the signature of the cardholder which an issuer requires to appear on the access card before it can be used by a cardholder has not been stamped, embossed, imprinted, or written on it.649 Anyone who possesses an incomplete access card, with intent to complete it without the consent of the issuer, is guilty of a misdemeanor.650

Anyone who, with the intent to defraud, makes, alters, varies, changes, or modifies access card account information on any part of an access card, including information encoded in a magnetic stripe or other medium on the access card not directly readable by the human eye, or who authorizes or consents to alteration, variance, change, or modification of access card account information by another, in a manner that causes transactions initiated by that access card to be charged or billed to a person other than the cardholder to whom the access card was issued, is guilty of forgery.651 Anyone who designs, makes, possesses, or traffics in card-making equipment or incomplete access cards with the intent that the equipment or cards be used to make counterfeit access cards, is punishable by imprisonment in a county jail for not more than one year, or by imprisonment in the state prison.652

Anyone who publishes the number or code of an existing, canceled, revoked, expired, or nonexistent access card, personal identification number, computer password, access code, debit card number, bank account number, or the numbering or coding which is employed in the issuance of access cards, with the intent that it be used or with knowledge or reason to believe that it will be used to avoid the payment of any lawful charge, or with intent to defraud or aid another in defrauding, is guilty of a misdemeanor.653

647 Id. § 484g.
648 Id. § 484h(a).
649 Id. § 484d(6).
650 Id. § 484i(a).
651 Id. § 484i(b).
652 Id. § 484i(c).
653 Id. § 484j.
2 False or Counterfeit Certificate of Birth or Baptism

Every person who manufactures, produces, sells, offers, or transfers to another any document purporting to be either a certificate of birth or certificate of baptism, knowing such document to be false or counterfeit and with the intent to deceive, is guilty of a crime, and subject to imprisonment for up to one year.654 Every person who offers, displays, or has in his or her possession such false or counterfeit certificates, or any genuine certificate of birth that describes a person then living or deceased, with the intent to represent himself or herself as another or to conceal his or her true identity, is also guilty of a crime subject to up to one year in prison.655

3 Forgery

Every person who, with the intent to defraud, knowing that he or she has no authority to do so, signs the name of another person or of a fictitious person to any of a list of items contained in the statute, is guilty of forgery,656 as is every person who, with the intent to defraud, counterfeits or forges the seal or handwriting of another.657 The items listed in the statute are various forms for drawing money from an account, such as checks and money orders.658

C Components of Identity Crime Recognized under California Statutes

California’s identity crime statutes criminalize all of the components of the Identity Crime Model.

Acquisition: Under Cal. Penal Code § 530.5(c), acquiring identifying information with the intent to defraud is a violation. Acquisition of an access card without the cardholder’s or issuer’s consent, with the intent to use, sell, or transfer it to a person other than the cardholder or issuer, is an offense.659 Acquisition of a cardholder’s information can also be illegal.660 Acquisition of a driver’s license or identity card for use by someone not entitled to it is also an offense, as is assisting someone to acquire such a document.661

Production: Various acts concerning access cards constitute production of such cards, and are illegal.662 For example, anyone who, with the intent to

654 Id. § 529a.
655 Id. § 529a.
656 Id. § 470(a).
657 Id. § 470(b).
658 Id. § 470(d).
659 Id. § 484e(c).
660 Id. § 484d(d).
661 Id. § 529.7. This is punishable by up to one year in prison and/or a $1000 fine.
662 Id. §§ 484i, 484j.
defraud, designs, makes, alters, or embosses a counterfeit access card is guilty of forgery.663 Anyone who designs, makes, possesses, or traffics in card-making equipment or incomplete access cards with the intent that the equipment or cards be used to make counterfeit access cards is guilty of a misdemeanor.664

Possession: Under Cal. Penal Code § 530.5(c), retaining possession of identifying information with the intent to defraud is a violation. Retaining possession of an access card or its information is illegal in the same manner as acquiring the card or its information.665

Trafficking or Transfer: Under Cal. Penal Code § 530.5(d), selling, transferring, or conveying the personal identifying information of another is an offense. Selling an access card without its owner’s permission is an offense.666 Selling false drivers’ licenses, identification cards, and birth certificates are also offenses.667

Use: The very name of the California statute, “Unauthorized use of personal identifying information of another person,” makes it clear that this is a statute chiefly concerned with use. Illegal uses include (but are not limited to) obtaining, or attempting to obtain, credit, goods, services, real property, and medical information without the consent of the person whose identifying information is used.668 Use of an access card to obtain things of value is also illegal.669

D Protection of the Victim

California law contains provisions that the victim of an identity crime can use to protect his or her identity, and to minimize the damage done by the identity criminal. The primary California identity crime statute670 provides that, in any case in which a person willfully obtains the personal identifying information of another person and uses that information to commit a crime in addition to the identity crime, and is convicted of that crime, the court records must reflect that the person whose identity was falsely used to commit the crime did not commit the crime.671 A person who has learned or reasonably suspects that his or her personal identifying information has been unlawfully used by another may initiate a

663 Id. § 484f(a).
664 Id. § 484i(c).
665 Id. §§ 484d(d), 484e(c).
666 Id. § 484e(a).
667 Id. § 529.5(a), (b), 329a.
668 Id. § 530.5(a).
669 Id. § 484g.
670 As discussed above in Part 6A.5.1(a)(1).
671 Cal. Penal Code § 530.5(b).
law enforcement investigation by contacting the local law enforcement agency that has jurisdiction over his or her residence or place of business. Local authorities must take a police report of the matter, provide the complainant with a copy of that report, and begin an investigation of the facts.672

The identity crime victim may petition a court for an expedited judicial determination of his or her innocence:673
1. where the perpetrator of the identity crime was arrested for, cited for, or convicted of a crime under the victim’s identity, or
2. where a criminal complaint has been filed against the perpetrator in the victim’s name, or
3. where the victim’s identity has been mistakenly associated with a record of criminal conviction.674

If the court determines that the victim’s request has merit, and that there is no reasonable cause to believe that the victim committed the offense, or that the victim was mistakenly associated with a record of criminal conviction, the court must find the victim innocent of that offense, and issue an order certifying this determination.675 Once the court has issued a determination of innocence, it may order the name and associated personal identifying information contained in court records, files, and indexes deleted, sealed, or labeled to show that the data is impersonated and does not reflect the defendant’s identity.676 The court may also vacate its determination if the victim’s request, or any information submitted in support of the request, is found to contain any material misrepresentation or fraud.677

The State of California’s Department of Justice is required to establish a data base of identity crime victims, and access to the data base must be provided to victims of identity crime.678 To be included in the data base, the victim must submit to the Department of Justice a court order obtained pursuant to any provision of law, a full set of fingerprints, and any other information prescribed by the Department.679 The Department of Justice must verify the identity of the

672 Id. § 530.6(a). If the suspected crime was committed in a different jurisdiction, the local law enforcement agency may refer the matter to the law enforcement agency where the suspected crime was committed for further investigation of the facts.
673 Id. § 530.6(b). The court may also act on its own motion, or on the motion of the prosecutor.
674 Id. § 530.6(b).
675 Id.
676 Id. § 530.6(c).
677 Id. § 530.6(d).
678 Cal. Penal Code § 530.7(c).
679 Id. § 530.7(a).
victim against any driver’s license or other identification record maintained by the Department of Motor Vehicles,680 and must establish and maintain a toll-free telephone number to provide access to the information in the data base.681 The data base, entitled “Id Theft Registry,” and the requirements for obtaining access to the data base, have been established by the California Department of Justice. Requirements for gaining access to the data base are posted on the Internet.682

1 Further Rights of Victim to Receive Information

California provides further rights to the victims of identity crime; specifically, they are entitled to receive information related to any application submitted or account opened in their name, including a copy of any unauthorized person’s application or application information and a record of transactions or charges associated with the application or account.683 The California statute specifies that this right is available in cases when an application is submitted, or an account opened, for the following:
1. bank, trust company, savings association, or credit union account
2. loan
3. credit line or account
4. credit card
5. charge card
6. public utility service
7. mail receiving or forwarding service
8. office or desk space rental service

Upon the request of the victim, the person or entity with which the application was filed (the “account provider”) must inform the victim of the categories of identifying information that the unauthorized person used to complete the application or to open the account. The account provider must provide copies of all paper records, records of telephone applications or authorizations, or records of electronic applications or, without charge, within 10 business days of receipt of the victim’s request, and submission of the required copy of the police report and identifying information.684

680 Id. § 530.7(b).
681 Id. § 530.7(d). The toll-free number is (888) 880-0240.
682 Registry Application Process, CA Dept. of Justice, http://caag.state.ca.us/idtheft/packet.php (last visited Oct. 31, 2012).
683 Cal. Penal Code § 530.8.
684 Id. § 530.8(a). Subsections 530.8(b) and (c) impose further requirements upon the identity crime victim.
If the account provider fails to produce the required records, the victim may request a prosecutor to bring a court action. The court must hold a hearing, and will order the release of records to the victim.685 The victim may bring a civil action against the account provider for damages, injunctive relief or other equitable relief, and a penalty of $100 per day of noncompliance, plus reasonable attorney fees.686

6A.5.2 Texas

Texas, the second largest state, has a limited identity crime statute; however, protections that a victim may use are contained in other, non-criminal Texas statutes.687 A study of identity crimes in Texas688 shows that there were 28,844 identity crime complaints from Texas victims in 2009. These incidents break down as follows:

Table 11. Identity crime Texas 2009

Rank | Identity crime type | Complaints | Percentage (some crimes were reported under more than one category)
1 | Employment-Related Fraud | 7,058 | 24%
2 | Government Documents or Benefits Fraud | 5,709 | 20%
3 | Phone and Utilities Fraud | 3,557 | 12%
4 | Credit Card Fraud | 3,483 | 12%
5 | Bank Fraud, including fraud involving checking and savings accounts and electronic fund transfers | 3,046 | 11%
6 | Loan Fraud | 1,285 | 4%
- | Other | 5,523 | 19%
- | Attempted Identity Crime | 1,151 | 4%

685 Id. § 530.8(d)(1).
686 Id. § 530.8(d)(2).
687 Discussed in Part 6A.5.2(e).
688 FTC 2009 Data Book, supra note 1270, at 63.
The numbers have decreased somewhat from those shown in the 2008 study.689

Table 12: Identity crime Texas 2008

| Rank | Identity theft type | Complaints | Percentage |
|---|---|---|---|
| 1 | Employment-Related Fraud | 8,545 | 27% |
| 2 | Government Documents or Benefits Fraud | 5,596 | 18% |
| 3 | Credit Card Fraud | 4,620 | 15% |
| 4 | Bank Fraud | 3,418 | 11% |
| 5 | Phone or Utilities Fraud | 3,204 | 10% |
| 6 | Loan Fraud | 1,401 | 4% |
| | Other | 6,455 | 20% |
| | Attempted Identity Theft | 1,224 | 4% |
A Identity-Specific Crime
Texas includes identity crimes in its “Fraud” chapter,690 amid a group entitled “Other Deceptive Practices.”691 The primary (as opposed to “other”) deceptive practices under the fraud chapter are forgery and offenses involving credit.692 Under Texas law, a person commits the offense of “Fraudulent Use or Possession of Identifying Information” if that person, with the intent to harm or defraud another, obtains, possesses, transfers, or uses an item of:
1. identifying information of another person without the other person’s consent; or
2. information concerning a deceased natural person, including a stillborn infant or fetus, that would be identifying information of that person were that person alive, if the item of information is obtained, possessed, transferred, or used without legal authorization; or
3. identifying information of a child younger than 18 years of age.693
689 There were 31,708 complaints in 2008, breaking down as shown below, according to the FTC report published in 2009.
690 Tex. Penal Code Ann. ch. 32 (West 2011).
691 Tex. Penal Code Ann. subchapter 32D.
692 Tex. Penal Code Ann. subchapters 32B, 32C.
693 Tex. Penal Code Ann. § 32.51(b).
If such conduct also is an offense under any other law, the person who commits the offense may be prosecuted under this law, the other law, or both.694
“Identifying information” means information that alone or in conjunction with other information identifies a person, including a person’s:
1. name and social security number, date of birth, or government-issued identification number;
2. unique biometric data, including the person’s fingerprint, voice print, or retina or iris image;
3. unique electronic identification number, address, routing code, or financial institution account number; and
4. telecommunication identifying information or access device.695
In one Texas case,696 a violation of the statute was upheld when officers found a store’s billing list on the back-seat floorboard of a vehicle that the defendant was driving when stopped for a traffic violation. An ex-employee of the store testified that the defendant knew of the billing list and had assisted in using it to make fraudulent cards. In addition, items in the defendant’s wallet connected him to evidence in the vehicle relating to an identity crime scam, and a laptop computer that was plugged into the cigarette lighter contained templates for creating fraudulent identifications.
A “telecommunication access device” is further defined under the Texas statute as a device used to obtain money, goods, services, or other thing of value, or to initiate a transfer of funds other than solely by using a paper instrument. Such a device may be a card, plate, code, account number, personal identification number, electronic serial number, mobile identification number, or other telecommunications service, equipment, or instrument identifier or means of account.697
Intent to harm or defraud another: A person is presumed to have the intent required under Texas law if the person possesses the identifying information of three or more other persons, or three or more deceased persons.698
The Texas statute has been found not to apply to fictitious identities. In Ford v. State,699 a conviction was not warranted because the defendant did not obtain, possess, transfer, or use identifying information of any living human being. The names, dates of birth, identification numbers, and account numbers on counterfeit checks and false identity cards possessed and used by the defendant identified no individuals, as they were fictitious identities. Because these identities, including bank accounts, were shown to be fictitious, and because the defendant was shown to have known that they were fictitious, the defendant could not have violated the statute on “Fraudulent Use or Possession of Identifying Information.” One cannot defraud or harm a person who is fictitious.
Penalties under the Texas statute increase depending upon the number of items obtained, possessed, transferred, or used.700 They are further increased if the offense was committed against an elderly individual.701
Restitution: A court may order the defendant to reimburse the victim for lost income or other expenses, other than attorney fees, incurred as a result of the offense.702
694 Id. § 32.51(e).
695 Id. § 32.51(a)(1). Compare id., with California’s more comprehensive list presented in Part 6A.5.1(a)(1), and the list under Texas’s civil statute, below in Part 6A.5.2(e).
696 Richardson v. State, 309 S.W.3d 20, 2010 WL 3193558 (Tex. Crim. App. 2010).
697 Tex. Penal Code Ann. § 32.51(a)(2).
698 Id. § 32.51(b-1). The presumption established does not apply to a business or other commercial entity or a government agency that is engaged in a business activity or governmental function that does not violate Texas penal law. Id. § 32.51(b-2).
699 Ford v. State, 282 S.W.3d 256 (Tex. Crim. App. 2009).
B Identity-Related Crime
1 Forgery
Under Texas law, “forge” means to alter, make, complete, execute, or authenticate any writing so that it purports to be the act of another who did not authorize that act; to have been executed at a time or place or in a numbered sequence other than was in fact the case; or to be a copy of an original when no such original existed. To “forge” is also to issue, transfer, register the transfer of, pass, publish, or otherwise distribute a writing that is forged; or to possess a writing that is forged with intent to distribute it. “Writing” includes printing or any other method of recording information.703 A person commits an offense of “forgery” if he forges a writing with intent to defraud or harm another.704
2 Credit Card or Debit Card Abuse
Offenses that are known as access card fraud under federal and California laws, discussed above, come under the heading of “credit card or debit card abuse” under Texas law.
The following are felonies under Texas law:705
1. with intent to obtain a benefit fraudulently, presenting or using a credit card or debit card with knowledge that the card, whether or not expired, has not been issued to the person using it, and is not used with the effective consent of the cardholder;
2. with intent to obtain a benefit, using a fictitious card or the pretended number or description of a fictitious card;
3. receiving a benefit in violation of this statute;
4. stealing a card or knowingly receiving a stolen card with the intent to use it, to sell it, or to transfer it to a person other than the issuer or the cardholder;
5. knowingly buying a card from a person who is not the issuer, or selling a card;
6. possessing a card, without knowledge or consent of the cardholder, with intent to use it;
7. possessing incomplete cards not issued to the possessor with intent to complete them without the effective consent of the issuer.
700 Tex. Penal Code Ann. § 32.51(c).
701 Id. § 32.51(c-1).
702 Id. § 32.51(d).
703 Id. § 32.21(a).
704 Id. § 32.21(b).
705 Id. § 32.31(b).
C Victims’ Rights
One who has filed a criminal complaint alleging the crime of fraudulent use or possession of identifying information is defined as a “victim of identity theft,”706 and may file an application with a Texas court for an order declaring that the person is a victim of identity theft. Such an application may be filed whether or not the victim is able to identify each person who allegedly transferred or used the person’s identifying information in an unlawful manner.707 The applicant is presumed to be a victim of identity theft if the person charged with fraudulent use or possession of identifying information is convicted of the offense.708 A court may take any actions needed to prevent additional harm to a victim, and prevent dissipation of the victim’s assets, and may issue orders to correct public and private records.709
A business notified that a person is a victim of identity theft may not deny the individual an extension of credit, including a loan, in the individual’s name or restrict or limit the credit extended solely because the individual has been a victim of identity theft. (A lender or business may refuse loans or credit for any other legitimate reason.)710
Texas mandates that financial institutions act to protect victims of identity theft when notified of the offense by the victim. For example, when a bank customer notifies a bank that he or she has been the victim of identity theft, the bank must notify check verification entities (consumer reporting agencies that compile and maintain, for businesses in Texas, files on consumers nationwide regarding their check-writing history), which must then refrain from approving checks written on the accounts identified.711 A financial institution must process as forgeries checks received on the account of a victim of identity theft if the victim:
1. closes the account at the financial institution as a result of the identity theft;
2. notifies the financial institution that the identity theft is the reason for closing the account;
3. provides the financial institution with a copy of the criminal; and
4. requests that the financial institution return checks with the notation “forgery.”712
The victim may not then assert that the financial institution is liable for wrongfully dishonoring a check, and must hold the financial institution harmless for acting in accordance with the victim’s request.713
706 Tex. Bus. & Com. Code Ann. § 523.001(a) (2011) (unless the report of identity theft is knowingly false under Tex. Penal Code Ann. § 37.08).
707 Tex. Bus. & Com. Code Ann. § 521.101. As to the content of such an order, see discussion of non-criminal law.
708 Id. § 521.102, referring to Tex. Penal Code § 32.51, discussed above.
709 Id. § 521.151(e).
710 Id. § 523.001(b).
711 Id. § 523.052.
712 Id. § 523.051(b).
713 Id. § 523.051(c).
D Components of Identity Crime Recognized under Texas Statutes
Texas’s identity crime statute criminalizes all of the components of the Identity Crime Model. Specifically, the statute states that one who obtains, possesses, transfers, or uses an item of identifying information of another person without the other person’s consent, is guilty of the crime of “Fraudulent Use or Possession of Identifying Information,” as discussed above. The component of “production” is covered by Texas’s forgery law, discussed above, which covers any altering, making, completing, executing, or authenticating of any writing so that it purports to be the act of another who did not authorize that act. Under the law on credit and debit card abuse, acquisition, transfer, possession, and use of a credit or debit card that does not belong to the holder are all criminal offenses.
E Non-criminal Law
Texas statutes contain a comprehensive civil scheme, largely enacted in 2009, allowing a victim of identity theft to bring an action against a person using a victim’s identity without authorization. This legislative scheme is contained in Texas’s Business and Commerce Code, under a subtitle entitled “Identity Theft.”714 Under the Texas Business and Commerce Code, a person may not obtain, possess, transfer, or use personal identifying information of another person without the other person’s consent, with the intent to obtain a good, a service, insurance, an extension of credit, or any other thing of value in the other person’s name.715
“Personal identifying information” under the Business and Commerce Code is information that identifies an individual, and includes an individual’s:
1. name, social security number, date of birth, or government-issued identification number;
2. mother’s maiden name;
3. unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image;
4. unique electronic identification number, address, or routing code; and
5. telecommunication access device,716 which is a card, plate, code, account number, personal identification number, electronic serial number, mobile identification number, or other telecommunications service, equipment, or instrument identifier or means of account access that alone or in conjunction with another telecommunication access device may be used to:
6. obtain money, goods, services, or other thing of value; or
7. initiate a transfer of funds other than a transfer originated solely by paper instrument.717
Texas law includes further protection of “sensitive personal information,” which means:
1. an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted: (i) social security number; (ii) driver’s license number or government-issued identification number; or account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or
2. information that identifies an individual and relates to (i) the physical or mental health or condition of the individual; (ii) the provision of health care to the individual; or (iii) payment for the provision of health care to the individual.718
Penalties: A person who violates Texas’s non-criminal provisions regarding the unauthorized use or possession of personal identifying information is subject to a fine of between $2,000 and $50,000 for each violation. The attorney general may bring an action to recover the fine.719 The attorney general may recover reasonable expenses, including attorney fees, court costs, and investigatory costs, incurred in enforcing this law.720
Injunction: If the attorney general thinks that a person is engaging in, has engaged in, or is about to engage in the unauthorized use or possession of personal identifying information, the attorney general may bring an action to restrain the violation by a temporary restraining order or an injunction.721
1 Businesses’ Duty regarding Sensitive Personal Information
Businesses in Texas, including nonprofit athletic or sports associations, must implement and maintain reasonable procedures to protect, from unlawful use or disclosure, all sensitive personal information collected or maintained by the business in the regular course of business. Each business has a duty to take appropriate corrective actions.722 Specifically a business must destroy or arrange for the destruction of customer records containing sensitive personal information within the business’s custody or control that are not to be retained by the business, either by shredding them, erasing them, or otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.723
714 Id. subtitle 11B.
715 Id. § 521.051(a). Safe harbors are provided for persons or entities that require such information for business. Texas provides that a violation of this provision is a “deceptive trade practice,” which may be actionable under other sections of Texas law. Id. § 521.152 (referring to Id. subchapter 17E entitled “Deceptive Trade Practices and Consumer Protection”). An additional section of the Texas statute forbids using a scanning device or re-encoder to access, read, scan, store, or transfer information encoded on the magnetic strip of a payment card without the consent of an authorized user of the payment card, and with intent to harm or defraud another. Id. § 522.002(a).
716 Id. § 521.002(a)(1).
717 Tex. Penal Code Ann. § 32.51(a)(2) (West 2011).
718 Tex. Bus. & Com. Code Ann. § 521.002(a)(2).
719 Id. § 521.151(a).
720 Id. § 521.151(f).
721 Id. § 521.151(b).
722 Id. § 521.052(a), (d).
723 Id. § 521.052(b). The statute contains a safe harbor for financial institutions.
A person who conducts business in Texas and who owns or licenses computerized data that includes sensitive personal information must disclose any breach of system security,724 after discovering or receiving notification of the breach, to any resident of Texas whose sensitive personal information may have been acquired by an unauthorized person. The disclosure must be made as quickly as possible, unless the police request a delay so as not to delay a criminal investigation, or if a delay is needed to determine the scope of the breach and restore the reasonable integrity of the data system.725 One who maintains data including sensitive personal information must inform the owner of that data as soon as he or she discovers a breach of system security, if the sensitive personal information may have been acquired by an unauthorized person.726 The required notices may be written or electronic,727 but if such notice would cost over $250,000, or the number of affected persons exceeds 500,000, or the one required to give notice does not have sufficient contact information, the notice may be given by email, posting on the website of the person required to give notice, or via major statewide media.728 If the person required to give notice maintains an information security policy for the treatment of sensitive personal information, and promptly gives notice in accord with that policy, that person is in compliance with the law.729 If more than 10,000 persons must be notified, consumer reporting agencies must also be notified.730 “Breach of system security” under Texas law means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data. 
Good faith acquisition of sensitive personal information by an employee or agent of the person for the purposes of the person is not a breach of system security unless the person uses or discloses the sensitive personal information in an unauthorized manner.
724 Defined below.
725 Tex. Bus. & Com. Code Ann. § 521.053(b), (d).
726 Id. § 521.053(c).
727 Tex. Penal Code Ann. § 521.053(e) (West 2011).
728 Id. § 521.053(f).
729 Id. § 521.053(g).
730 Id. § 521.053(h) (referring to consumer reporting agencies as defined by 15 U.S.C. § 1681a).
2 Businesses’ Responsibilities toward Victims of Identity Crime
If a Texas business receives notification of a “security alert” in connection with a request for a consumer report for the approval of credit, the business may not extend credit without taking reasonable steps to verify the consumer’s identity.731 If a consumer has included with a security alert a specified telephone number to be used for identity verification purposes, the business that receives that number must take reasonable steps to contact the consumer using that number before extending credit.732 A “security alert” is a notice placed on a consumer file that alerts a recipient of a consumer report involving that consumer file that the consumer’s identity may have been used without the consumer’s consent to fraudulently obtain goods or services in the consumer’s name.733 A “consumer report” is a communication or other information by a consumer reporting agency relating to the credit of a consumer.734
3 Victim’s Rights
One who has been injured by a breach in a security system may file an application with a Texas court for an order declaring that the person is a victim of identity theft. Such an application may be filed whether or not the victim is able to identify each person who allegedly transferred or used the person’s identifying information in an unlawful manner.735 The applicant is presumed to be a victim of identity theft if the person charged with criminal identity theft is convicted of the offense.736 If the court, after a hearing, is convinced that the applicant is indeed a victim of identity theft, it must issue an order containing:
1. any known information identifying the person committing the theft;
2. any specific personal identifying information used in the theft;
3. identification of documents used to commit the theft; and
4. information identifying any financial account or transaction affected by the alleged violation or offense, including the financial institution or merchant; relevant account numbers, dollar amount affected; and date of the violation.737
731 Tex. Bus. & Com. Code Ann. § 523.002(a).
732 Id. § 523.002(b).
733 Id. § 20.01(7).
734 Id. § 20.01(4).
735 Id. § 521.101.
736 Id. § 521.102 (referring to Tex. Penal Code § 32.51, discussed above).
737 Id. § 521.103.
The order is confidential, and must be sealed, for release only in limited circumstances such as in connection with civil proceedings brought by the victim, or to assist the victim in correcting his or her financial accounts.738 The order may be cancelled by the court if the alleged victim has made a misstatement in order to obtain the order.739
6A.5.3 New York
New York, the third largest state, includes “identity theft” among its enumeration of various types of criminal fraud.740 New York also makes “criminal impersonation” a criminal act.741 A study of identity crimes in New York742 shows that there were 18,906 identity crime complaints from New York victims in 2009. These incidents break down as follows:
Table 13: Identity crime New York 2009

| Rank | Identity crime type | Complaints | Percentage (some crimes were reported under more than one category) |
|---|---|---|---|
| 1 | Employment-Related Fraud | 4,180 | 22% |
| 2 | Government Documents or Benefits Fraud | 3,120 | 17% |
| 3 | Phone and Utilities Fraud | 2,935 | 16% |
| 4 | Credit Card Fraud | 1,800 | 10% |
| 5 | Bank Fraud, including fraud involving checking and savings accounts and electronic fund transfers. | 1,540 | 8% |
| 6 | Loan Fraud | 630 | 3% |
| | Other | 3,900 | 21% |
| | Attempted Identity Crime | 1,326 | 7% |
738 Id. § 521.104.
739 Id. § 521.105.
740 N.Y. Penal Law tit. K (McKinney 2011) (“Offenses Involving Fraud”). “Identity theft” is within an article entitled “Other Frauds.” Id. art. 190.
741 Id. §§ 190.25–190.26.
742 FTC 2009 Data Book, supra note 1270, at 50.
The numbers have decreased somewhat from those shown in the 2008 study.743
Table 14: Identity crime New York 2008

| Rank | Identity theft type | Complaints | Percentage |
|---|---|---|---|
| 1 | Credit Card Fraud | 5,414 | 24% |
| 2 | Government Documents or Benefits Fraud | 3,860 | 17% |
| 3 | Phone or Utilities Fraud | 3,683 | 16% |
| 4 | Bank Fraud | 2,072 | 9% |
| 5 | Employment-Related Fraud | 1,921 | 8% |
| 6 | Loan Fraud | 849 | 4% |
| | Other | 4,853 | 21% |
| | Attempted Identity Theft | 1,438 | 6% |
A Identity-Crime-Specific Statutes
1 Identity Theft
New York’s identity crime statute is divided into three degrees. The basic crime is “identity theft in the third degree”; the second and first degrees of the crime include certain aggravating factors.744 In addition, the crime of “aggravated” identity theft creates additional penalties based on impersonating a member of the U.S. Armed Forces.745 Further offenses have been added pertaining to possession of personal identification information,746 and unlawful possession of a skimmer device.747 The crux of New York’s identity theft statute pertains to obtaining and using “personal identifying information.” Like California, New York’s identity theft statute includes a long list of items that constitute such information.748 Those items are a person’s:
1. name
2. address
3. telephone number
4. date of birth
5. driver’s license number
6. social security number
7. place of employment
8. mother’s maiden name
9. financial services account number or code
10. savings account number or code
11. checking account number or code
12. brokerage account number or code
13. credit card account number or code
14. debit card number or code
15. automated teller machine number or code
16. taxpayer identification number
17. computer system password
18. signature or copy of a signature
19. electronic signature
20. unique biometric data that is a fingerprint, voice print, retinal image or iris image of another person
21. telephone calling card number
22. mobile identification number or code
23. electronic serial number or personal identification number
24. any other name, number, code or information that may be used alone or in conjunction with other such information to assume the identity of another person.
New York makes it an offense, “Identity Theft in the Third Degree,” to assume the identity of another person by presenting oneself as that other person, by acting as that other person, or by using personal identifying information of that other person, in order to obtain goods, money, property or services, or to use credit in the name of the other person, or to cause financial loss to that person or someone else.749 In order to be a criminal violation, the act must be done knowingly and with intent to defraud.750 It is also an offense to commit another crime or misdemeanor while acting as that other person.751
743 There were 22,647 complaints in 2008, according to the FTC report published in 2009.
744 N.Y. Penal Law § 190.78 to 190.80.
745 Id. § 190.80-a. As for the federal aggravated identity theft statute, which is quite different, see § 16.2.
746 Id. § 190.81 to 190.83.
747 Id. § 190.85 and 190.86.
748 Id. § 190.77(1).
749 Id. § 190.78(1).
750 Id. § 190.78. “Knowingly” is a defined culpable mental state requiring that a person be “aware” that his or her conduct is of the nature described in a statute. Id. § 15.05(2).
751 Id. § 190.78(2).
The statute carries with it a misdemeanor penalty,752 which, in New York, can mean a jail sentence of up to one year, and a fine of up to $1,000.753 The higher degrees of identity theft are more serious crimes, and carry greater punishments. Note that whether an offense is considered a misdemeanor or a felony can make a difference in the amount of restitution available to a victim.754
A conviction of the offense of identity theft in the third degree was upheld where the defendant held a joint bank account with her elderly grandmother, and opened a credit card account in her name, where:
1. there was evidence that a credit card account was opened in grandmother’s name and with her identifying information, and that three charges were made, and the grandmother testified that she never applied for the credit card or purchased anything with it; and
2. the defendant’s power of attorney did not authorize the defendant to apply for a credit card on the grandmother’s behalf.755
“Identity Theft in the Second Degree” is comprised of the same elements as the third-degree version of the offense, but the perpetrator obtains over $500-worth of benefit, or causes someone else over $500-worth of loss. It is a second-degree offense to commit identity theft in order to be an accessory to the commission of a felony, or to commit identity theft after previously being convicted of an identity crime, or grand larceny. The second-degree crime carries with it a felony penalty.756
The highest degree of identity theft applies to those who gain over $2000-worth of benefit, or cause $2000-worth of loss, commit the crime as accessory to a high-level felony, or after having previously been convicted of a high-level identity crime, or high-level grand larceny.757
The New York statute on “aggravated identity theft” increases the penalty for identity theft when the perpetrator knows that the victim is a member of the Armed Forces and is deployed outside of the continental United States. The offense is essentially the same as identity theft in the second degree, but with a harsher penalty.758
752 Id. § 190.78 (Class A misdemeanor).
753 Id. §§ 70.15(1), 80.5(1).
754 See discussion of restitution below.
755 People v. Vandermuelen, 42 A.D.3d 667, 839 N.Y.S.2d 835 (App. Div. 2007).
756 N.Y. Penal Law § 190.79.
757 Id. § 190.80.
758 Id. § 190.80-a.
The crimes of identity theft in the second degree759 and criminal possession of a forged instrument in the second degree,760 arising out of a defendant’s attempt to use a forged credit card, are distinct and arise from separate acts; therefore, imposition of consecutive sentences for the two crimes is warranted.761
Fair Credit Reporting Act. In addition to the criminal law, under New York’s Fair Credit Reporting Act, no person, firm, partnership, corporation, or association or employee thereof may knowingly and with the intent to defraud, obtain, possess, transfer, use, or attempt to obtain, possess, transfer, or use credit, goods, services or anything else of value in the name of another person without his or her consent.762
2 Unlawful Possession of Personal Identification Information
“Unlawful possession of personal identification information” is an offense under New York law.763 Like identity theft, there are three degrees of unlawful possession. At its most basic the offense consists of knowingly possessing one or more items of personal identification information. The list of items consisting of personal identification information is a slightly shorter version of the list of items in the identity theft statute.764 The difference between the third- and second-degree crimes is that the second degree requires that the possession be of 250 or more items of personal identification information.765 Possession in the first degree requires, as one way to violate the statute, that the offender act with the intent to further the commission of identity theft in the second degree, and that the offender supervise more than three accomplices.766 (This appears to be directed at a criminal organization that is engaged in the illegal enterprise of identity crime.)767 A second way to violate the statute is to be a recidivist and possess items of a personal nature. A recidivist is a person who has been previously convicted within the past five years of various identity crimes, or grand larceny.768
759 Id. § 190.79 (discussed above).
760 Id. § 170.20 (discussed below).
761 People v. Hayes, 71 A.D.3d 1187, 896 N.Y.S.2d 225 (App. Div. 2010).
762 N.Y. Gen. Bus. Law § 380-s (McKinney 2011).
763 N.Y. Penal Law § 190.81.
764 See preceding section.
765 N.Y. Penal Law § 190.82.
766 Id. § 190.83(1). Identity theft in the second degree, Id. § 190.79, is discussed above.
767 William C. Donnino, Supplementary Practice Commentary to the Identity Theft Laws, N.Y. Penal Laws § 190.77 (McKinney 2011).
768 N.Y. Penal Law § 190.83(2).
A third way to violate the statute is to knowingly victimize a member of the Armed Forces stationed overseas, with the intent to further the commission of identity theft in the second degree, and supervising more than two accomplices.769 The three levels of the violation carry with them penalties for a Class A misdemeanor, a Class E felony, and a Class D felony.770 a
Knowledge of Criminal Intent May be Inferred From Circumstances of Possession
A case of possession of personal identification information requires only, in addition to possession, knowledge that the information is intended to be used in the commission of a crime.771 In a case tried in criminal court, the arresting officer alleged that he observed the defendant, Essalek, holding loose marijuana inside a public playground, and recovered seven pieces of paper from Essalek’s wallet (presumably under a search incident to arrest). The arresting officer additionally alleged that he observed personal identification information written on the pieces of paper, which information included three credit card numbers with expiration dates and security codes, and one social security number. Essalek stated that “they are credit card numbers but I don’t know whose they are.” The defendant was charged with unlawful possession of personal identification,772 but argued that there was no proof that the personal identification information was actually used or attempted to be used in a crime. Moreover, the charge did not say what specific crime was intended to be committed using the personal identification information (hereinafter “the numbers”). Nor did the state charge that the defendant knew that the numbers were intended to be used in the commission of a crime. The court, however, determined that it was only logical that the defendant either had knowledge of his own criminal purpose in possessing the numbers, or had knowledge that the numbers eventually would be used to commit a crime. “The inference of knowledge is so strong as to be all but inescapable.”773 The judge remarked that, unlike circumstances where a defendant possesses a stranger’s actual plastic credit card, for which there may be a reasonable explanation such as temporary and innocent possession after finding lost property,
769 Id. § 190.83(3).
770 Id. §§ 190.77, 190.81–190.83. For allowable penalties for various classes of crimes, see id. §§ 70.00–70.15, 80.05.
771 People v. Essalek, 17 Misc. 3d 835, 847 N.Y.S.2d 421 (Crim. Ct. 2007) (interpreting N.Y. Penal Law § 190.81).
772 N.Y. Penal Law § 190.81.
773 People v. Essalek, 847 N.Y.S.2d 421.
Identity Crime Legislation in the United States
there is no reasonable explanation for the possession of a stranger’s credit card numbers, security codes or social security number (unless the possessor is a financial institution or legitimate merchant). However, when a person possesses a stranger’s social security number and credit card numbers, and the numbers have been handwritten, transcribed or otherwise imprinted onto separate pieces of paper, the very fact that the numbers have been copied demonstrates an affirmative step in furtherance of a reasonably inferred criminal purpose. The numbers could have been copied from any number of sources, such as actual credit cards, receipts, account summaries, or the Internet. But all innocence pertaining to the numbers is erased by the overt act of copying the numbers onto paper, which act goes beyond the stage of mere preparation. The court further noted that once the numbers were copied, whether by the defendant or by another, the defendant then retained the numbers in his wallet, conventionally a secure location where important information necessary for future activity is kept. The court saw this as an indicator of guilt. Taken together, the facts of this case were sufficient for the court to conclude that Essalek knew that the numbers were intended to be used to commit a crime. Whether that criminal purpose was imminent or sometime in the future was not important. There is no requirement that unlawful intent must be immediate or contemporaneous. The intent to use the numbers unlawfully is not an element of the offense; rather, the criminal state of mind for this offense is knowledge that the numbers are intended to be used for any crime, at any time, in any place and manner, by any person, none of which have to be specifically alleged or proven. 
3 Unlawful Possession of a Skimmer Device
New York’s statutes define a “skimmer device” as a device designed or adapted to obtain personal identifying information from a credit card, debit card, public benefit card, access card or device, or other card or device that contains personal identifying information.774 One is guilty of unlawful possession of such a device in New York, in the second degree, when such possession is accompanied by an intent to use it to further the commission of the crime of identity theft or unlawful possession of personal identification information.775 One who has previously been convicted of an identity crime or grand larceny, who then commits the offense of possession of a skimmer device, has committed the offense in the first degree.776
774 N.Y. Penal Law § 190.85(1).
775 Id. § 190.85(2).
776 Id. § 190.86.
CHAPTER 6
4 Criminal Impersonation
New York’s statutes forbid “criminal impersonation,” which is when a person impersonates another in order to obtain a benefit or to injure or defraud another; or when a person pretends to be a representative of some person or organization to obtain a benefit, or to injure or defraud another.777 The broad scope of the provision was demonstrated in a case where an attorney intercepted telephone messages left for another firm in order to solicit potential clients for himself. Merely pretending to be an attorney with the other firm was sufficient for a criminal conviction, as well as disbarment.778 A court upheld a conviction of criminal impersonation where the defendant pretended to be a crime victim when calling the police, in an effort to terminate a criminal case against her. The defendant left her home phone number so the police could contact the faux victim, but, during the call, the actual victim was present at the police station, and the person the police spoke with on the phone could not possibly have been the victim.779
The statute also addresses the offense of pretending to be a public servant in order to get another person to submit to pretended official authority, to solicit funds, or to cause another to act on that authority.780 Also specifically outlawed is impersonating another on an Internet website or other electronic means for a benefit or to injure another.781 A higher degree of that crime occurs when one impersonates a law enforcement officer, when one impersonates some other official in order to commit a felony, or when one impersonates a doctor in order to obtain prescription drugs from a pharmacy.782
A conviction of criminal impersonation does not require that the impersonator take the identity of an actual person. Thus, whether a foreign passport was issued to the actual person named in the passport is not relevant to a charge of criminal impersonation, and the prosecution need not demonstrate that the named person was an actual person issued a foreign passport.783 Impersonation of a public servant in order to cause another to act on that public servant’s authority784 occurs, and is subject to criminal prosecution,
777 Id. § 190.25(1), (2). The term “defraud,” as used in the statute, cannot be cabined neatly, as misguided human deviousness attempts constantly to explore and lend to fraud new outlets for expression. People v. Chive, 189 Misc. 2d 653, 734 N.Y.S.2d 830 (N.Y. Crim. Ct. 2001).
778 In re Pimsler, 286 A.D.2d 82, 731 N.Y.S.2d 51 (App. Div. 2001).
779 People v. Hooks, 71 A.D.3d 1184, 896 N.Y.S.2d 501 (App. Div. 2010).
780 N.Y. Penal Law § 190.25(3).
781 Id. § 190.25(4).
782 Id. § 190.26.
783 People v. Chive, 189 Misc. 2d 653, 734 N.Y.S.2d 830 (Crim. Ct. 2001).
784 N.Y. Penal Law § 190.25(3) (discussed above).
when one shows a police badge or detective shield in an effort to influence leniency when subject to a traffic stop.785 Even if there are no specific facts establishing that defendant intended to induce a traffic officer to act in reliance upon the pretense, one can infer from the defendant’s actions an intent to use the deception as a means of gaining favorable treatment from a police officer.786
B Identity-Crime Related Statutes
1 Forgery
A person is guilty of forgery in New York when, with intent to defraud, deceive or injure another, he falsely makes, completes or alters a written instrument.787 A person is guilty of criminal possession of a forged instrument in the third degree when, with knowledge that it is forged and with intent to defraud, deceive, or injure another, he utters or possesses a forged instrument.788 These are Class A misdemeanors.
2 Unlawful Use of Credit Card, Debit Card or Public Benefit Card
A person is guilty of unlawful use of credit card, debit card, or public benefit card when in the course of obtaining or attempting to obtain property or a service, he uses or displays a credit card, debit card, or public benefit card which he knows to be revoked or cancelled.789 This is a Class A misdemeanor.
3 Computer-Related Crimes
A person is guilty of unlawful duplication of computer-related material when, having no right to do so, he or she copies, reproduces, or duplicates in any manner: (1) any computer data or computer program and thereby intentionally and wrongfully deprives or appropriates from an owner an economic value or benefit; or (2) any computer data or computer program with an intent to commit or attempt to commit or further the commission of any felony.790 A person is guilty of criminal possession of computer related material when, having no right to do so, he knowingly possesses, in any form, any copy, reproduction, or duplicate of any computer data or computer program which was copied, reproduced, or duplicated illegally, with intent to benefit himself or a person other than an owner of the data.791
785 People v. Makwana, 17 Misc. 3d 296, 844 N.Y.S.2d 607 (Crim. Ct. 2007).
786 Id. at 299–300.
787 N.Y. Penal Law § 170.05.
788 Id. § 170.20.
789 Id. § 165.17.
790 Id. § 156.30.
791 Id. § 156.35.
C Components of Identity Crime Recognized under New York Statutes
New York’s identity crime statutes criminalize several of the components of the Identity Crime Model.
Acquisition: “Assuming” the identity of another for the purpose of committing fraud is illegal under New York’s identity theft statute.792 Acquisition of particular items is not covered by the statute, and may require resort to larceny laws. The acquisition of computer data, which may include passwords or other identifying information, is illegal under laws specific to computers.793
Production: The production element may be covered under the forgery statute under which, with intent to defraud, deceive or injure another, the false making, completing, or altering of a written instrument is illegal.794
Possession: Possession of items of personal information of another is a crime under New York law when the possessor has the intent to further the commission of identity theft.795 Possession of a skimmer device is also illegal.796
Transfer: There is nothing specific in the New York statutes concerning the transfer of identity information of documents, although “use” (see below) of such information in order to obtain goods, money, property or service, as stated by the statute, may be construed to include transferring such information for gain.
Use: When one personates another, one is using someone else’s identity, or the status of one authorized to act for the government or an organization, in order to defraud another and benefit oneself or another.797 It is an offense to use personal identifying information of another person, without permission, in order to obtain goods, money, property or services, or to use credit in the name of the other person, or to cause financial loss to that person or someone else.798
D Restitution
New York provides for restitution to the victims of crimes. The term “victim” specifically includes any person who has suffered a financial loss as a direct result of the acts of a defendant who violates the prohibitions against identity theft or possession of personal identifying information.799
792 Id. §§ 190.77–190.80.
793 Id. § 156.30.
794 Id. § 170.05.
795 Id. § 190.83.
796 Id. § 190.95.
797 Id. § 190.25.
798 Id. § 190.78(1).
799 Id. § 60.27(4)(b).
In sentencing for any crime, a judge must consider restitution or reparation to the victim of the crime.800 For violations of the identity crime laws, the victim is eligible to be reimbursed for any costs or losses incurred due to any adverse action taken against the victim.801 “Adverse action” is the actual loss incurred by the victim, including an amount equal to the value of the time reasonably spent by the victim attempting to remediate the harm incurred from the offense, and the consequential financial losses from such action.802
The district attorney must, if appropriate, advise the court at or before the time of sentencing that the victim seeks restitution or reparation, the extent of injury or economic loss or damage of the victim, and the amount of restitution or reparation sought by the victim. The court must hear and consider the information presented by the district attorney in this regard.803
If the court requires restitution or reparation to be made, it must make a finding as to the dollar amount of the fruits of the offense and the actual out-of-pocket loss to the victim caused by the offense. In making this finding, the court must consider any victim impact statement provided to the court. If the record does not contain sufficient evidence to support such finding, or upon request by the defendant, the court must conduct a hearing upon the issue.804
The amount of restitution or reparation required by the court may not exceed $15,000 for a felony, or $10,000 for a misdemeanor.805 However, the court may impose restitution or reparation in excess of those amounts if the amount in excess is limited to the return of the victim’s property, including money, or the equivalent value; and reimbursement for medical expenses actually incurred by the victim prior to sentencing as a result of the offense committed by the defendant.806
E Victim’s Rights
New York has some protections for persons whose identities have been stolen. New York’s General Business Law details those protections in an article entitled “Debt Collection Procedures Related to Identity Theft.”807
800 Id. § 60.27(1).
801 Id.
802 Id.
803 Id.
804 Id. § 60.27(2).
805 Id. § 60.27(5)(a).
806 Id. § 60.27(5)(b).
807 N.Y. Gen. Bus. Law art. 29-HH.
When a principal creditor receives notification that a person has been a victim of identity theft, the creditor must cease collection activities until a review has taken place, as required by the statute.808 Notification must be in the form of a copy of a police report concerning the identity theft, and the debtor’s written statement that the debtor claims to be the victim of identity theft with respect to the specific debt being collected by the principal creditor.809 The written statement must be either a signed FTC ID theft victim’s affidavit,810 or a written statement that certifies that the representations are true, correct, and contain no material omissions of fact to the best knowledge and belief of the person submitting the certification.811 The statement must include or be accompanied by the following, if relevant:
1. a statement that the debtor is a victim of identity theft;
2. a copy of the debtor’s driver’s license or identification card, as issued by the state;
3. any other identification document that supports the statement of identity theft;
4. specific facts supporting the claim of identity theft, if available;
5. any explanation showing that the debtor did not incur the debt;
6. any available correspondence disputing the debt after transaction information has been provided to the debtor;
7. documentation of the residence of the debtor at the time of the alleged debt, including copies of bills and statements, such as utility bills, tax statements, or other statements from businesses sent to the debtor, showing that the debtor lived at another residence at the time the debt was incurred;
8. a telephone number for contacting the debtor concerning any additional information or questions, or direction that further communications to the debtor be in writing only, with the mailing address specified in the statement;
9. to the extent the debtor has information concerning who may have incurred the debt, the identification of any person whom the debtor believes is responsible; and
808 Id. § 604-a(1).
809 Id.
810 Id. § 604-a(2)(a); see also Identity Theft Victim’s Complaint and Affidavit, FTC, http://www.ftc.gov/bcp/edu/resources/forms/affidavit.pdf (last visited Mar. 2, 2012) (providing a voluntary form for filing a report with law enforcement, and disputes with credit reporting agencies and creditors about identity theft-related problems).
811 Id. § 604-a(2)(b).
10. an express statement that the debtor did not authorize the use of the debtor’s name or personal information for incurring the debt.812
A “principal creditor” is any entity to which a consumer claim is owed, due, or asserted to be due or owed, or any assignee for value of such entity. It includes a debt collection agency.813
When a principal creditor receives notification as described above, it must review and consider all of the information provided by the debtor and other information relevant to the review. The principal creditor may restart its debt collection activities only if it makes a good faith determination that the information that it has collected does not establish that the debtor is not responsible for the specific debt in question. The debt collector must notify the debtor in writing of that determination and the basis for the determination before proceeding with any further collection activities.814 The principal creditor’s determination that a debt is valid or invalid does not create a waiver of any right or defense of the debtor or debt collector.815
A principal creditor that ceases collection activities and does not recommence those collection activities, must, within five business days of the cessation of collection activities, notify a consumer credit reporting agency to delete any adverse information that the principal creditor has furnished to the agency, and notify the creditor that debt collection activities have been terminated based upon the debtor’s claim of identity theft.816
1 Penalties for Creditors Who Violate the Statute
The attorney general may petition the court to issue an injunction against any creditor that violates the statute to stop such violation. The court can impose a civil penalty between $500 and $1000 for each violation. A principal creditor has no civil liability if, within 15 days either after discovering a violation which is able to be cured, or after the receipt of a written notice of such violation, the principal creditor notifies the debtor of the violation, and makes whatever adjustments or corrections are necessary to cure the violation. The creditor is not liable for a violation if it can show by a preponderance of the evidence that the violation was not intentional and resulted from a bona fide error made notwithstanding the maintenance of procedures reasonably adopted to avoid such error.817
812 Id. § 604-a(2)(b).
813 Id. § 604(3).
814 Id. § 604-a(5).
815 Id. § 604-a(6).
816 Id. § 604-a(7).
817 Id. § 604-b.
6A.5.4 Florida
In Florida, the fourth-largest state, identity offenses are primarily contained in a single statute entitled “Criminal use of personal identification information,”818 in a chapter entitled “Fraudulent Practices.”819 The statute includes the basic violation, which is a third degree felony, and gradations upward depending on the severity of the offense. A third degree felony generally is punishable by up to five years imprisonment,820 and a $5000 fine821 or a higher amount equal to double the pecuniary gain derived from the offense by the offender or double the pecuniary loss suffered by the victim.822 Recidivists receive higher sentences and fines,823 as do those who commit degrees of the crime.
A study of identity crimes in Florida824 shows that there were 22,664 identity crime complaints from Florida victims in 2009. These incidents break down as follows:
Table 15 Identity crime Florida 2009
| Rank | Identity crime type | Complaints | Percentage (some crimes were reported under more than one category) |
|---|---|---|---|
| 1 | Government Documents or Benefits Fraud | 4,081 | 18% |
| 2 | Credit Card Fraud | 3,614 | 16% |
| 3 | Bank Fraud, including fraud involving checking and savings accounts and electronic fund transfers. | 3,168 | 14% |
| 4 | Employment-Related Fraud | 2,542 | 11% |
| 5 | Phone and Utilities Fraud | 2,046 | 9% |
| 6 | Loan Fraud | 755 | 3% |
| | Other | 5,747 | 25% |
| | Attempted Identity Crime | 1,526 | 7% |
818 Fla. Stats. § 817.468 (2011).
819 Fla. Stats. ch. 817.
820 Fla. Stats. § 775.082(3)(d).
821 Id. § 775.083(1)(c).
822 Id. § 775.083(1)(f).
823 Id. § 775.084.
824 FTC 2009 Data Book, supra note 1270, at 50.
The numbers have decreased somewhat from those shown in the 2008 study.825
Table 16 Identity crime Florida 2008
| Rank | Identity theft type | Complaints | Percentage |
|---|---|---|---|
| 1 | Credit Card Fraud | 4,973 | 20% |
| 2 | Government Documents or Benefits Fraud | 4,466 | 18% |
| 3 | Bank Fraud | 3,135 | 13% |
| 4 | Employment-Related Fraud | 2,413 | 10% |
| 5 | Phone or Utilities Fraud | 2,327 | 10% |
| 6 | Loan Fraud | 1,010 | 4% |
| | Other | 6,199 | 25% |
| | Attempted Identity Theft | 1,432 | 6% |
A Identity-Crime-Specific Statutes
1 Criminal Use of Personal Identification Information
“Personal identification information” under Florida law is any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any:
1. name
2. postal or electronic mail address
3. telephone number
4. social security number
5. date of birth
6. mother’s maiden name
7. official state-issued or United States-issued driver’s license or identification number
8. alien registration number
9. government passport number
10. employer or taxpayer identification number
11. Medicaid or food assistance account number
12. bank account number
13. credit or debit card number
825 There were 24,440 complaints in 2008, according to the FTC report published in 2009.
14. personal identification number or code assigned to the holder of a debit card by the issuer to permit authorized electronic use of such card
15. unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation
16. unique electronic identification number, address, or routing code
17. medical records
18. telecommunication identifying information or access device
19. other number or information that can be used to access a person’s financial resources.826
Under Florida law, the basic violation of “fraudulent use of personal identification information” is a third-degree crime, and is committed by any person who uses, or possesses with intent to fraudulently use, personal identification information concerning an individual, without first obtaining that individual’s consent.827 Such use or possession must be done willfully and without authorization.828 If consent is given, or a lack of consent is not proven, there can be no fraudulent use of personal identification information.829
If one commits the basic violation, as described above, and the pecuniary benefit, value of services received, payment sought to be avoided, or amount of injury or fraud perpetrated is $5,000 or more, the crime becomes second-degree, with a mandatory minimum sentence of three years’ imprisonment.830 The same punishment applies if the offender fraudulently uses the personal identification information of 10 or more individuals, but fewer than 20 individuals, without their consent.831 A first-degree felony is committed if the amount involved is $50,000 or more or if the offender fraudulently uses the personal identification information of 20 or more individuals, but fewer than 30 individuals, without their consent.832 A mandatory minimum sentence of 5 years’ imprisonment must then be imposed.833 If the amount is $100,000 or more, or if the offender fraudulently uses the personal identification information of 30 or more
826 Fla. Stats. § 817.568(1)(f).
827 Id. § 817.568(2)(a). A conviction was upheld in State v. Fagan, where Fagan, a worker at a health spa, used the personal information of one of the spa’s clients to procure fraudulent credit cards, which she then used to make purchases and obtain funds. 857 So. 2d 320 (Fla. Dist. Ct. App. 2003).
828 Fla. Stats. § 817.568(2)(a).
829 Townshend v. State, 965 So. 2d 236 (Fla. Dist. Ct. App. 2007).
830 Fla. Stats. § 817.568(2)(b).
831 Id.
832 Fla. Stats. § 817.568(3)(c).
833 Id.
individuals without their consent, the mandatory minimum sentence is 10 years’ imprisonment.834
A court has held that the monetary threshold ($5000, or $50,000, or $100,000) can be applied only to fraudulent use of a single individual’s information, and does not allow for aggregation of harms to separate victims. The multiple-victim factor is separate and distinct from the monetary threshold as a means of defining first-degree felony conduct. In Armas v. State,835 the defendant, Mariela Armas, tried to cash a counterfeit check for about $5000, made out to Linda Coutts. Armas presented a Florida driver’s license in Coutts’s name but displaying Armas’s photograph. The police determined that Armas was connected to 14 other illegal check-cashing transactions in which she used the same method (counterfeit check, fake Florida driver’s license). The checks ranged in value from $2800 to $18,000, and totaled $52,000. They were drawn on the bank accounts of eight individuals and four local business entities. Because the amount totaling over $50,000 was not from a single entity, it could not be used in order to charge Armas with first degree fraudulent use of personal identification information. She could have been charged with second-degree fraudulent use because the number of victims was over 10 but less than 20, or because the amount from some of the entities was over $5,000. However, the prosecution did not ask for second-degree fraudulent use as an alternative, and the court instead allowed a plea bargain imposing a third-degree fraudulent use conviction.836
Any Florida identity crime is punished more severely if it is committed by using a public record.837 The court may reduce or suspend the sentence of any person convicted of an identity crime in Florida if that person provides substantial assistance in the identification, arrest, or conviction of any of that person’s accomplices, accessories, coconspirators, or principals or of any other person engaged in fraudulent possession or use of personal identification information.838
Sentences for fraudulent use of identification information may run consecutively with sentences for fraud under another section of the Florida statutes, where each crime contains elements that the other does not. Organized fraud839 requires proof of an ongoing course of conduct and a deprivation of
834 Id.
835 Armas v. State, 947 So. 2d. 675 (Fla. Dist. Ct. App. 2007).
836 Id. at 681.
837 Fla. Stats. § 817.568(5).
838 Id. § 817.568(11).
839 Id. § 817.034(4).
property, while fraudulent use of personal identification information requires proof of using or possessing someone’s personal identification information.840
a Restitution
In sentencing a defendant convicted of an identity crime, the court may order that the defendant make restitution to any victim of the offense.841 In addition to the victim’s out-of-pocket costs, restitution may include payment of any other costs, including attorney fees incurred by the victim in clearing the victim’s credit history or credit rating, or any costs incurred in connection with any civil or administrative proceeding to satisfy any debt, lien, or other obligation of the victim arising as the result of the actions of the offender.842
b Correcting the Record
A Florida court may issue any orders necessary to correct any public record that contains false information given in violation of the identity crime statute.843
2 Harassment
Under the Florida law, one who commits the basic identity offense, and who does so for the purpose of harassing the individual whose identity was used, commits the offense of harassment by the use of personal identification information, which is a misdemeanor.844 To “harass” means to engage in conduct directed at a specific person that is intended to cause substantial emotional distress to such person and serves no legitimate purpose.845 It does not mean to use personal identification information for accepted commercial purposes. The term does not include constitutionally protected conduct, such as organized protests or the use of personal identification information for accepted commercial purposes.846
3 Use of Minor’s Identity
One who willfully and without authorization fraudulently uses personal identification information concerning an individual who is less than 18 years of age without first obtaining the consent of that individual or of his or her legal
840 Sibley v. State, 955 So. 2d 1222 (Fla. Dist. Ct. App. 2007).
841 Fla. Stats. § 817.568(13)(a).
842 Id.
843 Id. § 817.568(13)(b).
844 Id. § 817.568(4).
845 Id. § 817.568(1)(c).
846 Id.
guardian commits a second-degree felony.847 A parent or legal guardian who willfully and fraudulently uses personal identification information of the minor under his or her supervision commits a second-degree felony.848
4 Use of Identity of Deceased Person
One who willfully and fraudulently uses, or possesses with intent to fraudulently use, personal identification information concerning a deceased individual commits a third-degree felony.849 Penalties are increased for this offense if the value of using the deceased person’s identity is over certain amounts, or if the offender uses the identities of multiple deceased persons.850
5 Use of Counterfeit or Fictitious Information
Florida law makes it illegal to willfully and fraudulently create or use, or to possess with intent to fraudulently use, counterfeit or fictitious personal identification information concerning a fictitious individual. It is also illegal to create, use, or possess such information concerning a real individual without first obtaining that real individual’s consent.851 It is a third-degree felony to commit or facilitate a fraud on another person using such counterfeit or fictitious information.852 “Counterfeit or fictitious personal identification information” means any counterfeit, fictitious, or fabricated personal identification information (as described above) that is so similar that, although not truthful or accurate, it would in context lead a reasonably prudent person to credit its truthfulness and accuracy.853
6 Misrepresenting Oneself
If one commits an identity crime in Florida, and in order to obtain identification information, misrepresents oneself to be certain other people, the punishment for the crime will be more severe.854 The persons whom one may not impersonate under this statute are:
1. a law enforcement officer
2. an employee or representative of a bank, credit card company, credit counseling company, or credit reporting agency
847 Id. § 817.568(6).
848 Id. § 817.568(7).
849 Id. § 817.568(8)(a).
850 Id. § 817.568(8)(b) to (c).
851 Id. § 817.568(9).
852 Id.
853 Id. § 817.568(1)(g).
854 Id. § 817.568(10).
3. one who is seeking to assist the victim with a problem with a victim’s credit history.855
7 Unlawful Possession of Identification Documents
Within a chapter of Florida statutes entitled “Criminal Gang Enforcement and Prevention,”856 it is a second-degree felony for any person to possess or manufacture any blank, forged, stolen, fictitious, fraudulent, counterfeit, or otherwise unlawfully issued identification document for the purpose of benefiting, promoting, or furthering the interests of a criminal gang.857 An “identification document” includes, but is not limited to, a social security card or number, a birth certificate, a driver’s license, an identification card issued in lieu of a driver’s license, a naturalization certificate, an alien registration number, a passport, and any access credentials for a publicly operated facility or an infrastructure facility protected under federal antiterrorism laws.858
B Identity-Crime-Related Statutes
1 False Statement as to Identity to Procure Credit Card
A person who makes any false statement as to a material fact in writing, knowing it to be false and with intent that it be relied on respecting his or her identity or that of any other person, firm, or corporation for the purpose of procuring the issuance of a credit card, commits an offense.859
2 Obtaining Credit Card through Fraudulent Means
A person who takes a credit card from the person, possession, custody, or control of another without the cardholder’s consent or who, with knowledge that it has been so taken, receives the credit card with intent to use it, to sell it, or to transfer it to a person other than the issuer or the cardholder, is guilty of credit card theft.860 One who receives a credit card that he or she knows to have been lost, mislaid, or delivered under a mistake as to the identity or address of the cardholder and who retains possession with intent to use it, to sell it, or to transfer it to a person other than the issuer or the cardholder is also guilty of credit card theft.861 A person other than the issuer who sells a credit card or a person who buys a credit card from a person other than the issuer commits an
855 Id. § 817.568(19).
856 Fla. Stats. ch. 874.
857 Fla. Stats. § 874.12(b).
858 Id. § 874.12(a).
859 Id. § 817.59.
860 Id. § 817.60(1).
861 Id. § 817.60(2).
Identity Crime Legislation in the United States
391
offense.862 A person other than the issuer who, during any 12-month period, receives two or more credit cards issued in the name or names of different cardholders, which cards he or she has reason to know were taken or retained under circumstances that constitute illegality, has committed an offense.863 A person who, with intent to defraud a purported issuer or a person or organization providing money, goods, services, or anything else of value or any other person, falsely makes, falsely embosses, or falsely alters in any manner a credit card or utters such a credit card or who, with intent to defraud, has a counterfeit credit card or any invoice, voucher, sales draft, or other representation or manifestation of a counterfeit credit card in his or her possession, custody, or control is guilty of credit card forgery.864 A person other than an authorized manufacturer or issuer who possesses two or more counterfeit credit cards is presumed to have violated this statute.865 A person other than the cardholder or a person authorized by him or her who, with intent to defraud the issuer or a person or organization providing money, goods, services, or anything else of value or any other person, signs a credit card, commits an offense.866 C Components of Identity Crime Recognized under Florida Statutes Florida’s identity crime statutes criminalize several of the components of the Identity Crime Model. 
Acquisition: If one commits an identity crime in Florida, and in order to obtain identification information, misrepresents oneself to be certain other people, the punishment for the crime will be more severe.867 Obtaining a credit card through fraudulent means is an offense.868

Production: The willful and fraudulent creation of counterfeit or fictitious personal identification information is illegal under Florida law, whether it concerns a fictitious or a real individual.869 It is also illegal to manufacture any blank, forged, stolen, fictitious, fraudulent, counterfeit, or otherwise unlawfully issued identification document for the purpose of benefiting, promoting, or furthering the interests of a criminal gang.870 Under the credit card fraud statute, a person who falsely embosses, or falsely alters in any manner a credit card, is guilty of credit card forgery.871

862 Id. § 817.60(3).
863 Id. § 817.60(5).
864 Id. § 817.60(6)(a).
865 Id. § 817.60(6)(b).
866 Id. § 817.60(7).
867 Id. § 817.568(10).
868 Id. § 817.60.
869 Id. § 817.568(9).
870 Id. § 874.12(b).

Possession: Possession of personal identification information with the intent to use it fraudulently is an offense under Florida law.872 It is also illegal to possess any blank, forged, stolen, fictitious, fraudulent, counterfeit, or otherwise unlawfully issued identification document for the purpose of benefiting, promoting, or furthering the interests of a criminal gang.873 Possession of counterfeit credit cards with the intent to use them to defraud a person or organization is an offense.874

Transfer: There is nothing specific in the Florida statutes concerning the transfer of identity information or documents, although “use” (see below) of such information for gain may be construed to include transferring such information for gain.

Use: The main Florida identity crime statute, Fla. Stats. § 817.568, is entitled “Criminal use of personal identification information”; thus, “use” is the main focus of the Florida law. The statute itemizes uses that are illegal in Florida.

6A.5.5 Illinois

Illinois, the fifth-largest state, has enacted a series of identity crime statutes under the grouping “Identity Theft Law.”875 The Illinois Legislature, in passing the legislation, declared that the substantial burden placed upon the economy of Illinois because of the rising incidence of identity crime, and the negative effect of identity crime on the state of Illinois and on the victims of the crime, are matters of grave concern.
Illinoisans have the right to be protected from the effects of identity crime, which must be identified and dealt with swiftly and appropriately, considering its onerous nature.876 The Legislature concluded that the widespread availability and unauthorized access to personal identification information have led and will lead to a substantial increase in identity-crime-related crimes.877 A study of identity crimes in Illinois878 shows that there were 12,113 identity crime complaints from Illinois victims in 2009. These incidents break down as follows:

Table 17 Identity crime Illinois 2009

Rank | Identity crime type | Complaints | Percentage (some crimes were reported under more than one category)
1 | Phone or Utilities Fraud | 2,171 | 18%
2 | Government Documents or Benefits Fraud | 2,166 | 18%
3 | Credit Card Fraud | 1,987 | 16%
4 | Employment-Related Fraud | 1,477 | 12%
5 | Bank Fraud, including fraud involving checking and savings accounts and electronic fund transfers | 1,261 | 10%
6 | Loan Fraud | 473 | 4%
  | Other | 2,378 | 20%
  | Attempted Identity Crime | 716 | 6%

871 Id. § 817.60(6)(a).
872 Id. § 817.568.
873 Id. § 874.12(b).
874 Id. § 817.60.
875 720 Ill. Comp. Stats. art. 16G (2011).
876 Id. § 5/16G-5(a).
877 Id. § 5/16G-5(b).
878 FTC 2009 Data Book, supra note 1270, at 31.
The numbers have decreased somewhat from those shown in the 2008 study.879
Table 18 Identity crime Illinois 2008

Rank | Identity theft type | Complaints | Percentage
1 | Credit Card Fraud | 2,608 | 19%
2 | Government Documents or Benefits Fraud | 2,382 | 17%
3 | Phone or Utilities Fraud | 1,970 | 14%
4 | Employment-Related Fraud | 1,919 | 14%
5 | Bank Fraud | 1,350 | 10%
6 | Loan Fraud | 581 | 4%
  | Other | 3,080 | 22%
  | Attempted Identity Theft | 768 | 6%

879 There were 13,726 complaints in 2008, according to the FTC report published in 2009.
A Identity-Crime-Specific Statutes

1 Identity Theft

In Illinois, a person commits the offense of “identity theft” when he or she knowingly:
1. uses any personal identifying information or a personal identification document of another person (a) to fraudulently obtain credit, money, goods, services, or other property, or (b) with the intent to commit any felony theft or other felony;
2. obtains, records, possesses, sells, transfers, purchases, or manufactures any personal identification information or personal identification document of another (a) with intent to commit or to aid or abet another in committing any felony theft or other felony, or (b) knowing that the information or documents were stolen or produced without lawful authority;
3. uses, transfers, or possesses document-making implements to produce false identification or false documents with knowledge that they will be used to commit any felony theft or other felony;
4. uses any personal identification information or personal identification document of another to portray himself or herself as that person, or otherwise, in order to gain access to the information or documents of that person without the prior express permission of that person;
5. uses any personal identification information or personal identification document of another for the purpose of gaining access to any record of the actions taken, communications made or received, or other activities or transactions of that person, without the prior express permission of that person.880

In one Illinois court case, the evidence was sufficient to support a conviction for identity theft where the defendant knowingly obtained the victim’s name and social security number to obtain employment and earned more than $50,000 in wages. As part of her employment, she was issued an insurance policy in the victim’s name, through which she received approximately $31,000 in medical services.881

Aggravated identity theft: A person commits the offense of “aggravated identity theft” by committing the offense against a person 60 years of age or older or a disabled person, or in furtherance of the activities of an organized gang.882

“Personal identifying information” under Illinois law means any of the following information:883
1. a person’s name
2. a person’s address
3. a person’s date of birth
4. a person’s telephone number
5. a person’s driver’s license number or State of Illinois identification card as assigned by the Secretary of State of the State of Illinois or a similar agency of another state
6. a person’s social security number
7. a person’s public, private, or government employer, place of employment, or employment identification number
8. the maiden name of a person’s mother
9. the number assigned to a person’s depository account, savings account, or brokerage account
10. the number assigned to a person’s credit or debit card, commonly known as a “Visa Card,” “Master Card,” “American Express Card,” “Discover Card,” or other similar cards whether issued by a financial institution, corporation, or business entity
11. personal identification numbers
12. electronic identification numbers
13. digital signals
14. user names, passwords, and any other word, number, character or combination of the same usable in whole or part to access information relating to a specific individual, or to the actions taken, communications made or received, or other activities or transactions of a specific individual
15. any other numbers or information that can be used to access a person’s financial resources, or to identify a specific individual, or the actions taken, communications made or received, or other activities or transactions of a specific individual.884

“Personal identification document” under Illinois law means:885
1. a birth certificate
2. a driver’s license
3. a state identification card
4. a public, government, or private employment identification card
5. a social security card
6. a firearm owner’s identification card
7. a credit card
8. a debit card
9. a passport issued to or on behalf of a person other than the offender
10. any document made or issued, or falsely purported to have been made or issued, by or under the authority of the United States Government, the State of Illinois, or any other state political subdivision of any state, or any other governmental or quasi-governmental organization, that is of a type intended for the purpose of identification of an individual
11. any document made or altered in a manner that it falsely purports to have been made on behalf of or issued to another person or by the authority of one who did not give that authority.886

880 720 Ill. Comp. Stats. § 5/16G-15(a).
881 People v. Montoya, 373 Ill. App.3d 78, 868 N.E.2d 389 (Ill. App. Ct. 2007).
882 720 Ill. Comp. Stats. § 5/16G-20(a).
883 Id. § 5/16G-10(b).
884 Id.
885 Id. § 5/16G-10(a).

Sentencing: Sentences for the primary identity theft offense range from those appropriate for a Class 4 felony (1 to 3 years imprisonment, plus fine and restitution),887 to those for a Class X felony, which is more serious than a Class 1 felony.888 The sentencing statute is exceedingly complex, with a different range for each of the enumerated actions constituting identity theft. In general, the class of felony becomes more serious depending on whether the value of the property involved was under $300, between $300 and $2000, between $2000 and $10,000, between $10,000 and $100,000, or over $100,000.889 Other factors include whether the offender is a recidivist with a prior record of committing other specified crimes, and whether the victim was an active-duty member of the Armed Forces or the National Guard.890 Additional penalties apply to the use of identity information documents to purchase methamphetamine manufacturing materials.891 A separate sentencing scheme applies to aggravated identity theft.892 An Illinois court has held that prosecutors may not aggregate multiple acts of identity theft into one offense.
Thus, the court would not allow a Class X sentence when the prosecution improperly added together $45,000 from one victim, and $71,000 from another, in order to charge the defendant with aggravated identity theft of over $100,000.893
886 Id. § 16G-10(a).
887 Id. § 5/16G-15(d)(1)(A) (referring to sentences at 730 Ill. Comp. Stats. § 5/5-4.5-45).
888 Id. § 16G-15(d)(1)(E), referring to sentences at 730 Ill. Comp. Stats. § 5/5-4.5-25.
889 Id. § 5/16G-15(d)(1) to (4).
890 Id.
891 Id. § 5/16G(d)(5).
892 Id. § 5/16G-20(e).
893 People v. Elcock, 396 Ill. App. 3d 524, 919 N.E.2d 984 (Ill. App. Ct. 2009). The charge was “aggravated” because the victims were over 60 years old.
2 Facilitating Identity Theft

Illinois’ identity theft statutes include the crime of “facilitating identity theft.” The offender targeted by the statute is one who, in the course of employment or official duties, has access to the personal information of another person in the possession of the State of Illinois, whether written, recorded, or on computer disk. To have committed the offense, the offender must knowingly, with the intent of committing an identity crime or some other financial crime, dispose of that item in a receptacle, trash can, or other container that the public could gain access to, without shredding the information, destroying the recording, or wiping the computer disk so that the information is either unintelligible or destroyed.894 As is evident from the wording of the statute, this is not aimed at one who carelessly tosses out papers or disks; one must have the intent to commit a crime. The offense is a serious misdemeanor, and becomes a felony if it is repeated.895

In People v. Jackson,896 a court held that the prosecution proved that a defendant had the intent to promote or facilitate identity theft. A codefendant had used someone else’s name and Social Security number to purchase a home from the defendant and then procure another home in which the defendant lived after the purchase. The defendant remained intimately involved in deals with the codefendant, and the defendant knew that the codefendant used personal information of another person to purchase both homes and to procure mortgage loans. Thus, he facilitated identity theft.

“Personal information,” as used in this statute, is different from “personal identifying information” in the identity theft acts. “Personal information” consists of an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:897
1. social security number.
2. driver’s license number or state identification card number.
3. account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

894 720 Ill. Comp. Stats. § 5/16G-13(a).
895 Id. § 5/16G-13(b).
896 People v. Jackson, 391 Ill. App. 3d 11, 908 N.E.2d 72 (Ill. App. Ct. 2009). The case report does not indicate that the defendants were prosecuted under the statute in question.
897 720 Ill. Comp. Stats. § 5/16G-13(c) (referring to definition of “personal information” in the Personal Information Protection Act, found at 815 Ill. Comp. Stats. § 530/5 (2011)).
3 Transmission of Personal Identifying Information

The Illinois statute on transmission of personal identifying information targets a person who is not a party to a transaction involving a “financial transaction device.” Such person commits an offense by secretly or surreptitiously capturing information from such a device without the consent of the owner of information. The capture may be by photographing, or otherwise capturing or recording, electronically or by any other means. It is also an offense to distribute, disseminate, or transmit, electronically or by any other means, the information gained.898 The statute does not prohibit the capture or transmission of personal identifying information in the ordinary and lawful course of business; and it does not apply to a peace officer of Illinois, or of the federal government, or the officer’s agent, while in the lawful performance of the officer’s duties.899 Violation of the statute is a serious misdemeanor.900

A “financial transaction device” can be any of the following:
1. electronic funds transfer card
2. credit card
3. debit card
4. point-of-sale card901

If it is not merely a paper instrument, a financial transaction device can also be any instrument, device, card, plate, code, account number, personal identification number, or a record or copy of a code, account number, or personal identification number or other means of access to a credit account or deposit account, or a driver’s license or state identification card used to access a proprietary account. The device must be one that can be used alone or in conjunction with another access device, for any of the following purposes:
1. obtaining money, cash refund or credit account, credit, goods, services, or any other thing of value.
2. certifying or guaranteeing to a person or business the availability to the device holder of funds on deposit to honor a draft or check payable to the order of that person or business.
3. providing the device holder access to a deposit account for the purpose of making deposits, withdrawing funds, transferring funds between deposit accounts, obtaining information pertaining to a deposit account, or making an electronic funds transfer.902

898 Id. § 5/16G-14(a).
899 Id. § 5/16G-14(b).
900 Id. § 5/16G-14(c).
901 Id. § 5/16G-10(d).
902 Id. § 5/16G-10(d).
B Identity-Crime-Related Statutes

1 Online Theft by Deception

A person commits the offense of online theft by deception when he or she uses the Internet to purchase or attempt to purchase property from a seller with a mode of payment that he or she knows is fictitious, stolen, or lacking the consent of the valid account holder.903

2 Forgery

A person commits forgery when, with intent to defraud, he knowingly:
1. makes or alters any document apparently capable of defrauding another in such manner that it purports to have been made by another or at another time, or with different provisions, or by authority of one who did not give such authority; or
2. issues or delivers such document knowing it to have been thus made or altered; or
3. possesses, with intent to issue or deliver, any such document knowing it to have been thus made or altered; or
4. unlawfully uses the digital signature of another; or
5. unlawfully uses the signature device of another to create an electronic signature of that other person.904

C Components of Identity Crime Recognized under Illinois Statutes

Illinois’ identity crime statutes criminalize several of the components of the Identity Crime Model.

Acquisition: It is an offense under Illinois law to obtain or record any personal identification information or personal identification document of another knowing that the information or documents were stolen or produced without lawful authority.905 Secretly or surreptitiously capturing information from a financial transaction device without the consent of the owner of information is an offense under Illinois law.906

Production: It is an offense in Illinois to manufacture any personal identification information or personal identification document of another with intent to commit or to aid or abet another in committing any felony theft or other felony violation, or knowing that the information or document was produced without lawful authority.907 The crime of forgery is also relevant to the production of false identity documents.908

903 Id. § 5/16J-15.
904 Id. § 5/17-3.
905 Id. § 16G-15(a)(3).
906 Id. § 5/16G-14(a).

Possession: It is an offense in Illinois to possess any personal identification information or personal identification document of another with intent to commit or to aid or abet another in committing any felony theft or other felony violation, or knowing that the information or document was stolen or produced without lawful authority.909 It is also an offense to possess document-making implements knowing that they will be used feloniously.910

Transfer: Transferring any personal identification information or personal identification document of another knowing that the information or documents were stolen or produced without lawful authority is illegal, as is transferring document-making implements to produce false identification or false documents with knowledge that they will be used to commit any felony theft or other felony.911 Secretly or surreptitiously capturing information from a financial transaction device without the consent of the owner of information, and distributing, disseminating, or transmitting, electronically or by any other means, the information gained, is an offense under Illinois law.912

Use: Use for gain is the primary focus of Illinois’ identity theft law.913

D Civil Remedies and Victims’ Rights

Illinois’ criminal identity theft statutes include a civil remedy, a specific action that victims may utilize against identity thieves. A person convicted of an identity crime is made liable by the statute to any person who suffered damages as a result of the violation.914 The person suffering damages may recover court costs, attorney fees, lost wages, and actual damages.
If the offender has been convicted of using a victim’s personal information or documents in order to gain access to other information or documents,915 in the absence of proof of actual damages, the victim whose information or identification documents were used may recover damages of $2,000.916

907 Id. § 5/16G-15(a)(3), (4).
908 Id. § 5/17-3.
909 Id. § 5/16G-15(a)(3), (4).
910 Id. § 5/16G-15(a)(5).
911 Id. § 5/16G-15(a)(3), (4).
912 Id. § 5/16G-14(a).
913 Id. § 5/16G-15(a).
914 Id. § 5/16G-21.
915 Id. § 5/16G-15(a)(6) and (7).
916 Id. § 5/16G-21.
Illinois mandates that law enforcement agencies accept and provide reports relating to identity theft.917 A person who has learned or reasonably suspects that personal identifying information has been unlawfully used by another may initiate a law enforcement investigation by contacting the local law enforcement agency. The police must take a report of the matter, provide the complainant with a copy of that report, and begin an investigation of the facts. If the suspected crime was committed in a different jurisdiction, the local police must refer the matter to the law enforcement agency where the suspected crime was committed.918

A person who reasonably believes that he or she is the victim of financial identity theft919 may petition a court for an expedited judicial determination of factual innocence, in the following instances:
1. where the perpetrator of the financial identity theft was arrested for, cited for, or convicted of a crime under the victim’s identity;
2. where a criminal complaint has been filed against the perpetrator in the victim’s name;
3. where the victim’s identity has been mistakenly associated with a criminal conviction.920

Determinations of factual innocence are based on relevant and reliable information as determined by the judge. The judge must find the victim factually innocent of the crime if he or she determines that the petition has merit, and either:
1. there is no reason to believe that the victim committed the offense for which a perpetrator was arrested, cited, or convicted, or was subject to a criminal complaint in the victim’s name, and/or
2. that the victim’s identity has been mistakenly associated with a record of criminal conviction.
If the victim is found factually innocent, the court must issue an order certifying this determination.921 The court may order the name and associated personal identifying information contained in court records, files, and indexes to be sealed, deleted, or labeled to show that the data is impersonated and does not reflect the defendant’s identity.922 Court orders may be rescinded if the alleged victim has obtained such an order by misrepresenting the truth.923

917 Id. § 5/16G-30.
918 Id. § 5/16G-30(a).
919 Note that the crime now called “identity theft” formerly was called “financial identity theft.” This particular section of the law has not, however, been changed.
920 720 Ill. Comp. Stats. § 5/16G-30(b).
921 Id. § 5/16G-30(b).
922 Id. § 5/16G-30(c).
923 Id.

1 Debt Collection

When a debt collector or collection agency in Illinois receives particular information from a debtor, the debt collector must cease collection activities until completion of a review.924 Note that this provision is substantially similar to New York’s provision, discussed above. The collector must receive both of these items of information before it is required to cease collection activities:
1. A copy of a police report filed by the debtor alleging that the debtor is the victim of an identity theft crime for the specific debt being collected by the debt collector;925 and
2. The debtor’s written statement claiming identity theft with respect to the specific debt being collected by the debt collector, including one of the following:
   a) a Federal Trade Commission’s Affidavit of Identity Theft;926 or
   b) an Illinois Attorney General ID Theft Affidavit;927 or
   c) a written statement that certifies that the representations are true, correct, and contain no material omissions of fact to the best knowledge and belief of the person submitting the certification.928 This written statement must include each of the following, if relevant to the particular debt:
      i. a statement that the debtor is a victim of identity theft;
      ii. a copy of the debtor’s driver’s license or identification card, as issued by Illinois;
      iii. any other identification document that supports the statement of identity theft;
      iv. specific facts supporting the claim of identity theft, if available;
      v. any explanation showing that the debtor did not incur the debt;
      vi. any available correspondence disputing the debt after transaction information has been provided to the debtor;
      vii. documentation of the residence of the debtor at the time of the alleged debt, which may include copies of bills and statements, such as utility bills, tax statements, or other statements from businesses sent to the debtor and showing that the debtor lived at another residence at the time the debt was incurred;
      viii. a telephone number for contacting the debtor concerning any additional information or questions or direction that further communications to the debtor be in writing only, with the mailing address specified in the statement;
      ix. to the extent the debtor has information concerning who may have incurred the debt, the identification of any person whom the debtor believes is responsible;
      x. an express statement that the debtor did not authorize the use of the debtor’s name or personal information for incurring the debt.929

When a principal creditor receives notification as described above, it must review and consider all of the information provided by the debtor and other information relevant to the review. The principal creditor may restart its debt collection activities only if it makes a good faith determination that the information that it has collected does not establish that the debtor is not responsible for the specific debt in question. The debt collector must notify the debtor in writing of that determination and the basis for the determination before proceeding with any further collection activities.930 The principal creditor’s determination that a debt is valid or invalid does not create a waiver of any right or defense of the debtor or debt collector.931

A debt collector or collection agency must notify a consumer credit reporting agency to delete adverse information about the debtor if the debt collector:
1. ceases collection activities because of a notification of identity theft;
2. does not recommence those collection activities; and
3. has furnished adverse information to that consumer credit reporting agency.932

924 225 Ill. Comp. Stats. § 425/9.4(a) (2011).
925 225 Ill. Comp. Stats. § 425/9.4(a)(1).
926 Identity Theft Victim’s Complaint and Affidavit, FTC, http://www.ftc.gov/bcp/edu/resources/forms/affidavit.pdf (last visited Mar. 2, 2012) (providing a voluntary form for filing a report with law enforcement, and disputes with credit reporting agencies and creditors about identity theft-related problems).
927 Illinois Attorney General, Identity Theft Victim Kit (n.d.), available at http://illinoisattorneygeneral.gov/publications/pdf/victim.pdf (last visited Mar. 1, 2012).
928 225 Ill. Comp. Stats. § 425/9.4(a)(2) (2011).
929 Id. § 425/9.4(a)(2).
930 Id. § 425/9.4(d).
931 Id. § 425/9.4(e).
932 Id. § 425/9.4(f).
2 Denial of Credit or Utility Service

Consumers may not be denied credit or public utility service, nor may their credit limits be reduced, solely because the consumer has been a victim of identity theft.933 This provision will only apply if the consumer:
1. has provided a copy of an identity theft report evidencing the consumer’s claim of identity theft;
2. has provided a properly completed copy of a standardized affidavit of identity theft, as described above regarding debt collectors;
3. has obtained placement of an extended fraud alert in his or her file maintained by a nationwide consumer reporting agency, in accordance with the requirements of federal law; and
4. is able to establish his or her identity and address to the satisfaction of the person providing credit or utility services.934

E Other Illinois Statutes

Various other Illinois statutes also apply to identity theft.

Notification from tax authorities: The Illinois Department of Revenue must notify an individual if the Department discovers or reasonably suspects that another person has used that individual’s social security number.935

Identity theft insurance: The Illinois Department of Insurance must develop an appropriate consumer fact sheet to be provided to consumers, either via the Department’s website or by hard copy if requested, regarding identity theft insurance. The fact sheet must include, at a minimum, information on what is generally covered under identity theft insurance and on how to protect oneself from identity theft.936
Part B Canadian Statutes
6B.1
Introduction
Under Canada’s federal system, the central government is the sole source of laws on unemployment insurance, banks, and criminal and privacy matters. The provinces legislate on other matters, but also may pass laws on privacy. In
9 33 505 Ill. Comp. Stats. § 505/2VV (2011). 934 Id. 935 20 Ill. Comp. Stats. § 2505/2505–680 (2011). 936 5 Ill. Comp. Stats. § 155.42 (2011).
Identity Crime Legislation in the United States
405
British Columbia, Quebec, and Alberta, the provincial privacy laws override the federal privacy laws.937 Statutes pertaining to identity primarily appear in the Canadian Criminal Code, and in privacy and consumer protection legislation. The Criminal Code includes statutes that are specific to identity theft and identity fraud, as well as other statutes related to identity crimes.938 The Criminal Code also provides for restitution to victims of identity crimes.939 Privacy legislation regulates the collection and disclosure of personal information.940 Consumer statutes, chiefly enacted by the provinces, protect those whose identity has already been stolen by limiting liability to creditors and stopping collection agencies from harassing those who have suffered a breach of identity.941 The Canadian Parliamentary Information and Research Service, in advising Parliament before passing the bill to make “identity theft” and “identity fraud” crimes under the Canadian Criminal Code, noted that statistics on identity crime are “fairly unreliable” because victims often do not report identity crime, and they may not even realize that such a crime has occurred.942 The Service depends on statistics on statistics from PhoneBusters, a Canadian anti-fraud call center operated by several governmental agencies, which is Canada’s main source of data on identity crime, even though it relies strictly on callers providing it with information.943 According to PhoneBusters, the number of identity crime complaints rose from 10,637 in 2007 to 11,979 in 2009. The number of reported victims rose from 10,328 in 2007 to 11,109 in 2009. The amount reported lost to identity crime rose from $6.5 million in 2007 to $10.9 million in 2009.944 Estimates of losses using methods not based
937 Canadian Internet Policy and Public Interest Clinic (CIPPIC), Legislative Approaches to Identity Theft: An Overview (CIPPIC ID Theft Series, Working Paper No. 3, 2007) [hereinafter “CIPPIC, Legislative Approaches”], available at http://www.cippic.ca/sites/default/files/bulletins/Legislation.pdf.
938 Criminal Code, R.S.C. 1985, c. C-46 §§ 56.1–58, 402.1–403 (Can.) (discussed below).
939 Id. § 738(1) (discussed below).
940 Privacy Act, R.S.C., 1985 c. P-21 (1980–1983) (Can.) (discussed below).
941 CIPPIC, Legislative Approaches, supra note 1760.
942 Nancy Holmes & Dominique Valiquet, Bill S-4: An Act to amend the Criminal Code (identity theft and related misconduct), Document No. LS-637E, at 3 (April 14, 2009), available at http://www2.parl.gc.ca/Sites/LOP/LegislativeSummaries/Bills_ls.asp?lang=E&ls=s4&source=library_prb&Parl=40&Ses=2 (last modified June 5, 2009).
943 Id.
944 Canadian Anti-Fraud Centre Criminal Intelligence Analytical Unit, Annual Statistical Report 2009, Mass Marketing Fraud & ID Theft
CHAPTER 6
upon self-reporting give higher figures: for example, the Canadian Council of Better Business Bureaus has estimated that identity crime may cost Canadian consumers, banks, credit card companies, stores and other businesses more than $2 billion annually.945 The Canadian Parliament, cognizant of statistics such as these, also noted that the courts had been holding that “the elements of theft and fraud are not satisfied in cases where only the confidentiality of personal information is violated. This means that copying personal information, even for future criminal use, [was] not an offense under the Code.”946 Parliament also took note of the fact that “prior to the computer and Internet, a typical case of identity fraud involved one person stealing the identification and then using it for his or her gain. Today, technology has facilitated the involvement of numerous people along a continuum of criminal activity with no one player having committed all the elements of the fraud.”947 The leading case holding that Canadian laws were not totally applicable to the stealing of personal information, what would now be called identity theft, arose in 1988 when the Supreme Court of Canada decided R. v. Stewart.948 The Supreme Court was asked to decide whether the taking of confidential personal information was subject to the general laws on theft and fraud. The court held that “appropriat[ing] confidential information without taking a physical object evidencing it” was not theft under the Criminal Code, nor was appropriating it fraud. Unless the appropriated personal information was used criminally, its possession was legal. Thus, prosecutors were left without tools to prosecute the acquisition, transfer, and possession of identity information, all key components of identity crime. Over 15 years later, Stewart was still the leading holding, as illustrated by two British Columbia cases: R. v. Harris949 in 2004 and R. v. McNeil950 in 2006. In R. v. 
Harris, the defendant’s notebook contained the information for 39 credit card accounts belonging to other people; however, Harris was not criminally charged or convicted for possessing that information because
Activities, 23 (2009), available at http://www.phonebusters.com/english/documents/AnnualStatisticalReport2009_001.pdf.
945 Holmes & Valiquet, supra note 1765.
946 Id. at 4.
947 Id.
948 R. v. Stewart, [1988] 1 S.C.R. 963 (Can.). In Canadian case titles, “R.” stands for the Crown, which is prosecuting the case, and specifically the King or Queen (Rex or Regina).
949 R. v. Harris, [2004] B.C.J. No. 2847, 2004 BCPC 532 (Can. Prov. Ct. Crim. Div.).
950 R. v. McNeil, [2006] B.C.J. No. 187, 2006 BCPC 32 (Can. C.A.).
he had never used the numbers for an illicit purpose. (Possession of that information was relevant, however, in a judge’s sentencing of Harris for using false credit cards to make purchases, because it evidenced planning.) In R. v. McNeil, the defendant was accused of possessing another person’s driver’s license, health card, address, phone numbers, date of birth, and bank and line of credit balances. But he was charged solely with the possession of a homemade mail key. McNeil had not yet used the information to commit further offenses. An Alberta court recognized, in 2005, that the actions of a defendant in obtaining documents in the victim’s name and using them to commit fraud and impersonate the victim were identity theft, but that there was no legal definition to call the defendant’s actions “identity theft.”951 Various laws were used to prosecute identity theft before implementation of the identity theft and identity fraud statute in 2010. Thus, “Personation with Intent” was the charge when the accused acquired a birth certificate in the name of someone else and used it to obtain other identification information for himself.952 Forgery was the charge when a defendant presented to merchants an Alberta driver’s license in the name of another person but with his own picture on it, along with a fake SIN card as supporting documentation.953 Thus, before passage of the identity theft and identity fraud statute, an individual could only be found guilty of an offense if some other crime, such as fraud or forgery, had been committed using identity information obtained from another person. Such was the situation when Parliament took up the identity crime bill. The law is so new that case law is not yet developed under the statute, but the coverage of the law appears to be designed to fill in the gaps left by prior legislation, as indicated by the pre-statute decisions.
6B.2 Analysis of Canada’s Identity Crime Statutes and Related Statutes
Canada has the most comprehensive statutes pertaining to identity crimes of any nation. The identity-crime-specific statutes, combined with the identity-crime-related statutes, create a comprehensive framework for fighting identity crimes, yet some elements of a comprehensive statute are missing.
951 R. v. Thiel, [2005] A.J. No. 698, 2005 ABPC 149 (Alta. Prov. Ct. Crim. Div.).
952 R. v. Boyle, [2005] B.C.J. No. 2501, 2005 BCCA 537 (Can.).
953 R. v. Walowina, [2006] B.C.J. No. 830 (Can. Prov. Ct. Crim. Div.).
Canada’s Parliament has used the terms “identity theft” and “identity fraud” separately and distinctly, defining the former to refer to actions rightfully called “theft,”954 and the latter to describe actions rightfully called “fraud.”955 This is in contrast to the widespread practice of using “identity theft” to refer to all aspects of the crime, such as acquiring, collecting and transferring personal information, and then using the information to attempt to commit, or to actually commit, a crime.956 The Canadian law also defines “identity documents”957 and “identity information.”958 The listing of identity documents is not exhaustive: an identity document may also be “any other similar document issued by a federal or provincial government department or agency or a foreign government.” The listing of identity information likewise is open to expansion, and the term merely “includes” the specifically listed items. (Note that the Canadian statute does not use the term “identity crime.”) The statute is comprehensive: all of the components of identity crime are subject to criminal penalties. Those components are Producing, Acquiring, Transferring, Possessing, and Using identity information. However, some aspects of identity crime are covered in identity-crime-related statutes, rather than identity-crime-specific statutes. The specific sections where these five components are covered are identified below. The law also provides restitution and recovery for the victims,959 including expenses to reestablish identity, replace identity documents, and correct credit histories and ratings. The statute specifically refers to paying back a “person” for expenses, but it is unclear whether a “person” includes a store, a bank, or some other corporate entity.
6B.3 Criminal Code
The criminal laws of Canada are contained in the Canadian Criminal Code, consisting of 28 parts numbered I to XXVIII and various schedules and forms.960
954 Criminal Code, R.S.C. 1985, c C-46 § 402.2(1) (Can.).
955 Id. § 403(1) (formerly regarding “Personation with Intent”).
956 Holmes & Valiquet, supra note 1765, at 2.
957 Id. § 56.1(3).
958 Id. § 402.1.
959 Id. § 738(1)(d).
960 Criminal Code, R.S.C. 1985, c C-46 (Can.).
Table 19
Canada’s identity crime statutes and related statutes
Component of identity crime
Section of Canadian Criminal Code
Production of identity or identity document, either associated with a real person or not
§ 56.1(1)
§ 56.1(4)
§ 57(2)
§ 342(1)(b)
§ 366(1)
§ 368.1
Acquisition
§§ 322, 356
§ 342(1)(a)
§§ 348, 349
§ 356
§ 402.2(1)
Description of law: Law prohibits …
Cases (all decided before current identity crime law put into place)
Procuring to be made an identity document purporting to relate to another person, or actually relating to another person
Forging a passport
Making misleading statement to obtain or alter passport
Forging or falsifying a credit card (not identity-crime-specific)
New Law, Effective 8 Jan 2010
Theft (not identity-crime-specific)
Stealing a credit card (not identity-crime-specific)
Breaking and entering (not identity-crime-specific)
Theft from the mail (not identity-crime-specific)
Identity Theft: Obtaining another person’s identity information to commit indictable offense
R. v. Stewart, [1988] 1 S.C.R. 963
R. v. Mayer, [2006] A.J. No. 324, 2006 ABPC 30 (Alta. Prov. Ct. (Crim. Div.))
Forgery: making a false document, knowing it to be false, and intending that it should be acted upon as though it were genuine
R. v. Taft, [2003] B.C.J. No. 444, 2003 BCCA 104 (B.C. C.A.); R. v. Thiel, [2005] A.J. No. 698, 2005 ABPC 149 (Alta. Prov. Ct. (Crim. Div.))
Making, repairing, buying, or importing forgery instruments.
R. v. Bradley, 2004 CarswellAlta 1529 New Law, Effective 8 Jan 2010
Component of identity crime | Section of Canadian Criminal Code | Description of law: Law prohibits … | Cases (all decided before current identity crime law put into place)
Possession | § 56.1(1) | Possessing identity document of another | New Law, Effective 8 Jan 2010
Possession | § 57(3) | Possessing forged passport (not identity-crime-specific) | R. v. Taft, [2003] B.C.J. No. 444, 2003 BCCA 104 (B.C. C.A.)
Possession | § 342(1)(c) | Possessing a credit card knowing it was obtained, made or altered by committing an offense (not identity-crime-specific) |
Possession | § 342(3) | Possession of credit card data | R. v. Naqvi, [2005] A.J. No. 1593, 2005 ABPC 339 (Alta. Prov. Ct. (Crim. Div.))
Possession | § 342.1(1)(d) | Possession of another’s computer password (not identity-crime-specific) | R. v. Lavoie, 2000 IIJCan 14437 (Qc. C.Q.)
Possession | § 354 | Possession of property obtained by crime (not identity-crime-specific) | R. v. Taft, [2003] B.C.J. No. 444, 2003 BCCA 104 (B.C. C.A.); R. v. Tonks, [2003] B.C.J. No. 3042, 2003 BCPC 475 (B.C. Prov. Ct. (Crim. Div.))
Possession | § 368(1)(d) | Possessing a forged document with the intent to use it or traffic in it | New Law, Effective 8 Jan 2010
Possession | § 368.1 | Possessing forgery instruments (not identity-crime-specific) |
Possession | § 402.2(1) | Identity Theft: Possessing another person’s identity information to commit indictable offense | New Law, Effective 8 Jan 2010
Transfer/ Trafficking
§ 56.1(1)
Selling or offering for sale identity document of another
Trafficking in credit card (not identity-crime-specific)
Trafficking in computer passwords (not identity-crime-specific)
Trafficking in credit card data (not identity-crime-specific)
Selling or exporting forgery instruments
Identity Theft: Trafficking in identity information
New Law, Effective 8 Jan 2010
§ 342(1)(c) § 341.1(1)(d)
§ 343(3) § 368.1 § 402.2(2) Use
New Law, Effective 8 Jan 2010
§ 342(1)(c)
Use of a forged or falsified credit card (not identity-crime-specific)
R. v. Mayer, [2006] A.J. No. 324, 2006 ABPC 30 (Alta. Prov. Ct. (Crim. Div.))
§ 342.1(1)(d)
Use of another’s computer password (not identity-crime-specific)
Use of credit card data (not identity-crime-specific)
§ 342(3)
§ 362 to 365
False pretense crimes (not identity-crime-specific)
R. v. Mayer, [2006] A.J. No. 324, 2006 abpc 30 (Alta. Prov. Ct. (Crim. Div.)) Canada (Minister of Public Safety & Emergency Preparedness) v. Oladameji, 2008 CarswellNat 2003 (Immig. & Refugee Bd. of Canada (Immig. Div.) 2008).
Component of identity crime | Section of Canadian Criminal Code | Description of law: Law prohibits … | Cases (all decided before current identity crime law put into place)
Use | § 368(1)(a), (b) | Using, dealing with or acting on a forged document, or causing or attempting to cause any person to use, deal with or act on it |
Use | § 371 | Sending out a telegram, cablegram or radio message in the name of some other person, intending that the message should be acted upon as though it were sent by the other person |
Use | § 380 to 387 | Fraud (not identity-crime-specific) | R. v. Taft, [2003] B.C.J. No. 444, 2003 BCCA 104 (B.C. C.A.); R. v. Jubbal, [2004] B.C.J. No. 2207, 2004 BCPC 389 (B.C. Prov. Ct. (Crim. Div.))
Use | § 403(1) | Identity Fraud: Fraudulently personating another person, living or dead, to gain advantage, obtain property, cause disadvantage, or avoid arrest. | Newly Renamed Law, Effective 8 Jan 2010
Use | § 404 | Personating a candidate at a competitive or qualifying examination |
Use | § 405 | Acknowledging an instrument in a false name |
Note: Under the Criminal Code, minor crimes are subject to “summary convictions.” Unless otherwise provided by law, anyone convicted of an offense punishable on summary conviction is liable to a fine of no more than $5000 or to a term of imprisonment not exceeding 6 months, or to both. Also note that Canadian spellings of legal terms have been eschewed in favor of U.S. spellings.
6B.3.1 Identity-Crime-Specific Statutes
A Identity Theft and Identity Fraud
Some of the most recent additions to the Canadian Criminal Code were the result of “Bill S-4: An Act to amend the Criminal Code (identity theft and related misconduct),”961 which became effective on January 8, 2010.962 The statute affects Part X, Fraudulent Contracts Relating to Contracts and Trade, by adding a new subpart, “Identity Theft and Identity Fraud,” at sections 402.1 to 405. It also affects a subpart called “Official Documents” in Part II, “Offenses Against Public Order,” by adding a new section 56.1, “Identity Documents.” Bill S-4, in addition to the provisions below, adds identity theft, identity fraud, and trafficking in identity information to the list of crimes that may be investigated by using various techniques to intercept private communications.963
1 Illegally Possessing or Trafficking in Government [Identity] Documents
The Canadian Criminal Code includes a wide-ranging definition of “identity documents,” which lists a number of specific documents, but also instructs that the definition encompasses “any other similar document issued by a federal or provincial government department or agency or a foreign government.”964 The specific documents are: 1. Social Insurance number card 2. driver’s license 3. health insurance card 4. birth certificate 5. death certificate
961 Holmes & Valiquet, supra note 1765.
962 Kathleen Lau, Bill S-4 tightens noose around identity thieves, IT World Canada (Jan. 11, 2010), http://www.itworldcanada.com/news/bill-s-4-tightens-noose-around-identity-thieves/139723.
963 Criminal Code, R.S.C. 1985, c C-46 §§ 183–84 (Can.). For definition of “offense,” see Id. at lxx.1 to lxx.3.
964 Id. § 56.1(3).
6. passport 7. any document that simplifies the formalities of entry into Canada 8. certificate of citizenship 9. document indicating immigrant status in Canada 10. certificate of Indian status 11. employee identity card bearing the employee’s photograph and signature965
Regarding such documents, one commits an offense when, without lawful excuse, one procures to be made, possesses, transfers, sells or offers for sale an identity document that relates or purports to relate, in whole or in part, to another person.966 However, this does not prohibit any act carried out (a) in good faith, in the ordinary course of a person’s business or employment or in the exercise of the duties of office; (b) for genealogical purposes; (c) with the consent of, or authorization for, the person to whom the identity document relates, or the authorization of the entity that issued the identity document; or (d) for a legitimate purpose related to the administration of justice.967 One who commits the crime is subject to imprisonment up to five years, or may be punishable on a summary conviction.968
2 Offenses Involving Passports and Citizenship Certificates
Other crimes in the subpart entitled “Official Documents” predate enactment of the statute on identity crimes. Those crimes pertain to passports and certificates of citizenship. One who forges a passport or uses a forged passport is guilty of an offense and may be sentenced for up to 14 years’ imprisonment.969 Also, one who knowingly makes a false or misleading statement in order to obtain or alter a passport commits an offense.970 Possession of a forged passport or a passport obtained by making a false statement is also an offense.971 One may not use a certificate of citizenship or a certificate of naturalization for a fraudulent purpose, or knowingly part with one’s certification of citizenship, intending that it be used for a fraudulent purpose.972
965 Id. § 56.1(3).
966 Id. § 56.1(1).
967 Id. § 56.1(2).
968 Id. § 56.1(4).
969 Id. § 57(1). Note that other crimes pertaining to forgery are discussed below, under “Forgery.”
970 Id. § 57(2). The punishment for this offense is up to 2 years’ imprisonment, or summary conviction.
971 Id. § 57(3). The punishment for this offense is up to 5 years’ imprisonment.
972 Id. § 58. The punishment for this offense is up to 2 years’ imprisonment.
3 Identity Theft
The 2010 law on identity theft and identity fraud pertains to items considered to be “identity information,” meaning any information of a type that is commonly used, alone or in combination with other information, to identify or purport to identify an individual, including biological or physiological information. This includes: 1. fingerprints 2. voice prints 3. retina images 4. iris images 5. DNA profiles 6. names 7. addresses 8. dates of birth 9. written signatures 10. electronic signatures 11. digital signatures 12. user names 13. credit card numbers 14. debit card numbers 15. financial institution account numbers 16. passport numbers 17. Social Insurance numbers 18. health insurance numbers 19. driver’s license numbers, and 20. passwords973
In order to commit the offense of “identity theft” under the new law, one must knowingly obtain or possess another person’s identity information (one or more of the items on the above list) where it is reasonable to infer that the information is intended to be used to commit an indictable offense that includes fraud, deceit, or falsehood as an element of the offense.974 One commits the offense of “trafficking in identity information” by transmitting, making available, distributing, selling or offering for sale another person’s identity information, or possessing it for that purpose, knowing or being reckless about the fact that the information might be used to commit an indictable offense.975
973 Id. § 402.1.
974 Id. § 402.2(1). The punishment for this offense is up to 5 years’ imprisonment, or a lesser sentence on summary conviction. Id. § 402.2(5).
975 Id. § 402.2(2). The punishment for this offense is up to 5 years’ imprisonment, or a lesser sentence on summary conviction. Id. § 402.2(5).
An “indictable offense” under the preceding two paragraphs would be commission of:976 1. forgery977 2. fraudulent use of a certificate of citizenship978 3. personating a peace officer979 4. perjury980 5. theft, forgery, etc. of a credit card981 6. false pretense or false statement982 7. forgery983 8. use, trafficking, or possession of a forged document984 9. fraud985 10. identity fraud986
4 Identity Fraud
The section formerly called “Personation with Intent” has been replaced with one called “Identity Fraud.” The 2010 statute expands upon the former one. In order to commit “identity fraud,” one must fraudulently personate another person, living or dead, with one of the following intents: 1. to gain advantage; 2. to obtain any property or an interest in any property; 3. to cause disadvantage to the person being personated or another person; or 4. to avoid arrest or prosecution or to obstruct, pervert or defeat the course of justice.987 The statute replicates the former statute, but adds the last item regarding avoiding arrest or obstructing justice. “Personating a person,” under the statute, includes pretending to be the person or using the person’s identity information – whether by itself or in
976 Id. § 402.2(3).
977 Id. § 57 (discussed above).
978 Id. § 58 (discussed above).
979 Id. § 130 (discussed below).
980 Id. § 131.
981 Id. § 342 (discussed below).
982 Id. § 362 (discussed below).
983 Id. § 366 (discussed below).
984 Id. § 368 (discussed below).
985 Id. § 380 (discussed below).
986 Id. § 403 (discussed below).
987 Id. § 403(1). The punishment for this offense is up to 10 years’ imprisonment, or a lesser sentence on summary conviction.
combination with identity information pertaining to any person – as if it pertains to the person using it.988
5 Personation at Examination, or Personating a Police Officer
A longstanding offense now appears under the heading of “Identity Theft and Identity Fraud”: “Personation at Examination” occurs when one personates a candidate at a competitive or qualifying examination held under the authority of law or in connection with a university, college or school or who knowingly avails himself of the results of such personation.989 In a different section of the criminal code, “Personating a Peace Officer” is illegal. The offense consists of falsely representing oneself to be a peace officer or a public officer; or, not being a peace officer or public officer, using a badge or article of uniform or equipment in a manner likely to cause persons to believe that one is a peace officer or a public officer.990
6 Acknowledging Instrument in False Name
“Acknowledging an instrument in false name,” also under the heading of “Identity Theft and Identity Fraud,” occurs when one without lawful authority or excuse acknowledges, in a judicial setting, certain legal pleas or documents in the name of another person.991
7 Restitution
Bill S-4 provides for restitution to the victim of an identity crime. A court imposing sentence on or discharging an offender may, in addition to any other measure imposed on the offender, order that the offender make restitution992 by paying the expenses of a person who, as a result of an identity crime, incurs expenses to re-establish identity. This includes expenses to replace identity documents and to correct a credit history and credit rating. The reimbursement must not be more than the amount of those expenses, to the extent that they are reasonable, if the amount is readily ascertainable.993
988 Id. § 403(2).
989 Id. § 404. This is punishable on summary conviction.
990 Id. § 130. This is punishable on summary conviction, or on indictment, in which case the term of imprisonment may be up to 5 years.
991 Id. § 405. The punishment is up to 5 years’ imprisonment.
992 Id. § 738(1).
993 Id. § 738(1)(d).
6B.3.2 Identity-Crime-Related Statutes
Until the identity-crime-specific statute was implemented in 2010, prosecutors had to rely on a variety of different statutes, such as the ones set forth below, to prosecute actions that clearly constitute identity crimes. For example, in R. v. Taft,994 the accused, Anthony Taft, obtained personal information from individuals by advertising jobs in a local newspaper. When applicants applied for the jobs, he informed them that they had been placed on a short list, and that they must provide Taft with copies of identification documents. After he received a document from an applicant, Taft would attach his own photograph and forge or apply for identification in the name of the applicant. Using the identification, he would open bank accounts under the name of the applicant and deposit forged checks in the accounts. While Taft was being investigated for the bank account scheme, he set up a website, using the assumed identities, in order to offer to sell false identification. Upon arrest, Taft presented false names to the police, who had to establish his identity using fingerprints. The investigation of Taft revealed numerous other instances of his applying for and obtaining false identities, and using such identities to obtain funds. Taft was convicted of personation (§ 403); fraud (§ 380); uttering a forged document (§ 368); forgery (§ 366); possession of property obtained by the commission of an offense (§ 354); forging a passport (§ 57); and possession of a forged passport (§ 57). Despite all of these charges, Taft was sentenced to a mere 27 months, which the appellate judge called lenient. The charges are clearly also within the realm of both identity theft995 for obtaining and possessing the applicants’ information, and then trafficking in that information,996 and identity fraud997 for fraudulently personating the applicants in order to obtain property.
Had the new identity crime statute been in effect at the time of his conviction, Taft would also have faced multiple charges under the statute. The crime itself includes every component of the Identity Crime Model discussed at Chapter 3: acquisition of identity information, possession of that information, production of false documents, trafficking in information, and use of the information to obtain funds. The scattered sections of the Canadian Criminal Code that apply to a case such as this are now centralized under the heading of “Identity Theft and Identity Fraud.”998 The classification of the crimes as involving “identity”
994 R. v. Taft, [2003] B.C.J. No. 444, 2003 BCCA 104 (Can. B.C. C.A.).
995 Criminal Code, R.S.C. 1985, c C-46 § 402.2(1) (Can.).
996 Id. § 402.2(2).
997 Id. § 403(1). Taft was convicted of personation under the predecessor to this statute.
998 Id. § 402.1 to 405.
would the prosecution to a statutory hub or framework, to focus upon. Acts that might not have been chargeable, such as obtaining the identity information from the job applicants, are now clearly established as indictable offenses. The statutes described below remain vital pieces of the framework to prosecute identity crimes, which now is centered on the specific crimes of identity theft and identity fraud.
A False Pretenses
1 Definitions
“False pretense”: A false pretense is a representation of a matter of fact either present or past, made by words or otherwise, that is known by the person who makes it to be false and that is made with a fraudulent intent to induce the person to whom it is made to act on it.999
“Check”: In addition to its ordinary meaning, the term “check” includes a bill of exchange drawn on any institution that makes it a business practice to honor bills of exchange or any particular kind thereof drawn on it by depositors.1000
“Credit card”: A credit card is any card, plate, coupon book or other device issued or otherwise distributed for the purpose of being used on presentation to obtain money, goods, services, or any other thing of value, or, in an ATM or similar device, to obtain any of the services offered by the device.1001
“Document”: A document is any paper, parchment or other material on which is recorded or marked anything that is capable of being read or understood by a person, computer system or other device. It includes a credit card, but does not include trademarks on articles of commerce or inscriptions on stone or metal or other like material.
“False document”: A false document is a document that purports, in whole or part, to be made by or on behalf of a person who did not make it or authorize it, or who does not exist. It can also be one made by or on behalf of a person who purports to make it but that is false in some respect. It can also be a document made by someone, or under his authority, fraudulently intending that it be made by someone other than the person who made it.1002
“Passport”: A passport is a document issued by or under the authority of the Canadian Minister of Foreign Affairs for the purpose of identifying its holder.1003
999 Id. § 361(1).
1000 Id. § 362(5).
1001 Id. § 321.
1002 Id. § 321.
1003 Id. § 57(5).
“Revenue paper”: Revenue paper is used to make stamps, licenses or permits or for any purpose connected with the public revenue.1004
“Utter”: Note that Canadian statutes use the word “utter” in the sense, as explained by Black’s Law Dictionary, of putting or sending a document into circulation. This usage is particularly apt when used in the sense of circulating a forged note as if genuine.1005
2 Offenses
The Criminal Code makes it a crime to obtain something by false pretense when obtaining that thing is the equivalent of theft.1006 It is also an offense to obtain credit by false pretense or by fraud.1007 One commits an offense by making a false statement of one’s financial condition or one’s ability to pay in order to obtain: 1. the delivery of personal property, 2. the payment of money, 3. the making of a loan, 4. the grant or extension of credit, 5. the discount of an account receivable, or 6. the making, accepting, discounting or endorsing of a bill of exchange, check, draft or promissory note.1008 It is also an offense if one knows that a false statement has been made in order to obtain one of the items listed above, and procures that item on the strength of that statement.1009 When items are obtained by way of a check that is dishonored for insufficient funds on deposit or the like, the law presents a statutory presumption that the items were obtained by a false pretense. It is up to the accused to prove that he thought the check would be honored if presented for payment within a reasonable time after it was issued.1010 The Canadian Criminal Code contains a specific offense of obtaining the execution of a valuable security by fraud, which occurs when one uses false
1004 Id. § 321.
1005 Black’s Law Dictionary (9th ed. 2009).
1006 Criminal Code, R.S.C. 1985, c C-46 § 362(1)(a) (Can.). The punishment for this offense is up to 10 years’ imprisonment if the property obtained is a testamentary instrument or the value is over $5000, or, if the value is less than $5000, the punishment is up to 2 years, with a lesser punishment on a summary conviction.
1007 Id. § 362(1)(b). The punishment for this offense is up to 10 years’ imprisonment.
1008 Id. § 362(1)(c). The punishment for this offense is up to 10 years’ imprisonment.
1009 Id. § 362(1)(d). The punishment for this offense is up to 10 years’ imprisonment.
1010 Id. § 362(4).
pretense to sign over a security, or to sign a paper that might later be converted into or used as a security.1011 It is also an offense fraudulently to obtain food, a beverage or accommodation at any place that is in the business of providing those things.1012 In such a case, it is statutorily presumed that the items were taken fraudulently when one does not pay for them, and: 1. makes a false or fictitious show or pretense of having baggage, 2. has any false or pretended baggage, 3. surreptitiously removes baggage or any material part of it, 4. absconds or surreptitiously leaves the premises, 5. knowingly makes a false statement to obtain credit or time for payment, or 6. offers a worthless check, draft or security in payment for the food, beverage or accommodation.1013 Also in the category of false pretense is pretending to practice witchcraft, sorcery, enchantment, or conjuration; fortune-telling for money; or pretending to be able, through supernatural powers, to tell where stolen or lost property may be found.1014 Case Note: In Canada (Minister of Public Safety & Emergency Preparedness) v. Oladameji,1015 the accused, Seyitan Oladameji, had been convicted of, inter alia, identity theft in the United States. She sought admission to Canada. The court had to make a determination as to whether the U.S. crimes committed were also crimes in Canada, thus making Ms. Oladameji inadmissible to Canada. In the United States, one of the crimes the accused was convicted of was identity theft. The accused had, according to a police report, “entered Sam’s Club and opened a club membership in the name ‘Laurie Zirkle.’ [She] applied for and was granted $1500.00 in store credit. She presented a Massachusetts driver’s license and a Discover credit card for identification purposes. [She] then purchased $1356.70 in furniture and left the store.” (It is not clear from the facts of the case whether Laurie Zirkle was a real or a fictitious person.) 
The judge found that the act committed falls within the parameters of the offense of obtaining credit by false pretenses.1016 “Ms. Oladameji knowingly, by
1011 Id. § 363. The punishment for this offense is up to 5 years’ imprisonment.
1012 Id. § 364(1) (punishable on summary conviction).
1013 Id. § 364(2).
1014 Id. § 365 (punishable on summary conviction).
1015 Canada (Minister of Public Safety & Emergency Preparedness) v. Oladameji, 2008 CarswellNat 2003 (Immig. & Refugee Bd. of Canada (Immig. Div.) 2008).
1016 Criminal Code, R.S.C. 1985, c C-46 § 362(1)(b) (Can.).
CHAPTER 6
presenting identification in the name of Laurie Zirkle, presented false information with the aim of inducing Sam’s Club to grant her a club membership which she used to purchase furniture. I find that Ms. Oladameji actions were based on both knowledge and a fraudulent intent and this falls within the elements of obtaining credit by false pretense.”
The new identity crime statute would add little to the criminal charges available, assuming that Laurie Zirkle is a fictitious person. One commits the offense of illegally possessing or trafficking in government identity documents when, without lawful excuse, one procures to be made, possesses, transfers, sells or offers for sale an identity document that relates or purports to relate, in whole or in part, to another person.1017 Thus, procuring to be made and possessing the driver’s license of a fictitious person, Laurie Zirkle, would be a crime. However, the crime is not identity theft, because nothing was taken from another person, and not identity fraud, because that involves personating “another person, living or dead”; a fictitious person is presumably not “another person, living or dead.” Yet, four of the five elements of the Identity Crime Model discussed in chapter 3 are present (production, acquisition, possession, use), and it may be advisable to expand the law to include crimes involving fictitious identities.
B Forgery
One commits the offense of “forgery” by making a false document, knowing it to be false, and intending that it should be acted upon as though it were genuine, or that someone be induced to do something or refrain from doing something.1018 Making a false document includes:
1. materially altering a genuine document;
2. making a material addition to a genuine document or adding a false date, attestation, seal or other thing that is material; or
3. erasing or obliterating some part of a genuine document.1019
A forgery is complete as soon as the document is made with the required knowledge and intent, even if the maker does not intend that any particular person should use or act on it as genuine.1020 The forgery is complete even
1017 Id. § 56.1(1).
1018 Id. § 366(1). The punishment for this offense and the other section 366 violations is up to 10 years’ imprisonment, unless there is a summary conviction. Id. § 367. There is an exception for an official doing undercover work. Id. § 368.2. There is also an exception for one who commits forgery when, in good faith, making a false document at the request of a police force, the Canadian Forces or a department or agency of the federal government or of a provincial government. Id. § 366(5).
1019 Id. § 366(2).
1020 Id. § 366(3).
if the false document is incomplete or does not purport to be a document binding in law.1021
One commits an offense when, knowing that a document is forged, one uses, deals with or acts on it, or causes or attempts to cause any person to use, deal with or act on it.1022 One also commits the offense by transferring, selling, or offering to sell a forged document, or making it available, to any person, knowing that or being reckless as to whether an offense will be committed.1023 It is also illegal to possess a forged document with the intent to commit one of the offenses described above.1024 The place where a document was forged is not material.1025
One is guilty of a crime involving forgery instruments if, without lawful authority or excuse, one makes, repairs, buys, sells, exports from Canada, imports into Canada or possesses any instrument, device, apparatus, material, or thing that one knows has been used, or knows is adapted or intended for use, by any person to commit forgery.1026
A variation on a “forged document” offense makes it a criminal act to send out a telegram, cablegram or radio message in the name of some other person, when one has no authority to do so, intending that the message should be acted upon as though it were sent by the other person.1027 It is also an offense to cause alarm or injury by sending out such a message containing false information.1028
One commits an offense when, with intent to defraud and without lawful authority, one makes, executes, draws, signs, accepts or endorses a document in the name or on the account of another person, or knowingly uses such document.1029
1021 Id. § 366(4).
1022 Id. § 368(1)(a), (b). The punishment for this offense is up to 10 years’ imprisonment, unless summarily convicted. Id. § 368(1.1). There is an exception for an official doing undercover work. Id. § 368.2.
1023 Id. § 368(1)(c). This was added in 2010 by Bill S-4, An Act to amend the Criminal Code (identity theft and related misconduct), discussed above. The punishment for this offense is up to 10 years’ imprisonment, unless summarily convicted. Id. § 368(1.1). There is an exception for an official doing undercover work. Id. § 368.2.
1024 Id.
1025 Id. § 368(2).
1026 Id. § 368.1. The offense carries a punishment of up to 14 years’ imprisonment, or it is punishable on summary conviction. There is an exception for an official doing undercover work. Id. § 368.2.
1027 Id. § 371. The punishment for this offense is up to 5 years’ imprisonment.
1028 Id. § 372(1). The punishment for this offense is up to 2 years’ imprisonment.
1029 Id. § 374. The punishment for this offense is up to 14 years’ imprisonment.
One who demands, receives or obtains anything because of an instrument issued under the authority of law, knowing that it is based on a forged document, has committed an offense.1030
Case Note: In R. v. Thiel,1031 the defendant used a document in someone else’s name to obtain a further document in that person’s name. With these documents and the complainant’s social insurance card, the accused was then able to embark on a series of frauds, committed on different days over the next week. In doing so, the accused impersonated the complainant and, through the combined use of checks and identification, obtained illegally, the defendant stole over $5000. The primary charge in this prosecution, which occurred before passage of the identity crime law, was brought under the personation statute, now the identity fraud statute.1032 He was also prosecuted for possession of a forged document1033 and fraud.1034 These statutes were sufficient for the prosecution. Under the new identity crimes law, taking and possession of the identity information and documents would also be criminal.1035 The fact pattern includes instances of four of the five components of the Identity Crime Model discussed in chapter 3: acquisition, possession, production, and use.
C Fraud
It is an offense under the Canadian Criminal Code to defraud the public or any person of property, money, a valuable security, or any service. The fraud may be by deceit, falsehood, or other fraudulent means, whether or not it is a false pretense as defined, and whether or not ascertained.1036 Intentionally committing a fraud that affects the public market price of stocks, shares, merchandise or anything that is offered for sale to the public is also an offense.1037 The sentences may be increased where the circumstances are aggravated because:
1030 Id. § 375. The punishment for this offense is up to 14 years’ imprisonment.
1031 R. v. Thiel, [2005] A.J. No. 698 (Can. Alta. Crim. Div.).
1032 Criminal Code, R.S.C. 1985, c C-46 § 403(a) (Can.).
1033 Now, Id. § 368(1)(d).
1034 Id. § 380(1)(b) (discussed below).
1035 Id. §§ 56.1, 402.2.
1036 Id. § 380(1). The punishment for this offense is up to 14 years’ imprisonment where the subject-matter of the offense is a testamentary instrument or the value of the subject-matter of the offense exceeds $5000. If it is not one of those, then it may be punished by up to 2 years’ imprisonment, or it may be treated as a summary conviction.
1037 Id. § 380(2). The punishment for this offense is up to 14 years’ imprisonment.
1. the value of the fraud committed exceeded $1 million;
2. the offense adversely affected the stability of the Canadian economy or financial system;
3. the offense involved a large number of victims; and
4. in committing the offense, the offender took advantage of the high regard in which the offender was held in the community.1038
The court may not consider as mitigating circumstances the offender’s employment, employment skills or status or reputation in the community if those circumstances were relevant to, contributed to, or were used in the commission of the offense.1039
In addition to the above offense, stock manipulation is also a specific criminal offense. One is guilty of the offense by:
1. buying or selling a security that involves no change in the beneficial ownership of it, or
2. entering an order for the purchase or sale of a security, knowing that a nearly identical order has been or will be entered by or for the same or different persons.
These offenses must be through the use of a stock exchange, curb market or other market, and the offender must have the intent to create a false or misleading appearance of active public trading in a security, or the intent to create a false or misleading appearance with respect to the market price of a security.1040
Anyone who knows of an unregistered prior sale or of an existing unregistered grant, mortgage, hypothec, privilege or encumbrance of or on real property, but fraudulently sells the property or any part of it, is guilty of an offense.1041
The mails may not be used in order to transmit or deliver letters or circulars concerning schemes devised or intended to deceive or defraud the public, or for the purpose of obtaining money under false pretenses.1042
Case Note: In R. v. Jubbal,1043 a judge enhanced a sentence because the crime involved identity theft, even though identity theft per se was not yet a crime. The conviction was based upon, inter alia, fraud.1044 The judge called identity theft an “aggravating factor which I ought properly to take into account.” The
1038 Id. § 380.1(1).
1039 Id. § 380.1(2).
1040 Id. § 382. The punishment for this offense is up to 10 years’ imprisonment.
1041 Id. § 387. The punishment for this offense is up to 2 years’ imprisonment.
1042 Id. § 381. The punishment for this offense is up to 2 years’ imprisonment.
1043 R. v. Jubbal, [2004] B.C.J. No. 2207, 2004 BCPC 389 (Can. B.C. Crim. Div.).
1044 Criminal Code, R.S.C. 1985, c C-46 § 380.1 (Can.).
“crime involved not only fraud but the use of documents obtained as the result of identity-theft. This is a growing and serious problem in this and other communities in Canada, and indeed throughout the world and could ultimately threaten the integrity and stability of the economic order upon which we all depend.” Under the current statutes, identity theft could be one of the charges, and not just an aggravating factor.1045
D Theft
The crime of “theft” requires a conversion of the property of another person, intending:
1. to deprive the owner or an interested party of the thing or of his property or interest in it;
2. to pledge it or deposit it as security;
3. to lend it out conditionally (for example, as security for a loan), without certainty that the condition for its return can be met; or
4. to handle it in such a way that it cannot be restored to the condition it was in when it was converted.1046
The theft is committed at the time when the thing converted is moved, or when the offender begins to cause it to become movable.1047 Such a taking may be fraudulent even if done without secrecy or concealment.1048 Possession by the one who converted the property is not relevant to the question whether there has been a conversion.1049
Case Note: Prior to passage of the Canadian identity crime statutes, the Supreme Court had ruled that the theft statutes were not apropos to the stealing of identity information. In R. v. Stewart,1050 the Supreme Court of Canada considered the case of a self-employed consultant, who was hired by a purported labor union to obtain the names and addresses of the employees of a hotel. He offered to pay a security guard to obtain the information, but the guard had no access to the information, and reported the defendant to authorities. The defendant did not want any physical object, only the information. He was charged with counseling to commit the offenses of theft and fraud.
The court held that “information” as such was not subject to theft laws because there is no proprietary right to it. One cannot own confidentiality.
1045 Id. § 402.2(1).
1046 Id. § 322(1).
1047 Id. § 322(2).
1048 Id. § 322(3).
1049 Id. § 322(4).
1050 R. v. Stewart, [1988] 1 S.C.R. 963.
Under the current statute, the theft of identity information, including names and addresses, is an offense, but only if the purpose of the theft is to commit an indictable offense that entails fraud, deceit or falsehood.1051 Thus, it is likely that theft of the information involved in the Stewart case is legal, even under the identity theft statutes, because the purpose of taking the names would merely have been to provide union organizers with the names of employees, which is not necessarily a fraudulent purpose. The court warned against criminalization of such conduct, stating:
The criminalization of certain types of conduct ought not to be done lightly because there could be far-reaching consequences that a Court would not be in a position to contemplate. For instance, the existence of such an offense as theft of confidential information would have serious implications for the mobility of labor. An employee leaving a job and taking information with him could face criminal sanctions if he misjudged and inadvertently crossed over a line which is sufficiently obscure that Judges have had great difficulty in drawing it with precision.1052
1 Theft from Mail
It is an offense under the Canadian Criminal Code to steal anything sent by post after it is deposited at a post office and before it is delivered. It is also an offense to steal a bag, sack, or other container or covering in which mail is conveyed, whether or not it contains mail, or a key suited to a lock adopted for use in the Canada Post Corporation.1053 Making, possessing, or using a copy of a key suited to a lock adopted for use by the Canada Post Corporation, or a key suited to obtaining access to a receptacle or device provided for the receipt of mail, with the intent to steal mail before it is delivered, is outlawed.1054 Knowingly possessing anything stolen in the manner described above is also an offense,1055 as is fraudulently redirecting, or causing to be redirected, anything sent by post.1056
Case Note: In the case of R. v. Bradley,1057 a Nigerian man, as part of an international criminal enterprise, stole the identity information of an innocent
1051 Criminal Code, R.S.C. 1985, c C-46 § 402.2(1) (Can.).
1052 R. v. Stewart, 1 S.C.R. 1968.
1053 Criminal Code, R.S.C. 1985, c C-46 § 356(1)(a) (Can.). The punishment for this offense is up to 10 years’ imprisonment.
1054 Criminal Code, R.S.C. 1985, c C-46 § 356(1)(a.1) (Can.).
1055 Id. § 356(1)(b).
1056 Id. § 356(1)(c).
1057 R. v. Bradley, [2004] A.J. No. 1278 (Can. Alta. C.A.).
Alberta man. In sentencing the man, the court scolded: “You used the identity and residence address of an innocent Calgary man for mail drop purposes, and possessed a Visa card, social insurance card, and driver’s license in that person’s name. That poor man, an innocent man, was investigated and interrogated by the police. No doubt they thought he was part of this enterprise as well.” The defendant was prosecuted under mail theft and forgery statutes; under the identity crimes statutes,1058 he could be prosecuted for identity theft. It included three components of the Identity Crime Model discussed at chapter 3: acquisition, possession, and use, and all were done with a fraudulent purpose.
E Credit Card Crimes
It is an offense under the Canadian Criminal Code to steal, forge, or falsify a credit card.1059 It is also an offense to possess, use, or traffic in a credit card knowing that it was obtained, made or altered by committing an offense, or something that would be an offense if it occurred in Canada.1060 Further, it is an offense to use a credit card knowing that it has been revoked or cancelled.1061 It is also an offense fraudulently and without color of right to possess, use, traffic in or permit another person to use credit card data, whether or not authentic, that would enable a person to obtain items or take advantage of the credit card issuer’s services. “Data” includes personal authentication information.1062
“Traffic”: In relation to a credit card or credit card data, to “traffic” means to sell, export from or import into Canada, distribute or deal with in any other way.1063
“Personal authentication information”: In relation to a credit card, this means a personal identification number or any other password or information that a credit card holder creates or adopts to be used to authenticate the holder’s identity in relation to the credit card.1064
1058 Criminal Code, R.S.C. 1985, c C-46 § 402.2(1) (Can.).
1059 Id. § 342(1)(a), (b). The punishment for the offenses in this section is up to 10 years’ imprisonment, or a lesser sentence on summary conviction. Id. § 342(1)(e), (f).
1060 Id. § 342(1)(c).
1061 Id. § 342(1).
1062 Id. § 342(3). The punishment for this offense is up to 10 years’ imprisonment, or a lesser sentence on summary conviction. Note that the Canadian Bankers Association has recommended that use of the term “credit card” is too narrow, in that credit cards, while predominant now, may become an outdated form of payment. The bankers recommend that “credit card” be replaced with “payment method.” See analysis at the end of this chapter.
1063 Id. § 342(4).
1064 Id.
It is also a crime in Canada to deal with devices intended to be used to forge or falsify credit cards, including making or repairing such devices, buying or selling them, importing them, or possessing them.1065 Such devices must be forfeited to the government, and disposed of as the attorney general directs.1066
Case Note: Under the credit card statutes above, the defendant in R. v. Naqvi1067 was convicted of skimming debit and credit cards to sell the information. He had been given a skimming device by a high school friend. He skimmed around 175 cards and sold the information for $17,700, but did not create fake credit cards or use any such cards. He was sentenced to 18 months of imprisonment and ordered to pay restitution to the banks according to their proportion of the losses. Under the new identity crime statute, the defendant could also have been convicted of identity theft, because a user’s name and credit card number are “identity information” covered by the statute.1068 He engaged in two components of the Identity Crime Model, discussed in chapter 3: acquisition of information, and trafficking in that information.
In a more serious case, R. v. Mayer,1069 the defendant not only skimmed the card information, but also used it. The defendant pled guilty to 28 charges of using forged debit cards and debit card data. The fraud involved five different financial institutions, six businesses where the cards were skimmed and 34 different card holders. The defendant was sentenced, however, to only 12 months’ imprisonment, to run concurrently with any other sentence. Under the new identity crime statute, the defendant could also have been convicted of identity theft, because a user’s name and credit card number are “identity information” covered by the statute.1070 As there were 34 different cardholders involved, he could have been charged with 34 counts of identity theft.
However, it is difficult to see how a charge of identity theft would increase the sentence: the potential punishment for a credit card crime is more severe than that for identity theft,
1065 Id. § 342.01(1). The punishment for this offense is up to 10 years’ imprisonment, or a lesser sentence on summary conviction. Id. § 342(3). The punishment for this offense is up to 10 years’ imprisonment, or a lesser sentence on summary conviction. Note that the Canadian Bankers Association has recommended that use of the term “credit card” is too narrow, in that credit cards, while predominant now, may become an outdated form of payment. The bankers recommend that “credit card” be replaced with “payment method.” See analysis at the end of this chapter.
1066 Id. § 342.01(2).
1067 R. v. Naqvi, [2005] A.J. No. 1593, 2005 ABPC 339 (Can. Alta. Crim. Div.).
1068 Criminal Code, R.S.C. 1985, c C-46 §§ 402.1, 402.2 (Can.).
1069 R. v. Mayer, [2006] A.J. No. 324, 2006 ABPC 30 (Can. Alta. Crim. Div.).
1070 Criminal Code, R.S.C. 1985, c C-46 §§ 402.1, 402.2 (Can.).
yet the perpetrator received a mere 12 months’ jail time. The crime has at least three components of the Identity Crime Model discussed in chapter 3: acquisition of identity information, production of identity documents, and use of those documents. Note that in the two cases above, the more serious crime was punished much more leniently. This points to the need for more uniformity in sentencing for crimes of this sort.
F Computer Crimes
1 Definitions
“Computer password”: A computer password is any data by which a computer service or computer system is capable of being obtained or used.
“Computer program”: A computer program is data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function.
“Computer service”: “Computer service” includes data processing and the storage or retrieval of data.
“Computer system”: A computer system is a device that, or a group of interconnected or related devices one or more of which, contains computer programs or other data, and, pursuant to computer programs, performs logic and control, and may perform any other function.
“Data”: Data are representations of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer system.
“Electromagnetic, acoustic, mechanical or other device”: An electromagnetic, acoustic, mechanical or other device is any device or apparatus that is used or is capable of being used to intercept any function of a computer system, but does not include a hearing aid used to correct subnormal hearing of the user to not better than normal hearing.
“Function”: “Function” includes logic, control, arithmetic, deletion, storage and retrieval and communication or telecommunication to, from or within a computer system.
“Intercept”: “Intercept” includes listen to or record a function of a computer system, or acquire the substance, meaning or purport thereof.
“Traffic”: In respect to a computer password, “traffic” means to sell, export from or import into Canada, distribute or deal with in any other way.1071
1071 Id. § 342.1(2).
2 Unauthorized Use of Computer
It is an offense under the Canadian Criminal Code, fraudulently and without color of right, to:
1. obtain, directly or indirectly, any computer service;
2. by means of an electromagnetic, acoustic, mechanical or other device, intercept any function of a computer system;
3. use a computer system intending to commit one of the offenses above, or the offense of “Mischief” (discussed below) in relation to data or a computer system; or
4. use, possess, traffic in or permit another person to have access to a computer password that would enable him to commit one of the offenses above.1072
The possession of a device to commit the above offenses, without lawful justification or excuse, is also a violation of the Canadian Criminal Code, if it is likely that the device was or will be used to commit the offense.1073 Such devices must be forfeited to the government, and disposed of as the attorney general directs.1074
Case Note: The defendant in R. v. Lavoie1075 pleaded guilty to one count of possession of a computer password that would permit entry into governmental and telecommunication computer systems.1076 A website published by the defendant was used to publish passwords to access government, military or telecommunication organizations’ sites, and intrusions were detected at such sites, but it could not be proven that the intrusions were committed by the accused. Under the new identity crime statute, a password is considered to be “identity information.”1077 Obtaining or possessing a password where it is reasonable to infer that the password is intended to be used to commit an indictable offense that includes fraud, deceit or falsehood as an element of the offense is an offense carrying a 5-year sentence of imprisonment.1078 Thus, the charge of identity theft could be added to the charge of unauthorized use of a computer. Only one component of the Identity Crime Model discussed in chapter 3 was proven: possession.
Even though the passwords published on the website had been acquired from others, and by publishing them, they were
1072 Id. § 342.1(1). The punishment for this offense is up to 10 years’ imprisonment, or a lesser sentence on summary conviction.
1073 Id. § 342.2(1). The punishment for this offense is up to 2 years’ imprisonment, or a lesser sentence on summary conviction.
1074 Id. § 342.2(2).
1075 R. v. Lavoie, 2000 IIJCan 14437 (Can. Que. C.Q.).
1076 Criminal Code, R.S.C. 1985, c C-46 § 342.1(1)(d) (Can.).
1077 Id. § 402.1.
1078 Id. § 402.2.
trafficked, neither of these acts was shown to have been done for financial gain, and the defendant could plausibly allege that they were not done for the purpose of fraud, but rather, to pursue a hobby.
3 Mischief in Relation to Data
Unrelated to data, Canadian law considers it to be the offense of “mischief” when one willfully:
1. destroys or damages property;
2. renders property dangerous, useless, inoperative, or ineffective;
3. obstructs, interrupts, or interferes with the lawful use, enjoyment, or operation of property; or
4. obstructs, interrupts, or interferes with any person in the lawful use, enjoyment, or operation of property.1079
In relation to data, one commits mischief when one willfully:
1. destroys or alters data;
2. renders data meaningless, useless, or ineffective;
3. obstructs, interrupts or interferes with the lawful use of data; or
4. obstructs, interrupts or interferes with any person in the lawful use of data or denies access to data to any person who is entitled to access thereto.1080
If the mischief causes actual danger to life, the offender may be imprisoned for life.1081 Generally, the punishment is not as severe.1082
G Possession of Property Obtained by Crime
One commits an offense under the Canadian Criminal Code by knowingly possessing any property or thing, or any proceeds of any property or thing, obtained through the commission of an act that is an indictable offense under Canadian law (whether or not the act occurred in Canada).1083 A police officer carrying out his duties cannot be convicted under this statute.1084
1079 Id. § 430(1).
1080 Id. § 380(1). The punishment for this offense is imprisonment for life if the.
1081 Id. § 380(2).
1082 Id. § 380(3) specifies imprisonment for up to 10 years for mischief relating to a testamentary instrument or when the value exceeds $5000, or a lesser sentence on summary conviction. For other property, the punishment is up to 2 years’ imprisonment, unless there is a summary conviction. Id. § 380(4).
1083 Id. § 354(1). The punishment for this offense is up to 10 years’ imprisonment if the property obtained is a testamentary instrument or the value is over $5000, or, if the value is less than $5000, the punishment is up to 2 years, with a lesser punishment on a summary conviction. Id. § 355(1), (b).
1084 Id. § 354(4).
Evidence that a person possesses a motor vehicle, or part, with an obliterated or removed vehicle identification number (VIN) is, in the absence of any evidence to the contrary, proof that the vehicle or part was obtained through the commission of a Canadian offense.1085
Case Note: In R. v. Tonks,1086 Scott Tonks was convicted of multiple counts of possession of property obtained by a crime. Among the charges were three counts of possessing a debit card that had been stolen from the mail. Using the cards, Tonks had obtained nearly $30,000 in cash and goods. Under the new identity crime law, Tonks could also have been convicted of identity theft for obtaining and possessing debit card information knowing that it will be used to commit a further crime involving fraud, deceit, or falsehood.1087 He committed three of the components of the Identity Crime Model discussed in chapter 3: acquisition, possession, and use.
6B.4 Privacy Act
The Canadian Privacy Act, passed in 1985, limits the federal government’s ability to collect and use personal information of Canadians, thereby reducing the risk of identity theft.1088 The statute does not, however, require safeguards for information, and does not control access to the information.1089
“Personal information” under the Privacy Act is information about an identifiable individual that is recorded in any form, and includes:
1. information relating to the race, national or ethnic origin, color, religion, age or marital status of the individual;
2. information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
3. any identifying number, symbol or other particular assigned to the individual;
4. the address, fingerprints or blood type of the individual;
1085 Id. § 354(2).
1086 R. v. Tonks, [2003] B.C.J. No. 3042, 2003 BCPC 475 (Can. B.C. Crim. Div.).
1087 Criminal Code, R.S.C. 1985, c C-46 § 402.2(1) (Can.).
1088 Canadian Internet Policy and Public Interest Clinic (CIPPIC), Canadian Legislation Relevant to Identity Theft: An Annotated Review 6 (CIPPIC ID Theft Series, Working Paper No. 3A, March 2007) [hereinafter “CIPPIC, Identity Theft Review”], available at http://www.cippic.ca/sites/default/files/bulletins/Techniques.pdf.
1089 Id.
5. the personal opinions or views of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations;
6. correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence;
7. the views or opinions of another individual about the individual;
8. the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution or a part of an institution, but excluding the name of the other individual where it appears with the views or opinions of the other individual, and
9. the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual.1090
However, because of Canada’s Access to Information Act (the equivalent of the U.S.’s Freedom of Information Act), “personal information” does not include certain information about government officers and employees, including:
1. the fact that the individual is or was an officer or employee of the government institution,
2. the title, business address and telephone number of the individual,
3. the classification, salary range, and responsibilities of the position held by the individual,
4. the name of the individual on a document prepared by the individual in the course of employment, and
5. the personal opinions or views of the individual given in the course of employment.
6. “Personal information” under the Privacy Act also does not include:
7. information about an individual who is or was performing services under contract for a government institution that relates to the services performed;
8. information relating to any discretionary benefit of a financial nature, including the granting of a license or permit, conferred on an individual, including the name of the individual and the exact nature of the benefit; and
1090 Privacy Act, R.S.C., 1985 c. P-21 § 3 (Can.).
Identity Crime Legislation in the United States
9.
435
information about an individual who has been dead for more than twenty years.1091 Under the Privacy Act, personal information under the control of a government institution may not, without the consent of the individual to whom the information relates, be used by the institution except for the purpose that it was gathered for, or certain other purposes specified in the statute,1092 or be disclosed except in accordance with the statute.1093 Personal information held by a government institution may only be disclosed:1094 1. for the purpose for which it was obtained; 2. to comply with a statute or regulation; 3. to comply with a court order; 4. to the Attorney General for use in legal proceedings; 5. to an investigative body to enforce the law; 6. to an institution of a provincial, tribal, or foreign government, or an international organization, to enforce the law of carry out an investigation; 7. to a member of Parliament for the purpose of assisting the individual to whom the information relates in resolving a problem; 8. to government bodies involved in auditing for tax purposes; 9. to the Library and Archives of Canada for archival purposes; 10. to any person or body for research or statistical purposes, in deemed necessary for the research and if the person or body agrees not to disclose the information further; 11. to associations of aboriginal persons and Indians to research claims, disputes or grievances; 12. to locate a person who owes taxes; and 13. 
for any other purpose when it is in the public interest, or disclosure would clearly benefit the individual to whom the information relates.1095 The head of a government institution must include in “personal information banks” any personal information under the control of the government institution that has been used, is being used, or is available for use for an administrative purpose; or is organized or intended to be retrieved by the name of an individual or by an identifying number, symbol or other particular assigned to an individual.1096 Information about those banks and the 1 091 1092 1093 1094 1095 1096
Id. Id. § 7 (the additional purposes are in § 8(2)). Id. § 8(1). Id. § 8(2). Id. § 8(2). Id. § 10(1).
436
CHAPTER 6
type of information kept in them must be published at least annually by the government.1097 Canadian citizens and permanent residents have a right to access the information contained about them held by the government,1098 and may seek corrections and appropriate annotations.1099 6B.5
Personal Information Protection and Electronic Documents Act
Canada’s Personal Information Protection and Electronic Documents Act (“pipeda”) was intended to improve information collection, management, and disclosure practices on the part of businesses.1100 It does not apply to government institutions, which are covered by the Privacy Act, discussed above. pipeda’s official stated purpose is “to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”1101 A study paper has pointed out that “the principles are drafted in very broad terms, offering a lot of flexibility to organizations, and the statute lacks both strong enforcement powers and penalties for noncompliance. Experience has shown that its provisions are widely ignored by retailers.”1102 Further, pipeda lacks a provision that persons with information at risk be notified when a security breach occurs.1103 6B.5.1 Statutory Provisions Under pipeda, “personal information” is information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.1104 “Personal health information” is, with respect to an individual, whether living or deceased: 1 097 Id. § 10(2). 1098 Id. § 12(1). 1099 Id. § 12(2). 1100 cippic, Identity Theft Review, supra note 1911, at 5. 1101 Personal Information Protection and Electronic Documents Act (pipeda), S.C. 2000, c. 5 § 3 (Can.). 1102 cippic, Identity Theft Review, supra note 1911, at 5. 1103 Id. 1104 pipeda, S.C. 2000, c. 5 § 2 (Can.).
Identity Crime Legislation in the United States
1. 2. 3.
437
information on the physical or mental health of the individual; information on any health service provided to the individual; information on the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual; 4. information that is collected in the course of providing health services to the individual; or 5. information that is collected incidentally to the provision of health services to the individual.1105 pipeda applies to organizations that collect personal information, but it does not apply to government institutions (covered by the Privacy Act), individuals, or organizations collecting information for journalistic, artistic, or literary purposes.1106 The act is limited to personal information collected, used, or disclosed in the course of commercial activities; and information about employees of the organization that the organization collects, uses, or discloses in connection with the operation of a federal work, undertaking, or business.1107 Under pipeda, an organization may collect personal information without the knowledge or consent of the individual only if the collection: 1. is clearly in the interests of the individual and consent cannot be obtained in a timely way; 2. is such that knowledge or consent would compromise the availability or accuracy of the information, and the collection is reasonable to investigate a breach of contract or of the law; 3. is solely for journalistic, artistic, or literary purposes; 4. is solely of information that is publicly available and is specified by the regulations; or 5. 
is for the purpose of making a disclosure regarding national security or that is required by law.1108 An organization may, without the knowledge or consent of the individual, use personal information only: if necessary for a criminal investigation; in a major emergency; for statistical, scholarly, or research purposes (if essential for the purpose, and with safeguards on re-release of the information); if it is publicly available and specified by regulations; or was collected under paragraphs (a), (b), or (e) above.1109 1 105 1106 1107 1108 1109
Id. § 2. Id. § 4(2). Id. § 4(1). Id. § 7(1). Id. § 7(2).
An organization may, without the knowledge or consent of the individual, disclose personal information only if the disclosure is:
1. made to the organization’s attorney;
2. for the purpose of collecting a debt;
3. required by a court;
4. made to a government institution for national security purposes, to enforce the law or investigate a crime, to administer a law, or for certain purposes having to do with money laundering;
5. made on the initiative of the organization to an investigative body, a government institution or a part of a government institution in relation to a breach of contract, a crime, or national security;
6. made to a person who needs the information because of an emergency;
7. for statistical, or scholarly study or research, purposes;
8. made to an institution whose functions include the conservation of records of historic or archival importance;
9. made after the earlier of 100 years after the record containing the information was created or 20 years after the death of the individual whom the information is about;
10. of information that is publicly available and is specified by the regulations;
11. made by an investigative body in the course of investigating a crime; or
12. required by law.1110

6B.5.2 Principles for the Protection of Personal Information

The Personal Information Protection and Electronic Documents Act includes a set of principles for the protection of personal information, which includes principles on accountability,1111 identifying purposes,1112 consent,1113 limiting the collection of information,1114 limiting the use, disclosure and retention of information,1115 accuracy,1116 safeguards,1117 openness,1118 individual access,1119 and challenging compliance.1120

1110 Id. § 7(3).
1111 Id. at sched. 1 § 4.1 (Principle 1).
1112 Id. at sched. 1 § 4.2 (Principle 2).
1113 Id. at sched. 1 § 4.3 (Principle 3).
1114 Id. at sched. 1 § 4.4 (Principle 4).
1115 Id. at sched. 1 § 4.5 (Principle 5).
1116 Id. at sched. 1 § 4.6 (Principle 6).
1117 Id. at sched. 1 § 4.7 (Principle 7).
1118 Id. at sched. 1 § 4.8 (Principle 8).
1119 Id. at sched. 1 § 4.9 (Principle 9).
1120 Id. at sched. 1 § (Principle 10).
Under the principles, an organization is responsible for personal information under its control and must designate an individual accountable for the organization’s compliance with the principles.1121 The purposes for which personal information is collected must be identified by the organization at or before the time the information is collected.1122 The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.1123 The collection of personal information must be limited to that which is necessary for the purposes identified by the organization. It must be collected by fair and lawful means.1124 Personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information must be retained only as long as necessary for the fulfillment of those purposes.1125 Personal information must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.1126 Personal information must be protected by security safeguards appropriate to the sensitivity of the information.1127 An organization must make readily available to individuals specific information about its policies and practices relating to the management of personal information.1128 Upon request, an individual must be informed of the existence, use, and disclosure of his or her personal information and given access to that information. An individual must be able to challenge the accuracy and completeness of the information and have it amended as appropriate.1129 An individual must be able to address a challenge concerning compliance with the above principles to the designated individual accountable for the organization’s compliance.1130

1121 Id. at sched. 1 § 4.1.
1122 Id. at sched. 1 § 4.2.
1123 Id. at sched. 1 § 4.3.
1124 Id. at sched. 1 § 4.4.
1125 Id. at sched. 1 § 4.5.
1126 Id. at sched. 1 § 4.6.
1127 Id. at sched. 1 § 4.7.
1128 Id. at sched. 1 § 4.8.
1129 Id. at sched. 1 § 4.9.
1130 Id. at sched. 1 § 4.10.
6B.6 Changes Recommended by Concerned Organizations

6B.6.1 Recklessness

In the lead-up to passage of the bill that created the identity crime sections of the Canadian Criminal Code, some urged caution because of the use of the word “reckless” in regard to the offense of trafficking in identity information. One commits the offense, according to the statute, by trafficking or possessing the information knowing or being reckless about the fact that the information might be used to commit an indictable offense.1131 Howard Simkevitz, a lawyer at Lang Michener LLP in Toronto, has warned that the term “reckless” involves the absence of precautions in securing customers’ personal data; thus, organizations must have policies and procedures to make sure that such data is secured. Businesses should use common sense and exercise good corporate values in dealing with personal data, he said. Simkevitz added, “The risk of running afoul is at least minimalized [by precautions], but there are tons of issues here, and the fact that now there are criminal sanctions that could be applied, is an issue.”1132 “Recklessness” applies to actions that are more than negligent; rather, it applies to those who “turn a blind eye” to securing personal data, said David Canton of Harrison Pensa LLP in London, Ontario.1133 A rogue employee might steal data in order to commit fraud, and a company could be found reckless for not sufficiently protecting the data. On the other hand, if the company can show that it took action to mitigate the risk of someone pilfering data, the company may have a sufficient defense.1134 The company might still be held vicariously liable for the actions of employees, but its liability would be civil, rather than criminal.

In light of the statute’s use of the recklessness standard, bankers had expressed the fear, prior to the bill’s passage, that the requirement for restitution of victims1135 would make bankers and other businesses liable for action merely deemed “reckless.”1136 The Canadian Bankers Association believes that the restitution section must be clarified to state that banks and retailers caught in identity theft schemes cannot be subject to restitution orders. With recklessness undefined, innocent parties (such as financial institutions) may be pursued for restitution by those who claim that any theft of personal information is evidence of an undefined “recklessness” on the part of the institution, even where that institution has taken appropriate measures to protect personal data.

Note, however, that although the Canadian statutes do not define “criminal recklessness,” a well-regarded Supreme Court case, R. v. Sansregret,1137 has established a Canadian legal definition for the term:

“The concept of recklessness as a basis for criminal liability has been the subject of much discussion. … In accordance with well-established principles for the determination of criminal liability, recklessness, to form a part of the criminal mens rea, must have an element of the subjective. It is found in the attitude of one who, aware that there is a danger that his conduct could bring about the result prohibited by the criminal law, nevertheless persists, despite the risk. It is, in other words, the conduct of one who sees the risk and who takes the chance.”1138

In R. v. Hamilton,1139 the Supreme Court of Canada equated recklessness with the conscious disregard of “substantial and unjustified risk.” Critics note that application of the recklessness standard to criminal offenses has always been restricted to individuals, and not to corporations or other organizations.1140 Courts could, under the statute, use standards to deem an organization “reckless” for employing generally accepted business practices. Thus, it may be best to remove the recklessness standard from the law, or apply that standard only to individuals, not to businesses.1141

1131 Id. § 402.2(2).
1132 Kathleen Lau, Reckless data handling could violate ID theft law, IT World Canada (Nov. 26, 2007), http://www.itworldcanada.com/news/reckless-data-handling-could-violate-id-theft-law/01580.
1133 Id.
1134 Id.
1135 Criminal Code, R.S.C. 1985, c C-46 § 738(1)(d) (Can.).
1136 Canadian Bankers’ Association, CBA Submission to the Standing Committee on Legal and Constitutional Affairs, Bill S-4, An Act to amend the Criminal Code (identity theft related misconduct) (June 3, 2009) [hereinafter “Bankers’ Submission”], available at https://web.archive.org/web/20130320164541/http://www.cba.ca/contents/files/submissions/sub_20090603_01_en.pdf.
1137 R. v. Sansregret, [1985] 1 S.C.R. 570.
1138 Id. ¶ 16.
1139 R. v. Hamilton, 2005 S.C.C. 47.
1140 Bankers’ Submission, supra note 1959, at 6.
1141 Id.

6B.6.2 “Credit Cards” vs. “Payment Methods”

Use of the term “credit card” in the identity crime statutes has been criticized as too narrow, in that credit cards, while predominant now, may become an outdated form of payment. Thus, where the law states that every person who, fraudulently and without color of right, possesses, uses, traffics in or permits another person to use credit card data, is guilty of the unauthorized use of credit card data,1142 the bankers would replace “credit card” with “payment method.” The same replacement would be made where the law states that dealing with devices intended to be used to forge or falsify credit cards is a crime.1143 A “payment method” is “any card, plate, coupon book or other device, issued, activated or otherwise distributed for the purpose of being used: (a) on presentation to (i) obtain, on credit, money, goods, services or any other thing of value, (ii) obtain, on payment, goods, services or any other thing of value, or (iii) transfer funds to a third party, or (b) in an automated teller machine, a remote service unit, or a similar automated banking device to obtain any of the services offered through the machine, unit, or device.”1144

6B.6.3 Restitution to Banks

Under the current statute, there is no provision for orders for restitution for corporations and organizations, only for “persons.” Such a provision would add to the effectiveness of the statute.1145

6B.6.4 Solicitation of Information

Canadian law, including the new identity crime statutes, does not prohibit the act of soliciting personal information for the purposes of committing identity fraud, “for example, when individuals are approached by fraudsters asking them to obtain personal information and offering money for its sale.” Such a problem should be addressed in further legislation.1146

1142 Criminal Code, R.S.C. 1985, c C-46 § 342(3) (Can.).
1143 Id. § 342.01.
1144 Bankers’ Submission, supra note 1959, at 3, 4. This definition would replace the definition of “credit card” in Criminal Code, R.S.C. 1985, c C-46 § 321 (Can.).
1145 Bankers’ Submission, supra note 1959, at 4, 5, referring to Criminal Code, R.S.C. 1985, c C-46 § 738(1)(d).
1146 Bankers’ Submission, supra note 1959, at 5.

6B.6.5 Attempts and Counseling

A fear has been expressed that the net cast by the identity crime statutes is too wide.1147 Specifically, they believe that an “attempt” to commit a crime involving identity documents, or “counseling” someone to commit a crime involving identity documents,1148 should be specifically excluded from the criminal activities covered by the statute. Rather, they would be covered by the general attempt1149 and counseling1150 statutes, which carry lesser penalties than the statutes covering the primary offense. Certain of the acts prohibited by the identity crime law are precursors or preparatory to identity crimes, which are quite similar to the general offenses of attempt and counseling. For example, obtaining or possessing identity information is a crime, where it is reasonable to infer that a further crime will be committed.1151 The relationship between the new offenses and the general offenses may require further clarification.1152

6B.6.6 De Minimis Crimes

De minimis crimes involving identity documents are now punishable under the identity crime laws; perhaps they should not be. For example, a young person using false identity documents to be admitted to an establishment with age restrictions is technically committing an identity crime, but prosecution under the identity crime laws strikes some as draconian.1153

6B.6.7 Expansion of Protected Identity Information

Certain identity information has not specifically been included in the law. “Photographs” are not included as identity information, nor is “biologically or digitally rendered personal information.” These are items that the legislature should consider including.1154

6B.6.8 Exceptions for Law Enforcement

Parts of the statute that provide exceptions for undercover work carried out by law enforcement agencies need not be included in the identity crime laws,1155 since they are already covered by general statutes,1156 under the heading “Protection of Persons Administering and Enforcing the Law,” and no special additional provisions are needed.1157

1147 Canadian Bar Association, Bill S-4 Criminal Code Amendments (Identity Theft) (June 2009) [hereinafter “CBA Recommendations”], available at https://web.archive.org/web/20130425072818/http://www.cba.org/CBA/submissions/pdf/09-31-eng.pdf.
1148 For identity document crimes, see Criminal Code, R.S.C. 1985, c C-46 § 56.1 (Can.).
1149 Criminal Code, R.S.C. 1985, c C-46 § 463 (Can.).
1150 Id. § 464.
1151 Id. § 402.2(1).
1152 CBA Recommendations, supra note 1970, at 3.
1153 Id.
1154 Id. at 3–4.
1155 Criminal Code, R.S.C. 1985, c C-46 §§ 366(5), 368.2 (Can.).
1156 Id. §§ 25.1 to 25.3.
1157 CBA Recommendations, supra note 1970, at 6–7.

Part C Australia

6C.1 Introduction

Australia has done a great deal to study its identity crime problems. Australia’s Standing Committee of Attorneys-General has issued a comprehensive paper outlining the scope of the problem and solutions that can be implemented.1158 The Australian attorneys-general realize that the incidence, extent, and cost of identity crimes are increasing. This may be attributed to such factors as:
1. the rise in high-speed information flows
2. globalization
3. the increased use of remote communications to transact at a distance rather than traditional face-to-face interactions
4. the ease with which documents can be forged using high-tech methods, and
5. the widespread collection and dissemination of data about individuals by private sector and other organizations, providing opportunities for easier access to personal information.1159

The report notes polls showing that Australians are not vigilant in protecting the privacy of their personal information, but that two-thirds of Australians are quite concerned about unauthorized access to or misuse of their personal information. Meanwhile, identity crime is seriously affecting Australian victims, impacting the Australian economy, and facilitating more serious crimes such as terrorism and people smuggling.1160 Statistics showing this, however, are sketchy, and can only roughly estimate the cost of the crime to Australia.1161 The attorneys general cite U.S. and U.K. studies to extrapolate the effect of identity crimes in Australia.1162

The Australian government’s Institute of Criminology has conducted studies, using questionnaires, of identity fraud and identity theft. The questionnaire presented a series of questions on subjects’ awareness and experience of these crimes. The study showed that more persons were concerned with identity crimes in 2007 than in 2004. Nine percent had been a victim of identity crime, and 17 percent said they knew a victim. Respondents aged 34 to 49 were most likely to have been a victim, while those aged under 24 years were the least likely, although they were very likely to know someone who had been a victim. Higher-income people were more likely to be and to know a victim. Sixty percent of respondents said they were concerned or very concerned about identity crime. Half believed that using the Internet and online banking and purchases were the most likely way for identity crimes to occur.1163

The crux of the attorneys-general report is its recommendations of model offenses to be adopted by the states. Those model offenses are:1164
1. making, supplying or using identification information with the intention of committing an indictable offense, which should be punishable by up to 5 years’ imprisonment
2. possessing identification information with the intention of committing an indictable offense, punishable by up to 3 years’ imprisonment
3. possessing equipment capable of being used to make identification information with the intention of using, or allowing another person to use, that equipment for the purpose of committing an identity crime offense, punishable by up to 3 years’ imprisonment.

1158 Model Criminal Law Officers’ Committee of the Standing Committee of Attorneys-General, Final Report: Identity Crime (March 2008), available at http://www.lawlink.nsw.gov.au/lawlink/SCAG/ll_scag.nsf/vwFiles/MCLOC_MCC_Chapter_3_Identity_Crime_-_Final_Report_-_PDF.pdf/$file/MCLOC_MCC_Chapter_3_Identity_Crime_-_Final_Report_-_PDF.pdf.
1159 Id. at 9.
1160 Id.
1161 Id. (citing a report conducted by the Securities Industry Research Centre of Asia–Pacific (SIRCA) for financial intelligence agency (AUSTRAC), which reported that identity fraud cost Australian large business $1.1 billion in 2001–2002).
1162 Id. at 11.
1163 Australian Institute of Criminology, Identity fraud and theft in Australia (Crime Facts Info. No. 164) (Feb. 2008), available at http://www.aic.gov.au/en/publications/current%20series/cfi/161–180/cfi164.aspx.
1164 Final Report, supra note 1981.
446
CHAPTER 6
6C.1.1 Analysis of Australian Identity Crime Statutes and Related Statutes table 20
Australian identity crime statutes and related statutes
Component of identity crime
Australian lawa
Production of acc 73.8 identity (either associated with a acc 73.9 real person, or not so associated) acc 101.5 acc 135.1 acc 135.2 acc 135.4 acc 136.1
Description of law: Law prohibits …
Exemplary cases
Making, providing or possessing a false travel or identity document Providing or possessing a travel or identity document issued or altered dishonestly or as a result of threats Collecting or making documents likely to facilitate terrorist acts General dishonesty to obtain a gain or cause a loss Obtaining a financial advantage for which one is not eligible. Conspiracy to defraud
acc 144.1
Making false or misleading statements in applications for government licenses or benefits. Making false or misleading statements, generally Forgery
acc 144.4(5),
Making a false Commonwealth
JOD v. The
(7)
document.
Queen, [2009] nswcca 205.
acc 145.3
Possession, making or adaptation of devices etc. for making forgeries Falsification of documents
acc 137.1
acc 145.4 apa 29, 30 apa 31
afpa 18, 19, 20
Making false or misleading statements in relation to Australian travel documents Producing false or misleading documents in relation to an application for an Australian travel document Giving false or misleading statements, information, or documents, in, or in connection with, foreign passport applications
Identity Crime Legislation in the United States447 table 20
Australian identity crime statutes and related statutes (cont.)
Component of identity crime
Australian lawa
Description of law: Law prohibits …
Exemplary cases
afpa 22(2)
Making a false foreign travel document
Stevens v The Queen, [2009] nswcca 260; 262 alr 91; 2009 WL 3536630; [2010] almd 3006
SA 144D
Producing prohibited material (anything that enables a person to assume a false identity) nswca 192G. Dishonestly making or publishing false or misleading statements to obtain property. tcca 257B Using a computer with intent to defraud. Brown v. Tasmania, [2008] tassc 33 Acquisition
acc 73.11
acc 101.5 acc 131 acc 132 acc 134.1 acc 135.1 acc 135.2 acc 135.4 acc 136.1
acc 137.1
Taking possession of or destroying another person’s travel or identity document Collecting or making documents likely to facilitate terrorist acts Theft of property Receiving stolen property. Obtaining property by deception General dishonesty to obtain a gain or cause a loss Obtaining a financial advantage for which one is not eligible. Conspiracy to defraud Making false or misleading statements in applications for government licenses or benefits. Making false or misleading statements, generally
448 table 20
CHAPTER 6 Australian identity crime statutes and related statutes (cont.)
Component of identity crime
Australian lawa
Description of law: Law prohibits …
acc 471.1
Theft of mail receptacles, articles or postal messages
Exemplary cases
acc 471.2
Receiving stolen mail receptacles, articles or postal messages acc 471.3 Taking or concealing of mail receptacles, articles or postal messages acc 477.1 to Various computer offenses involving 477.3, 478.1 to access to, modification and impairment 478.4 of information held on computers acc 480.4, Dishonestly obtaining or dealing in 480.6 personal financial information, and related offenses apa 35(1) Obtaining an Australian travel document dishonestly or by threats SA 144B Assuming a false identity with intent to commit serious offense Q 408D(1) tcca 257B
Possession
acc 73.8 acc 73.9
acc 73.10
acc 132 acc 145.2 acc 145.3 acc 471.2
Obtaining identity information, for commission of indictable offense Using a computer with intent to defraud.
Making, providing or possessing a false travel or identity document Providing or possessing a travel or identity document issued or altered dishonestly or as a result of threats Providing or possessing a travel or identity document to be used by a person who is not the rightful user Receiving stolen property. Possessing a forged document Possession, making or adaptation of devices etc. for making forgeries Receiving stolen mail receptacles, articles or postal messages
Brown v. Tasmania, [2008] tassc 33
Identity Crime Legislation in the United States449 table 20
Australian identity crime statutes and related statutes (cont.)
Component of identity crime
Australian lawa
Description of law: Law prohibits …
acc 478.3
Possession or control of data with intent to commit a computer offense Possession or control of a thing with the intent to dishonestly obtain or deal in personal financial information. Possessing or controlling an Australian travel document knowing that it was not issued to the person using it. Possessing a false Australian document knowing that the document is false Bringing, taking or sending a false Australian travel document across international borders (or a true document not issued to the person carrying it) Forgery Possession, making or adaptation of devices etc. for making forgeries
acc 480.5
apa 32(4)
apa 36(1) apa 37(1)
acc 144.1 acc 145.3 afpa 21(4) afpa 22(1)
SA 144D(1)
SA 144D(3) Q 408D(1A)
Exemplary cases
Possession or control of another’s foreign travel document Knowingly possessing a false foreign Stevens v The travel document Queen, [2009] nswcca 260; 262 alr 91; 2009 WL 3536630; [2010] almd 3006. Possessing prohibited material (anything that enables a person to assume a false identity) Possessing equipment to make prohibited material Possessing equipment to commit an indictable offense involving acquisition, transfer, or use of identity information
450 table 20
CHAPTER 6 Australian identity crime statutes and related statutes (cont.)
Component of identity crime
Australian lawa
Description of law: Law prohibits …
Transfer/ Trafficking
acc 73.8
Making, providing or possessing a false travel or identity document
acc 73.9
Providing or possessing a travel or identity document issued or altered dishonestly or as a result of threats Providing or possessing a travel or identity document to be used by a person who is not the rightful user Dishonestly obtaining or dealing in personal financial information, and related offenses Providing another person with one’s own Australian travel document. Selling an Australian travel document Providing another person with one’s own foreign travel document
acc 73.10
acc 480.4, 480.6 apa 32(3) apa 33 afpa 21(3) afpa 22(2) SA 144D
Q 408D(1) Use
acc 135.1 acc 135.2 acc 145.5 acc 145.1
ftra 24
Exemplary cases
Providing another with a false foreign travel document. Selling or giving away prohibited material (anything that enables a person to assume a false identity) Dealing with identity information, for commission of indictable offense General dishonesty to obtain a gain or cause a loss Obtaining a financial advantage for which one is not eligible. Giving information derived from false or misleading documents Using a forged document JOD v. The Queen, [2009] nswcca 205. Opening account in a false name JOD v. The Queen, [2009] nswcca 205.
apa 32(2): Use of an Australian travel document by a person other than one to whom it was issued
afpa 21(1), (2): Use of a cancelled foreign travel document, or one issued to another person.
SA 144C: Misuse of personal identification information, for commission of serious criminal offense
Q 408D(1): Dealing with identity information, for commission of indictable offense
nswca 192E: Using deception to dishonestly obtain property belonging to another, or obtain financial advantage or cause financial disadvantage.
tcca 257B: Using a computer with intent to defraud.
tcca 257D: Unauthorized access to computer
tcca 257E: Introducing into, recording, or storing in, a computer false or misleading information as data
Exemplary cases: Stevens v The Queen, [2009] NSWCCA 260; 262 ALR 91; 2009 WL 3536630; [2010] ALMD 3006; JOD v. The Queen, [2009] NSWCCA 205; Darren Mark Cranshaw v. The Queen, 2007/15103, 2009 NSWCCA 80; Brown v. Tasmania, [2008] TASSC 33

a. acc = Aust. Criminal Code; apa = Aust. Passports Act; afpa = Aust. Foreign Passports Act; SA = South Aust. Criminal Law Consolidation Act; Q = Queensland Criminal Code Act; nswca = New South Wales Crimes Act; ftra = Financial Transaction Reports Act; tcca = Tasmania Criminal Code Act
6C.2 National Identity Security Strategy
Unique among nations, Australia has devised a National Identity Security Strategy. The national Attorney-General’s Department deems identity security “central to Australia’s national security, law enforcement and economic interests, and vital in protecting Australian citizens from the theft or misuse of their identities.”1165 The AG links identity crime to terrorism and its financing, other criminal activity and its financing, border control problems, and citizenship controls. The victims of identity crimes are seen as bearing tremendous costs. Thus, Australia must make sure that the identities of persons accessing government services, benefits, official documents, and positions of trust, can be accurately verified.1166

The National Identity Security System is a strategy (in fact, referred to by government documents as “The Strategy”) to “combat the misuse of stolen or assumed identities in the provision of government services.” The Strategy does not just focus on criminal law, or on national law, but crosses all governmental lines. Its goals are:
1. improving standards and procedures for enrollment and registration for the issue of proof of identity (POI) documents
2. enhancing the security features on POI documents to reduce the risk of incidence of forgery
3. establishing mechanisms to enable organizations to verify the data on key POI documents provided by clients when registering for services
4. improving the accuracy of personal identity information held on organizations’ databases
5. enabling greater confidence in the authentication of individuals using online services, and
6. enhancing the national inter-operability of biometric identity security measures.1167

Key to The Strategy is the National Document Verification Service (DVS):

The DVS is a secure, electronic, on-line system that can be used to check, in real time, whether a particular proof-of-identity document that has been presented by a person applying for a high value benefit or service is authentic, accurate and up-to-date. The DVS does not store any personal information. Requests to verify a document are encrypted and sent via a secure communications pathway to the document issuing agency. If a document “matches” information held by the issuing agency, a “yes” response is transmitted to the querying agency; otherwise, a “no” response is returned indicating that the document details were not verified. No personal data is transferred from the document-issuing agency. The DVS has been designed to be accessible by Australian Government, State and Territory agencies, and potentially by the private sector. [It] is being progressively implemented, with more agencies planning to commence using the DVS during 2009/10. Currently, passports, visas and drivers licenses are among the proof-of-identity documents that can be verified using the DVS. With the assistance of the Office of the Privacy Commissioner, a Privacy Impact Assessment (PIA) has guided the development of the DVS and its supporting processes and frameworks. This reflects the Australian Government’s commitment to recognizing, and appropriately managing, privacy impacts that may result from its projects and policies.1168

Inherent in any national system for verifying identity is the protection of individuals’ privacy. Thus, the principles announced in the Privacy Impact Assessment, mentioned above, are particularly important:1169
1. The Document Verification System (DVS) will replace current verification practices but will not change the way in which agencies deal with personal information.
2. Document issuing agencies will maintain ownership and control of their data and systems.
3. The DVS will provide a means of verifying that the document being checked has identical information to the document originally issued.
4. The DVS will only seek to verify information from the proof of identity (POI) document with the issuing agency. It will not retrieve any other information held by the issuing agency.
5. The function of the DVS is not to store information, but to act as a conduit for the verification of information that is already held by issuing agencies.
6. Information sent to or from the DVS will be transmitted using secure, encrypted methods of communication.
7. A querying agency will not base a decision to grant or refuse enrollment for a benefit or service solely on the basis of a response from the DVS.
8. A response received from the DVS will only be used for the purpose of verifying information included on a POI document.
9. Standards and protocols will govern the administration, access to and use of the DVS.
10. The National Identity Security Coordination Group will provide high level oversight and guidance to the development and implementation of the DVS.

1165 Identity Security, Australia Attorney-General’s Department, http://www.ag.gov.au/identitysecurity (last visited Jan. 28, 2010).
1166 Id.
1167 Id.
1168 Id.
1169 Australian Attorney-General’s Department, Privacy Impact Assessment: National Document Verification System (June 2007), available at https://web.archive.org/web/20120228061352/http://www.ag.gov.au/Documents/FINAL%20PIA%20for%20publication%20on%20webpage%20-%20June%202007.pdf.

6C.3 Federal System – State and Territorial Laws
Australia has a federal system; thus, many crimes must be prosecuted on a state or territorial level. Often, Commonwealth laws are only applicable to “Commonwealth persons,” or “Commonwealth computers.” A good compilation of other statutes, on a state and territorial level, that may be used against identity crimes is available in the attorneys-general report.1170 There, one learns, for example, of an act in New South Wales against impersonating the owner of stock or property,1171 and the Victoria statute prohibiting the taking of property by deception,1172 and many other such state and territorial statutes.

There is no federal law that is identity-crime specific. However, the state of South Australia has passed laws1173 that directly target identity crime. The offenses were established by the Criminal Law Consolidation (Identity Theft) Amendment Act 2003 (SA) which amended South Australia’s criminal statutes.1174 The identity theft statute makes it an offense to:
1. assume a false identity intending to commit, or help commit, a serious criminal offense.
2. falsely pretend to have particular qualifications, or to be entitled to act in a particular capacity, and to intend to commit, or help commit, a serious criminal offense.
3. use another person’s personal identification information intending to commit, or help commit, a serious criminal offense.
4. produce or possess material that would enable someone to assume a false identity or exercise a false right of ownership to a benefit, with criminal intent.
5. sell or give material that would enable someone to assume a false identity, or represent a false right of ownership of a benefit, knowing that it is likely to be used criminally.
6. possess equipment for making material that would enable someone to assume a false identity, or to exercise a false right of ownership of a benefit, intending to use it to commit one of the above offenses.1175

The criminalized behavior chiefly is in preparation to commit some other offense, and thus does not overlap with existing offenses. For example, a cashier might be convicted of transferring credit card information to a blank card, using a “skimming” device. The cashier has not yet committed the offense of “fraud” under Australian law, but would be guilty of an identity crime, if it could be shown that the cashier intended to use the card to commit a serious criminal offense, such as theft.1176

Queensland has enacted the Criminal Code and Civil Liability Amendment Act 2007 (Qld),1177 which created new section 408D of Queensland’s Criminal Code 1899.1178 It consists of a broad identity crime statute pertaining to people who possess identification information for the purpose of committing or facilitating an indictable offense.1179 Its definition of “identification information” covers a broad range of the conduct associated with identity crime. Notably, the act covers identity-related conduct notwithstanding whether the entity is alive or dead; whether the entity exists or does not exist; or whether the entity consents to the use of the identification information or does not.1180 The Act contains an extensive list of items considered “identification information.”

1170 Final Report: Identity Crime, supra note 1981, at 18–24.
1171 Crimes Act 1900 (NSW) § 184A (Austl.).
1172 Crimes Act 1958 (Vic) § 81 (Austl.).
1173 See Part 6C.8.
1174 For discussion of the South Australia act, see Part 6C.8.
1175 Jeremy Douglas-Stewart, South Australian Laws Target Identity Theft, Privacy Law and Policy Reporter, available at http://www.austlii.com/au/journals/PLPR/2004/8.html (last visited Feb. 1, 2010).
1176 Id.
1177 See Part 6C.9.
1178 See discussion of The Queensland Act in Part 6C.9.
1179 Final Report: Identity Crime, supra note 1981, at 17–18.
1180 Id.
6C.4 Australian Criminal Code
The Australian Criminal Code contains a number of provisions relevant to identity crime.

Note: Criminal laws applicable to the entire Commonwealth of Australia often contain, as an element of the crime, that the item taken must be property that belongs to a “Commonwealth entity.”1181 A “Commonwealth entity” is “the Commonwealth [of Australia] or a Commonwealth authority,” which is “a body established by or under a law of the Commonwealth.”1182 Thus, these statutes do not apply to property owned by a nonofficial person or company. For such statutes, one must look to individual states in Australia.1183 However, the Commonwealth scheme is instructive in determining the types of actions criminalized throughout Australia, and the penalties available for those crimes.

1181 E.g., Criminal Code Act, 1995, § 131.1(1)(b) (Austl.) (regarding theft); Id. § 132.4(1)(b) (regarding burglary).
1182 Criminal Code Act, 1995, ch. 10 Dictionary (Austl.).
1183 For example, in South Australia and Queensland, identity crime statutes pertaining to all citizens are in effect. See discussion at Part 6C.8-6C.9.

6C.4.1 Theft
A person is guilty of theft if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of the property.1184 The penalty can be 10 years’ imprisonment.1185 The “appropriation of property” is any nonconsensual assumption of the rights of an owner to ownership, possession or control of property.1186 Under the Identity Crime Model, the acquisition of identity information or identity documents could be prosecuted under the theft statute.

1184 Criminal Code Act, 1995, § 131.1(1)(a) (Austl.). The property stolen must belong to a Commonwealth entity.
1185 Id. § 131.1.
1186 Id. § 131.3.

6C.4.2 Receiving Stolen Property
The offense of “receiving” occurs when a person dishonestly receives stolen property, knowing or believing the property to be stolen. The term of imprisonment can be 10 years.1187 The statute goes on to describe in some detail what constitutes “stolen property.” In the main, “stolen property” has been appropriated in the course of theft and is possessed by the person who appropriated it, or is possessed by a person who obtained it from the appropriator.1188 It ceases to be stolen property after it is restored to one who rightfully may possess it.1189 “Stolen property” also includes “tainted property,” a term that covers the proceeds of stolen property.1190 If a person causes money to be transferred from the account of one person to the account of another, without authorization, it can constitute the offense of receiving stolen property.1191 Under the Identity Crime Model, the acquisition and possession of identity information or identity documents could be prosecuted under the statute prohibiting the reception of stolen property.

1187 Id. § 132.1(1).
1188 Id. § 132.1(3) to (5).
1189 Id. § 132.1(6).
1190 Id. § 132.1(7).
1191 Id. § 132.1(8) (referring to the offense of obtaining money by deception via money transfer in § 134.1(9)).

6C.4.3 Offenses Involving Fraud
A Definitions
“Account” means an account (including a loan account, a credit card account, or a similar account) with a bank or other financial institution.1192

“Deception” may be intentional or reckless, by words or other conduct, and whether as to fact or as to law. It includes deception as to the intentions of the person using the deception or any other person; and conduct by a person that causes a computer, a machine, or an electronic device to make a response that the person is not authorized to cause it to do.1193

B Obtaining Property by Deception
One commits the offense of obtaining property by deception by dishonestly obtaining property belonging to another with the intention of permanently depriving the other of the property. The sentence of imprisonment can be 10 years.1194 One can “obtain” property either directly or by inducing someone else to obtain it.1195 One may be guilty even if one is willing to pay for the property.1196 The purpose of permanently depriving a person of property need not be present at the time of obtaining the property; such intention may arise later.1197 The intention to permanently deprive someone of property may be one that arises after borrowing someone else’s property, and then not returning it, and treating it as one’s own.1198

Money transfers: If one causes an amount to be transferred from an account held by another person to one’s own account, the amount still belongs to the other person, and the one who causes the transfer is taken to have permanently deprived the other person of the property. The same is true if the money is transferred to the account of a third party.1199 A person is taken to “cause” a transfer if the person induces another person to make the transfer.1200

General deficiency: A person may be convicted because of a general deficiency in money or property even if the deficiency is made up of any number of transactions over a period of time.1201

C Obtaining a Financial Advantage by Deception
One is guilty of obtaining a financial advantage by deception if, by a deception, one dishonestly obtains a financial advantage from another person. The term of imprisonment may be 10 years.1202

D General Dishonesty
One is guilty of “general dishonesty” by doing anything with the intent of dishonestly gaining from another person. The term of imprisonment may be five years.1203 One is guilty of “causing a loss” if one does anything with the intention of dishonestly causing a loss to another person. The term of imprisonment may be five years.1204 It is also an offense if one person dishonestly causes a loss, or a risk of loss, to another person, while knowing or believing that the loss will occur or that there is a substantial risk of the loss occurring.1205 A further provision deals with dishonestly influencing a public official in the exercise of his duties.1206

1192 Id. § 133.1.
1193 Id.
1194 Id. § 134.1(1). The property must belong to a Commonwealth entity.
1195 Id. § 134.1(3).
1196 Id. § 134.1(5).
1197 Id. § 134.1(6); see also Id. § 134.1(8) (addressing property held in trust or as a bailment).
1198 Id. § 134.1(7).
1199 Id. § 134.1(9)-(10).
1200 Id. § 134.1(12).
1201 Id. § 134.1(13), (14).
1202 Id. § 134.2. The other person must be a Commonwealth entity. The crime need not occur in Australia.
1203 Id. § 135.1(1). The other person must be a Commonwealth entity.
1204 Id. § 135.1(3). The other person must be a Commonwealth entity.
1205 Id. § 135.1(5). The other person must be a Commonwealth entity.
1206 Id. § 135.1(7).
E Obtaining Financial Advantage
One commits the offense of “obtaining financial advantage” by engaging in conduct as a result of which a person receives a financial advantage from another person to which he is not eligible,1207 or gets such advantage for a third party.1208 The term of imprisonment is 12 months.1209

F Conspiracy to Defraud
Conspiring to defraud is an offense. Such conspiring must be with the intent to dishonestly gain from a third party, or cause a loss to a third party. The term of imprisonment is 10 years.1210 Conspiring to dishonestly cause a loss, or to dishonestly cause a risk of loss, to a third person is an offense when one knows or believes a loss will occur or that there is a substantial risk of loss occurring. The term of imprisonment is also 10 years.1211 A further offense involves conspiring to dishonestly influence a public official in the exercise of his duties.1212

Conspiracy, as is made illegal under this section of the law, means that:
1. a person must have entered into an agreement with one or more other persons; and
2. the person and at least one other party to the agreement must have intended to do the thing pursuant to the agreement; and
3. the person or at least one other party to the agreement must have committed an overt act pursuant to the agreement.1213

In a conspiracy to defraud, it does not matter if the ultimate goal of the conspiracy is impossible; if one of the parties is a corporation; if any of the parties are not criminally responsible; or if all other parties have been acquitted. One may still be convicted of such a conspiracy.1214 However, one cannot be found guilty if all other parties have been acquitted, and a finding of guilt would be inconsistent with their acquittal.1215 One also cannot be found guilty if one withdrew from the agreement and took all reasonable steps to prevent the goal of the conspiracy from occurring.1216

1207 Id. § 135.2(1). The other person must be a Commonwealth entity.
1208 Id. § 135.2(2). The other person must be a Commonwealth entity.
1209 Id. § 135.2(1)-(2).
1210 Id. § 135.4(1), (3). The other person must be a Commonwealth entity.
1211 Id. § 135.4(5). The other person must be a Commonwealth entity.
1212 Id. § 135.4(7).
1213 Id. § 135.4(9).
1214 Id. § 135.4(10).
1215 Id. § 135.4(11).
1216 Id. § 135.4(12).
G False or Misleading Statements in Applications
For all of the following offenses involving false or misleading information, the information must pertain to a “material particular.” The applications referred to in this offense are those for:
1. a license, permit or authority
2. registration
3. a benefit
4. accreditation under the wheat export accreditation scheme.1217

A person is guilty of an offense if the person makes the statement (whether orally, in a document or in any other way); and does so knowing that the statement is false or misleading as to a material particular; or omits any matter or thing without which the statement is misleading as to a material particular.1218 The term of imprisonment for this offense can be 12 months.1219 A similar offense to the above applies to making the same sort of statement recklessly, with a penalty of imprisonment for 6 months.1220

H False or Misleading Information
One is guilty of giving false or misleading information by giving that information to someone who does not know that the information is false or misleading, or that it omits something, making it misleading. This is only a crime if the information is given to a Commonwealth entity, or to one exercising Commonwealth powers, or by one acting in order to comply with Commonwealth law.1221 The prescribed term of imprisonment is 12 months.1222

1 False or Misleading Documents
One is guilty of producing false or misleading documents by producing a document to another person, in order to comply with a Commonwealth law, and knowing that the document is false or misleading. The prescribed term of imprisonment is 12 months.1223

1217 Id. § 136.1(1)(c). The statement in the application must be made to a Commonwealth entity or one carrying out Commonwealth functions, or be made in compliance with Commonwealth law.
1218 Id. § 136.1(1)(a), (1)(b), (2), (3).
1219 Id. § 136.1.
1220 Id. § 136.1(4)-(6).
1221 Id. § 137.1(1).
1222 Id. § 137.1.
1223 Id. § 137.2.
I Components of the Identity Crime Model That Can Be Prosecuted under Fraud Statute
Production: Australia’s fraud statute criminalizes making false or misleading statements in applications for government licenses or benefits, and making false or misleading statements generally, both of which are aspects of the production of a false identity and false identification documents.

Acquisition: Australia’s fraud statute criminalizes obtaining property by deception, which would cover, among other things, the acquisition of benefits by using a false identity. General dishonesty to obtain a gain or cause a loss is also a crime under the fraud statute, as is obtaining a financial advantage for which one is not eligible. Making false or misleading statements in applications to acquire government licenses or benefits is criminalized, as is making false or misleading statements generally. Finally, conspiracy to defraud is a crime under the fraud statute.

Possession: The element of “possession” could only be said to receive coverage under the fraud statute in that possession is the result of acquisition, and acquisition through fraudulent means is covered, as stated above.

Transfer or Trafficking: Trafficking is not covered under the fraud statute.

Use: The element of “use” is covered under the fraud statute in that general dishonesty to obtain a gain or cause a loss is illegal, as is obtaining a financial advantage for which one is not eligible. Both of these could be said to arise when one uses a false identity to obtain that to which one is not entitled.

6C.4.4 Forgery and Related Offenses
A Definitions
“Document,” as it pertains to the section of forgery, includes any paper or other material on which there is writing, or on which there are marks, figures, symbols, or perforations capable of being given a meaning by persons qualified to interpret them, or by machines or electronic devices. A document is also any article or material (for example, a disk or a tape) from which information is capable of being reproduced with or without the aid of any other article or device.1224 “Document” includes a credit card, a debit card, and a card by means of which property can be obtained.1225

“False document”: A document is a “false document” if the document, or any part of it, was not made in its form or terms by the person purported to have made it. It is also false if it is purported to have been altered by a person (existing or nonexistent) who did not alter it, or on that person’s authority. It is also a false document if it purports to have been made or altered on a particular date when in fact it was not made or altered on that date.1226

“False Commonwealth document”: A separate definition concerns false documents that purport to be official documents of the Commonwealth of Australia, and is similar to the provisions on other false documents.1227

“Make”: A person is taken to make a false document if the person alters a document so as to make it a false document (even if it was already a false document).1228

B Forgery
One commits the crime of forgery by making a false document with the intention of using it to dishonestly induce a Commonwealth public official to accept it as genuine and, once accepted, to dishonestly obtain a gain, cause a loss, or influence the exercise of a public duty or function. The punishment for this crime is imprisonment for 10 years.1229 It is also a crime to make a false document to dishonestly cause a computer, a machine or an electronic device to respond to the document as if the document were genuine; and thus to dishonestly obtain a gain, cause a loss, or influence the exercise of a public duty or function. The punishment for this crime is imprisonment for 10 years.1230 Similar crimes to those described above apply to the making of false Commonwealth documents, as defined above.1231

1 Using a Forged Document
One commits the offense of using a forged document if one knows that it is false and uses it in order to dishonestly induce another person, in his capacity as a Commonwealth public official, to accept it as genuine, and if it is so accepted, to dishonestly obtain a gain, cause a loss, or influence the exercise of a public duty or function. The punishment for this crime is imprisonment for 10 years.1232 A similar crime applies to using a false document to cause a computer, machine, or electronic device to respond to the document as if it were genuine.1233 And similar crimes involve the use of false Commonwealth documents.1234

Case: A defendant, referred to as JOD, went to various financial institutions and presented false documents in order to open bank accounts in false names, to withdraw money from existing genuine bank accounts, or to make fraudulent claims in relation to credit cards or loans. He assumed the identities of natural persons and companies. Under the name of one company, JOD made multiple applications to various financial institutions for credit. In support of these credit applications JOD presented counterfeit employment histories and pay slips. JOD also instructed other offenders. JOD was convicted of, among other offenses, the making of a false Commonwealth document,1235 in violation of § 145.1(5) of the Criminal Code, for the component of use of a false Commonwealth document. (The case report does not specify the particular document used.)

2 Possession of Forged Document
In addition to the crimes discussed above, possession of a forged document is a crime, if one knows that the document is a false document and possesses it intending to use it to dishonestly induce a third person in the third person’s capacity as a Commonwealth public official to accept it as genuine, and thus, to dishonestly obtain a gain, cause a loss, or influence the exercise of a public duty or function. The punishment for this crime is imprisonment for 10 years.1236 A similar crime applies to possessing a false document intending to use it to cause a computer, machine, or electronic device to respond to the document as if it were genuine.1237 And similar crimes involve the possession of false Commonwealth documents.1238

C Possession, Making or Adaptation of Devices etc. for Making Forgeries
Possession of a device, material, or thing with the intention of using it to commit a forgery is an offense, if the offender knows that the device, material, or other thing is designed or adapted for that purpose. The punishment for this crime is imprisonment for 10 years.1239 Knowingly adapting such an object for the purpose of committing a forgery is also an offense.1240 One is guilty of an offense if one has a device, material, or thing in one’s possession, without a reasonable excuse, and knows that the object is designed or adapted for the making of a false Commonwealth document (whether or not the object is designed or adapted for another purpose). It is also a crime to adapt a device, material or other thing for this use. The punishment for these crimes is imprisonment for 2 years.1241

D Falsification of Documents etc.
A person is guilty of an offense if the person dishonestly damages, destroys, alters, conceals, or falsifies a document that is:
1. kept, retained or issued for the purposes of a law of the Commonwealth; or
2. made by a Commonwealth entity or a person in the capacity of a Commonwealth public official; or
3. held by a Commonwealth entity or a person in the capacity of a Commonwealth public official.

For this to be an offense, the person must have the intent to obtain a gain or cause a loss. The punishment for this offense is imprisonment for seven years.1242 A person is guilty of an offense if the person dishonestly damages, destroys, alters, conceals or falsifies a document, with the intent to obtain a gain from another person or cause a loss. The punishment for this offense is imprisonment for seven years.1243

1224 Id. § 143.1(1).
1225 Id. § 143.1(2).
1226 Id. § 143.2(1).
1227 Id. § 143.3.
1228 Id. § 143.2(2).
1229 Id. § 144.1(1).
1230 Id. § 144.1(3).
1231 Id. § 144.1(5), (7).
1232 Id. § 145.1(1).
1233 Id. § 145.1(3).
1234 Id. § 145.1(5), (7).
1235 JOD v. The Queen, [2009] NSWCCA 205.
1236 Criminal Code Act, 1995, § 145.2(1) (Austl.).
1237 Id. § 145.2(3).
1238 Id. § 145.2(5), (7).
1239 Id. § 145.3(1).
1240 Id. § 145.3(2).
1241 Id. § 145.3(3), (4).
1242 Id. § 145.4(1).
1243 Id. § 145.4(2). The other person must be a Commonwealth entity.

E Giving Information Derived from False or Misleading Documents
A person is guilty of an offense if the person dishonestly gives information to another person; and the information was derived, directly or indirectly, from a document that the person knew was false or misleading in a material particular. To be guilty of this offense, the document must have been:
1. kept, retained or issued for the purposes of a law of the Commonwealth; or
2. made or held by a Commonwealth entity or a person in the capacity of a Commonwealth public official.
The intent of the person must have been to obtain a gain or cause a loss. The punishment for this offense is imprisonment for seven years.1244 A person is guilty of an offense if the person dishonestly gives information to another person; and the information was derived, directly or indirectly, from a document that the person knew was false or misleading in a material particular. The person’s intent must have been to obtain a gain from another person, or create a loss to that person. The punishment for this offense is imprisonment for seven years.1245 F
Components of the Identity Crime Model That Can Be Prosecuted under Forgery Statute Production: Forgery, obviously, is chiefly a crime of production. Thus, Australia’s forgery statute criminalizes the production of certain types of identifying documents, as well as possession of devices to commit forgery, and the act of falsifying documents.1246 Falsification of a document is another form of production of false identity that is illegal under Australian law.1247 Acquisition: The element of acquisition is not covered by Australia’s forgery statute. Possession: Under Australia’s forgery statute, possession of a forged document is a crime, as is possessing a device for making forgeries.1248 Transfer or Trafficking: This element is not specifically covered by the forgery statute. Use: Giving information derived from a false or misleading document, in order to obtain a gain or cause a loss, is a use forbidden under the Australian forgery law.1249 6C.4.5 Postal Offenses A Theft of Mail Receptacles, Articles or Postal Messages One is guilty of the offense of “theft of mail receptacles, articles or postal messages” when one dishonestly appropriates a mail receptacle, a piece of mail that has been posted, or a postal message, intending to deprive another person of the same. The sentence is imprisonment for 10 years.1250 A person’s
1244 Id. § 145.5(1).
1245 Id. § 145.5(2). The other person must be a Commonwealth entity.
1246 Id. §§ 144.1, 144.3.
1247 Id. § 145.4.
1248 Id. §§ 145.2–145.3.
1249 Id. § 145.5.
1250 Id. § 471.1(1).
CHAPTER 6
appropriation is dishonest even if one is willing to pay for the receptacle, mail, or message.1251 One has the intent to permanently deprive the other of the item even if one does not intend that the other permanently lose the item, and even if one’s only intent is to treat the thing as one’s own to dispose of, regardless of the other’s rights.1252
B Receiving Stolen Mail Receptacles, Articles or Postal Messages
One is guilty of the offense of “receiving stolen mail receptacles, articles or postal messages” by doing so while knowing or believing the property to be stolen. The sentence is imprisonment for 10 years.1253 The offense includes property that is merely “tainted.”1254 “Tainted property” arises from the proceeds from the original stolen property that is in the possession or custody of the person who appropriated the original stolen property.1255
C Taking or Concealing of Mail Receptacles, Articles or Postal Messages
One is guilty of the offense of “taking or concealing of mail receptacles, articles or postal messages” by doing any of those acts dishonestly. The sentence is imprisonment for 10 years.1256
D Components of the Identity Crime Model That Can Be Prosecuted under Forgery Statute
The identity crime components of acquisition and possession may be prosecuted as postal offenses. Theft of the mail is a basic way to acquire information on people’s identities. Possession of identity information may be prosecuted once such identities have been acquired.
6C.4.6 Telecommunications Offenses
A Definitions
An “interception device” is an apparatus or device that:
1. is of a kind that is capable of being used to enable a person to intercept a communication passing over a telecommunications system; and
1251 Id. § 471.1(2).
1252 Id. § 471.1(3).
1253 Id. § 471.2(1).
1254 Id. § 471.2(2).
1255 Id. § 471.2(5).
1256 Id. § 471.3.
2. could reasonably be regarded as having been designed for use in connection with the interception of communications passing over a telecommunications system; and
3. is not designed principally for the reception of communications transmitted by radio communications.1257
A “telecommunications device identifier” is an electronic identifier of a mobile telecommunications device that is installed in the device by the manufacturer, and is capable of being used to distinguish that particular device from other mobile telecommunications devices. For example, GSM mobile phones use an industry-recognized International Mobile Equipment Identity (IMEI) number. This number identifies the particular phone, as compared to the SIM card number which identifies a particular telecommunications account. Carriers are able to block service to lost and stolen mobile phones based on their IMEI numbers. A “telecommunications device identifier” can also be any other form of identifier that is prescribed by the regulations as a telecommunications device identifier.1258
A “telecommunications network” is a system, or series of systems, that carries, or is capable of carrying, communications by means of guided and/or unguided electromagnetic energy.1259 A “carriage service” means a service for carrying communications by means of guided and/or unguided electromagnetic energy.1260
B Interception Device Offenses
One is guilty of an offense if one
1. manufactures;
2. advertises, displays or offers for sale;
3. sells; or
4. possesses
an interception apparatus or device (whether in an assembled or unassembled form). The sentence for the offense is imprisonment for 5 years.1261 One whose possession of such a device is in the course of one’s duties under the law, or whose use of the device is authorized by regulations, does not commit an offense. The burden of proof is on the one so claiming.1262
1257 Id. § 473.1 (definitional section).
1258 Id.
1259 Id. (referring to Telecommunications Act 1997 definitional section).
1260 Id.
1261 Id. § 474.4(1).
1262 Id. § 474.4(2), (3).
C Wrongful Delivery of Communications
One is guilty of an offense if one causes a communication to be received by a person or carriage service other than the person or service to which it is directed. The punishment for this offense is imprisonment for one year.1263 It is not an offense if one is authorized to commit the act either by the person to whom the communication was directed, or by the carriage service. The offender has the burden of proof to assert this defense.1264
6C.4.7 Computer Offenses
A Unauthorized Access, Modification or Impairment With Intent to Commit a Serious Offense
One is guilty of the offense of “unauthorized access, modification or impairment with intent to commit a serious offense” by causing any unauthorized:
1. access to data held in a computer; or
2. modification of data held in a computer; or
3. impairment of electronic communication to or from a computer.
To commit the offense, the unauthorized access, modification or impairment must be caused by means of a carriage service, and the person committing the offense must know that what he is doing is unauthorized. In addition, the offender must intend to commit or facilitate a serious offense against the laws of the Commonwealth, a state, or a territory.1265 It is not necessary to show that the offender knew that it was such an offense.1266 A similar offense has the same elements as above without the necessity for the use of a carriage service.1267 The penalty for violations may not be more than that applicable to the serious offense,1268 and it is not a defense that committing the offense is impossible.1269 A serious offense is an offense punishable by imprisonment for life or a period of 5 years or more.1270
B Unauthorized Modification of Data to Cause Impairment
One is guilty of the offense of “unauthorized modification of data to cause impairment” if one causes any unauthorized modification of data held in a
1263 Id. § 474.5(1).
1264 Id. § 474.5(2).
1265 Id. § 477.1(1).
1266 Id. § 477.1(3).
1267 Id. § 477.1(4).
1268 Id. § 477.1(6).
1269 Id. § 477.1(7).
1270 Id. § 477.1(9).
computer, knowing the modification is not authorized; and acting recklessly as to whether the modification will impair access to data held in any computer, or the reliability, security or operation, of any such data. In addition, there must be a connection between the data and a Commonwealth computer, or the modification must be caused by using a carriage service. The penalty for the offense is imprisonment for 10 years.1271 No actual impairment to data is required for this offense to apply.1272
C Unauthorized Impairment of Electronic Communication
One is guilty of the offense of “unauthorized impairment of electronic communication” when one knowingly causes any unauthorized impairment of electronic communication to or from a computer; and the electronic communication is sent to or from the computer by means of a carriage service; and the electronic communication is sent to or from a Commonwealth computer. The penalty for the offense is imprisonment for 10 years.1273
D Unauthorized Access to, or Modification of, Restricted Data
One is guilty of the offense of “unauthorized access to, or modification of, restricted data” by intentionally causing any unauthorized access to, or modification of, restricted data, knowing that the access or modification is unauthorized, and the data either is held by or for a Commonwealth computer, or the offense is committed by means of a carriage service. The penalty for the offense is imprisonment for two years.1274
E Unauthorized Impairment of Data Held on a Computer Disk etc.
One is guilty of the offense of “unauthorized impairment of data held on a computer disk” by intentionally causing any unauthorized impairment of the reliability, security, or operation of data held on a computer disk, credit card, or another device used to store data by electronic means, knowing that the impairment is unauthorized. The computer disk, credit card, or other device must be one owned or leased by a Commonwealth entity. The penalty for the offense is imprisonment for two years.1275
1271 Id. § 477.2(1).
1272 Id. § 477.2(3).
1273 Id. § 477.3(1).
1274 Id. § 478.1(1).
1275 Id. § 478.2(1).
F Possession or Control of Data with Intent to Commit a Computer Offense
One is guilty of the offense of “possession or control of data with intent to commit a computer offense” by possessing or controlling data, intending that the data be used in committing or facilitating a serious computer offense. A “serious computer offense” is any offense under Division 477 (described above). The penalty for the offense is imprisonment for three years.1276 “Possession or control of data” refers to possession or control of a data storage device holding the data, or a document in which the data is recorded, or controlling data held in a computer possessed by another person (whether or not in Australia).1277
G Producing, Supplying or Obtaining Data with Intent to Commit a Computer Offense
One is guilty of the offense of “producing, supplying or obtaining data with intent to commit a computer offense” by doing so with the intention that the data be used to commit a serious computer offense, or to facilitate the commission of such an offense. The penalty for the offense is imprisonment for three years.1278 One may be found guilty of committing the offense even if committing the serious computer offense is impossible.1279
H Components of the Identity Crime Model That Can Be Prosecuted under Computer Offense Statute
Various computer offenses involving access to, modification and impairment of information held on computers implicate the acquisition component of the identity crime model.
6C.4.8 Financial Information Offenses
A Dishonestly Obtaining or Dealing in Personal Financial Information
One is guilty of the offense of dishonestly obtaining or dealing in personal financial information by doing so without the consent of the person to whom the information relates. The term of imprisonment for the offense is 5 years.1280
1276 Id. § 478.3(1).
1277 Id. § 478.3(4).
1278 Id. § 478.4(1).
1279 Id. § 478.4(2).
1280 Id. § 480.4.
B Possession or Control of Thing with Intent to Dishonestly Obtain or Deal in Personal Financial Information
One is guilty of the offense of “possession or control of a thing with intent to dishonestly obtain or deal in personal financial information” when one has possession or control of any particular thing, with the intent of committing the offense of dishonestly obtaining or dealing in personal financial information.1281 The term of imprisonment for the offense is three years.1282 One may be found guilty of committing the offense even if committing the underlying offense is impossible.1283
C Importation of Thing with Intent to Dishonestly Obtain or Deal in Personal Financial Information
One is guilty of the offense of “importation of a thing with intent to dishonestly obtain or deal in personal financial information” by importing something into Australia intending that it be used to commit the offense of dishonestly obtaining or dealing in personal financial information.1284 The term of imprisonment for the offense is three years.1285
D Components of the Identity Crime Model That Can Be Prosecuted under Financial Information Statute
Production: These crimes are not relevant to the production of identity information.
Acquisition: Dishonestly obtaining personal financial information is an offense that can be prosecuted under these statutes, and personal financial information is part of one’s identity.1286
Possession: The statute makes illegal the possession or control of a thing with the intent to dishonestly obtain or deal in personal financial information.1287
Transfer or Trafficking: “Dealing” in financial information dishonestly obtained is illegal under these statutes.1288
Use: Use of the information obtained is not made illegal under these statutes.
1281 Id. § 480.5(1) (referring to Id. § 480.4, discussed above).
1282 Id. § 480.5(1).
1283 Id. § 480.5(2).
1284 Id. § 480.6 (referring to Id. § 480.4, discussed above).
1285 Id. § 480.6.
1286 Id. §§ 480.4, 480.6.
1287 Id. § 480.5.
1288 Id. §§ 480.4, 480.6.
6C.5 Financial Transaction Reports Act 1988
6C.5.1 Opening Account etc. in False Name
The Financial Transaction Reports Act states that a person may not open or operate an account with a financial institution in a false name.1289 In addition, a person may not operate, or authorize the operation of, an account with a financial institution if the account is in a false name.1290 If a person is commonly known by 2 or more different names, the person may not use one of those names in opening or operating an account unless the person has previously disclosed the other name or names to the cash dealer.1291 If a person using a particular name in dealings with a cash dealer discloses to the dealer a different name by which the person is commonly known, the dealer must make a record of the disclosure and, upon request in writing from Australian banking authorities, give the authorities a copy of the record.1292 The sentence for violation of these provisions is up to 2 years’ imprisonment.1293
Case: A defendant, referred to as JOD, went to various financial institutions and presented false documents in order to open bank accounts in false names, to withdraw money from existing genuine bank accounts or to make fraudulent claims in relation to credit cards or loans. He assumed the identities of natural persons and companies. Under the name of one company, JOD made multiple applications to various financial institutions for credit. In support of these credit applications JOD presented counterfeit employment histories and pay slips. JOD was convicted, among other offenses, of opening accounts in false names,1294 in violation of § 24 of the Australian Financial Transaction Reports Act, for the component of use of a false identity.
A Components of the Identity Crime Model That Can Be Prosecuted under Computer Offense Statute
This provision of the Australian Financial Transaction Reports Act 2008 relates to the use of identity information.
1289 Financial Transaction Reports Act 1988 (Cth) s 24(1), (2) (Austl.).
1290 Id. s 24(2A).
1291 Id. s 24(3), (4).
1292 Id. s 24(5).
1293 Id. s 24(6).
1294 JOD v. The Queen, [2009] NSWCCA 205.
6C.6 Travel Document Offenses
Both the Australian Criminal Code and the Australian Passports Act 2005 contain identity-related provisions regarding travel documents.
6C.6.1 Under the Australian Passports Act 2005
A False or Misleading Statements or Documents used in Obtaining Travel Documents
Under the Australian Passports Act 2005, it is illegal to make false or misleading statements in relation to Australian travel documents. Such a statement must be made in, or in connection with, an application for an Australian travel document. The penalty for making such a statement is imprisonment for 10 years, 1000 penalty units, or both.1295 Under the same act, it is illegal to give false or misleading information in relation to Australian travel document applications. The penalty is the same as for the former offense.1296 The information given must be false or misleading in regard to a material particular.1297 The same act makes it illegal to produce false or misleading documents in relation to Australian travel document applications, if the documents relate to a material particular. The statute comes with the same penalty.1298 However, the act does not apply to a person who produces a document if the document is accompanied by a written statement signed by the person, or an officer of a corporation, stating that the document is, to the knowledge of that person, false or misleading in a material particular; and specifying the material particular in which the document is false or misleading.1299
B Improper Use or Possession of an Australian Travel Document, or Selling or Damaging the Document
“Improper use or possession of an Australian travel document” is an offense consisting of use of a cancelled Australian travel document, or a document not issued to the person using it, in connection with travel or identification.1300 It is also an offense to provide another person with one’s own Australian travel document recklessly disregarding whether the document will be used by the
1295 Australian Passports Act 2005, (Cth) s 29(1) (Austl.).
1296 Id. s 30(1).
1297 Id. s 30(2).
1298 Id. s 31(1), (2).
1299 Id. s 31(3).
1300 Id. s 32(1), (2).
other person in connection with travel or identification.1301 Lastly, it is an offense to possess or control an Australian travel document knowing that it was not issued to the person using it.1302 The sentence for these offenses is imprisonment for 10 years, and/or 1000 penalty units.1303 Selling an Australian travel document is also an offense, with the same penalty.1304 Damaging or destroying such a document is also an offense, with the same punishment, unless one has a reasonable excuse.1305
C Dishonestly Obtaining an Australian Travel Document, or Possession of a False Document
Obtaining an Australian travel document dishonestly or by threats is an offense with the same punishment as the offenses above.1306 “Obtaining” includes obtaining for another person, and inducing a third person to do something that results in another person obtaining a travel document. A threat may be express, implied, conditional, or unconditional.1307 It is also an offense to possess a false Australian document knowing that the document is false, unless one has a reasonable excuse. The identical punishment applies.1308
D Bringing, Taking or Sending a Document across International Borders
Bringing, taking or sending a document across international borders is an offense, if one knows that the document is a false Australian travel document, or that the document is a true Australian travel document that was not issued to the person bringing, taking, or sending it. The sentence for this offense is the same as that for the offenses discussed above.1309
6C.6.2 Under the Australian Foreign Passports (Law Enforcement and Security) Act 2005
A separate statute criminalizes identity-related acts concerning foreign passports.
1301 Id. s 32(3).
1302 Id. s 32(4).
1303 Id. s 32.
1304 Id. s 33.
1305 Id. s 34(1).
1306 Id. s 35(1).
1307 Id. s 35(3).
1308 Id. s 36(1).
1309 Id. s 37(1).
A “foreign passport” is a passport issued by or on behalf of the government of a foreign country.1310 A “false foreign travel document” is a document that purports to be a passport issued by or on behalf of the government of a foreign country but that was not issued by or on behalf of that government; or that purports to be a document of identity issued for travel purposes by or on behalf of the government of a foreign country for the purposes of travel but that was not issued by or on behalf of that government. “False foreign travel document” includes a foreign travel document that has been altered by a person who is not authorized to alter that foreign travel document.1311 The word “make,” in relation to a false foreign travel document, includes altering a document so as to make it a false document (whether or not it was already a false document before the alteration).1312
A False or Misleading Statements, Information, or Documents in Relation to Foreign Travel Document Applications
In, or in connection with, an application for a foreign travel document, a person commits an offense by making a statement (whether orally, in writing, or any other way) to another person, and the statement is false or misleading; or omits any matter or thing without which the statement is misleading.1313
In, or in connection with, an application for a foreign travel document, a person commits an offense if the person gives information to another person; and the information is false or misleading, or it omits any matter or thing without which the information is misleading.1314
In, or in connection with, an application for a foreign travel document, a person commits an offense if the person produces a document to another person, and the document is false or misleading.1315 This does not apply to the person who produces a document if the document is accompanied by a written statement signed by the person stating that the document is, to the knowledge of the first-mentioned person, false or misleading in a material particular; and setting out, or referring to, the material particular in which the document is, to the knowledge of the first-mentioned person, false or misleading.1316
1310 Australian Foreign Passports (Law Enforcement and Security) Act 2005 (Cth) s 5 (Austl.).
1311 Id. s 22(4).
1312 Id.
1313 Id. s 18.
1314 Id. s 19.
1315 Id. s 20(1).
1316 Id. s 20(3).
The penalty for violating any of the above provisions is 10 years or 1,000 penalty units, or both.1317
B Improper Use or Possession of a Foreign Travel Document
A person commits an offense if the person uses a foreign travel document in connection with travel or identification, and the document has been cancelled.1318 Further, a person commits an offense if the person uses a foreign travel document in connection with travel or identification, and the document was not issued to the person.1319 In addition, a person commits an offense if the person provides another person with a foreign travel document that was issued to the first-mentioned person, and the first-mentioned person is reckless as to whether the document is or will be used by the other person in connection with travel or identification.1320 Furthermore, a person commits an offense if the person has possession or control of a foreign travel document; and the person knows that the document was not issued to the person.1321 None of the above provisions apply if the person has a reasonable excuse.1322 The penalty for violating this statute is imprisonment for 10 years or 1,000 penalty units, or both.1323
C Possessing, Making or Providing False Foreign Travel Documents
A person commits an offense if the person has possession or control of a document, and the person knows that the document is a false foreign travel document.1324 In addition, a person commits an offense if the person makes a false foreign travel document, or provides a false foreign travel document to another person; and the person does so with the intention that the false foreign travel document may be used, acted on or accepted as if it were a passport or document of identity issued by or on behalf of the government of a foreign country.1325
1317 Id. ss 18–20.
1318 Id. s 21(1).
1319 Id. s 21(2).
1320 Id. s 21(3).
1321 Id. s 21(4).
1322 Id. s 21(5).
1323 Id. s 21(1)-(4).
1324 Id. s 22(1).
1325 Id. s 22(2).
The provisions above do not apply if a person has a reasonable excuse.1326 The penalty for violating this statute is imprisonment for 10 years or 1,000 penalty units, or both.1327
Case: A defendant was convicted of the “possession” component of this statute, as well as the “production” component,1328 after police executed a search warrant at the defendant’s home, based on other identity crimes,1329 and found three U.K. passports, each in a different name, but with the applicant’s photo on them.1330 The sentencing judge had no information about how the defendant came to possess the passports, but noted that he would have had to participate in their creation by providing his photo. The judge noted, in sentencing the defendant, that the passports could have readily been used to facilitate fraudulent behavior, and that the passports “no doubt” were intended to be used for multiple frauds.
D Demand for Suspicious Foreign Travel Document
An enforcement officer may demand that a person surrender to the officer a foreign travel document that has been obtained, or that the officer suspects on reasonable grounds has been obtained, by means of a false or misleading statement, false or misleading information or a false or misleading document; or a foreign travel document or other document that has been used, or that the officer suspects on reasonable grounds has been used, in the commission of an offense against this Act.1331 A person commits an offense if
1. an enforcement officer demands that the person surrender a document;
2. the officer informs the person that the officer is authorized to demand that document;
3. the officer informs the person that it may be an offense not to comply with the demand;
4. the person has possession or control of the document; and
5. the person fails to surrender the document to the officer immediately.1332
1326 Id. s 22(3).
1327 Id. ss 22(1), (2).
1328 See also discussion at Part 6C5.4.
1329 See Part 6C10.2.
1330 Stevens v The Queen, [2009] NSWCCA 260; 262 ALR 91; 2009 WL 3536630; [2010] ALMD 3006.
1331 Australian Foreign Passports (Law Enforcement and Security) Act 2005 (Cth) s 17(1) (Austl.).
1332 Id. s 17(2).
The penalty for violating this statute is imprisonment for 1 year or 20 penalty units, or both.1333 A document surrendered to an enforcement officer under this section may be retained for so long as there is an enforcement officer who suspects on reasonable grounds that the document was obtained by means of a false or misleading statement, false or misleading information or a false or misleading document; or that the document has been used in the commission of an offense against this Act.1334
6C.6.3 Under the Australian Criminal Code
A Definition
A “false travel or identity document” is a document any part of which has been falsified, such as that it is in a form or in terms not made or authorized by the person who is purported to have made or authorized it.1335 It includes documents with unauthorized alterations, or alterations purported to have been made by fictitious persons.1336 It may also be a document showing a date that is not the actual date on which it was made or altered.1337 One may be held to have made a false document even if it was already a false document before the alteration.1338
B Making, Providing, or Possessing a False Travel or Identity Document
One is guilty of the offense of making, providing, or possessing a false travel or identity document by doing so with the intent that the document will be used to facilitate the entry of another person into a foreign country, where such entry would not comply with the requirements under that country’s law for entry into the country, and in order to obtain a benefit.1339
C Providing or Possessing a Travel or Identity Document Issued or Altered Dishonestly or as a Result of Threats
One is guilty of the offense of “providing or possessing a travel or identity document issued or altered dishonestly or as a result of threats” if one does so
1333 Id.
1334 Id. s 17(3).
1335 Criminal Code Act, 1995, § 73.7(1)(a), (b) (Austl.).
1336 Id. § 73.7(1)(c), (d).
1337 Id. § 73.7(1)(e).
1338 Id. § 73.7(2).
1339 Id. § 73.8.
knowing that the document had been obtained dishonestly or by threats, and intending that it will be used to facilitate the entry of another person into a foreign country, where that would be illegal, and in order to obtain a benefit. The penalty for this offense is imprisonment for 10 years or 1,000 penalty units, or both.1340 The threat involved may be express or implied, conditional or unconditional.1341 “Dishonest” means according to the standards of ordinary people, and known by the offender to be so.1342
D Providing or Possessing a Travel or Identity Document to Be Used by a Person Who is Not the Rightful User
One is guilty of the offense of “providing or possessing a travel or identity document to be used by a person who is not the rightful user” by doing so intending that the document will be used to facilitate the illegal entry of another person into a foreign country, where one knows that the other person is not the person to whom the document applies, and in order to obtain a benefit. The penalty for this offense is imprisonment for 10 years or 1,000 penalty units, or both.1343
E Taking Possession of or Destroying Another Person’s Travel or Identity Document
One is guilty of the offense of “taking possession of or destroying another person’s travel or identity document” by doing so intending to conceal another person’s identity or nationality in order to organize or facilitate the illegal entry of the other person into a foreign country. The penalty for this offense is imprisonment for 10 years or 1,000 penalty units, or both.1344
6C.6.4 Components of the Identity Crime Model That Can Be Prosecuted as Travel Document Offenses
Production: Under the Australian Criminal Code, making, providing or possessing a false travel or identity document is illegal, as is providing or possessing a travel or identity document issued or altered dishonestly or as a result of threats.1345 Under the Australian Passports Act, making false or misleading statements in relation to Australian travel documents,1346 and producing false
1340 Id. § 73.9(1).
1341 Id. § 73.9(2).
1342 Id. § 73.9(3).
1343 Id. § 73.10.
1344 Id. § 73.11.
1345 Id. §§ 73.8, 73.9.
1346 Australian Passports Act 2005, (Cth) ss 29–30 (Austl.).
or misleading documents in relation to an application for an Australian travel document, are illegal.1347 Under the Australian Foreign Passports (Law Enforcement and Security) Act, giving false or misleading statements, information, or documents, in, or in connection with, foreign passport applications is illegal,1348 as is making a false foreign travel document.1349
Acquisition: Taking possession of or destroying another person’s travel or identity document is a form of identity acquisition criminalized by the Australian Criminal Code.1350 Under the Australian Passports Act, obtaining an Australian travel document dishonestly or by threats is illegal.1351
Possession: The Australian Criminal Code makes possessing a false travel or identity document illegal.1352 It is also illegal to possess a dishonestly altered or issued travel document.1353 Possessing a travel or identity document to be used by a person who is not the rightful user is illegal.1354 Several crimes of possession exist under the Australian Passports Act: possessing a travel document knowing it was not issued to the person using it;1355 possessing a false travel document knowing it is false;1356 and bringing, taking, or sending a false travel document over an international border.1357 Under the Australian Foreign Passports (Law Enforcement and Security) Act, possession or control of another’s foreign travel document is illegal,1358 as is knowingly possessing a false foreign travel document.1359
Transfer or Trafficking: The following forms of trafficking are illegal under the Australian Criminal Code: providing a false travel document,1360 providing a dishonestly issued or altered travel document,1361 and providing a travel document to be used by a person who is not the rightful user.1362 Under the
1347 Id. s 31.
1348 Australian Foreign Passports (Law Enforcement and Security) Act 2005 (Cth) ss 18–20 (Austl.).
1349 Id. s 22(2).
1350 Criminal Code Act, 1995, § 73.11.
1351 Australian Passports Act 2005, (Cth) ss 35(1).
1352 Criminal Code Act, 1995, § 73.8.
1353 Id. § 73.9.
1354 Id. § 73.10.
1355 Australian Passports Act 2005, (Cth) ss 32(4).
1356 Id. s 36(1).
1357 Id. s 37(1).
1358 Australian Foreign Passports (Law Enforcement and Security) Act 2005 (Cth) s 21(4) (Austl.).
1359 Id. s 22(1).
1360 Criminal Code Act, 1995, § 73.8.
1361 Id. § 73.9.
1362 Id. § 73.10.
Australian Passports Act, providing another person with one’s own Australian travel document, and selling an Australian travel document, are illegal.1363 Under the Australian Foreign Passports (Law Enforcement and Security) Act, providing another person with one’s own foreign travel document is illegal,1364 as is providing another with a false foreign travel document.1365
Use: The Australian Passports Act makes use of an Australian travel document by a person other than the one to whom it was issued a criminal act.1366 The Australian Foreign Passports (Law Enforcement and Security) Act makes illegal the use of a cancelled foreign travel document, or one issued to another person.1367
6C.7 Privacy Act 1988
The Australian Privacy Act protects “information privacy,”1368 in particular, personal information, as defined by the statute.1369 Personal information includes medical records, bank account details, photos, videos, and even information about what one likes, one’s opinions and where one works – basically, any information by which a person is reasonably identifiable.1370 Privacy is different from confidentiality, secrecy, and freedom of information.1371 The sections relevant to identity crimes are discussed below.
6C.7.1 Accuracy and Security of Credit Information Files and Credit Reports
Credit reporting agencies or credit providers possessing or controlling credit information or reports must:
1. make sure they are accurate, up to date, complete, and not misleading; and
2. make sure their privacy is properly safeguarded; and
1363 Australian Passports Act 2005, (Cth) ss 32(3), 33. 1364 Australian Foreign Passports (Law Enforcement and Security) Act 2005 (Cth) s 21(3). 1365 Id. s 22(2). 1366 Australian Passports Act 2005, (Cth) s 32(2). 1367 Australian Foreign Passports (Law Enforcement and Security) Act 2005 (Cth) s 21(1), (2). 1368 Privacy Act, Australian Government Office of the Privacy Commissioner, http://www.privacy.gov.au/law/act (last visited Jan. 28, 2010). 1369 What is Privacy, Australian Government Office of the Privacy Commissioner, http://www.privacy.gov.au/aboutprivacy/what (last visited Jan. 28, 2010). 1370 Id. 1371 Id.
3. if they must be given to a third party, make sure to safeguard against unauthorized use or disclosure of personal information contained in the files or reports.1372
6C.7.2 Access to Credit Information Files and Credit Reports
A credit reporting agency must make sure that an individual can obtain access to his file. A credit provider or credit reporting agency must take steps to make sure that an individual can access his file. An individual may authorize another person, in writing, to exercise his rights to access the information in connection with an application for a loan.1373
6C.7.3 Alteration of Credit Information Files and Credit Reports
A credit reporting agency must make appropriate corrections, deletions and additions, to ensure that the personal information is accurate, up to date, complete, and not misleading. If such changes are not made by the agency after they have been requested by the individual concerned, and that individual requests that a statement be included with the information, the agency generally must do so within 30 days after the request. If the statement is too long, the agency may refer it to the Privacy Commissioner for reduction.1374
6C.7.4 Limits on Disclosure of Personal Information by Credit Reporting Agencies
The Privacy Act places stringent and detailed limits on when a credit reporting agency may disclose personal information contained in the file to a person, body or agency (other than the individual whose information is contained in the file). The Privacy Act lists situations in which the information can be disclosed. Specifically, it can be given to a credit provider:
1. to assess an application for credit.1375
2. to assess risks in purchasing loans by means of securitization agreements.1376
3. to assess an application for commercial credit, and the applicant for credit has specifically agreed to the report.1377
1372 Privacy Act 1988 (Cth) s 18G (Austl.). 1373 Id. s 18H. 1374 Id. s 18J. 1375 Id. s 18K(1)(a). 1376 Id. s 18K(1)(ab), (ac). 1377 Id. s 18K(1)(b).
4. to determine whether to accept the individual as a guarantor for a loan.1378
It can be given to a mortgage insurer to assess certain risks involving mortgages,1379 and to a trade insurer to assess the risk of providing insurance to a credit provider in respect to commercial credit.1380 Information can be disclosed to a current credit provider if, at least 30 days before the disclosure, the agency has received information that the individual has been at least 60 days late in making a payment, and the credit provider has tried to secure the payment.1381 Upon request, the information can be given to a credit provider for the purpose of the collection of overdue payments.1382 It can be disclosed to a commercial credit provider whose payments are overdue and the individual has specifically agreed, in writing, to the report being given.1383 An agency may provide the information to another credit reporting agency.1384 The agency may provide it if the only information contained in the record is publicly available information,1385 or the disclosure is required or authorized by or under law,1386 or the agency believes that the individual has committed a serious credit infringement, and the information is given to the credit provider or law enforcement authority.1387
An agreement by an individual to information being provided by an agency generally must be in writing.1388 The agency generally may not reveal personal information that the credit reporting agency would be prohibited from including in an individual’s credit information file by other provisions of the law.1389 If it does so it may be fined up to $150,000.1390 If such information is revealed, the agency must place a note in the file revealing that such a disclosure was made.1391
1378 Id. s 18K(1)(c). 1379 Id. s 18K(1)(d). 1380 Id. s 18K(1)(e). 1381 Id. s 18K(1)(f) (referring to provisions at s 18E(1)(b)(vi)). 1382 Id. s 18K(1)(g). 1383 Id. s 18K(1)(h). 1384 Id. s 18K(1)(j). 1385 Id. s 18K(1)(k). 1386 Id. s 18K(1)(m). 1387 Id. s 18K(1)(n). 1388 Id. s 18K(1A). 1389 Id. s 18K(2) (referring to s 18E (Permitted contents of credit information files) and s 18F (Deletion of information from credit information files)). 1390 Id. s 18K(4). 1391 Id. s 18K(5).
A credit reporting agency may not include in a credit report given to a credit provider any information relating to an individual’s commercial activities, unless otherwise permitted.1392
6C.7.5 Unauthorized Access to Credit Information Files or Credit Reports
Only persons authorized under the Privacy Act may gain access to credit information files or credit reports. One who intentionally violates this provision may be fined up to $30,000.1393
6C.7.6 Obtaining Access to Credit Information Files or Credit Reports by False Pretenses
One who, by false pretenses, obtains access from a credit reporting agency or credit provider to an individual’s credit information file or credit report may be penalized $30,000.1394
6C.7.7 Disclosure of Information – Offense
The Australian penal system measures the severity of crimes in “penalty units.” A person commits an offense if:
1. personal information that relates to an individual is disclosed to that person; and
2. the person subsequently discloses the personal information; and
3. the person is not responsible for the individual whose information is disclosed.
The penalty is 60 penalty units or imprisonment for one year, or both.1395 The statute provides a number of exceptions.1396
6C.8 South Australia’s Identity Crime Provisions
As stated previously,1397 South Australia, an Australian state with its capital in Adelaide, has passed laws that directly target identity theft. Specifically, the Criminal Law Consolidation Act 1935 (SA) now contains a Part 5A entitled, “Identity Theft.”
1392 Id. s 18K(6) (referring to permitted contents under s 18E). 1393 Id. s 18S. 1394 Id. s 18T. 1395 Id. s 18Q(1). 1396 Id. s 18Q(2). 1397 See Part 6C.3.
6C.8.1 Analysis of South Australian Identity Crime Statute
Table 21 South Australian identity crime statute
Component of identity crime | Section of South Australia Criminal Law Consolidation Act (SACLCA) | Description of law: Law prohibits
Production of identity (either associated with a real person, or not so associated) | SACLCA 144D | Producing prohibited material (anything that enables a person to assume a false identity)
Acquisition | SACLCA 144B | Assuming a false identity with intent to commit serious offense
Possession | SACLCA 144D(3) | Possessing equipment to make prohibited material
Transfer/Trafficking | SACLCA 144D | Selling or giving away prohibited material (anything that enables a person to assume a false identity)
Use | SACLCA 144C | Misuse of personal identification information, for commission of serious criminal offense
6C.8.2 Definitions
In the South Australia identity crime provisions, “criminal purpose” means the purpose of committing, or facilitating the commission of, an offense. A “digital signature” is encrypted electronic or computer data intended for the exclusive use of a particular person as a means of identifying that person as the sender of an electronic communication. “Electronic communication” means a communication transmitted in the form of electronic or computer data.1398
“False identity”: A person assumes a false identity if the person pretends to be, or passes himself or herself off as, some other person. That other person may be (a) living or dead; (b) real or fictional; (c) natural or corporate.1399
“Personal identification information”: A person’s personal identification information is information used to identify the person, and includes, in the case of a natural person:
1398 South Australia Criminal Law Consolidation Act 1935 (SA) s 144A (Austl.). 1399 Id.
1. information about the person such as his or her name, address, date or place of birth, marital status, relatives, and so on;
2. the person’s driver’s license or driver’s license number;
3. the person’s passport or passport number;
4. biometric data relating to the person;
5. the person’s voice print;
6. the person’s credit or debit card, its number, and data stored or encrypted on it;
7. any means commonly used by the person to identify himself or herself (including a digital signature);
8. a series of numbers or letters (or a combination of both) intended for use as a means of personal identification.1400
Information about a corporation is also considered to be personal identification information. Specifically, the information considered personal to a corporation is:
1. its name;
2. its Australian Business Number (ABN);
3. the number of any bank account established in the body corporate’s name or of any credit card issued to the body corporate.1401
“Prohibited material” under the identity theft provisions means anything (including personal identification information) that enables a person to assume a false identity or to exercise a right of ownership that belongs to someone else to funds, credit, information, or any other financial or nonfinancial benefit.1402 A “serious criminal offense” is an indictable offense; or an offense prescribed by regulation for the purposes of this definition.1403 A “voice print” is a computer data recording the unique characteristics of a person’s voice.1404
6C.8.3 Assuming a False Identity with Intent to Commit Serious Offense
A person who assumes a false identity; or falsely pretends to have particular qualifications; or to have, or to be entitled to act in, a particular capacity, makes a false pretense to which this section applies.1405 It is not relevant that the person who makes a false pretense acts with the consent of the person whose identity is falsely assumed.1406 One who makes such a false pretense, intending, by doing so, to commit, or facilitate the commission of, a serious
1400 Id. 1401 Id. 1402 Id. 1403 Id. 1404 Id. 1405 Id. s 144B(1). 1406 Id. s 144B(2).
criminal offense is guilty of an offense and liable to the penalty appropriate to an attempt to commit the serious criminal offense.1407
6C.8.4 Misuse of Personal Identification Information
A person who makes use of another person’s personal identification information intending, by doing so, to commit, or facilitate the commission of, a serious criminal offense, is guilty of an offense and liable to the penalty appropriate to an attempt to commit the serious criminal offense.1408 This penalty applies notwithstanding whether the person whose identity is used is living or dead, or consents to the use of the information.1409
6C.8.5 Prohibited Material
A person who produces prohibited material,1410 or has possession of prohibited material, intending to use the material, or to enable another person to use the material, for a criminal purpose is guilty of an offense.1411 The maximum penalty for the offense is imprisonment for 3 years.1412 A person who sells (or offers for sale) or gives (or offers to give) prohibited material to another person, knowing that the other person is likely to use the material for a criminal purpose is guilty of an offense.1413 The maximum penalty is imprisonment for 3 years.1414 A person who is in possession of equipment for making prohibited material intending to use it to commit an offense is guilty of an offense.1415 The maximum penalty is imprisonment for 3 years.1416
6C.8.6 Attempt Offense Excluded
A person cannot be convicted of an attempt to commit an offense against this statute.1417
6C.8.7 Application of Part
The statute does not apply to misrepresentation by a person under the age of 18 years for the purpose of obtaining alcohol, tobacco or any other product not
1407 Id. s 144B(3). 1408 Id. s 144C(1). 1409 Id. s 144C(2). 1410 For the definition of “prohibited material,” see Part 6C.8.2. 1411 South Australia Criminal Law Consolidation Act 1935 (SA) s 144D(1). 1412 Id. 1413 Id. s 144D(2). 1414 Id. 1415 Id. s 144D(3). 1416 Id. 1417 Id. s 144E.
lawfully available to persons under the age of 18; or gaining entry to premises to which access is not ordinarily allowed to persons under the age of 18.1418 It also does not apply to any particular thing done by a person under that age to facilitate such a misrepresentation.1419
6C.9 Queensland’s Identity Crime Provisions
As stated previously,1420 Queensland, a state in eastern Australia with its capital in Brisbane, has passed laws that directly target identity crimes. Specifically, the Criminal Code Act 1899 (Qld) was amended by the Criminal Code and Civil Liability Amendment Act 2007 (Qld) to include a section, numbered 408D, entitled “Obtaining or dealing with identification information.”
6C.9.1 Analysis of Queensland’s Identity Crime Statute
Table 22 Queensland’s identity crime statute
Component of identity crime | Section of Queensland Criminal Code Act (QCCA) | Description of law: Law prohibits …
Production of identity (either associated with a real person, or not so associated) | | Production of identity does not appear to be illegal under Queensland’s identity crime scheme.
Acquisition | QCCA 408D(1) | Obtaining identity information, for commission of indictable offense
Possession | QCCA 408D(1A) | Possessing equipment to commit an indictable offense involving acquisition, transfer, or use of identity information
Transfer/Trafficking | QCCA 408D(1) | Dealing with identity information, for commission of indictable offense
Use | QCCA 408D(1) | Dealing with identity information, for commission of indictable offense
1418 Id. s 144F(a). 1419 Id. s 144F(b). 1420 See Part 6C.3.
6C.9.2 Definitions
“Dealing with” identification information, includes supplying or using the information.1421
“Digital signature” means encrypted electronic or computer data intended for the exclusive use of a particular person as a means of identifying that person as the sender of an electronic communication.1422
“Identification information,” of another entity, means information about, or identifying particulars of, the entity that is capable of being used, whether alone or in conjunction with other information, to identify or purportedly identify the entity.1423
Identification information for an individual includes:
1. information about the individual or the individual’s relatives including name, address, date of birth, marital status and similar information;
2. the individual’s driver license or driver license number;
3. the individual’s passport or passport number;
4. anything commonly used by an individual to identify himself or herself, including a digital signature;
5. the individual’s financial account numbers, user names and passwords;
6. a series of numbers or letters (or a combination of both) intended for use as a means of personal identification;
7. any data stored or encrypted on the individual’s credit or debit card;
8. biometric data relating to the individual;
9. the individual’s voice print;
10. a false driver license or other false form of identification for a fictitious individual.1424
Identification information for an entity that is a body corporate includes:
1. name;
2. Australian Business Number (ABN);
3. financial account numbers;
4. any data stored or encrypted on a credit or debit card issued to the body corporate.1425
“Obtaining,” identification information, includes possessing or making the information.1426
1421 Queensland Criminal Code, 1899, s 408D(7) (Austl.). 1422 Id. 1423 Id. 1424 Id. 1425 Id. 1426 Id.
6C.9.3 Obtaining or Dealing with Identification Information
A person who obtains or deals with another entity’s identification information for the purpose of committing, or facilitating the commission of, an indictable offense commits a misdemeanor, with a maximum penalty of 3 years’ imprisonment.1427 A person who possesses equipment for the purpose of committing, or facilitating the commission of, such an offense also commits a misdemeanor with the same penalty.1428 It is immaterial whether the other entity is alive or dead, or exists or does not exist, or consents or does not consent to the obtaining or dealing.1429
6C.9.4 Provisions to Assist the Victim
When a court is sentencing a person for an offense, the court may order that the court’s certificate be issued to the victim (called the “other entity” in the statute) stating the offense, the entity’s name and anything else the court considers relevant for the victim’s benefit.1430 The order may be made on the court’s own initiative or on application by the victim or the prosecutor.1431 If the identity criminal is sentenced on a plea of guilty, the certificate may be given to the victim immediately.1432 If the identity criminal is not sentenced on a plea of guilty, the certificate must not be given to the victim until the later of (a) the end of any period allowed for appeal against conviction; or (b) if an appeal is started, the end of any proceedings on the appeal.1433
6C.10 New South Wales’ Crimes Act 1900
New South Wales, the largest Australian state by population, does not have a statute specifically aimed at identity crimes. Identity crimes have, however, been prosecuted under the Crimes Act 1900, most recently amended in 2011. A part of the New South Wales Crimes Act is entitled “Deception,”1434 and states that “deception” as used in the part includes any deception, by words
1427 Id. s 408D(1). 1428 Id. s 408D(1A). 1429 Id. s 408D(2). 1430 Id. s 408D(3). 1431 Id. s 408D(4). 1432 Id. s 408D(5). 1433 Id. s 408D(6). 1434 New South Wales’ Crimes Act 1900, pt 4AA.
or other conduct, as to fact or as to law, including a deception as to the intentions of the person using the deception or any other person; and conduct by a person that causes a computer, a machine, or any electronic device to make a response that the person is not authorized to cause it to make.1435 In addition, a person does not commit an act involving “deception” unless the deception was intentional or reckless.1436 The statute also defines certain other terms: “obtains property”: (1) when a person obtains ownership, possession or control of the property for himself or herself or for another person, or (2) when a person enables ownership, possession or control of the property to be retained by himself or herself or by another person, or (3) when a person induces a third person to do something that results in the person or another person obtaining or retaining ownership, possession or control of the property.1437 “Obtaining property” requires an intent to permanently deprive another of the property.1438 A borrowing or lending of the property may amount to permanent deprivation if, but only if, the borrowing or lending is for a period and in circumstances making it equivalent to an outright taking or disposal.1439 “property belongs”: “property belongs” to a person if the person has possession or control of the property, or the person has a proprietary right or interest in the property (not being an equitable interest arising only from an agreement to transfer or grant an interest or from a constructive trust). 
If property is subject to a trust, the persons to whom it belongs include any person having a right to enforce the trust.1440 “obtaining a financial advantage” includes obtaining a financial advantage for oneself or for another person, or inducing a third person to do something that results in oneself or another person obtaining a financial advantage, or keeping a financial advantage that one has, whether the financial advantage is permanent or temporary.1441 A similar delineation applies to “causing a financial disadvantage.”1442
1435 Id. s 192B(1). 1436 Id. s 192B(2). 1437 Id. s 192C(1). 1438 Id. s 192C(2). 1439 Id. s 192C(4). This point about permanent deprivation is further delineated at Id. s 192C(5). 1440 Id. s 192C(3). 1441 Id. s 192D(1). 1442 Id. s 192D(2).
6C.10.1 Analysis of New South Wales’ Fraud Statute
Production: Production is the focus of the statute prohibiting making or publishing false statements in order to obtain property.1443
Acquisition: Not covered.
Possession: Not covered.
Transfer or Trafficking: Not covered.
Use: Use is the primary focus of the basic fraud statute, which outlaws obtaining property by deception.1444
6C.10.2 Fraud
A person who, by any deception, dishonestly obtains property belonging to another, or obtains any financial advantage or causes any financial disadvantage, is guilty of the offense of fraud. The maximum penalty for the offense is imprisonment for 10 years.1445 A person’s obtaining of property belonging to another may be dishonest even if the person is willing to pay for the property.1446 A person may be convicted of the offense of fraud involving all or any part of a general deficiency in money or other property even though the deficiency is made up of any number of particular sums of money or items of other property that were obtained over a period of time.1447
Note: A conviction for the offense of fraud is an alternative verdict to a charge for the offense of larceny,1448 or any offense that includes larceny, and a conviction for the offense of larceny, or any offense that includes larceny, is an alternative verdict to a charge for the offense of fraud.1449
Case: This statute has been used to prosecute identity crimes. For example, in Stevens v. The Queen,1450 the defendant, Gary John Stevens, entered a bank branch in Sydney and asked to cash a check made out to cash, apparently signed by a “J Nealer.” Stevens said he was “Gary Anderson” and explained that he needed to pay overdue wages to employees of a pool
1443 Id. s 192G. 1444 Id. s 192E. 1445 Id. s 192E(1). Note that this section was designated 178BA until the Crimes Amendment (Fraud, Identity and Forgery Offences) Bill 2009 was incorporated. It formerly prohibited “obtaining a benefit” by deception. 1446 Id. s 192E(2). 1447 Id. s 192E(3). 1448 Id. ss 116 to 154D (covering larceny). 1449 Id. s 192E(4). 1450 Stevens v The Queen, [2009] NSWCCA 260; 262 ALR 91; see also JOD v. The Queen, [2009] NSWCCA 205.
company. Earlier, the bank manager had received a call from a man who said he was John Nealer of F.J. Hawkes & Co. and that he had given a check to someone and asked if that person could come into the branch to cash the check. He explained that he had been asked to make a payment for a swimming pool (on behalf of Doug Sayer, who was apparently overseas) and that his account only had $700 in it but that he would cover the payment first thing the next morning from an expected bonus payment. At the branch, Stevens gave the bank manager a business card in the name of “John L. Nealer.” The manager checked the account balance (which was $1,200) and gave the applicant $6,700 in cash. The manager, who was suspicious, caused the security camera to be activated as Stevens left the branch.
Two days later, Douglas Sayer (who worked at F.J. Hawkes & Co) discovered that a check was missing from his checkbook. He went to the branch and identified the missing check as being the one that the applicant had cashed two days before. The signature on the check bore an imitation of Nealer’s signature. When Stevens was questioned by the police, he said he had cashed the check at the behest of a person (whom he had met at the races) after explaining that he was broke. He said that the person gave him $500 for cashing the check – $200 for his efforts, and $300 as a loan.
Further indictments of Stevens indicated more frauds of similar nature. Stevens, according to the indictment, on 31 separate occasions over the course of six months, had been photographed making cash withdrawals from ATMs in the name of “Chad Thorpe.” The funds in the account had come from unauthorized Internet transfers. The transfers totaled over $500,000. Stevens also had used the internet to transfer funds from an account held by Dr. Jeffrey Ichilcik into an account opened in the name of Brendan Urquart-Eastwood. “Urquart-Eastwood” withdrew money from that account via ATMs. Stevens then called Ichilcik’s bank, giving his name as “Jeffrey Ichilcik,” and re-set Ichilcik’s internet banking password after answering personal information questions. The mailing and residential addresses for the account were changed to that of a hostel where Stevens and “Urquart-Eastwood” had been seen by police. His contact email address was changed, as were the contact phone numbers. A mobile phone (with the same new number that had been registered on the account) was found during a search of Stevens’ home.
During the search of Stevens’ home, a number of personal, business, and financial documents of Ichilcik were found, in addition to handwritten notes relating to Ichilcik. The prosecution made the case that the applicant obtained access to Ichilcik’s personal information through theft of his mail.
6C.10.3 Intention to Defraud by False or Misleading Statement
A person who dishonestly makes or publishes, or concurs in making or publishing, any statement (whether or not in writing) that is false or misleading in a material particular with the intention of obtaining property belonging to another, or obtaining a financial advantage or causing a financial disadvantage, is guilty of an offense, with a maximum penalty of imprisonment for 5 years.1451
6C.11 Tasmania’s Computer Fraud Statute
Tasmania, the southernmost of Australia’s states, has enacted a comprehensive computer fraud statute that has been enforced in regard to identity crimes.
6C.11.1 Crimes Related to Computers
The statute, sections 257A to 257E of the Criminal Code Act 1924, is entitled “Crimes Related to Computers.” The statute makes it a crime to, with the intent to defraud:
a. destroy, damage, erase, alter, or otherwise manipulate data stored in, or used in connection with, a computer; or
b. introduce into, or record or store in, a computer or system of computers data for the purpose of destroying, damaging, erasing or altering other stored data; or interfere with, interrupt or obstruct the lawful use of that computer or that system of computers or the data stored there; or
c. otherwise use a computer.1452
Damaging computer data is also a crime.1453 Thus, a person who intentionally and without lawful excuse destroys, damages, erases or alters data stored in a computer; or interferes with, interrupts, or obstructs the lawful use of a computer, a system of computers or any part of a system of computers or the data stored in that computer or system of computers, may be convicted for the crime of damaging computer data.1454 In addition, a person who, without lawful excuse, intentionally gains access to a computer, system of computers, or any part of a system of computers, is guilty of the crime of “unauthorized access to a computer.”1455 Further, a person who dishonestly introduces into, or
1451 New South Wales’ Crimes Act 1900, s 192G. 1452 Tasmanian Criminal Code Act 1924 s 257B (Austl.). 1453 Id. s 257C. 1454 Id. s 257C. 1455 Id. s 257D.
records or stores in, a computer or a system of computers, false or misleading information as data, is guilty of the crime of “insertion of false information as data.”1456 The Tasmanian law also contains a section on the extraterritorial application of this crime, apparently in recognition of the truism that identity crimes do not, by their very nature, stay within geographical territories. Thus, these crimes may be prosecuted in Tasmania if a significant part of the conduct relating to, or constituting, the doing of the act or thing occurred in Tasmania; or where the act or thing was done wholly outside Tasmania or partly within Tasmania, if substantial harmful effects arose in Tasmania.1457
6C.11.2 Components of the Identity Crime Model That Can Be Prosecuted under Tasmania’s Computer Fraud Statute
Production: This is a broad statute. It includes, as an offense, “otherwise using a computer” with intent to defraud. Thus, it likely would cover creating a false identity by using one’s computer, so long as the intent of the person creating the identity is fraudulent.
Acquisition: Similarly, under the broad statute, acquiring someone else’s identity through use of a computer, whether one’s own computer or someone else’s, would be criminal.
Possession: It is not clear from the wording of the statute that possession of identity information or an identity document could be prosecuted, although possession would tend to be evidence of production or acquisition.
Transfer or Trafficking: Similar to possession, it is not clear that trafficking in identity information can be prosecuted under this statute.
Use: The use of identity information to gain unauthorized access to a computer could be prosecuted under this law, as well as introducing into a computer false or misleading information as data, such as by the criminal accessing someone else’s account by representing himself or herself as the owner of the account.
6C.11.3 Case Example
A case arose in Tasmania involving “57 crimes of dishonesty, most of which concerned identity fraud.”1458 Thirty of those counts were for computer fraud under Section 257B of Tasmania’s Criminal Code Act 1924. The case report
1456 Id. s 257E. 1457 Tasmanian Criminal Code Act 1924 s 257F. 1458 Brown v. Tasmania, [2008] TASSC 33.
neglects to mention which specific acts were charged under the computer fraud statute,1459 and which fell under other statutes (such as forgery, uttering, receiving stolen property, and money laundering). One of the justices in the case, Justice Slicer, gave a summary of all of the charges in the context of attempting to define defendant Andrea Brown’s role in the criminal scheme, which involved numerous other participants. One can glean which offense might have been prosecuted as computer fraud. Justice Slicer noted that “the general scheme involved the burglary or theft … of items of identification, including bank cards, driver’s licenses, tax file numbers, manipulation and use of those items, and the obtaining of money through electronic banking facilities or atm machines, or credit through the misuse of data.” The first group of counts involved a house that was burgled and a laptop computer and personal identification documents stolen. Brown employed “her skills to use and manipulate the data retrieved from the computer memory and arrange access to the electronic banking facility operated by the owner. Two sums each of $9,000 were withdrawn.” The computer fraud statute would have been employed in these counts in that Brown accessed the laptop for a fraudulent purpose, and then accessed a banking system in order to obtain money. In terms of the identity crime components, she engaged in acquisition and use of identity information. In the second group of charges, “The home of a sleeping occupant was burgled … and banking and credit cards, driver’s license and other items of personal identification stolen. 
… [S]eparate accounts maintained by two persons at different banks were accessed, and through a series of complex but interlinked manipulations, a total of $39,000 withdrawn.” Accessing of the accounts, i.e., use of the information, was the computer fraud involved here, although stealing the cards was also a form of identity crime, likely charged under another statute. In another group of counts, “a wallet containing a bank card and personal items was stolen … and received by [Brown]. … [T]he items, and the knowledge obtained, were used to defraud a credit union of $6,598, and various retail outlets of lesser amounts. The scheme was complex, involving the use of telephonic facilities, automatic teller machines and the collection of a fresh credit card from a postal address.” Like the previous group of counts, this involved the use of identity information to access a bank computer system (under the computer fraud statute), as well as an acquisition identity crime in obtaining the items in the wallet. It also appears, based on the “collection of a fresh credit card,” that a new identity document was produced. In the last group of counts, “A handbag containing a financial card and driver’s license was stolen from outside a hotel. … The contents were used on the same day to obtain credit and items from a financial credit provider for $6,000, and from two retail outlets.” As in the previous counts, there was a use of identity documents to access a computer, under the identity fraud statute, and an acquisition of identity documents in order to commit computer fraud. Andrea Brown’s main contribution to all of these schemes was “using her knowledge of computers, data processing and electronic banking systems” to commit the crime. “She was directly involved in the obtaining and receipt of some of the money through sale, withdrawal from an ATM, collection of the credit union material from a post box, and representing herself to be another.” Although these crimes violated numerous statutes, it appears that the broad computer fraud law was the primary one employed.
1459 The case report concerns the defendant’s attempt to have her sentence reduced.
Part D United Kingdom Statutes
6D.1 Introduction
It has been reported that identity crimes are a growing problem in the United Kingdom, with year-to-year increases in reports of impersonation, and surveys indicating that one in four British adults had been affected by identity crime, or knew someone who had been. It has been estimated that over 100,000 per year are affected by identity crime in the U.K., and the Home Office Identity Fraud Steering Committee reports that identity crime costs the U.K. economy nearly £1.7 billion annually.1460 In the first nine months of 2009, over 175,000 cases of confirmed fraud were recorded by members of the U.K.’s Credit Fraud Avoidance System, an increase of over 11% from the same period in 2008.1461
1460 Perpetuity Research and Consultancy International Ltd, The Fight against Identity Fraud: A Brief Study of the EU, the UK, France, Germany and the Netherlands 14 (2006) [hereinafter “Perpetuity Research Study”], available at www.perpetuityresearch.com/publications.html. 1461 CIFAS website, http://www.cifas.org.uk/default.asp?edit_id=938–57.
The United Kingdom is a unitary state, which means that it is not made up of territorial divisions that are states themselves;1462 any administrative divisions, such as Scotland, Wales, and Northern Ireland, exercise only powers that the central government chooses to delegate. Thus, unlike the other countries discussed above, the criminal law of the central U.K. government applies throughout the kingdom. There is no offense in the United Kingdom specifically called “identity crime,” “identity theft” or “identity fraud,” although there has been some activity to pass such legislation.1463 It is an offense to possess or control false identity documents, including genuine ones improperly obtained. Penalties have been increased for fraudulently obtaining passports and driving licenses. A Fraud Act has been passed (summarized below) stating that a person is guilty of fraud if found to be perpetrating any of the following, in order to make a gain for oneself or another, or to cause loss to another, or to expose another to a risk of loss: 1. Fraud by false representation. 2. Fraud by failing to disclose information. 3. Fraud by abuse of position. Below are summaries of the provisions in statutes designed to address the United Kingdom’s identity crime problem. Note that many of the offenses below are both “indictable offenses” and “summary offenses.” Summary offenses encompass the most minor offenses in the Criminal Code, with lesser penalties than indictable offenses. Summary offenses can be proceeded with summarily, without the right to a jury trial and/or indictment (required for an indictable offense). Many offenses can be prosecuted either by summary conviction or indictment, with the prosecution choosing or electing the mode of prosecution.1464
1462 Black’s Law Dictionary (9th ed. 2009). 1463 Perpetuity Research Study, supra note 2283. 1464 See Summary Offences and the Crown Court, Crown Prosecution Service, http://www.cps.gov.uk/legal/s_to_u/summary_offences_and_the_crown_court/ (last visited Oct. 31, 2012).
6D.2 Analysis of the U.K.’s Identity-Crime-Related Statutes
Table 23. U.K. identity crime related statutes

| Component of identity crime | Statute | Description of law: Law prohibits | Sample cases |
|---|---|---|---|
| Production of identity (either associated with a real person, or not so associated) | Identity Cards Act 25(3), (5) | Making apparatus to make false identity document, or making an article or material adapted to making false identity documents | |
| | Identity Cards Act § 25(3), (6) | Possession or control of apparatus to make a false identity document; possession or control of an article or material adapted to making false identity documents. | |
| | Fraud Act § 8 | Making or adapting any article knowing that it is designed or adapted for use in the course of or in connection with fraud | |
| | Forgery and Counterfeiting Act 1 | Making a false instrument intending to induce another to accept it as genuine. | R. v. Tirnaveanu (Cornel), [2007] EWCA Crim 1239 (24 May 2007). |
| | Forgery and Counterfeiting Act 2 | Copying a false instrument | |
| Acquisition | Identity Cards Act 28(2) | Providing false information to the National Identity Register, including for the purpose of obtaining an ID card | |
| | Theft Act 1(1) | Dishonestly appropriating property belonging to another with the intention of permanently depriving the other of it | R. v Sofroniou (Leon Florenzous), [2003] EWCA Crim 3681 (18 Dec 2003). |
| | Theft Act 22 | Handling stolen goods | |
| | Computer Misuse Act 1, 2, 3, 3A | Accessing a computer without authorization | |
| | Data Protection Act 55(1) | Unlawfully obtaining personal data. | |
| Possession | Identity Cards Act 25(1), (5) | Possession or control of false or improperly obtained identity document, or one that relates to someone else | R. v. Dast Jerdi (Bakshi Ali), [2011] EWCA Crim 365 (7 Feb. 2011); R. v Ovieriakhi (Valerie Ekiuwa), [2009] EWCA Crim 452 (26 Feb 2009); R. v. Carneiro (Rosiene Ribeiro), [2007] EWCA Crim 2170 (5 Sept 2007) |
| | Identity Cards Act 25(3) | Possessing or controlling apparatus to make false identity document, or possessing or controlling an article or material adapted to making false identity documents | R. v. Toska (Albert), [2010] EWCA 2187 (2 Aug 2010). |
| | Fraud Act 6 | Possession or control of any article for use in the course of or in connection with any fraud | |
| | Theft Act 22 | Handling stolen goods | |
| | Forgery and Counterfeiting Act 5 | Possessing false documents with intent to use, or otherwise without lawful authority | |
| Transfer/Trafficking | Fraud Act 7 | Supplying or offering to supply any article knowing that it is designed or adapted for use in the course of or in connection with fraud | R. v. Huang (Jian), [2010] EWCA Crim 375 (9 Feb 2010) |
| | Theft Act 22 | Handling stolen goods | |
| | Data Protection Act 55(3), (4), (5) | Selling data covered by Data Protection Act, or offering to sell such data. | |
| Use | Fraud Act 2(5) | Making a false representation | |
| | Forgery and Counterfeiting Act 3 | Using a false instrument | |
| | Forgery and Counterfeiting Act 4 | Using a copy of a false instrument | R. v El Mashta (Ahmad Alhaleem), [2010] EWCA Crim 2595 (6 Aug 2010) |
6D.3 Identity Cards Act 2006
Identity cards are the crucial identity documents in the United Kingdom. The Identity Cards Act 2006 is the primary statute pertaining to those documents, and is the only U.K. statute specifically designed to combat identity crimes. There has been some concern expressed, however, about the effectiveness of the cards. It was reported in August 2009 that a computer expert was able to clone and fake a U.K. identity card in just 12 minutes, using a standard Nokia mobile phone and reading the information on an RFID chip embedded in the ID card, copying it to a blank plastic smart card. It is speculated that ID cards may assist organized criminals and terrorists, because many people are willing readily to accept faked cards as genuine.1465
6D.3.1 Definitions
An “identity document” is any document that is, or purports to be:
1. an ID card;
2. a designated document (this term is not further defined);
3. an immigration document;
4. a U.K. or non-U.K. passport, or document that can be used instead of a passport; and
5. a U.K. or non-U.K. driving license.1466
This list can be modified by the Secretary of State, after presenting a draft order to Parliament and getting the approval of each House.1467
The “National Identity Register” is a register set up to facilitate, by the maintenance of a secure and reliable record of registrable facts about individuals in the United Kingdom, the provision of:
1. a convenient method for such individuals to prove registrable facts about themselves to others who reasonably require proof; and
2. a secure and reliable method for registrable facts about such individuals to be ascertained or verified wherever that is necessary in the public interest.1468
A “registrable fact” about a person is:
1. his identity;
2. the address of his principal place of residence in the United Kingdom;
3. the address of every other place in the United Kingdom or elsewhere where he has a place of residence;
4. where in the United Kingdom and elsewhere he has previously been resident;
5. the times at which he was resident at different places in the United Kingdom or elsewhere;
6. his current residential status;
7. residential statuses previously held by him;
8. information about numbers allocated to him for identification purposes and about the documents to which they relate;
9. information about occasions on which information recorded about him in the Register has been provided to any person; and
10. information recorded in the Register at his request.1469
However, “registrable facts” do not include any “sensitive personal data,” as defined in the Data Protection Act 1998 or anything the disclosure of which would tend to reveal such data.1470 “Sensitive personal data,” as defined in the Data Protection Act 1998, is personal data as to:
1. the racial or ethnic origin of the data subject,
2. his political opinions,
3. his religious beliefs or other beliefs of a similar nature,
4. whether he is a member of a trade union,
5. his physical or mental health or condition,
6. his sexual life,
7. the commission or alleged commission by him of any offense, or
8. any proceedings for any offense committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.1471
6D.3.2 Possession or Control of Documents
The Identity Cards Act makes it an offense to possess or control certain identity documents, specifically, an identity document:
1. that is false and that the offender knows or believes is false;
2. that was improperly obtained and that the offender knows or believes to have been improperly obtained; or
3. that relates to someone else.1472
1465 12 Minutes to Clone UK Identity Card, Tech and the Law (Aug. 6, 2009), http://blog.tech-and-law.com/2009/08/12-minutes-to-clone-uk-identity-card.html.
1466 Identity Cards Act 2006, c. 15, § 26(1) (Eng.). 1467 Id. § 26(4), (5). 1468 Id. § 1(3).
1469 Id. § 1(5). 1470 Id. § 1(6). 1471 Data Protection Act 1998, c. 29, § 2 (Eng.). 1472 Identity Cards Act 2006, c. 15, § 25(1).
To be convicted of this offense, an offender must have the intent:
1. to use the document to establish registrable facts about the offender; or
2. to allow or induce another to use the document to establish, ascertain or verify registrable facts about himself or about some other person.1473
The punishment upon conviction is imprisonment up to 10 years, and/or a fine.1474
The Identity Cards Act also makes it an offense for a person to possess or control, without reasonable excuse:
1. an identity document that is false;
2. an identity document that was improperly obtained;
3. an identity document that relates to someone else; or
4. any apparatus, article or material that the offender knows is or has been specially designed or adapted for the making of false identity documents or to be used in the making of such documents.1475
The punishment upon conviction is imprisonment up to 2 years, and/or a fine,1476 with lesser punishments for so-called summary convictions (not based upon an indictment).1477
A Cases
There are over 80 reported cases under this section of the Identity Cards Act.1478 Most such cases were heard by the Court of Appeal of England and Wales, Criminal Division, and a few were heard by the High Court of Justiciary in Scotland. The vast majority of the cases pertain to immigrants. Fairly typical is the case of Bakhshi Ali Dastjerdi1479 who, in 2009, pled guilty to the offense of possession of a false identity document, and was sentenced to 12 months’ imprisonment. The sentence would also subject Dastjerdi, an Iranian national, to automatic deportation. He had been arrested at Gatwick Airport from which he was attempting to travel to Canada. Although he was Iranian, he had presented a Romanian identity card to the immigration officer, who suspected the card to be false. He said that he was heading to Canada to try to obtain asylum. He had paid 10,000 Euros to an agent who was going to
1473 Id. § 25(2). 1474 Id. § 25(6). 1475 Id. § 25(5). 1476 Id. § 25(7)(a). 1477 Id. § 25(7)(b), (c). 1478 Based upon search in the Westlaw database conducted Mar. 27, 2011 for cases with “Identity Cards Act” in the same paragraph as “possess” or “possession.” 1479 R. v. Dast Jerdi (Bakshi Ali), [2011] EWCA (Crim) 365 (Eng.).
take him on to Canada. He arrived in England after traveling to a few other countries. When he got to the U.K., nobody met him and he presented himself to the authorities. He said that he had purchased the false passport as part of his plan to flee Iran. On appeal, he claimed that he had not been advised in the criminal court that the need for asylum was a possible defense. The Court of Appeal agreed with the defendant, and allowed him extra time to prepare an appeal against his conviction.
In another case, Valerie Ekiuwa Ovieriakhi, a Nigerian woman, was working at a U.K. nursing home when she was arrested for overstaying the six months allowed by her work permit.1480 Officers searched Ovieriakhi’s home and found a false Nigerian passport in the name of Valerie Michaels, which contained the appellant’s photograph. Ovieriakhi admitted that she possessed a false passport, stating that when she entered the U.K. she had not intended to work, but had changed her mind. She had bought the passport for £300 so that she could obtain employment, knowing that it was not a genuine document. She pled guilty to possessing a false identity document with the intention of using it for establishing registrable facts about herself, under the Identity Cards Act. The appellate judges discussed Ovieriakhi’s case rather sympathetically, but the only issue to be decided was whether the 12-month sentence given to the defendant should be reduced. The court concluded that, because of the defendant’s good character, and because she had used the document only to obtain work and not to evade criminal laws, she should receive only six months’ imprisonment. However, despite a plea from the defendant’s attorney, the court held that the defendant must also be deported.
In the case of Rosiene Ribeiro Carneiro,1481 the appellant was a Brazilian who came to the U.K. lawfully as a visitor and was granted permission to remain so long as she did not take a job. She then obtained work as a cleaner and overstayed the permitted time.
Carneiro opened a bank account using a Portuguese identity card in somebody else’s name, and two other documents. The card was a fake. Carneiro was charged with violating section 25(5) of the Identity Cards Act. The lower court sentenced Carneiro to six months’ imprisonment, and she appealed. The appellate court noted that the false use of a document to obtain employment was less serious than using a false passport to obtain entry. “The fact that she was not a drain on the economy is a common factor in the case of people who are using false documents to obtain employment in order to support themselves while unlawfully in the country. …
1480 R. v. Ovieriakhi (Valerie Ekiuwa), [2009] EWCA (Crim) 452 (Eng.). 1481 R. v. Carneiro (Rosiene Ribeiro), [2007] EWCA (Crim) 2170 (Eng.).
The personal circumstances of this appellant are sad, but there is nothing in them which could really merit suspending the sentence on that account alone. Accordingly, we are driven to the conclusion that the sentence passed by the judge was as lenient as it could be in all the circumstances, and it was certainly not wrong in principle or manifestly excessive.”
6D.3.3 Making, Possessing, or Controlling Apparatus to Make Identity Documents
The Identity Cards Act also makes it an offense to make, possess, or control:
1. any apparatus that one knows is or has been specially designed or adapted for the making of false identity documents; or
2. any article or material that one knows is or has been specially designed or adapted to be used in the making of false identity documents.1482
To be convicted of this offense, an offender must have the intent:
1. that it will be used to make a false identity document; and
2. that the document will be used by somebody for establishing, ascertaining, or verifying registrable facts about a person.
The punishment upon conviction is imprisonment up to 10 years, and/or a fine.1483
The case of Albert Toska illustrates this offense.1484 Police officers searched Toska’s home, pursuant to a warrant, and found a thermal ID card printer with a laminator attached, and a number of blank white ID cards. The printer was designed for the production of high quality identity cards. It had previously been used by the U.S. Defense Department. The police further found a plastic bag containing driving licenses that had already been printed and then destroyed, and three that had not been destroyed. On Toska’s computer was a type of software used in the printing of identification cards. Other incriminating evidence was found as well. Toska was charged with violating section 25(3) of the Identity Cards Act. It was found that Toska was not a kingpin, but was a mere amateur, and that the documents that he produced were of low quality.
It also appeared that his documents had not entered the public domain in any significant number. In light of those facts, the appellate court reduced Toska’s sentence from 4 years to 3.
1482 Identity Cards Act 2006, c. 15, § 25(3) (Eng.). 1483 Id. § 25(6). 1484 R. v. Toska (Albert), [2010] EWCA 2187 (Eng.).
6D.3.4 Unauthorized Disclosure
A person is required to keep information confidential if it is information that comes to him because he holds an office or employment with duties relating to:
1. the establishment or maintenance of the National Identity Register;
2. the issue, manufacture, modification, cancellation, or surrender of ID cards; or
3. the carrying out of the functions of the National Identity Scheme Commissioner.1485
A person is guilty of the offense of unauthorized disclosure of such information if, without lawful authority, (a) he provides any person with information that he is required to keep confidential; or (b) he otherwise makes a disclosure of any such information.1486
A person has lawful authority to give out information if the provision of such information either:
1. is authorized under a statute;
2. is required by a court order;
3. is to fulfill a requirement of the European Community; or
4. is to perform the duties of one’s office or employment.1487
A person charged with unauthorized disclosure may defend himself by showing that, at the time of the alleged offense, he believed, on reasonable grounds, that he had lawful authority to provide the information or to make the other disclosure in question.1488 The punishment for this offense is up to two years’ imprisonment, and/or a fine.1489
6D.3.5 Providing False Information
A person is guilty of providing false information if he provides such information to any person:
1. for the purpose of securing the making or modification of an entry in the National Identity Register;
2. in confirming (with or without changes) the contents of an entry in the National Identity Register; or
3. for the purpose of obtaining for himself or another the issuance or modification of an ID card.1490
1485 Identity Cards Act 2006, c. 15, § 27(2). 1486 Id. § 27(1). 1487 Id. § 27(3). 1488 Id. § 27(4). 1489 Id. § 27(5). 1490 Id. § 28(1).
In order to be convicted under the statute, the person must know or believe the information is false, or be reckless as to whether or not it is false.1491 The punishment for this offense is up to 2 years’ imprisonment, and/or a fine.1492 Summary convictions (not on indictment) carry lesser penalties.1493
6D.3.6 Tampering with the National Identity Register
A person is guilty of tampering with the National Identity Register if he engages in any conduct that causes an unauthorized modification of information recorded in the Register;1494 and at the time when he engages in the conduct, he intends to cause a modification of information recorded in the Register; or is reckless as to whether or not his conduct will cause such a modification.1495
Conduct is deemed to “cause” a modification of information recorded in the Register where it contributes to a modification of such information; or where it makes it more difficult or impossible for such information to be retrieved in a legible form from a computer on which it is stored by the Secretary of State, or contributes to making that more difficult or impossible.1496
A modification is “unauthorized,” in relation to the person whose conduct causes it, if he is not himself entitled to determine if the modification may be made; and he does not have consent to the modification from a person who is so entitled.1497
One who causes a modification of the Register may defend himself by showing that, at the time of the conduct, he believed, on reasonable grounds, that he was a person entitled to determine if that modification might be made; or that consent to the modification had been given by a person so entitled.1498 The punishment for this offense is up to 10 years’ imprisonment, and/or a fine.1499 A lesser punishment applies to summary (i.e., not on indictment) convictions.1500
1491 Id. § 28(2). 1492 Id. § 28(3)(a). 1493 Id. § 28(3)(b)-(c). 1494 Id. § 29(1). 1495 Id. § 29(2). 1496 Id. § 29(3). 1497 Id. § 29(5). 1498 Id. § 29(6). 1499 Id. § 29(7)(a). 1500 Id. § 29(7)(b)-(c).
6D.3.7 Civil Penalties
Civil penalties under the Identity Cards Act may be imposed by the Secretary of State, under a procedure set out by the act.1501
6D.3.8 Components of the Identity Crime Model That Can Be Prosecuted under Identity Cards Act
Production: Although the Identity Cards Act does not specifically criminalize the making of counterfeit identity documents, it does make it illegal to possess or control apparatus to make a false identity document, and to possess or control an article or material adapted to making false identity documents.1502 Further, it is illegal to make an apparatus to make an identity document.1503 Thus, while production is not illegal per se, possession of the means of production is illegal.
Acquisition: Providing false information to the National Identity Register, including for the purpose of obtaining an identity document, is a crime under the Identity Cards Act.1504
Possession: Possession or control of false or improperly obtained identity documents, or an identity document that relates to someone other than the possessor of the document, is illegal under the Identity Cards Act.1505 Possession of apparatus to make identity documents is also illegal (see above under “Production”).
Transfer or Trafficking: Not criminalized under the Identity Cards Act.
Use: Not criminalized under the Identity Cards Act.
6D.4 Fraud Act 2006
According to Police Chief Magazine, the Fraud Act creates “a new offense of fraud that can be committed in three ways: by making a false representation (dishonestly, with intent to make a gain, cause loss or risk of loss to another), by failing to disclose information, and by abuse of position. Offenses were also created of obtaining services dishonestly, possessing equipment to commit frauds, and making or supplying articles for use in frauds.”1506 It “facilitates the prosecution of identity theft and therefore makes a valuable contribution to Internet governance.”1507 Fraud formerly could not be conducted against a machine (such as a computer or an ATM). Under the act, deceiving a machine, for example, by sending a phishing e-mail, may be prosecuted. Under the act, there is no requirement that the phisher be shown to have used the information to access the funds in a victim’s account, and the victim need not respond to that email or act on the request.1508 Under the act, conduct will now be caught and criminalized which would not have been sufficient even for an attempted offense prior to the act.1509
1501 Id. §§ 31–34. 1502 Id. § 25(5). 1503 Id. § 25(3). 1504 Id. § 28(2). 1505 Id. § 25(1), (5). 1506 Nicole van der Meulen, Year of Preventing Identity Crime: Moving Forward? Identity-Related Crime in the European Arena, The Police Chief (Aug. 2008), http://www.policechiefmagazine.org/magazine/index.cfm?fuseaction=display&article_id=1569&issue_id=82008#9.
In summary, the Fraud Act defines the criminal offense of fraud in three classes: (1) fraud by false representation, (2) fraud by failing to disclose information, and (3) fraud by abuse of position. One guilty of fraud may be given up to 10 years’ imprisonment and/or a fine (a lesser sentence upon summary conviction). Portions of the Fraud Act 2006 amended the Theft Act 1968, a discussion of which follows that of the Fraud Act.
6D.4.1 Fraud, Generally
Under the Fraud Act 2006, a person is guilty of fraud if he commits fraud by false representation, fraud by failing to disclose information, or fraud by abuse of position (discussed below).1510 The punishment for such fraud is up to 12 months in prison and/or a fine. A lesser punishment applies upon summary conviction (that is, not on an indictment).1511
6D.4.2 Fraud by False Representation
A “representation” is any representation as to fact or law, including a representation as to the state of mind of a person making the representation or any
1507 Anne Savirimuthu and Joseph Savirimuthu, Identity Theft and Systems Theory: The Fraud Act 2006 in Perspective, 4 SCRIPTed 4 (Sept. 2007), available at http://www.law.ed.ac.uk/ahrc/script-ed/vol4-4/savirimuthu.pdf (citing van der Meulen, supra note 2329). 1508 Id. 1509 Maureen Johnson and Kevin M. Rogers, The Fraud Act 2006: The E-Crime Prosecutor’s Champion or the Creator of a New Inchoate Offense?, Paper Presented at the annual British and Irish Law, Education, and Technology Association conference, Apr. 16–17, 2007; see also van der Meulen, supra note 2329. 1510 Fraud Act, 2006, c. 35, § 1(1), (2) (Eng.). 1511 Id. § 1(3), (4).
other person.1512 The representation may be express or implied.1513 A representation is false if it is untrue or misleading, and the person making it knows that it is, or might be, untrue or misleading.1514 A person is guilty of fraud by false representation, in violation of the act, if he dishonestly makes a false representation, intending to make a gain for himself or another, or to cause loss to another or expose another to a risk of loss.1515 One “makes” a representation if it (or anything implying it) is submitted in any form to any system or device designed to receive, convey or respond to communications (with or without human intervention).1516
6D.4.3 Fraud by Failing to Disclose Information
A person is guilty of fraud by failing to disclose information if he dishonestly fails to disclose to another person information that he is under a legal duty to disclose, and intends, by failing to disclose the information, to make a gain for himself or another, or to cause loss to another or to expose another to a risk of loss.1517
6D.4.4 Fraud by Abuse of Position
One who occupies a position in which he is expected to safeguard, or not to act against, the financial interests of another person, would be guilty of fraud by abuse of position if he dishonestly abuses that position, and intends, by means of the abuse of that position, to make a gain for himself or another, or to cause loss to another or to expose another to a risk of loss.1518 Such an abuse of position may consist of an omission rather than an act.1519
6D.4.5 “Gain” and “Loss”
The various types of fraud refer to making “gains” or causing “losses.” The terms only extend to gains or losses in money or other property, and include any such loss, whether temporary or permanent, including causes of action (for example, the right to sue) and other intangible property. “Gain” includes a gain by keeping what one has, as well as a gain by getting what one does not have.
“Loss” includes a loss by not getting what one might get, as well as a loss by parting with what one has.1520
1512 Id. § 2(3). 1513 Id. § 2(4). 1514 Id. § 2(2). 1515 Id. § 2(1). 1516 Id. § 2(5). 1517 Id. § 3. 1518 Id. § 4(1). 1519 Id. § 4(2). 1520 Id. § 5.
6D.4.6 Articles for Use in Frauds
Another offense under the Fraud Act 2006 occurs when a person has in his possession or under his control any article for use in the course of or in connection with any fraud. The applicable punishment, upon indictment, is up to 5 years’ imprisonment and/or a fine. A lesser punishment applies to summary convictions (i.e., not on indictment).1521 In addition, a person is guilty of an offense if he makes, adapts, supplies, or offers to supply any article knowing that it is designed or adapted for use in the course of or in connection with fraud, or intending it to be used to commit, or assist in the commission of, fraud. The applicable punishment is 10 years’ imprisonment and/or a fine, with a lesser punishment if there is a summary conviction (i.e., not on indictment).1522 An “article,” as used above, includes any program or data held in electronic form.1523
An illustration of a violation of this section, and hence of trafficking in identity documents, is provided by the case of Jian Huang.1524 Huang had offered to supply to others certified university certificates and attendance records. Huang was involved in obtaining documents for Chinese students attesting to their successful graduation from U.K. universities. The documents purported to have been certified as authentic by the Chinese Embassy. The students would then show them to their families and future employers in China. Huang would receive instructions from his potential customers as to what documents they needed. The maker of the documents would supply a template to confirm that the quality and information were satisfactory. Once the customer confirmed that the sample was satisfactory, Huang would confirm the order with the maker of the documents. The criminal court sentenced Huang to 4 years, but the appellate court reduced this to 2–1/2 years.
6D.4.7 Components of the Identity Crime Model That Can Be Prosecuted under Fraud Act Production: Making or adapting any article knowing that it is designed or adapted for use in the course of or in connection with fraud, is illegal under the Fraud Act.1525 Acquisition: Not prosecutable under Fraud Act. 1 521 1522 1523 1524 1525
Id. § 6. Id. § 7. Id. § 8. R. v. Huang (Jian), [2010] ewca (Crim) 375 (Eng.). Fraud Act, 2006, c. 35, § 8.
Identity Crime Legislation in the United States
Possession: The possession or control of any article for use in the course of or in connection with any fraud is illegal under the Fraud Act.1526
Transfer or Trafficking: Supplying or offering to supply any article knowing that it is designed or adapted for use in the course of or in connection with fraud is illegal. This section has been used to prosecute identity crime.1527
Use: “Making a false representation” is illegal under the Fraud Act. Such a broad statute could be adopted to prosecute identity crime.1528

6D.5 Theft Act 1968
The Fraud Act, discussed above, removed some portions of the Theft Act 1968 regarding offenses considered to be “fraud,” but it still contains the basic definition of “theft” in United Kingdom law.

6D.5.1 Definitions
Theft:1529 A person is guilty of theft if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and “thief” and “steal” are construed accordingly. It is immaterial whether the appropriation is made with a view to gain, or is made for the thief’s own benefit.1530 The other definitions only apply to this definition of “theft,” and not to any other sections of the Theft Act or any other statute.1531

Dishonestly:1532 A person’s appropriation of property belonging to another is not “dishonest” if the appropriator takes the property believing he has the right to do so, or thinking he would have the other person’s consent under the circumstances. It is not dishonest if the appropriator believes that the person to whom the property belongs cannot be discovered by taking reasonable steps, unless the property came to the appropriator as trustee or personal representative. The appropriation may be dishonest even if the appropriator is willing to pay for the property.

1526 Id. § 6.
1527 Id. § 7.
1528 Id. § 2(5).
1529 Theft Act, 1968, c. 60, § 1 (Eng.).
1530 Id. § 1(1), (2).
1531 Id. § 1(3).
1532 Id. § 2.
Appropriates:1533 Any assumption by a person of the rights of an owner amounts to an appropriation. If someone comes to the property without stealing it, it is “appropriated” if a person later assumes rights to it by keeping or dealing with it as owner. When property is transferred for value to a person acting in good faith, a later assumption of rights in the property is not considered a theft merely because there was a defect in the transferor’s title.

Property:1534 “Property” includes money and all other property, real or personal, including rights to causes of action and other intangible property.

Belonging to another:1535 Property is regarded as belonging to any person having possession or control of it, or having in it any proprietary right or interest (other than an interest arising from an agreement to transfer or grant an interest). If property is subject to a trust, the persons to whom it belongs are those with a right to enforce the trust. An intention to defeat the trust is considered an intention to deprive any person having that right. When a person receives property from another under an obligation to deal with the property or proceeds in a particular way, the property or proceeds shall be regarded (as against him) as belonging to the other. When a person obtains property by another’s mistake and is under an obligation to give back the property or its proceeds, the property belongs to the other person. An intention not to restore it is an intention to deprive that person of the property or proceeds.

With the intention of permanently depriving the other of it:1536 A person appropriating property belonging to another is regarded as having the intention of permanently depriving the other if he intends to treat it as his own, regardless of the other’s rights. Borrowing or lending a thing may amount to so treating it if it is for a period and under circumstances making it equivalent to an outright taking or disposal. If a person with possession or control of another’s property parts with the property under a condition as to its return, which he may not be able to perform, this amounts to treating the property as his own to dispose of regardless of the other’s rights.

The use of the Theft Act in an identity crime case is illustrated by the case of Leon Florenzous Sofroniou.1537 Sofroniou was charged with obtaining services by deception, and charged under section 1(1) of the Theft Act.

1533 Id. § 3.
1534 Id. § 4.
1535 Id. § 5.
1536 Id. § 6.
1537 R. v. Sofroniou (Leon Florenzous), [2003] EWCA (Crim) 3681 (Eng.).

The prosecution characterized the case as one of identity crime, because Sofroniou falsely pretended
to be Andrew Cole, John Groves, or Andrew Narramore in order to deceive or attempt to deceive (1) banks into providing him with banking services, (2) credit card companies into providing him with credit cards, and (3) retailers into providing him with goods. Sofroniou was convicted, and the verdict was upheld.

6D.5.2 Sentences for Theft
A person guilty of theft may be imprisoned for up to 7 years.1538 A person who dishonestly uses electricity without authority, or dishonestly causes it to be wasted or diverted, may be imprisoned up to 5 years.1539

6D.5.3 Handling Stolen Goods
A person “handles stolen goods” if, knowing them to be stolen, he dishonestly receives them, or undertakes or assists in their retention, removal, disposal, or realization by or for the benefit of another person, or if he arranges to do so. The punishment is imprisonment up to 14 years.1540 “Stolen goods” includes the proceeds of the stolen goods.1541 Goods are not considered “stolen” after they have been restored to the person from whom they were stolen, or after the person from whom they were stolen ceases to have rights to those goods or to restitution for the goods.1542

6D.5.4 Components of the Identity Crime Model That Can Be Prosecuted under Theft Act
Production: Not prosecutable under Theft Act.
Acquisition: The Theft Act outlaws dishonestly appropriating property belonging to another with the intention of permanently depriving the other of it,1543 a prohibition that has been used in prosecuting identity crimes. In addition, handling stolen goods is illegal under the Theft Act.1544
Possession: Handling stolen goods is illegal under the Theft Act.1545
Transfer or Trafficking: Handling stolen goods is illegal under the Theft Act,1546 which could include trafficking in identity documents.
Use: Not covered by the Theft Act.

1538 Theft Act, 1968, c. 60, § 7.
1539 Id. § 13.
1540 Id. § 22.
1541 Id. § 24(2).
1542 Id. § 24(3).
1543 Id. § 1(1).
1544 Id. § 22.
1545 Id.
1546 Id.

6D.6 Computer Misuse Act 1990
The Computer Misuse Act 1990 was created to make it illegal to access computer systems without authorization. It was meant to deter criminals from using a computer to assist in the commission of a criminal offense or from impairing or hindering access to data stored in a computer. It was later amended by the Police and Justice Act 2006.

6D.6.1 Unauthorized Access to Computer Material
One has committed the offense of “unauthorized access to computer material” if
1. he causes a computer to perform any function with the intent to secure access to any program or data held in any computer, or to enable any such access to be secured,
2. the access he intends to secure, or to enable to be secured, is unauthorized, and
3. he knows at the time when he causes the computer to perform the function that that is the case.1547
The person’s intent need not be directed toward:
1. any particular program or data,
2. a program or data of any particular kind, or
3. a program or data held in any particular computer.1548
The punishment for this crime is up to 2 years’ imprisonment and/or a fine. A lesser punishment is imposed for a summary conviction.1549

6D.6.2 Unauthorized Access With Intent to Commit or Facilitate Commission for Further Offenses
A person commits the offense of “unauthorized access with intent to commit or facilitate commission for further offenses” if he commits the offense of “unauthorized access to computer materials,” as described above, with intent, as the name of the section implies, to commit or facilitate further offenses, whether by himself or by any other person.1550 It is immaterial whether the further offense is to be committed on the same occasion as the unauthorized access offense or on any future occasion.1551

1547 Computer Misuse Act, 1990, c. 18, § 1(1) (Eng.).
1548 Id. § 1(2).
1549 Id. § 1(3).
1550 Id. § 2(1).
1551 Id. § 2(3).

A person may be guilty of an
offense even though the facts are such that the commission of the further offense is impossible.1552 The further offense may only be one for which the law sets a fixed sentence, and for which one may generally be sentenced to prison for 5 years or more.1553 The term of imprisonment for this offense is up to 5 years and/or a fine, with a lesser sentence for summary conviction.1554

6D.6.3 Unauthorized Acts with Intent to Impair, or with Recklessness as to Impairing, Operation of a Computer, etc.
A person commits an unauthorized act to impair the operation of a computer if, recklessly or intentionally, he does any unauthorized act in relation to a computer, and at the time when he does the act he knows that it is unauthorized.1555 This violation only applies if the person intends that by doing the act, or is reckless as to whether the act will have the effect:
1. to impair the operation of any computer;
2. to prevent or hinder access to any program or data held in any computer;
3. to impair the operation of any such program or the reliability of any such data; or
4. to enable any of these things to be done.1556
The intention or recklessness referred to above need not relate to any particular computer; any particular program or data; or a program or data of any particular kind.1557 The term of imprisonment for this offense is up to 5 years and/or a fine, with a lesser sentence for summary conviction.1558

1552 Id. § 2(4).
1553 Id. § 2(2).
1554 Id. § 2(5).
1555 Id. § 3(1).
1556 Id. § 3(2), (3). Reference to “doing an act” includes reference to causing an act to be done. An act refers to a series of acts. A reference to impairing, preventing or hindering something includes a reference to doing so temporarily. Id. § 3(5).
1557 Id. § 3(4).
1558 Id. § 2(6).

6D.6.4 Making, Supplying or Obtaining Articles for Use in Offense
This section was added by the Police and Justice Act 2006. A person is guilty of an offense of unauthorized access, or unauthorized access with intent to impair, if he makes, adapts, supplies, or offers to supply any article intending it to be used to commit, or to assist in the commission of,
an offense.1559 A person is guilty of the offense if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, the offense.1560 An “article” includes any program or data held in electronic form.1561 The term of imprisonment for this offense is up to 2 years and/or a fine, with a lesser sentence for summary conviction.1562

6D.6.5 Components of the Identity Crime Model That Can Be Prosecuted under Computer Misuse Act
Although the act does not seem to have been used for this purpose, the sorts of crimes described by the Computer Misuse Act1563 are those that could arise in the acquisition of identity information.

6D.7 Forgery and Counterfeiting Act 1981

6D.7.1 Forgeries and False Instruments
One commits “forgery” if he makes a “false instrument” intending to induce another to accept it as genuine, and thus to do something that will harm himself or someone else.1564 One commits the offense of “copying a false instrument” by making such a copy knowing it is a false instrument, and intending that someone else will accept it as genuine, thus harming himself or someone else.1565 One commits the offense of “using a false instrument” by so doing, knowing it to be false, and intending that someone else will accept it as genuine, thus harming himself or someone else.1566 One commits the offense of “using a copy of a false instrument” by so doing, knowing it to be false, and intending that someone else will accept it as a copy of a genuine instrument, thus harming himself or someone else.1567

1559 Id. § 3A(1).
1560 Id. § 3A(3).
1561 Id. § 3A(4).
1562 Id. § 3A(5).
1563 Id. §§ 1-3A.
1564 Forgery and Counterfeiting Act, 1981, c. 45, § 1 (Eng.).
1565 Id. § 2.
1566 Id. § 3.
1567 Id. § 4.
Application of this statute to punish one who makes a false instrument is illustrated by the case of Cornel Tirnaveanu.1568 Tirnaveanu, in the words of the indictment, “made or procured the making of a false instrument, namely a document purporting to be a British passport, in the name of Monica Halarescu, with the intention that she or another should use it to induce somebody to accept it as genuine and by reason of so accepting it to do some act, or not to do some act, to their own or another person’s prejudice.” The prosecution framed the indictment with the language “made or procured” because it was unclear to the prosecution whether Tirnaveanu was the principal offender who made the false instrument, or a secondary party who procured the making of it, i.e., paid someone else to make it. The appeal was based on whether this was a proper way to frame the charge.

Application of this statute to punish one using a false instrument is illustrated by the case of Ahmad Alhaleem el Mashta.1569 El Mashta was able to secure employment by producing, on two separate occasions, a false Home Office identity card which permitted employment. El Mashta held his job for five years until he was arrested, in late 2009. This gave rise to a count of using a false instrument with intent, under section 3 of the Forgery and Counterfeiting Act. For this violation as well as a number of others (for example, for using false information to obtain financial support from the U.K. government), El Mashta was given sentences of 15 months that were to run concurrently. El Mashta’s sentences were reduced by the appellate court to 8 months, running concurrently. El Mashta was also subject to deportation.

6D.7.2 Money Orders, Share Certificates, Passports, and the Like
The instruments to which this section applies are: money orders; postal orders; U.K. postage stamps; tax stamps; share certificates; passports (including documents that can be used instead of passports); checks; travelers’ checks; credit cards; certified copies of entries in official registers of births, adoptions, marriages or deaths; and certificates relating to entries in official registers.1570 Possessing false documents of the type described above is an offense, if the possessor knows or believes they are false, and intends to induce someone to accept them as genuine, harming himself or another.1571 It is also an offense to possess such items without lawful authority or excuse, irrespective of intent.1572

1568 R. v. Tirnaveanu (Cornel), [2007] EWCA (Crim) 1239 (Eng.).
1569 R. v. El Mashta (Ahmad Alhaleem), [2010] EWCA (Crim) 2595 (Eng.).
1570 Forgery and Counterfeiting Act, 1981, c. 45, § 5(5).
1571 Id. § 5(1).
1572 Id. § 5(2).

In addition, one may not possess an instrument or machine to make
such item, with knowledge of what the instrument is for, and intent to use it for that purpose.1573 It is also an offense to possess such an item without lawful authority or excuse, irrespective of intent.1574

6D.7.3 Sentences
The term of imprisonment for such offenses is up to 10 years, with a lesser punishment for summary convictions (not on indictment).1575 For the offenses that do not require “intent” as an element, the maximum term is 2 years.1576

6D.7.4 Searches, Seizures, Forfeitures
The statute includes specific powers for the issuance of search warrants for the instruments that are the subjects of the statute, upon reasonable cause, and their seizure.1577 A constable may, once such an instrument is seized, apply to the court for its forfeiture and subsequent destruction or disposal.1578

6D.7.5 Definitions
“Instrument.” An instrument is any document, whether formal or informal; a postage stamp or other indication of postage paid; a tax stamp; and any disc, tape, sound track, or other device on or in which information is recorded or stored by mechanical, electronic, or other means.1579 “Instrument” does not include currency, which is covered under the “counterfeit” part of the statute.1580

“False.” An instrument is “false” if it purports to have been made in the form in which it is made:
1. by a person who did not in fact make it in that form; or
2. on the authority of a person who did not in fact authorize its making in that form; or
3. by a person who did not in fact make it in those terms; or
4. on the authority of a person who did not in fact authorize its making in those terms.1581

1573 Id. § 5(3).
1574 Id. § 5(4).
1575 Id. § 6(1)-(2).
1576 Id. § 6(4).
1577 Id. § 7(1).
1578 Id. § 7(2).
1579 Id. § 8(1).
1580 Id. § 8(2).
1581 Id. § 9(1)(a)-(d).

It is also “false” if it purports to have been altered in any respect by a person who did not in fact alter it in that respect; or on the authority of a person who
did not in fact authorize the alteration in that respect.1582 It is “false” if it purports to have been made or altered on a date, in a place, or under circumstances other than those that actually occurred,1583 or if it purports to have been made or altered by an existing person but that person did not in fact exist.1584 A person is treated as making a “false instrument” if he alters an instrument so as to make it false in any respect.1585

6D.7.6 Components of the Identity Crime Model That Can Be Prosecuted under Forgery and Counterfeiting Act
Production: Making a false instrument intending to induce another to accept it as genuine is illegal under the Forgery and Counterfeiting Act, as is copying a false instrument.1586 (An instrument under the Act can be any document.1587)
Acquisition: Not prosecutable under the Forgery and Counterfeiting Act.
Possession: Possessing false documents with intent to use, or otherwise without lawful authority, is illegal under the Forgery and Counterfeiting Act.1588
Transfer or Trafficking: Not prosecutable under the Forgery and Counterfeiting Act.
Use: Using a false instrument, or using a copy of a false instrument, is illegal under the Forgery and Counterfeiting Act.1589

6D.8 Data Protection Act 1998
The Data Protection Act of 1998 applies to data held by all data controllers, whether computerized personal data or personal data held in structured manual files.1590 The Freedom of Information Act 2000 extended the Data Protection Act 1998 to apply to all recorded personal data (including that in unstructured manual files) held by data controllers who are also public authorities under the Freedom of Information Act.

1582 Id. § 9(1)(e)-(f).
1583 Id. § 9(1)(g).
1584 Id. § 9(1)(h).
1585 Id. § 9(2).
1586 Id. §§ 1–2.
1587 Id. § 8(1).
1588 Id. § 5.
1589 Id. §§ 3, 4.
1590 Legislation: About the Data Protection Act, Department of Constitutional Affairs, http://www.dca.gov.uk/ccpd/about.htm (last visited Jan. 24, 2010).

The act also applies to anything at all
done to personal data (“processing”), including collection, use, disclosure, destruction, or merely holding personal data. The act is supervised by the Information Commissioner, who enforces the act’s requirements, promotes compliance and good practice, and manages the notification scheme.

The act gives individuals rights to:
1. gain access to their data;
2. seek compensation;
3. prevent their data being processed in certain circumstances;
4. “opt-out” of having their data used for direct marketing;
5. “opt-out” of fully automated decision-making about them.

Organizations processing personal data (“controllers”) must comply with the Data Protection Principles. These require data to be:
1. fairly and lawfully processed;
2. processed for limited purposes;
3. adequate, relevant, and not excessive;
4. accurate;
5. not kept longer than necessary;
6. processed in accordance with individuals’ rights;
7. kept secure;
8. not transferred to non-EEA (European Economic Area) countries without adequate protection.1591

In order to comply with the principles, controllers must:
1. meet one of six conditions in order to process personal data;
2. meet one of a number of further conditions in order to process sensitive data;
3. inform individuals when their data is collected.

Sensitive data is data about a person’s ethnic origins, political opinions, religious beliefs, trade union membership, health, sexual life and criminal history.

Controllers must tell the Commissioner about their processing, unless a notification exemption applies. Notification exemptions cover:
1. manual records;
2. core business activities;
3. charities’ membership records.
Exemption from notification does not usually grant exemption from the data protection principles.

1591 These principles are described in more detail below.
People can ask to see any personal information that is held about them by organizations. These requests are called “subject access requests.”1592 Some of the provisions of the act relevant to identity-related crime are summarized below.

6D.8.1 Definitions
“Data” is information that:
1. is being processed by means of equipment operating automatically in response to instructions given for that purpose; or
2. is recorded with the intention that it should be processed by means of such equipment;
3. is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;
4. is otherwise part of an accessible record, which can be a health record, an education record, or certain other records as specified by statute.1593

“Data controller” is a person who determines the purposes for which and the manner in which any personal data are processed.1594

“Data processor” is any person (other than an employee of the data controller) who processes the data on behalf of the data controller.1595

“Data subject” is an individual who is the subject of personal data.1596

“Personal data” is data that relate to a living individual who can be identified from those data, or from those data and other information in the possession of, or likely to come into the possession of, the data controller, including any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.1597

1592 Legislation: About the Data Protection Act, supra note 2413.
1593 Data Protection Act, 1998, c. 29, § 1 (Eng.) (referring to “accessible records” as described in § 68 and sch. 12).
1594 Id.
1595 Id.
1596 Id.
1597 Id.

“Processing,” in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
1. organization, adaptation, or alteration of the information or data,
2. retrieval, consultation, or use of the information or data,
3. disclosure of the information or data by transmission, dissemination, or otherwise making available, or
4. alignment, combination, blocking, erasure, or destruction of the information or data.1598

A “relevant filing system” is any set of information relating to individuals where the set is structured in such a way that specific information relating to a particular individual is readily accessible. The information need not be processed by means of equipment operating automatically in response to instructions given for that purpose, either by reference to individuals or by reference to criteria relating to individuals.1599

“Sensitive personal data” is personal data consisting of information as to:
1. the racial or ethnic origin of the data subject,
2. his political opinions,
3. his religious beliefs or other beliefs of a similar nature,
4. whether he is a member of a trade union,
5. his physical or mental health or condition,
6. his sexual life,
7. the commission or alleged commission by him of any offense, or
8. any proceedings for any offense committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.1600

6D.8.2 Right of Access to Personal Data
An individual is entitled to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller.1601 If personal data are being processed, the individual must be given by the data controller a description of:
1. the personal data of which that individual is the data subject,
2. the purposes for which they are being or are to be processed, and
3. the recipients or classes of recipients to whom they are or may be disclosed.1602
Information about the personal data must be communicated to the individual in an intelligible form, including information about the source of the data.1603

1598 Id.
1599 Id.
1600 Id. § 2.
1601 Id. § 7(1)(a).
1602 Id. § 7(1)(b).
1603 Id. § 7(1)(c).

Where an individual is the subject of data processed automatically for the purpose of evaluating matters relating to him such as, for example, his
performance at work, his creditworthiness, his reliability or his conduct, and the data may constitute the sole basis for a decision significantly affecting him, the individual must be informed of the logic involved in the decision-taking.1604

The data controller need not provide the information unless he receives a request in writing, and a fee, if required.1605 A data controller need not comply with a request to provide information unless he is supplied with enough information to allow him to be sure of the identity of the person making the request and to locate the information that the person seeks.1606

If a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless the other individual has consented to the disclosure of the information to the person making the request, or it is reasonable to comply with the request without the consent of the other individual.1607 Information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request,1608 but the data controller is not excused from communicating as much of the information sought as can be communicated without disclosing the identity of the other individual concerned.1609

In determining whether it is reasonable to comply with the request without the consent of the other individual concerned, the data controller must consider:
1. any duty of confidentiality owed to the other individual,
2. any steps taken by the data controller to seek the consent of the other individual,
3. whether the other individual is capable of giving consent, and
4. any express refusal of consent by the other individual.1610

A person making a request under this section may, in such cases as may be prescribed, specify that his request is limited to personal data of any prescribed description.1611 The data controller must comply with a request promptly, no later than the period prescribed in regulations of the Secretary of State.1612

1604 Id. § 7(1)(d).
1605 Id. § 7(2).
1606 Id. § 7(3).
1607 Id. § 7(4).
1608 Id. § 7(5).
1609 Id.
1610 Id. § 7(6).
1611 Id. § 7(7).
1612 Id. § 7(8).

A court may order
a data controller to comply with a request, on the application of a person who made a request but got no answer.1613 One who suffers damage or distress because the data controller fails to obey the requirements of the Data Protection Act is entitled to compensation from the data controller for that damage.1614 In proceedings against the data controller, it is a defense to prove that he had taken such care as in all the circumstances was reasonably required to comply.1615

6D.8.3 Unlawfully Obtaining Personal Data
One may not knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data or the information contained in such personal data, nor may one procure the disclosure to another person of the information contained in the personal data.1616 Obtaining such data is an offense, and selling the data is a separate offense.1617 Offering to sell such data is an offense if it was obtained as described above, or if, after making the offer, one then obtains the data.1618

However, this does not apply to a person who can show that obtaining, disclosing, or procuring the data was necessary in order to prevent or detect a crime, or if he was required or authorized to obtain, disclose, or procure the data.1619 It also does not apply if the person reasonably believed that he had the right to act as he did,1620 or reasonably believed that he would have had the consent of the data controller if the controller was aware of what he did,1621 or that, under the circumstances, what he did was in the public interest.1622

6D.8.4 The Data Protection Principles (Schedule 1)
Organizations processing personal data (“controllers”) must comply with the eight Data Protection Principles.1623 These principles are presented in the first schedule to the Data Protection Act.

1613 Id. § 7(9).
1614 Id. § 13(1), (2).
1615 Id. § 13(3).
1616 Id. § 55(1). Personal data includes information extracted from personal data. Id. § 55(7).
1617 Id. § 55(3)-(4).
1618 Id. § 55(5). An advertisement indicating that personal data are or may be for sale is an offer to sell the data. Id. § 55(6).
1619 Id. § 55(2)(a).
1620 Id. § 55(2)(b).
1621 Id. § 55(2)(c).
1622 Id. § 55(2)(d).
1623 Legislation: About the Data Protection Act, supra note 2413.

Some of the principles are subject to
further explanations, as described below. The principles, reprinted verbatim, are:1624 1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: (a) at least one of the conditions in Schedule 21625 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 31626 is also met. 2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. 4. Personal data shall be accurate and, where necessary, kept up to date. 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. 6. Personal data shall be processed in accordance with the rights of data subjects under this Act. 7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. 8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. A Fair and Lawful Processing (the first principle) Particularly important in determining whether data is gathered fairly is whether the person from whom it is gathered was deceived or misled as to the purpose of the data.1627 The gathering of data is fair if the person from whom it was gathered was authorized or required to supply it.1628 Data is not “fairly” gathered from a data subject unless the data controller makes sure that the data subject has particular information,1629 specifically:
1624 Data Protection Act, 1998, c. 29, sch.
1625 Schedule 2, described below, deals with the processing of any personal data (as opposed to sensitive personal data). Id. at sch. 2.
1626 Schedule 3, described below, deals with the processing of sensitive personal data. Id. at sch. 3.
1627 Id. at sch. 1, pt. ii, § 1(1) (interpretation of the Principles in pt. I).
1628 Id. at sch. 1, pt. ii, § 1(2) (interpretation of the Principles in pt. I).
1629 Id. at sch. 1, pt. ii, § 2(1)(a) (interpretation of the Principles in pt. I).
CHAPTER 6
1. the identity of the data controller;
2. the identity of the data controller’s representative, if he has nominated one for purposes of the act;
3. the purpose of the data; and
4. any other necessary information in light of the specific circumstances of the data collection.1630
If the data is not gathered from the data subject, the subject must be given the above information before the data is gathered, or as soon as practicable after that time.1631 Variations on this rule apply if the data is to be disclosed to a third party.1632 Timely disclosures to the data subject need not be made if the Secretary of State so provides; or if provision of the information would involve a disproportionate effort; or if recording or disclosure of the data is necessary to comply with some non-contractual legal obligation of the controller.1633 A “general identifier” is an identifier for data, such as an identifying code or number, which relates to an individual, and forms part of a set of similar identifiers that are of general application.1634 Personal data that contains a general identifier, as defined by the Secretary of State, must, in order to be considered fair and lawful, be processed so as to comply with any conditions prescribed for such identifiers.
B Specified and Lawful Purpose (the second principle)
The purpose for which data may be gathered must be contained in a notice given to the data subject by the controller, or in a notification given by the controller to the Information Commissioner under the requirements of the Data Protection Act.1635 In deciding whether the data fits within the purpose, the controller must consider how the data is intended to be treated by a person to whom the data are disclosed.1636
C Accurate and Up-to-Date Data (the fourth principle)
The data controller must take reasonable steps to ensure the accuracy of the data. If the data subject has notified the data controller that the data are inaccurate, the data must indicate that fact.
The principle that data must be
1630 Id. at sch. 1, pt. ii, § (2)(3) (interpretation of the Principles in pt. I).
1631 Id. at sch. 1, pt. ii, § 2(1)(b), (2)(a) (interpretation of the Principles in pt. I).
1632 Id. at sch. 1, pt. ii, § 2(2)(b) (interpretation of the Principles in pt. I).
1633 Id. at sch. 1, pt. ii, § 3 (interpretation of the Principles in pt. I).
1634 Id. at sch. 1, pt. ii, § 4(2) (interpretation of the Principles in pt. I).
1635 Id. at sch. 1, pt. ii, § 5 (interpretation of the Principles in pt. I) (referring to id. §§ 16–26).
1636 Id. at sch. 1, pt. ii, § 6 (interpretation of the Principles in pt. I).
accurate and up-to-date is not violated so long as the preceding conditions are met.1637
D Rights of Data Subjects (the sixth principle)
A controller violates the rights of data subjects in several specific ways:
1. If he fails to supply information to the data subject as required;1638 or
2. If he does not comply after receiving a notice from a data subject that the processing of a subject’s data is likely to cause him unwarranted damage or distress,1639 or fails to respond to such a notice;1640 or
3. If he fails to comply with a notice from a data subject not to process data for the purpose of direct marketing;1641 or
4. If he fails to comply with a notice from a data subject not to make a decision, or to reconsider a decision, based solely on automatic data processing on a matter relating to, for example, the subject’s performance at work, creditworthiness, reliability or conduct;1642 or fails to reply to such a notice as required.1643
E Prevention of Misuse or Loss of Data (the seventh principle)
To the extent possible, the controller must make sure that he takes measures to ensure the data is secure. Such measures should be appropriate for the potential harm of misuse or loss of data, and the nature of the data to be protected.1644 The controller must make sure any employees with access to data are reliable.1645 Where work for the controller is done by a data processor, the controller must choose one who complies with security safeguards.1646 The controller will be deemed not to be complying with the seventh principle unless the data processor does his processing under a contract in writing, under which the processor may act only on instructions from the controller.1647 The contract
1637 Id. at sch. 1, pt. ii, § 7 (interpretation of the Principles in pt. I).
1638 Id. at sch. 1, pt. ii, § 8(a) (interpretation of the Principles in pt. I) (referring to id. § 7, discussed above).
1639 Id. at sch. 1, pt. ii, § 8(b) (interpretation of the Principles in pt. I) (referring to id. § 10(1)).
1640 Id. (interpretation of the Principles in pt. I) (referring to id. § 10(3)).
1641 Id. at sch. 1, pt. ii, § 8(c) (interpretation of the Principles in pt. I) (referring to id. § 11(1)).
1642 Id. at sch. 1, pt. ii, § 8(d) (interpretation of the Principles in pt. I) (referring to id. § 12(1), (2)(b)).
1643 Id. (interpretation of the Principles in pt. I) (referring to id. § 12(2)(a), (3)).
1644 Id. at sch. 1, pt. ii, § 9 (interpretation of the Principles in pt. I).
1645 Id. at sch. 1, pt. ii, § 10 (interpretation of the Principles in pt. I).
1646 Id. at sch. 1, pt. ii, § 11 (interpretation of the Principles in pt. I).
1647 Id. at sch. 1, pt. ii, § 12(a) (interpretation of the Principles in pt. I).
must require the data processor to comply with the same rules that apply to the controller.1648
F International Transfers of Data (the eighth principle)
Whether the level of protection for the transfer of data outside of the European Economic Area is adequate depends on all the circumstances, including:
1. the nature of the personal data,
2. the country of origin of the information contained in the data,
3. the country of final destination of that information,
4. the purposes for which and period during which the data are intended to be processed,
5. the law in force in the country,
6. the international obligations of that country,
7. any relevant codes of conduct or other rules enforceable in that country, and
8. any security measures taken in respect of the data in that country.1649
The Eighth Principle does not apply in certain cases discussed under Schedule 4.1650 Findings by the European Commission on the subject of the adequacy of foreign protections are determinative.1651
6D.8.5 Conditions for the Processing of Any Personal Data (Schedule 2)
Under the First Principle, above,1652 fairness in the processing of personal data requires that at least one of the following conditions be met:
1. The data subject gave consent to the processing.1653
2. The processing is necessary to perform a contract to which the data subject is a party, or to take steps, at the request of the subject, toward entering a contract.1654
3. The processing is necessary for the controller to comply with a legal obligation, other than a contract.1655
1648 Id. at sch. 1, pt. ii, § 12(b) (interpretation of the Principles in pt. I).
1649 Id. at sch. 1, pt. ii, § 13 (interpretation of the Principles in pt. I).
1650 Id. at sch. 1, pt. ii, § 14 (interpretation of the Principles in pt. I) (referring to Id. at sch. 4 (not summarized herein)).
1651 Id. at sch. 1, pt. ii, § 15 (interpretation of the Principles in pt. I).
1652 Id. at sch. 1, Part i, § 1.
1653 Id. at sch. 2, § 1.
1654 Id. at sch. 2, § 2.
1655 Id. at sch. 2, § 3.
4. The processing is necessary to protect the vital interests of the data subject.1656
5. The processing is necessary for the administration of justice, to exercise functions under a statute or as a government officer, or to exercise any other public functions in the public interest.1657
6. The processing is necessary to carry out the legitimate interests of the controller, or of a third party to whom the data are disclosed, unless the processing is unwarranted as prejudicial to the rights and interests of the data subject (the Secretary of State may specify particular circumstances when this condition is satisfied).1658
6D.8.6 Conditions for the Processing of Sensitive Personal Data (Schedule 3)
Under the First Principle above,1659 fairness in the processing of sensitive personal data requires that at least one of the following conditions be met:
1. The data subject has given his explicit consent to the processing of the personal data.1660
2. The processing is necessary for the controller to meet a legal obligation connected with employment (the Secretary of State may add or subtract from this condition).1661
3. The processing is necessary to protect the vital interests of the data subject or another person where consent cannot be given and the controller cannot be expected to obtain consent, or is necessary to protect the vital interests of another person where consent has been unreasonably withheld.1662
4. The processing:
a) is carried out in the course of its legitimate activities by a body or association that is not established or conducted for profit, and exists for political, philosophical, religious or trade-union purposes; and
b) is carried out with appropriate safeguards for the rights and freedoms of data subjects; and
c) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes; and
1656 Id. at sch. 2, § 4.
1657 Id. at sch. 2, § 5.
1658 Id. at sch. 2, § 6.
1659 Id. at sch. 1, Part I § 1.
1660 Id. at sch. 3, § 1.
1661 Id. at sch. 3, § 2.
1662 Id. at sch. 3, § 3.
d) does not involve disclosure of the personal data to a third party without the consent of the data subject.1663
5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.1664
6. The processing is necessary for legal proceedings, to obtain legal advice, or to protect legal rights.1665
7. The processing is necessary to administer justice, or to carry out statutory or other government functions (the Secretary of State may specify particular circumstances when this condition is satisfied).1666
8. The processing is necessary for medical purposes and is undertaken by a health professional or one whose duty of confidentiality is equal to that of a health professional. “Medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.1667
9. Under circumstances specified by the Secretary of State, and with appropriate safeguards, the processing:
a) is of sensitive personal data consisting of information as to racial or ethnic origin, and
b) is necessary for the purpose of promoting racial or ethnic equality, and
c) is carried out with appropriate safeguards for the rights and freedoms of data subjects.1668
10. The personal data are processed under circumstances specified in an order made by the Secretary of State.1669
6D.8.7 Components of the Identity Crime Model That Can Be Prosecuted under Data Protection Act
The Data Protection Act is primarily a means for individuals to control the gathering, accuracy, and use of personal data about themselves. However, criminal penalties are included for certain activities that are relevant to identity crime. Under the statute, the unlawful acquisition of data covered by the act is punishable.1670 It is a further offense to sell data covered by the Data
1663 Id. at sch. 3, § 4.
1664 Id. at sch. 3, § 5.
1665 Id. at sch. 3, § 6.
1666 Id. at sch. 3, § 7.
1667 Id. at sch. 3, § 8.
1668 Id. at sch. 3, § 9.
1669 Id. at sch. 3, § 10.
1670 Id. § 55(1).
Protection Act, or to offer to sell such data;1671 this implicates the transfer or trafficking component of the identity crime model.
6D.9 Conclusion
This survey of laws pertaining to identity crimes reveals a web of statutes aiming to catch identity criminals. The web is wide, and can be used to intercept a wide array of criminal activities. But the statutes are scattered throughout various parts of the criminal law compilations of different countries. Different countries characterize the crime with various terms: identity theft and identity fraud are the main ones, but also such terms as fraud and personation and misrepresentation are used. How does one find the relevant laws, especially when one doesn’t know what they are called? The Identity Crime Model, discussed elsewhere,1672 breaks down the various particular activities involving identity crimes into five major components:
A. Production of an identity document or identity information of a real person, living or dead, or production of an identity document or identity information of a fictitious person
B. Acquisition of an identity document or identity information
C. Possession of an identity document or identity information
D. Transfer or Trafficking in identity documents or identity information
E. Use of identity documents or identity information
Each component is or can be a criminal act. If law enforcement authorities wish to prosecute identity crime, they would be well-served to have statutes that criminalize each of these components. To greater or lesser extents, each nation has statutes that criminalize all five components. However, without the tables presented in this chapter,1673 one would be hard-pressed to determine which statute to use in order to prosecute any particular component. Even in the best-laid scheme – that of Canada – you still need to hunt for the right statute when prosecuting “use” of someone else’s identity;1674 the uses are not grouped with the crimes called “identity fraud” and “identity theft.” The United States was the first country to recognize the problem of identity crime, and passed early legislation to deal with it.
President Reagan signed the
1671 Id. § 55(3)-(5).
1672 See Chapter 3.
1673 See Parts 6A.1.1, 6B.2, 6C.1.1, & 6D.2.
1674 See Canada table, at Part 6B.2.
first statute addressing the problem back in 1982,1675 effectuating a U.S. statute well ahead of that of any other nation. The regime of criminal statutes, supplemented by various civil statutes aimed at either avoiding crime or staunching its effects once it has been committed, has been the model for other nations and international bodies, and has been copied and embellished by individual U.S. states. Nonetheless, statistics show that the statutory scheme and its implementation by law enforcement authorities have been ineffective. Growing numbers of people report that they have suffered from identity crimes.1676 Official statistics show increasing numbers of identity crimes, and “fraud,” which includes identity crimes, has become the third-largest offense category tracked by the Department of Justice (DOJ), after drug and immigration offenses, and surpassing firearms violations.1677 So why aren’t law enforcement officials catching enough criminals to stop the increase in crime? Identity crimes know no borders: most crimes are interstate, and many international, because they involve the transmission of information, which does not reside in any state or nation. Such crimes require communication and cooperation among multiple law enforcement agencies. Yet, the predominant term, “identity theft,” is a misnomer. The narrow slice of criminal activity that could accurately be called “identity theft” covers only one part of the spectrum of activities involved in identity crime enterprises. The one act that could accurately be called “identity theft,” the acquisition of identity information, is not even covered in the main identity crime statute, 18 U.S.C. § 1028. The wide array of identity-crime-related criminal sanctions, which do indeed prohibit acquisition, are spread among many parts of the United States Code.
They are not just in the criminal title (18 U.S.C.), but they are also in the titles on immigration law and the Social Security Act.1678 The statutes, all involving identity crimes, refer to identification document fraud,1679 aggravated identity theft1680 (even though “theft” is just one aspect of the crime), and access device fraud.1681 Aspects of “computer fraud,”1682 “obtaining confidential
1675 See Part 6A2.1.
1676 See Part 6A.1.
1677 Id.
1678 See discussion of 42 U.S.C. § 408 in Part 6A.3.11 (Social Security offenses), and 8 U.S.C. § 1324a(b) in Part 6A.3.9 (use of immigration documents).
1679 18 U.S.C. § 1028 (2006).
1680 Id. § 1028A.
1681 Id. § 1029.
1682 Id. § 1030.
phone records,”1683 “immigration fraud,”1684 and “offenses involving social security cards and numbers,”1685 are all, in reality, identity crimes, which is the preferred term used in this book. Many of the U.S. states also have identity crime statutes, and there is a common factor in the laws of all of the five leading states: All of them refer to the use and/or possession of “personal identification (or identifying) information” and/or “personal identification documents.” (In Texas, it is just “identifying information,” or “sensitive personal information.”) Thus, there is a starting point in state law for a common identity crime regime, revolving around “personal identification.” Additionally, the lists of documents and information that the various states believe should be protected are remarkably similar. Thus, there is a consensus to some extent among states about what information needs the protection of criminal laws. The lack of uniformity, between the federal government and the states, in nomenclature, in classification, and in the elements constituting the crime has consequences. The official DOJ statistics are based on prosecutions of particular crimes, generally, 18 U.S.C. §§ 1028 and 1028A. They do not encompass the many crimes outside those particular statutes that are also identity crimes. Yet, if you were to ask a person whether he or she was the victim of identity crime, as the Javelin Study did, and that person was a victim of a scheme involving the use of her e-mail address under 18 U.S.C. § 1037, or the use of her credit card number as prohibited by 18 U.S.C. § 1029, the victim would likely answer the surveyor that, yes, she had been the victim of identity crime. But the official statistics would not reflect that because it was not identity crime: the crime was e-mail fraud or access device fraud. Various strands of identity crime are pulled together by the “aggravated identity theft” statute, 18 U.S.C.
§ 1028A.1686 The “aggravation” referred to in the title of the bill occurs when “identity theft” is part of a crime involving some other type of fraud, or an immigration crime.1687 Thus, if one uses someone else’s identity in the course of committing a fraud on the bank, the bank fraud penalty will be increased by two years if the perpetrator is also charged under 18 U.S.C. § 1028A(a)(1). The title of the statute, “Aggravated Identity Theft,” makes it seem as though the main crime is identity theft; in reality, the primary crime, bank fraud, is aggravated by the fact that an identity crime occurred. Thus,
1683 Id. § 1039.
1684 Id. § 1546.
1685 42 U.S.C. § 408 (2006).
1686 Discussed in Part 6A.2.2.
1687 The underlying felonies are listed in Part 6A.2.2(c).
1028A might better be called “Aggravated by Identity Theft.” One problem with the statute is that you cannot charge a violation of both 18 U.S.C. § 1028A(a)(1) and the very similar 18 U.S.C. § 1028(a)(7) without violating the Constitution’s double jeopardy clause.1688 Thus, the enhanced penalty under 1028A is not available if the primary crime is charged under 1028(a)(7) – you need two separate criminal acts in order to charge 1028A(7). One might surmise from the above that the U.S. system of identity crime laws is not a “system” at all: it is a jerry-built contraption that law enforcement authorities can use in order to snag criminals, but it is by no means ideal. Within that contraption you’ll find the tools needed, but using those tools requires an intricate instruction manual.1689 One of the problems in the system is that the “means of identification” covered by the various statutes are not uniform. The federal statute is worded broadly, covering any name or number that, either alone or in conjunction with any other information, identifies a specific individual. The statute then goes on to list examples of such information.1690 Meanwhile, state legislatures have kept abreast of the actual items used as means of identification; thus, each state gives a far more comprehensive list of covered documents, encompassing all possible types of “personal identifying information.”1691 Federal lawmakers would be wise to adopt such a list; alternatively, they could look to the type of identification required by state departments of motor vehicles when a person applies for a driver’s license.1692 Another intricacy is that 1028A is a sentencing statute, and it exists alongside federal Sentencing Guidelines, which also provide for enhanced sentences.1693 Should a prosecutor try to get a conviction for an underlying crime and ask for an enhancement under the Guidelines, or should he try to get two convictions, one for the underlying crime and one for “aggravated identity theft”?
Clearly, a
1688 As to violations of the double jeopardy clause when both 1028A(a)(1) and 1028(a)(7) are charged, see Part 6A.2.2(e)(2).
1689 U.S. Criminal Resource Manual, supra note 906.
1690 See Part 6A.2.1(c)(1).
1691 See, e.g., California’s list in Part 6A.5.1(a)(1); New York’s list in Part 6A.5.3(a)(1); Florida’s list in Part 6A.5.4(a)(1); Illinois’s list in Part 6A.5.5(a)(1). Texas’s criminal law listing of means of identification mimics the federal list, see Part 6A.5.2(a)(1), although its listing of personal identifying information in its civil law, see Part 6A.5.2(e), is similar to that of the other states, and includes a further sub-grouping of items of “sensitive personal information.”
1692 See, e.g., New York State Department of Motor Vehicles, Proofs of Identity, Form ID-44 (10/11), available at http://www.dmv.ny.gov/forms/id44.pdf.
1693 See Part 6A.2.1(d)(1)(i).
prosecutor goes for the charge with the biggest potential penalty, but does such a complicated system really promote an understanding of the crime by both prosecutors and potential criminals? Are these laws optimal? A single and simplified statutory framework would clarify the nature of the crime, simplify the work of law enforcement, and make the penalties associated with such crime more certain. It would also make it possible to produce more trustworthy analyses of identity crimes, because all such crimes would be prosecuted under the same statutes. The state statutes discussed above are more comprehensive than the federal scheme, and are easier to understand. They clearly lay out what is illegal, and cover all of the components of identity crime. They agree with each other on certain terminology: some variation of the words “criminal use of personal identifying information” appears in all five statutes, making it easier for officials in one state to talk with those in another. Not only that, but all of the states list specific identification documents that are covered by their statutes. But the statutes do not mesh with the federal statute, even though identity crime is by its nature federal. Worse yet, a term like “aggravated identity theft,” used in the federal statute as a sentence enhancement mechanism for other types of fraud,1694 can mean something entirely different in a state statute. Thus, “aggravated identity theft” in New York enhances the penalty only when the victim of an identification theft is a member of the Armed Forces serving overseas.1695 Same words, different meaning. The state statutes are only applicable to crimes that occur within the state, and not those which occur in more than one state, or in a state and a foreign nation.1696 Thus, the federal statute comes into play in most cases of identity crime, because such crime is by its very nature interstate or international.
Federal authorities are in the best position to make a dent in identity crimes, but they are hindered by the haphazard system of federal and state identity statutes. An overhaul of the federal and state laws is needed in order to make progress in the fight against identity crimes. The federal law must be designed so that it criminalizes all phases of the crime: Production, Acquisition, Possession, Transfer, and Use, following the Identity Crime Model.1697 This is not particularly difficult: Canada has enacted an excellent federal statute, with many elements adaptable to U.S. law. A new statute would use terminology more precisely, so
1694 See Part 6A.2.2(b).
1695 See Part 6A.5.3(a)(1).
1696 For federal jurisdictional issues, see Part 6A.2.1(b)(1).
1697 The Identity Crime Model is the subject of Chapter 3.
that the overall group of laws could be called “Identity Crimes,” and particular aspects of the law would be identified as Identity Theft, or Identity Fraud, or Identity Misuse. The states could be urged to conform their statutes and terminology to the federal law. Or a state model law could be devised by an organization such as the National Conference of Commissioners on Uniform State Laws that picks up on relevant aspects of federal laws but can be tailored to the law enforcement concerns of the states. States could then adopt the model law with variations that state legislators feel necessary for their own jurisdictions. The United States’ law could also be designed as a model for an international convention on identity crimes. International borders are not barriers to the commission of crimes, and international cooperation is required. Such cooperation is difficult when not only do people speak different languages, but their terminology, even when translated, means completely different things. Even if the laws are simplified, made rational, and conform to one another, there is still the matter of making them effective in curtailing identity crimes. These laws are not going to work unless federal authorities recognize the nature of identity crimes and make an all-out effort to stop them. This requires education not only about the laws, but about how identity criminals operate. Everyone knows the simplest ways used to gain access to identification information: rifling through files, digging through trash, obtaining someone’s personal information via e-mail fraud. But the ways and means of criminals are always shifting; thus, a national program must be put in place to promote awareness of identity schemes and devise strategies to combat them. It is known that U.S.
cyberwar experts strategize under the auspices of the Defense Department to prepare for attacks on our electronic infrastructure;1698 similar experts need to gather at the Justice Department to devise new identity crime strategies and disseminate them to law enforcement officials. The national efforts against identity crime cannot stop at law enforcement; prevention is required, and follow-up after an identity crime is essential. The United States is a leader in this effort by providing the Fair and Accurate Credit Transactions Act (FACTA),1699 which places a positive duty upon consumer reporting agencies to respond to consumers’ concerns about possible misuse of
1698 E.g., Glenn Derene, The Coming Cyberwar: Inside the Pentagon’s Plan to Fight Back, Popular Mechanics, http://www.popularmechanics.com/technology/military/4277463 (last visited Dec. 12, 2010); Anna Mulrine, Pentagon: The global cyberwar is just beginning, The Christian Science Monitor, http://www.csmonitor.com/USA/Military/2010/1005/Pentagon-The-global-cyberwar-is-just-beginning (last visited Dec. 12, 2010).
1699 See Part 6A.4.1.
their identity information in committing credit card fraud (access device fraud, in the statutory language). This law makes it much more likely that once such fraud is reported to one consumer reporting agency, all such agencies will be informed, and consumers will be able to rid themselves of the stigma of bad credit histories caused by criminals. FACTA also requires that banks and other creditors look out for instances of identity crimes and that they “Red Flag” suspicious activities. The Red Flag Rules1700 were scheduled to go into effect on December 31, 2010, but have been delayed.1701 They should put a check on identity criminals before they have created havoc. In addition, stricter standards are in effect under the USA Patriot Act for opening accounts at financial institutions, and for ascertaining the identities of persons applying for visas.1702 The federal preventative and restorative measures in place are good ones, but they are limited. Essentially, they only cover information given to financial institutions and any business that gives credit. Their emphasis is well-placed: up to one-third of all identity crimes involve banking or credit. However, the measures do nothing about the two-thirds that do not involve banking or credit. Thus, a broader scope is required, one that takes into account all of the major repositories of personal identity information. The Internal Revenue Service requires that taxpayers produce reams of data to accompany their tax returns. How is that information protected, and what happens if it is stolen and misused? Accountants have access to the same type of data. How are we protected from misuse by them? Employers generate and obtain personal information, and there is no regime to deal with its theft or misuse. Doctors and insurance companies know a great deal of personal information, but the rules do not apply to them. The amount of information handled by institutions other than banks is enormous.
Thus, it is imperative, as suggested elsewhere in this book, that there be Red Flag Rules for every industry and every business that routinely possesses the type of information that could devastate a person if it were to get in the hands of a potential criminal. Canada, which has learned from the United States, has gone the furthest in covering the whole panoply of possible identity crimes. Even though Canada is a large country, divided into about a dozen provinces, criminal law is the
1700 See Part 6A4.1(g).
1701 See Fighting Fraud with the Red Flag Rules, FTC, http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml (last visited Mar. 17, 2011). According to the site, on December 18, 2010, President Obama signed into law the Red Flag Program Clarification Act. The new law, S. 3987, 111th Cong., 2d Sess., limits the circumstances in which creditors are covered by the Red Flags Rule. The FTC is revising the materials on its website to reflect the change in the law.
1702 See Part 6A4.2.
domain of the federal government. Thus, the federal identity crime law has no geographic limitations; there is no need to look to the law of Manitoba or Newfoundland to see what their local legislatures have come up with. Note, however, that provincial privacy laws can override federal law.1703 Canada, unlike the United States, used the terms “identity theft” and “identity fraud,” and specific activities constitute those crimes. “Identity theft”1704 truly consists of stealing identity information; “identity fraud”1705 truly consists of a type of fraud in which a false identity is utilized. Laws pertaining to the creation of identity documents, termed “Production” in the Identity Crime Model, are in a statute entitled “Identity Documents.”1706 Even with such clear-cut guidance from the drafters of the Canadian statute, it is still hard to find one component of the Identity Crime Model, and that is the component of “Use.” As is shown in the table of Canadian law,1707 use of identification information is covered by a broad array of statutes. So, in addition to the section on identity fraud,1708 the general fraud statute1709 may be utilized, or the section on the use of a forged credit card,1710 or the statutes on false pretense crimes.1711 Clearly, the intent of the framers of the identity theft law1712 was that the section entitled “identity fraud” would be the first statute to consult. The Canadian statute is clearer than any other, and it is more comprehensive. Notable are the lists of identity documents and identity information that are encompassed by the law,1713 each of which can be expanded as new forms of information or new documents arise. The lists are comparable to those contained in some of the U.S. state identity crime statutes.1714 Canada also provides an array of non-criminal statutes connected with the identity theft/fraud statute.
The federal Privacy Act,1715 as well as provincial privacy acts, gives Canadians a great deal of control over the information that they disseminate about themselves. The Personal Information Protection and Electronic Documents Act1716 provides businesses with a stringent set of rules as to how they may deal with personal information. It deals with the collection, use, and disclosure of such information.
1703 See Part 6B.1.
1704 Criminal Code, R.S.C. 1985, c C-46 § 402.2 (Can.).
1705 Id. § 402.3 (formerly called “Personation with Intent”).
1706 Id. § 56.1.
1707 See Part 6B.2.
1708 Criminal Code, R.S.C. 1985, c C-46 § 402.2.
1709 Id. §§ 380–387.
1710 Id. § 342(1)(c).
1711 Id. §§ 362–365.
1712 Nancy Holmes & Dominique Valiquet, supra note 1765.
1713 See Parts 6B.3(a)(1), 6B.3(a)(3).
1714 See, e.g., the list of means of identification in the California law, Part 6A.5.1(a)(1), and the list of personal identification documents in the Illinois statute, Part 6A.5.5.
1715 See Part 6B.4.
Australia’s statutory scheme is just one element in its National Identity Security System, which is referred to by the government as “The Strategy.”1717 The Strategy does not just focus on criminal law, or on national law, but crosses all governmental lines, involving all levels of government in efforts to combat identity crimes. The Strategy depends upon a National Document Verification Service which can be used to check whether a particular proof-of-identity document is authentic, accurate and up-to-date. Such a national system is one that can be looked to as an example of an approach to crime that goes beyond just passing and enforcing criminal statutes. The approach is needed in Australia because, for the most part, passage and enforcement of criminal laws is not a function of the central government. Rather, the state and territorial governments must do it.
Australia also has a federal Privacy Act1718 designed to protect “information privacy,” in particular, personal information, including medical records, bank account details, photos, videos, and any other information by which a person is reasonably identifiable.
The analysis of Australian law1719 shows a broad array of statutes that could be used to prosecute identity crimes in Australia, but there are two problems: none are specifically focused on identity crime, and almost all may only be enforced when the “victim” is a “Commonwealth person” or a “Commonwealth computer.”1720 In essence, this means that the statutes may only be used for crimes against the government of Australia. Two of Australia’s states, South Australia1721 and Queensland,1722 have passed comprehensive and coherent identity crime statutes, which can be enforced against crimes in which ordinary people or businesses are the victims.
However, they are limited by the geography of those states, and thus may be ineffective weapons against crimes that are largely interstate and international.
1716 See Part 6B.5.
1717 See Part 6C.3.
1718 See Part 6C.4.
1719 See Part 6C.1.1.
1720 See Part 6C.3.
1721 See Part 6C.8.
1722 See Part 6C.9.
The approach of the United Kingdom is, at present, unfocused. As a center of the international financial community, it is to be hoped that the U.K. will adopt a comprehensive strategy such as Australia’s, combined with a comprehensive statute such as Canada’s. At the moment, the U.K. has only one statute specifically dealing with identity, the Identity Cards Act,1723 centering on a crucial U.K. document issued to each individual. The Identity Cards Act sets up a National Identity Register, and includes criminal penalties not just for crimes involving the official identity card, but also for other designated identity documents.1724 Criminal portions of the act cover the identity crime components of Production, Acquisition, and Possession. Other acts, primarily the Fraud Act and the Forgery and Counterfeiting Act, are required to comprehensively cover all five components of identity crime.1725
The approach taken by the U.K. is to establish a central place where “registrable facts” about a person are stored. The types of information that may be stored are specified. Particular information deemed “sensitive” may not be stored, such as race, religion, and sex life. The approach is to make it possible for a person to have complete control of his or her identity, and make the repository a severely restricted area accessible only under the most stringent controls. There have been problems in implementing the system,1726 but it is noteworthy for being a serious governmental approach to the issue of identity theft. It is questionable whether such a system would work in many countries where the citizens have an overriding distrust in any central governmental repository.
It is in the light of the legislative efforts of these four countries, as well as fledgling efforts by other nations and by international bodies, that this book makes recommendations for an international treaty and further national legislation on identity crime. The world needs standard definitions such as those provided by Canada, Australia, and by some U.S. states. An international convention is needed so that the laws can be enforced globally.
Laws throughout the world must cover the five components: acquisition, production, transfer, possession and use. International studies are needed to assess the true impact of identity crimes. Better identification documents (such as the U.K.’s identity card) and tools (as discussed elsewhere in this book) are essential to making progress against identity criminals. And systems must be adopted so that identity, if it is stolen, can be efficiently restored to its true owner. The statutory schemes discussed in this chapter are just one part of the solution.
1723 See Part 6D.3.
1724 See Part 6D.3.1.
1725 See analysis in Part 6D.2.
1726 See Part 6D.3.
Chapter 7
Identity Crime Prevention and Impact Minimization Strategy
Introduction
The number of identity-related crimes continues to rise, but there are techniques and tactics available to prevent identity theft. Businesses, consumers, and governments all have a stake in preventing identity crime. While this chapter focuses on what business organizations can do to prevent identity crime, there are nevertheless a number of steps that should be taken by governmental bodies as soon as possible to deal in larger terms with the identity crime problem.
First, as made explicit in Chapter 2, there must be a standard definition of “identity crime.” As described in Chapter 5, a range of international bodies have looked at the problem, but there has been little movement toward agreement on a standard. Once such a definition exists, the language used to describe and prosecute identity crimes should be standardized internationally. Only after prosecutors speak the same language can they cooperate and successfully prosecute identity crimes.
Second, the standards adopted by all nations must encompass the five primary components of identity crime, as reflected in the Identity Crime Model.1 Acquisition, production, transfer, possession, and use must each be criminalized. The Identity Crime Model assists in understanding identity crimes, evaluating solutions to them, and developing instruments to prevent, prosecute, and recover from identity crimes.
Third, governments and businesses must conduct identity crime impact assessments to better understand the true cost of identity crime. They need to follow an identity-crime-specific approach to decide upon the right strategies to prevent identity crime,2 and engage in threat agent assessment and analysis3 to determine where resources should be spent, and how many resources, to best handle the problem. This chapter suggests ways this can be done effectively.
In this connection, governments, in cooperation with the business community, must develop identification documents and tools that allow real-time authentication and verification of personal identity information and documents. It is possible to develop a fraud-proof means of identification that can be used for both online and offline identity. Once such a means of identification is established, it can be protected through better safeguards, tougher legislation, and a higher prosecution rate.
This chapter does not suggest that various methods of identity crime prevention have never been advanced. Actually, a number of prevention methods have been recommended by others. The methods range from consumer education to information management to technical solutions specific to the computer environment. Some methods require government action through legislation or law enforcement avenues, and still others reflect the international nature of identity-related crimes. Other prevention methods include strong user authentication in computer systems, development of business policies to address identity crime, content and identification management, gathering and sharing relevant information among stakeholders, consumer education, the creation of partnerships between public and private entities, international cooperation in both policy and actions, and criminalization, or treating identity crime as a crime and punishing its perpetrators accordingly. But these efforts, while laudable, are uncoordinated and do not go far enough in developing a strategy to prevent identity crime.
It is therefore appropriate to create a broader framework or model that can be used to evaluate the various prevention strategies. Instead of simply providing another list of methods, of which there are already a large number, evaluating these methods to determine which offer the highest success rates is a useful exercise. After evaluating the methods and finding the best among them, organizations in the public and private sectors can move on to implementation. This chapter attempts to provide real tools to aid governments and businesses with real solutions to preventing identity crimes. Specifically, the Identity Crime Model Approach (IDCMA), explained in this chapter, should be used when evaluating and constructing different identity crime prevention and impact minimization strategies.
1 Illustrated in Chapter 3, and discussed throughout this book. The Identity Crime Model is essential to an understanding of identity crimes and for evaluating and developing different legal instruments for preventing, prosecuting and recovering from identity crimes. This model is used for conducting a study of the identity crime schemes of four countries.
2 Such strategies as the Identity Crime Model Approach (IDCMA) and the Identity Crime Threat Agent Approach (IDCTA) are discussed in Chapters 3 and 4.
3 Discussed in Chapter 4.
© Koninklijke Brill NV, Leiden, 2020 | DOI:10.1163/9789004395978_008
7.1 Proposed Approaches to Identity Crime Prevention
There are many crime prevention models and approaches, but few are entirely suitable for use in regard to identity-related crimes. Approaches such as the situational prevention approach, the victim-centric prevention approach, and crime prevention through environmental design have been given considerable attention by experts in the criminal justice profession. The intention here is not to analyze the various crime prevention approaches, but instead, to present crime prevention and impact minimization concepts that are specifically meant for application to identity-related crimes. The basic approach is the Identity Crime Model Approach (IDCMA), but equally valuable is an understanding of the threat agents discussed in Chapter 4 and referenced again in this chapter.
Currently, there is no specific framework for developing a methodological approach to preventing and reducing the impact of identity-related crime. Numerous recommendations for prevention have been made by governments, non-profit and for-profit organizations, NGOs, law enforcement authorities, and academics, but their recommendations have not been based on prevention approaches that address the unique elements of identity-related crimes. Many of the recommended approaches are relatively narrow in scope, focusing, for example, on the victim of a crime. The problem with this type of approach is that a single identity crime may impact multiple stakeholders and victims. If an individual is impacted by the fraudulent use of his/her credit card, inevitably the credit card issuer is affected as well, and if the individual or business files a complaint with a law enforcement agency, the costs of investigating, prosecuting, and incarcerating the criminal must be borne directly by the government and indirectly by taxpayers and society in general.
Another problem is that the victim of an identity-related crime may be repeatedly impacted; personal information and documents obtained by identity criminals may be used to commit the same type of crime over and over. Criminals may commit different identity-related crimes using the same information, or they may even put that information up for sale to other criminals who will use it in additional identity crimes.
The approaches presented here can be used to develop a cohesive plan for identity crime prevention and impact minimization strategies. Unlike approaches recommended elsewhere, the approaches presented here focus on the subsequent techniques that should be developed to prevent the use of identity information and/or documents acquired during the initial crime. This crime-centric approach emphasizes prevention, the actual commission of the crime, and the perceptions of the criminal in regard to the crime. Table 1, at the end of this chapter, presents an opportunity for individuals, businesses, or governments to use the Identity Crime Model Approach (IDCMA) to identify the various methods that might be used in their particular circumstances to prevent identity crime.
7.1.1 Approach based on the Identity Crime Model (IDCMA)
This approach is based on the following five components: Acquire, Produce, Transfer, Possess, and Use. These components are used to develop a prevention and impact minimization strategy. The primary goal of this approach is to focus on developing a strategy that will prevent the acquisition of identity documents or information, and if criminals succeed in obtaining that information, prevent the information or documents from being manipulated, transferred, trafficked or used in any other way for financial gain. If identity criminals cannot use stolen documents and/or information, these are useless to them, and they will have less motivation to commit the crime again.
7.1.2 Utilizing the Identity Crime Threat Agent Assessment
In addition to using the IDCMA described above, those performing an overall threat assessment might also identify threat agents (see Chapter 4) as part of a prevention/minimization strategy. This approach will succeed if all the threat agents are comprehended and if an overall strategy to minimize these threats is created. Threats are indications of possible trouble, and to deal with threats, it behooves the potential victim of identity crime to take whatever advance action might deter the criminal from committing the crime. A threat assessment offers a way for individuals and organizations to define, analyze, and understand the threats that apply to their particular activities. For example, a threat assessment can uncover the vulnerabilities in a credit-card processing system that allow for its exploitation by identity criminals.
An effective assessment will lead to the creation of countermeasures to protect vulnerable areas from being exploited.4 An important factor to consider when developing this strategy is that the different threat agent variables are dependent upon one another. For example, if the probability of apprehension is increased (or even if the perception of apprehension is increased), the imposition of harsher penalties will be more effective in deterring criminals.
Threat assessment involves a determination of threats related to vulnerabilities of identity crime victims and the capabilities of criminals. It should also consider the cost/benefit of any approach designed to harness and control identity crime. If the cost of a program aimed at reducing the risk of a crime is high, but the variable targeted has a very low rate of occurrence or a minimal loss impact, the program may not be as effective in reducing real crime rates as one that addresses a high-loss variable that occurs frequently. And if potential losses related to a particular threat agent are low while costs are high, it may not be worthwhile for organizations to take any action to reduce or prevent the threat.
4 Discussed in Chapter 4.
7.2 Developing an International Identity Crime Treaty
Chapter 5 addressed the need for international approaches to dealing with identity crime. It was suggested there that governments at every level around the world are struggling to deal with the way in which identity-related laws are often 1) inadequate to effectively prosecute criminals, and 2) lacking in coordination with identity crime laws in other jurisdictions, thus making it difficult to work cooperatively with law enforcement officials in those jurisdictions that are simultaneously affected by the same crime. Chapters 5 and 6 applauded the progress being made in many countries and various regional political bodies such as the European Union to address identity crime. However, it was suggested that these developments fall short of the need for the greater international community to develop guidelines that will universalize methods of dealing with identity crime. Thus there needs to be an international treaty that presents common rules and guidelines to deal with identity crime. Chapter 9 discusses this need in more detail and presents a draft of such a treaty.
7.3 Developing Identity Information and Documents with Real Time Authentication and Verification
One strategy to reduce identity crime is to make it more difficult for criminals to misuse the data or documents they obtain illegally. Consider, for example, the matter of social security numbers. Criminals are frequently looking for ways to obtain social security numbers since these numbers are crucial to enabling them to pose as someone else and then access assets of the real owner of the number. Systems can be put in place to ascertain whether a person using a social security number is in fact the real owner of that number. The purpose of such a system would be to authenticate the person seeking to use the social security number; it would help to verify that the user is really the owner of the number. Likewise, if a company assigns passwords to its employees to enable them to access computer databases, a criminal could steal important information if he could obtain a password. Authentication techniques could be put in place to ensure that a criminal could not access the database even with someone’s password. Similar authentication measures could be put in place to authenticate passports, national identity cards, birth certificates, drivers’ licenses, and other important documents.5
Australia already has in place sophisticated authentication procedures for checking the use of birth certificates, credit cards, identification cards, and the like. The owner must provide additional information that only the owner has access to; if the criminal cannot supply that information, then the criminal can be easily detected. This additional required information is sometimes referred to as a two-factor system. Other countries should follow suit.
The second step in identity authentication is verification, which determines if the data provided by an individual belong together. This might involve simply checking two documents against one another, for example a credit card and a driver’s license to determine if the names and addresses support one another, or it might involve searching through multiple databases to determine the accuracy of the data.
7.4 Authentication
One of the initial ways to address identity-related crime is to reduce the opportunities provided to criminals to misuse the information they manage to steal. Systems designed to prevent identity fraud typically use a two-part process. The first part determines an individual’s identity at the beginning of a relationship, and the second ensures, later on, that a given individual is the same person who enrolled. The first part of the process is called identification, while the second part is known as authentication.6
Authentication is used to ensure that the persons accessing information on a computer system are allowed to do so. It may involve the use of passwords, codes, specific questions for users, biometrics, and/or other technology. Since businesses and governments rely heavily on data stored in computer databases, controlling access to sensitive information is critical. Automated systems perform a wide variety of essential functions, and it is important to acknowledge their limitations and vulnerabilities so that steps may be taken to implement appropriate protective policies and actions.7
Most businesses use single-factor authentication, which means that a user needs only a single password to access online information.8 By using two-factor authentication, the security of information is improved, and the danger to sensitive information is lessened. Banks have started to use multi-factor authentication with customers who access their accounts online. Multi-factor authentication makes it harder for an unauthorized person to pose as the legitimate holder of an account. An example of multi-factor authentication is a debit card, which requires a user to have the actual, physical card and the personal identification number (PIN) in order to access the account.9 In the online banking environment, multi-layered authentication requires several login names, passwords, or other devices/knowledge to obtain access to high-risk transactions and sensitive data. This approach may ask several additional security questions or more passwords as transactions increase in risk.10 Experts recommend that organizations use only multi-factor authentication with personnel or customers who may access their information remotely.11
User authentication has become the focus of attention because of the threat of identity crime. The Federal Financial Institutions Examination Council (FFIEC) in the United States has imposed a mandate on banks and other depository institutions to improve their user authentication policies. The Securities and Exchange Commission (SEC) is also examining how the investment industry is handling the authentication issue. In 2007, 95 percent of U.S. banks were compliant with the FFIEC mandate, and online fraud decreased by 30–40 percent between 2006 and 2007 as a result of the government-provided guidelines on authentication.12
Financial firms have seen the benefits of using multi-layered authentication in their online transactions, as well. In a survey of financial institutions and brokerages, stronger log-in authentication that used measures beyond usernames and passwords was found to be a “very important” security feature of the business for 94 percent of the respondents.13
The Canadian government is in the forefront of developing principles for authentication and has formed a working group comprising representatives from industry, consumer organizations, and various levels of government to develop and review these principles.14
In the United States, social security numbers are often used to link consumers with their personal records, including those holding credit information. The numbers are also used frequently as part of the authentication process because this is convenient. However, businesses must balance convenience against the ease with which identity criminals may impersonate legitimate customers. Developing authentication methods that do not rely on the use of social security numbers would help to prevent numerous identity-related crimes.15
5 See Tim Mullen, Tweaking Social Security to Combat Fraud (Feb. 13, 2008), http://www.securityfocus.com/columnists/465.
6 The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan 42 (April 2007), available at www.idtheft.gov/reports/StrategicPlan.pdf.
7 International Review of Criminal Policy, United Nations Manual on the Prevention and Control of Computer Related Crime, United Nations Crime and Justice Information Network, http://www.uncjin.org/Documents/EighthCongress.html (last visited Feb. 14, 2012).
8 Canadian Internet Policy and Public Interest Clinic (CIPPIC), Policy Approaches to Identity Theft 16 (CIPPIC ID Theft Series, Working Paper No. 6, May 2007) [hereinafter “CIPPIC, Policy Approaches”], available at http://www.cippic.ca/sites/default/files/bulletins/Policies.pdf.
9 CC Pace, Risk Assessment Executive Overview 6 (2009), available at http://www.ccpace.com/Resources/documents/RiskAssessmentExecOverview.pdf.
10 Id.
11 U.S. G.A.O., Information Security: Protecting Personally Identifiable Information GAO-08-343, at 2–3 (Jan. 2009), available at www.gao.gov/new.items/d08343pdf.
7.4.1 Real-Time Authentication at Credit Bureaus
It is easy for identity criminals to use a copy of an individual’s credit report to learn what accounts a victim may have and to learn about a victim’s financial history. They can either request the report directly from a credit bureau or obtain it through a third party, such as a mortgage broker. One way to prevent identity crime, therefore, is to make it more difficult for identity criminals to get a credit report. Credit bureaus and other relevant agencies should keep a record of who receives a report, retaining information about them in a central database. Additionally, all credit bureaus should only display the last four digits of an account number when pulling a report.
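The two recommendations just made, recording who receives a report in a central database and showing only the last four digits of each account number, are sketched below in Python. This is an added example, not code from the book or from any credit bureau; the table layout, function names and sample report are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timezone

VISIBLE = 4  # the text's recommendation: show only the last four digits

# Constructed sample report; the consumer, creditors and numbers are invented.
SAMPLE_REPORT = {
    "consumer_id": "C-001",
    "accounts": [
        {"creditor": "Example Card Co.", "account_number": "4111 1111 1111 1234"},
        {"creditor": "Example Store", "account_number": "00-9876-5"},
        {"creditor": "Example Utility", "account_number": "8842"},
    ],
}


def mask_account_number(raw, visible=VISIBLE):
    """Mask all but the last `visible` characters of an account number.

    Separators are dropped so the grouping of the original is not exposed.
    A number no longer than `visible` is masked completely, because its
    "last four" would be the whole number.
    """
    chars = [c for c in raw if c.isalnum()]
    if len(chars) <= visible:
        return "*" * len(chars)
    return "*" * (len(chars) - visible) + "".join(chars[-visible:])


def open_disclosure_db(path=":memory:"):
    """Open the central record of who has received which consumer's report."""
    db = sqlite3.connect(path)
    db.execute(
        """CREATE TABLE IF NOT EXISTS disclosures (
               id           INTEGER PRIMARY KEY,
               consumer_id  TEXT NOT NULL,
               recipient    TEXT NOT NULL,
               channel      TEXT NOT NULL,   -- 'direct' or 'third party'
               purpose      TEXT NOT NULL,
               disclosed_at TEXT NOT NULL)"""
    )
    return db


def pull_report(db, report, recipient, channel, purpose):
    """Log the disclosure, then return a masked copy of the report.

    The log entry is committed before anything is returned, so a report
    cannot be released without a record of who received it.
    """
    if channel not in ("direct", "third party"):
        raise ValueError("unknown channel: %r" % channel)
    if not recipient.strip() or not purpose.strip():
        raise ValueError("recipient and purpose are required")
    with db:  # commits on success, rolls back on error
        db.execute(
            "INSERT INTO disclosures "
            "(consumer_id, recipient, channel, purpose, disclosed_at) "
            "VALUES (?, ?, ?, ?, ?)",
            (report["consumer_id"], recipient.strip(), channel,
             purpose.strip(), datetime.now(timezone.utc).isoformat()),
        )
    # Build new dicts so the stored, unmasked report is never modified.
    masked = [dict(a, account_number=mask_account_number(a["account_number"]))
              for a in report["accounts"]]
    return dict(report, accounts=masked)


def recipients_of(db, consumer_id):
    """List everyone who has received this consumer's report, oldest first."""
    rows = db.execute(
        "SELECT recipient, channel, purpose FROM disclosures "
        "WHERE consumer_id = ? ORDER BY id",
        (consumer_id,),
    )
    return rows.fetchall()


if __name__ == "__main__":
    db = open_disclosure_db()
    out = pull_report(db, SAMPLE_REPORT, "Example Mortgage Brokers",
                      "third party", "mortgage application")
    for acct in out["accounts"]:
        print(acct["creditor"], acct["account_number"])
    print(recipients_of(db, "C-001"))
```
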
At the present time, for example, a credit report from TransUnion includes complete account numbers, which identity criminals can use to ask the credit card company to change the address on the account. Once the address has been changed, criminals can report the card as lost, and again using the account number, take out a new credit card at a new address. Or an identity criminal can simply ask for a new card and check the mail at the victim’s address after three days to see if the new card has arrived. Identity criminals can also use the account number on a credit report to order balance transfer cards.
12 Digital Resolve, How Securities and Brokerage Firms Fight Online Fraud and Identity Theft 3 (n.d.).
13 Id. at 4.
14 Information Security, supra note 2560, at 3.
15 Combating Identity Theft, supra note 2555, at 43.
7.5 Business Policies
Businesses face staggering costs from fraud, much of it associated with e-commerce. In 2007, this kind of fraud represented an estimated $9.25 billion, and the cost of managing fraudulent activities was estimated at 300 percent higher than that total.16 It is clear from these numbers that organizations must consider the return-on-investment when implementing policies designed to prevent or control the rate of identity-related fraud.
7.5.1 The Business Physical Plant
Essentially, the protection of sensitive identity information is a function of risk management. All businesses require specific policies that define restricted areas in both physical and cyberspace. The tangible assets in the physical plant that require protection include computer equipment and supplies, media libraries, data preparation areas, and the physical site.17 Physical plants and electronic data processing facilities must be protected, through initial design and site planning, from access by unauthorized persons and from eventualities such as power outages, floods, fires, and other disasters.18 And because of the close relationship of the physical, environmental, and hardware environments in which computer systems operate, policies regarding traditional security personnel and computer systems should be strengthened during the planning stages for new data processing facilities.19 Additionally, all physical plants must implement consistent policies to require checking the identification of the employees and service personnel who enter restricted areas to ensure their legitimacy.20
16 Digital Resolve, Fraud Prevention for Online Merchants and Building E-Confidence for Online Customers, at 2 (Digital Resolve White Paper, n.d.).
17 International Review of Criminal Policy, supra note 2556.
18 Id.
19 Id.
20 Heith Copes & Lynne Vieraitis, U.S. Dept. of Justice, Identity Theft: Assessing Offenders’ Strategies and Perceptions of Risk 7 (July 2007), available at www.ncjrs.gov/pdffiles1/nij/grants/219122.pdf.
7.5.2 Document Management
One of the simpler methods businesses can use to prevent identity crime is to implement effective document management programs. Many organizations collect personal information for which there is no real need, and they keep it because data storage has become cheaper than in the past. However, storing unnecessary information only makes these organizations vulnerable to identity crime. By using the principle of data minimization, companies can protect themselves from potential identity crime disasters. Data minimization involves retaining only the data connected to a necessary business process, not collecting sensitive information that is not necessary, and eliminating data that is no longer linked to a required process.21 Effective data management also means reducing the number of places – both electronic and hard-copy formats – in which data is stored. Data minimization policies should be reviewed on a yearly basis.22 It is also important to minimize the access that employees and clients have to sensitive identity information and to create written security policies applying to document management and disseminate them to all employees.23 Ensuring that documents are disposed of properly is another aspect of effective document management.24
Business organizations should study the best practices of other entities and follow them when implementing policies to secure personal records. Businesses need to be aware that they are responsible for protecting employee and client records. Concerns that following security practices will have a negative impact on the corporate bottom line are sometimes difficult to overcome, however.25
The Federal Information Security Management Act of 2002 (FISMA) governs the security of information handled by the federal government in the United States. It takes a risk-based approach to managing security and defines the federal rules regulating the protection of information and information systems used in support of the assets and operations of federal agencies. FISMA requires agencies to create risk-based policies that reduce security risks in the information environment to an acceptable level in a cost-effective manner. It also requires the National Institute of Standards and Technology (NIST) to create technical guidelines in specific areas.26 Subsequently, NIST has developed standards for securing data at appropriate risk levels. These standards provide guidance on the kinds of information and data systems that should be included in the risk categories. In connection with the NIST guidelines, the U.S. Office of Management and Budget (OMB) emphasized the responsibilities of federal agencies under the law, with a special focus on personally identifiable information.27 The OMB requires, for example, that in addition to following the NIST guidance, agencies use data encryption on mobile devices and create a core management group to respond to any breaches in security that involve personally identifiable information.
21 Alan Brill & Troy Allen, Identity Theft: How Companies–and Consumers–Can Protect Themselves, Marsh and McLennan Companies, https://web.archive.org/web/20100520040144/http://www.mmc.com/knowledgecenter/viewpoint/archive/brill2006.php (last visited Feb. 14, 2012).
22 Id.
23 Thomas R. Duxbury, Identity Theft Still Victimizes 9–10 Million People per Year, Identity Theft Excerpts from the Advisor, in Nat’l Ass. for Bank Security, Identity Theft 5–8 (n.d.), available at http://www.banksecurity.com/advisor_new.shtml.
24 Copes & Vieraitis, supra note 2569, at 49.
25 Graeme R. Newman, U.S. Dept. of Justice, Office of Community Oriented Policing Services, Identity Theft 43 (June 2004), available at http://www.cops.usdoj.gov/files/ric/Publications/e05042360.pdf.
7.5.3 Identity Management Policy
Identity management represents an additional aspect of document management for organizations. The business community in Canada has adopted effective practices for securing personally identifiable information that include encrypting the data both in storage facilities and while it is in transit.28 Fraud detection software and online security programs have been implemented by some companies, including Visa Canada, while some computer manufacturers insert chips that assign permanent and unique identifiers to each machine before it leaves the factory, and laptops are being constructed with built-in encryption.29 Technical measures such as these form the core of identity management solutions.
Additionally, businesses are devising strategies to minimize the identity crime risk posed by the identity-related information that e-commerce transactions require.30 The creation and implementation of organizational guidelines and rules governing the security and management of identity data address the concerns
26 Information Security, supra note 2560, at 3.
27 International Review of Criminal Policy, supra note 2556.
28 CIPPIC, Policy Approaches, supra note 2557.
29 Id.
30 Marco Gercke, Legal Approaches to Criminalize Identity Theft, in United Nations Office of Drugs and Crime, Handbook on Identity Related Crime 2 (2011), available at http://www.unodc.org/documents/treaties/UNCAC/Publications/Handbook_on_ID_Crime/10-57802_ebooke.pdf.
CHAPTER 7
of private-sector businesses in regard to potential identity crime risks. At the end of the guideline development process, many organizations institute two-factor authentication procedures for transactions performed over the phone or via computer. Companies have also started to send dual confirmation of customers’ changes of address, limit access to non-public information to key personnel, monitor external websites on a regular basis for questionable practices, and periodically audit their protection systems for effectiveness. Additionally, businesses provide educational materials about identity crime on their corporate websites.31

7.5.4 Employee Policy

Businesses can develop policies to address the risk of identity crime associated with employees. About 33 percent of identity criminals use their jobs to commit their crimes.32 They may work in government agencies or businesses that have access to credit card or social security numbers. Employers can make it harder for offenders to steal this information by requiring authentication to access the data.
For example, banks may require passwords every time an individual wants to withdraw money, even when they do so in person.33 Clear definition of individual employee security duties and the appropriate assignment of security responsibilities among employees can help control the risk of identity crime by organization personnel.34 By conducting thorough background checks on potential employees, limiting the number of employees who have access to sensitive identity information, and creating a positive work environment that decreases workers’ motivation to engage in activities like theft against the organization, employers can reduce the incidence of identity-related crime.35 Providing information to employees about the actual consequences identity crime has on victims is often useful in dissuading potential criminals from acting on their ideas.36 To be proactive in regard to fraud inside an organization, a team of internal stakeholders is required. These employees should be recruited from security,
31 Combating Identity Theft, supra note 2555, at 32 (“Implementation of Data Security Guidelines and Rules, ‘Strategic Plan,’ Section iii of A Strategy to Combat Identity Theft”).
32 Copes & Vieraitis, supra note 2569.
33 Id.
34 International Review of Criminal Policy, supra note 2556, at 2.
35 Copes & Vieraitis, supra note 2569, at 7–8.
36 Id. at 8.
customer service, information technology, operations, and risk management departments.37

7.5.5 Risk Management Policy

Effective risk management policies require organizations to consider the types of information systems needed to meet federal guidelines and to create plans and processes to ensure that operations regarding installed information systems have continuity over time.38 Businesses must also create procedures to identify security risks, implement communications controls, ensure the security of computer hardware and software, and clearly designate restricted areas.39 Communications threats can be addressed by using electronic screening technology, filtering encryption, or terminals designed for specific purposes. The complex nature of communications systems means that every system’s security must be considered on a case-by-case basis, however.40

Another element of an effective risk management policy involves the creation and testing of a disaster recovery plan,41 and the yearly testing and evaluation of how effective information security measures really are. For U.S. federal agencies, such testing includes examining management, operational, and technical controls applied to all systems described in an organization’s inventory of major IT systems.42

Sometimes very simple actions have a strong impact. For example, companies can develop safer processes for changing mail addresses and/or redirecting mail to a second address. Doing so has been shown to significantly reduce the potential for identity crime.43 Monitoring and analyzing the use of transactions relating to identity may help to identify suspicious actions by users.44 There should also be procedures in place to detect, report, and respond to breaches of security.45

37 Proactive Approach to Fraud Prevention, brochure (pdf), http://www.philadelphiafed.org/pcc/consumer/index.html (accessed Feb. 14, 2012) (on file with author).
38 Information Security, supra note 2560, at 10–11.
39 International Review of Criminal Policy, supra note 2556, at 60.
40 Id.
41 Duxbury, supra note 2572.
42 Information Security, supra note 2560, at 2–3.
43 U.N. Secretary-General, Comm’n on Crime Prevention and Criminal Justice, International Cooperation in the Prevention, Investigation, Prosecution, and Punishment of Fraud, the Criminal Misuse and Falsification of Identity and Related Crimes [Draft 1 Short Version], 48, U.N. Doc. E/CN.15/2007/8 (2007) [hereinafter “U.N. Draft 1 Short Version”], available at https://www.unodc.org/unodc/en/organized-crime/identity-related-crime.html.
44 Gercke, supra note 2579, at 2.
45 Information Security, supra note 2560, at 2–3.
While there has been considerable publicity concerning mass hacker attacks to steal thousands of credit card numbers or social security numbers, it is useful to remember that many of the greatest weaknesses in business systems do not involve sophisticated technology. For example, large losses have accrued to corporations through the theft of backup tapes, either while they were in transit to physical storage locations or while they were in the care of a storage facility vendor.46 Current best practices require that backup tapes be encrypted. Additionally, any shipper, vendor, or offsite storage facility must be held to the same security standards as the business using their services, particularly if the parties are located in different countries. To this end, risk managers should be involved in assessing contracts and insurance arrangements with vendors.47

A recent case illustrates the importance of examining all vendor contracts closely. The case involved the actions of a British reporter who visited India and purchased sensitive, confidential personal information on citizens of the United Kingdom from a call-center outsourcing company there. Indian law did not clearly categorize this action as a crime, nor was it common to conduct background checks on employees at such companies in India.48 To address situations like this, some vendors have pursued accreditation under recognized global standards like ISO 17799. Businesses may also use the services of a security assessment firm that will conduct onsite reviews.49

Monetary transactions represent a substantial segment of online activity. Merchants want to improve their order acceptance rates while reducing fraud and identity-related crime without paying large fees for order verification and chargebacks.
According to a recent global survey of over 300 online merchants, using IP intelligence and its geo-location capabilities was one of the most effective tools for battling online fraud.50 Geo-location technology can automatically provide the geographic location of the computer from which an order for goods or services was placed, offering additional information that can be used with other order data and rules of acceptance to help in determining the risk of fraud associated with the specific transaction.51
46 Brill & Allen, supra note 2570, at 36.
47 Id.
48 Id. at 37.
49 Id.
50 Fraud Prevention for Online Merchants and Building E-Confidence for Online Customers, supra note 2565.
51 Id.
7.5.6 Risk Management in Identity Determination

The task of determining a person’s identity can be a simple matter of matching a driver’s license and a credit card to check if the name and address on both documents are the same. However, it has become increasingly easy for identity criminals to obtain such documents over the Internet, from criminals who counterfeit them, or by using a fraudulent document to acquire a driver’s license or credit card in a false name. Therefore, other means must be applied to determine a true identity.52

Validation is the first step in information-based identity authentication, and while it represents the lowest level of risk management, it determines whether the identifying data presented by an individual are real and follow an established format. For example, if a person provides a social security number that begins with 040, a number issued in Massachusetts, and says that he was born in California, further investigation is needed.53

The second step in information-based identity authentication is verification, which determines if the data provided by an individual belong together. This involves searching through multiple databases to determine the accuracy of the information. If there are discrepancies found in the database search, additional analysis is required. Using more comprehensive databases has a higher cost, however, so risk must be balanced with the expense.54

Finally, authentication represents the third level of the information-based identity authentication process. The chief element of authentication is a “modeling and scoring engine” that helps in determining the probability that a claimed identity is a real one. An identity decision engine determines the authenticity of an identity on the basis of variables such as:55

A. Existing records for that identity (validation)
B. Consistency of internal codes (validation)
C. Given identifier combination across databases (verification)
D. Name
E. Name variation/spelling
F. Known aliases
G. Address
H. Phone number
I. Social Security Number
J. Immigration status
K. Date of issue

However, the authentication process presents challenges, since the information required to predict the authenticity of an identity could easily involve multiple databases, some of which are available only from international sources. This presents a significant problem for individuals who claim to be citizens of foreign countries.56

7.5.7 Technical Solutions

Advances in computer technology have had a beneficial effect on identity-crime management solutions. Investing in technology, as recommended by the U.S. Department of Justice,57 and implementing system-wide standards to promote consistency in digital environments can help businesses prevent the theft of sensitive information.58 While consumer education is generally believed to represent the first and best defense against identity-related crime, others believe that consumers should not be the “first line of defense”59 since identity crime does not begin with an action performed by the consumer. The best place to stop identity crime is in the business community.

Author Gregory Kipper notes the availability of a new program known as Graph Theoretic Anomaly Detection (GTAD). This program finds unusual patterns on the basis of identity data elements that are listed on an application form. These elements include name, address, telephone number, and social security number. The graphic patterns found are then categorized as “likely legitimate” or “high-probability frauds.” The fraudulent anomalies discovered by GTAD are used by businesses and the Identity Crime Resource Center to develop analytic scores that evaluate the risk of identity crime.60

52 Gary R. Gordon et al., Identity Fraud: A Critical National and Global Threat: A Joint Project of the Economic Crime Institute at Utica College and LexisNexis 30 (2003), available at http://www.utica.edu/academic/institutes/ecii/publications/media/identity_fraud.pdf.
53 Id.
54 Id.
55 Id.
56 Id.
57 U.S. Dept. of Justice, Office of Community Oriented Policing Services, A National Strategy to Combat Identity Theft 44 (May 2006), available at www.cops.usdoj.gov/files/ric/Publications/e03062303.pdf.
58 Duxbury, supra note 2572.
59 Gregory Kipper, Wireless Crime and Forensic Investigation 38 (2007).
60 Id.
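The three steps of information-based identity authentication described in section 7.5.6 (validation, verification, authentication), written out as an added Python example that is not from the book or its sources. The record sources, the sample claims, the name-similarity cutoff and the accept/refer thresholds are constructed assumptions; the validation step checks only format and the number ranges the Social Security Administration has never issued.

```python
import re
from difflib import SequenceMatcher

SSN_RE = re.compile(r"(\d{3})-(\d{2})-(\d{4})")

# Constructed records standing in for three independent databases, keyed by
# SSN. All names, dates, addresses and numbers are made up for this example.
SOURCES = {
    "credit_header": {"123-45-6789": {
        "name": "Maria Delgado", "aliases": [],
        "dob": "1980-04-02", "address": "5 Harbor Way"}},
    "motor_vehicle": {"123-45-6789": {
        "name": "Maria Delgdo", "aliases": [],            # misspelled on file
        "dob": "1980-04-02", "address": "5 Harbor Way"}},
    "utility": {"123-45-6789": {
        "name": "M. D. Ruiz", "aliases": ["Maria Delgado"],
        "dob": "1980-04-02", "address": "18 Quay St"}},   # older address
}

# Constructed claims as they might arrive on an application form.
CLAIM_GENUINE = {"name": "Maria Delgado", "ssn": "123-45-6789",
                 "dob": "1980-04-02", "address": "5 Harbor Way"}
CLAIM_BORROWED_SSN = {"name": "Peter Hall", "ssn": "123-45-6789",
                      "dob": "1975-11-30", "address": "5 Harbor Way"}
CLAIM_IMPOSSIBLE = {"name": "Peter Hall", "ssn": "666-12-3456",
                    "dob": "1975-11-30", "address": "5 Harbor Way"}
CLAIM_UNKNOWN = {"name": "Ann Lee", "ssn": "234-56-7890",
                 "dob": "1990-01-15", "address": "2 Mill Rd"}


def validate(claim):
    """Step 1: is the data well-formed and structurally possible?"""
    problems = []
    match = SSN_RE.fullmatch(claim["ssn"])
    if not match:
        problems.append("ssn: bad format")
    else:
        area, group, serial = match.groups()
        if area in ("000", "666") or area >= "900":
            problems.append("ssn: area number never issued")
        if group == "00" or serial == "0000":
            problems.append("ssn: group or serial never issued")
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", claim["dob"]):
        problems.append("dob: bad format")
    return problems


def name_agrees(claimed, record, min_ratio=0.85):
    """Exact match, known alias, or close spelling variant (assumed cutoff)."""
    def norm(text):
        return " ".join(text.lower().split())
    claimed = norm(claimed)
    known = [norm(record["name"])] + [norm(a) for a in record["aliases"]]
    if claimed in known:
        return True
    return any(SequenceMatcher(None, claimed, k).ratio() >= min_ratio
               for k in known)


def verify(claim, sources):
    """Step 2: do the claimed elements belong together in each source?"""
    checks = {}
    for src, table in sources.items():
        rec = table.get(claim["ssn"])
        if rec is None:
            continue                      # this source has no such identifier
        checks[src] = {
            "name": name_agrees(claim["name"], rec),
            "dob": claim["dob"] == rec["dob"],
            "address": claim["address"].lower() == rec["address"].lower(),
        }
    return checks


def authenticate(claim, sources, accept=0.8, refer=0.5):
    """Step 3: score the agreement and turn it into a decision."""
    problems = validate(claim)
    if problems:
        return {"decision": "reject", "score": 0.0, "why": problems}
    checks = verify(claim, sources)
    if not checks:
        return {"decision": "refer", "score": 0.0,
                "why": ["no source holds this identifier"]}
    results = [ok for fields in checks.values() for ok in fields.values()]
    score = sum(results) / len(results)   # share of field checks that agree
    why = [f"{src}: {field} differs"
           for src, fields in checks.items()
           for field, ok in fields.items() if not ok]
    decision = ("accept" if score >= accept
                else "refer" if score >= refer else "reject")
    return {"decision": decision, "score": round(score, 2), "why": why}


if __name__ == "__main__":
    for claim in (CLAIM_GENUINE, CLAIM_BORROWED_SSN,
                  CLAIM_IMPOSSIBLE, CLAIM_UNKNOWN):
        print(claim["name"], claim["ssn"], authenticate(claim, SOURCES))
```

The "refer" outcome is where the cost trade-off in the verification step shows up: a claim that no source can confirm or refute is sent for additional analysis rather than decided automatically.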
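An added illustration of the idea behind the paragraph on Graph Theoretic Anomaly Detection in section 7.5.7: link applications through shared identity elements and flag unusual link patterns. This is not GTAD's own algorithm, which the book does not describe; the sample applications, the two anomaly rules and the threshold of three are assumptions made for the example.

```python
from collections import defaultdict

LINK_ELEMENTS = ("address", "phone", "ssn")  # names collide too often to link on
FANOUT_THRESHOLD = 3   # assumed: 3 or more SSNs behind one address or phone

# Constructed applications; every value is a made-up token, not real data.
APPLICATIONS = [
    {"id": "app-1", "name": "R. Vance", "address": "12 Elm St",
     "phone": "555-0101", "ssn": "SSN-A"},
    {"id": "app-2", "name": "R. Vance", "address": "12 Elm St",
     "phone": "555-0101", "ssn": "SSN-A"},    # same person applying again
    {"id": "app-3", "name": "T. Okoro", "address": "9 Pine Rd",
     "phone": "555-0102", "ssn": "SSN-B"},
    {"id": "app-4", "name": "N. Okoro", "address": "9 Pine Rd",
     "phone": "555-0102", "ssn": "SSN-C"},    # second member of a household
    {"id": "app-5", "name": "L. Marsh", "address": "40 Dock Ln",
     "phone": "555-0199", "ssn": "SSN-D"},
    {"id": "app-6", "name": "P. Quill", "address": "40 Dock Ln",
     "phone": "555-0199", "ssn": "SSN-E"},
    {"id": "app-7", "name": "J. Sorel", "address": "40 Dock Ln",
     "phone": "555-0199", "ssn": "SSN-D"},    # SSN-D under a second name
    {"id": "app-8", "name": "K. Brandt", "address": "40 Dock Ln",
     "phone": "555-0177", "ssn": "SSN-F"},
]


def build_graph(apps):
    """Bipartite graph: (element, value) node -> ids of applications using it."""
    graph = defaultdict(set)
    for app in apps:
        for element in LINK_ELEMENTS:
            graph[(element, app[element])].add(app["id"])
    return graph


def connected_groups(apps):
    """Applications joined, directly or transitively, by a shared element."""
    parent = {app["id"]: app["id"] for app in apps}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for app_ids in build_graph(apps).values():
        first, *rest = sorted(app_ids)
        for other in rest:
            parent[find(other)] = find(first)

    groups = defaultdict(list)
    for app in apps:
        groups[find(app["id"])].append(app)
    return list(groups.values())


def anomalies(group):
    """Reasons a connected group looks unlike ordinary applicants."""
    names_per_ssn = defaultdict(set)
    ssns_per_contact = defaultdict(set)
    for app in group:
        names_per_ssn[app["ssn"]].add(app["name"])
        ssns_per_contact[("address", app["address"])].add(app["ssn"])
        ssns_per_contact[("phone", app["phone"])].add(app["ssn"])
    reasons = []
    for ssn, names in names_per_ssn.items():
        if len(names) > 1:                  # one number, several identities
            reasons.append(f"{ssn} used with {len(names)} names")
    for (element, value), ssns in ssns_per_contact.items():
        if len(ssns) >= FANOUT_THRESHOLD:   # one contact point, many numbers
            reasons.append(f"{element} {value!r} shared by {len(ssns)} SSNs")
    return reasons


def classify(apps):
    """Label every application with the category of its connected group."""
    labels = {}
    for group in connected_groups(apps):
        reasons = anomalies(group)
        label = "high-probability fraud" if reasons else "likely legitimate"
        for app in group:
            labels[app["id"]] = (label, reasons)
    return labels


if __name__ == "__main__":
    for app_id, (label, reasons) in classify(APPLICATIONS).items():
        print(app_id, label, reasons)
```

The repeat applicant and the two-person household stay "likely legitimate", while every application attached to the 40 Dock Ln cluster is flagged, including those that look unremarkable when read one form at a time.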
7.5.8 Vendors

Organizations must select their vendors carefully, particularly if they will be handling sensitive information. They must also ensure that all vendors have appropriate data security programs. Vendors targeted for examination include payroll companies, software firms, and benefits organizations. Careful vetting is critical because liabilities incurred by these vendors could be passed on to the employing organization.61

Procurement policies represent another area where identity crime can be prevented. Canada’s federal government is taking steps to ensure that any contractors that handle sensitive data follow relevant privacy laws.62 For example, contractors that bid on a student loan contract in 2006 had to show that they had the capacity to implement stringent security measures so as to protect the private financial and personal information of students.63

7.6 Consumer Education
Consumer education is a critical component of identity crime prevention. Providing potential victims of identity crime with information about fraud reduces the chance that they will be deceived.64 Consumer education can take the form of general information designed to raise the public’s awareness of the dangers of identity crimes, or it may focus on specific types of fraud and be based on the monitoring of fraudulent activities by authorities in both the public and private sectors.65 Public awareness campaigns can be designed to target specific segments of society, including seniors and children.66 These campaigns could also educate individuals about techniques used to respond to identity crimes in addition to offering practical steps for prevention.67 In addition to the general public, identity crime prevention information can be targeted at those in positions to identify, report, and/or prevent

61 Duxbury, supra note 2572.
62 CIPPIC, Policy Approaches, supra note 2557, at 13.
63 Id.
64 U.N. Secretary-General, Comm’n on Crime Prevention and Criminal Justice, International Cooperation in the Prevention, Investigation, Prosecution, and Punishment of Fraud, the Criminal Misuse and Falsification of Identity and Related Crimes [Draft 1 Short Version], 21, U.N. Doc. E/CN.15/2007/8 (2007) [hereinafter “U.N. Draft 1 Short Version”], available at https://www.unodc.org/unodc/en/organized-crime/identity-related-crime.html.
65 Id. at 22.
66 A National Strategy to Combat Identity Theft, supra note 2606, at 44.
67 Id. at viii.
identity-related crimes when they occur. Many businesses already train key employees to recognize fraud in banking and credit card transactions or in specialized areas that hold the potential for identity crime.68

The United States Justice Department has devised a set of basic actions that consumers can take to minimize their chances of becoming a victim of identity crime that uses the word “scam” as a memory aid:

“S” stands for “Stingy” to remind consumers to be “stingy” in giving out their personal information to other people. Personal information should only be given to trusted individuals or organizations. Be stingy about giving out your personal information to others.

“C” stands for “Check” and refers to the recommendation that consumers check their financial information on a regular basis. This includes monthly banking and credit card statements.

“A” stands for “Ask” as in asking periodically for a copy of an individual credit report. A credit report lists all financial accounts open under an individual’s name. It will show whether or not an unauthorized person has opened or used any of these accounts.

“M” stands for “Maintain” and refers to the necessity of maintaining accurate records of all banking and financial accounts.

Consumers who are aware of the threat of identity crime and who are motivated to take preventive action represent the first line of defense against the crime. Unfortunately, most consumers act in ways that put their personal information at risk. For example, they may not install “firewall” software on a computer used for online banking, or they may leave paid bills in their mail slot. As a result, the door opens to identity criminals.69 Consumer education is an effective means of reducing identity crime, and the U.S. federal government is a leading provider of such information.70 Authorities in some countries believe that focusing education efforts on employees of banks and other financial institutions is the best way to stem identity crime, since these individuals are most likely to encounter fraud.71 Programs to educate consumers about identity crime may involve creating partnerships with service agencies, local schools, and consumer organizations to teach the techniques of identity crime prevention and to implement programs designed to minimize the use of social security numbers as identifiers.72

68 U.N. Draft 1 Short Version, supra note 2613, at 21.
69 A National Strategy to Combat Identity Theft, supra note 2606, at 39.
70 Id.
71 U.N. Draft 1 Short Version, supra note 2613, at 48.
72 Newman, supra note 2574, at 44–47 (“Appendix A: Summary of Responses to Identity Theft”).
7.7 Consumer Actions
There are many actions that consumers can take to avoid becoming victims of identity criminals. One action is the appropriate disposal of financial statements, including monthly bank and credit card documents. Experts recommend shredding these documents, since identity criminals often avail themselves of “dumpster diving,” or actually getting into trash containers to find identifying information that has been thrown away. Using a shredder is a relatively inexpensive way to protect personal data.73

Another thing consumers can do is request a copy of their credit report at least once a year. The Fair and Accurate Credit Transactions Act signed into law in 2003 requires that the three national consumer reporting agencies (Experian, Equifax, TransUnion) provide a free copy of a consumer’s credit report every 12 months. These reports should be reviewed to ensure that no unauthorized activity has resulted from identity crime.74

The Identity Theft Consumer Education Kit is provided for free by the Consumer Response Center at the U.S. Federal Trade Commission. It offers many useful tips to help consumers prevent identity crime. In addition to shredding documents, the FTC recommends that a consumer:75

A. Protect his/her social security number. It should not be carried in a wallet, nor should the number be written on a check. This number should only be given out by a consumer if it is absolutely necessary.
B. Consumers should not provide personal information over the phone, through the mail, or over the Internet unless they are sure of who is receiving it.
C. Links in unsolicited e-mails should never be clicked on. The address should be typed into the browser bar instead. Firewalls, anti-spyware, and anti-virus software should always be used to protect home computers. The software should be kept up to date as well.
D. When asked to create a password for access, consumers should never use obvious things like birthdate or mother’s maiden name.
E. Personal information should be kept in a safe and secure place in the consumer’s home, especially if work is being done on the house, outside workers are employed in the home, or there are roommates.
F. Consumers should monitor financial accounts and billing statements regularly. Become suspicious if bills do not arrive when expected, credit is denied with no apparent reason, or communications are received about purchases the consumer did not make.
G. Financial statements should always be reviewed to determine if there are any unexpected charges.

73 About Identity Theft, FTC, https://web.archive.org/web/20120503022415/http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identity-theft.html (last visited Oct. 31, 2012).
74 Duxbury, supra note 2572.
75 Identity Theft Resources, FTC, http://www.ftc.gov/bcp/edu/microsites/idtheft2012/ (last visited Oct. 31, 2012).

7.8 Foundation Documents
Governments issue identity documents to their country’s citizens and residents that are known as “foundation documents.”76 These documents generally include the birth certificate, social security card, driver’s license, marriage certificate, and health card. Passports and permanent residency cards may also be included. In addition to their original functions, these documents are frequently used to prove identity, which makes them major targets for identity criminals. Criminals can steal these documents, or forge them, to commit financial fraud or to impersonate another person to gain benefits or to conceal themselves from the law. Because foundation documents are such high-value targets, governments have developed policies to enhance their security.

7.8.1 Birth Certificates

Cooperative efforts by state and federal governments are designed to keep these documents from falling into the hands of identity criminals. For example, Ontario, Canada implemented new rules in 2002 that are designed to save birth certificates from being attractive theft targets. Citizens of the province are required to report birth certificates that are lost, stolen, or destroyed. The certificates are then deactivated. Only one certificate is issued at one time for an individual.77 Ontario’s government also increased the penalties for lying on the application for a driver’s license, and drivers are required by law to register any address change with the licensing authorities.78

76 CIPPIC, Policy Approaches, supra note 2557, at 10.
77 Id.
78 Id.

7.8.2 Social Security Numbers

In the United States, considerable attention is being paid to reducing the unnecessary use of Social Security numbers (SSNs) as official identification elements beyond their original intent. The Social Security number is of extreme
value to identity criminals because it is frequently the major element used to authenticate consumers’ identities. If a thief can steal the social security number, financial accounts can be opened in the victim’s name or various benefits may be obtained. As long as these numbers are used in this way, identity criminals must be prevented from getting them.79 Some organizations in the private sector, along with some federal agencies, have moved to decrease their reliance on the use of the SSN, but more must be done to reduce its unnecessary use. Experts have recommended that a unified standard for the use and display of SSNs by federal agencies be created by the Office of Personnel Management and the Office of Management and Budget.80 These agencies are well positioned to provide guidelines on alternatives that are of less value to identity criminals.

Other measures designed to protect foundation documents from identity criminals include imposing limits on the periods in which these documents are valid. Imposing new renewal requirements and using technology to make identity documents more difficult to alter provide additional solutions. Keeping the documents safe in transit during delivery is also important.

7.8.3 Identity Cards in Canada

In Canada, identity cards have been created with high-tech features designed to thwart forgery. The government of Alberta recognized that its identification documents could be counterfeited easily, and so a new driver’s license was introduced. The license utilizes raised lettering and a laser-embedded photograph, with the birthdate and name of the driver featured in a gradually diminishing graphic.81

7.9 Medical Identity Crime Prevention
Medical identity crime is a common occurrence in the health care system. It may be committed by physicians, nurses, employees at a hospital, and by sophisticated and organized groups of identity criminals. Researchers at the World Privacy Forum have found that victims of medical identity crime require expanded rights in order to correct their medical files and recover from this crime. More consumer education programs should focus on addressing the specific damages arising from medical identity crime as

79 The President’s Identity Theft Task Force, supra note 2555, at 23.
80 Id. at 25.
81 CIPPIC, Policy Approaches, supra note 2557, at 11.
well. Among the actions to be taken to prevent medical identity crime and to provide victims with redress are:82

A. Expand the rights of individuals to correct mistakes in their medical histories.
B. Allow individuals to remove false information from their medical files.
C. Provide individuals with the right to receive one free copy of their medical files.
D. Give individuals the right to obtain an accounting of any disclosures made of their health information.
E. Conduct research to determine the scope of medical identity crime, how and where it occurs, and how it can be discovered and prevented.
F. Notify consumers of all security breaches of medical data.
G. Perform comprehensive risk assessments on all working prototypes for the National Information Network that focus on simultaneously preventing medical identity crime and protecting patients’ privacy.

7.10 Victim Cooperation
The victims of identity crime who cooperate with law enforcement and other authorities to report the crimes represent an important source of information that can be provided to other consumers in an effort to prevent identity crimes. The cooperation of victims in the area of computer crimes is particularly desired, since the actual extent of these crimes is unknown. Most of the crimes go undetected, or individuals are reluctant to admit they were victims of computer fraudsters.83 Victims do not come forward for a variety of reasons. In the case of a financial business, a report of a breach of security often results in a loss of consumer confidence in the business, which in turn leads to additional economic losses on top of those imposed by the crime. Victims are also unwilling to be inconvenienced by long investigations. Without appropriate reports and investigations, however, identity criminals are only encouraged to commit more crimes.84 And with the additional information provided by victims, law
82 Pam Dixon, The World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (2006), available at http://www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf.
83 International Review of Criminal Policy, supra note 2556, at 33.
84 Id.
enforcement officials can collect and analyze more information in order to spot new trends and adapt their detection methods to handle them.

7.11 Offenders
In a 1989 report to the U.S. Justice Department’s National Institute of Justice, George Rengert and John Wasilchick noted that understanding an offender’s perceptions, opportunities, and risks associated with identity crime is a critical element in understanding and ultimately preventing this crime.85 Identity criminals are motivated by a need for fast money. They view identity crime as a relatively easy way to get cash, and they have many ways of acquiring personal identity information and converting it to the money they need. Identity criminals justify their actions by perceiving the crime as a victimless crime.

According to recent research, identity crime can be effectively prevented by making it more difficult and riskier for thieves to acquire personal information and convert it to cash or goods. Another effective strategy is to remove their excuses for committing the crime.86 In fact, researchers discovered that cognitive-based programs designed to remove excuses may be the most effective in changing offenders and reducing the incidence of identity crime.87

7.11.1 Offender Profile

A profile of the typical identity criminal has been created via a study based on interviews with 59 inmates sentenced to federal prison for various identity-related crimes.88 According to this study, a typical identity criminal comes from a working-class or middle-class background, and about a third of them use their jobs to commit the crimes. They worked in government agencies, mortgage firms, and other businesses, such as banks and convenience stores, that provided access to social security or credit card numbers. Fifty of the 59 inmates interviewed had previous arrest records, with 26 having been arrested for other identity-related crimes.

Of the few that perceived the risks associated with the crime, most thought their chances of being caught were low and that they would receive only light punishment. The identity criminals were able to continue offending because

85 Copes & Vieraitis, supra note 2581, at 49.
86 Id. at 4.
87 Id. at 5.
88 Id.
they used neutralization techniques to account for the crimes. Most commonly, the criminals believed their crimes caused no real damage to actual people. Additionally, the inmates justified their crimes by claiming they were committed to help someone else, and those who committed the crimes as part of a group tended to minimize their role in the crime and the financial benefits they received from it.

As for ways of acquiring information, the offenders in the study cited many options.89 Purchasing information, either from employees at state agencies or private sector businesses or from people they knew, was the most common way the offenders got personal data. Many offenders obtained the information from going through mailboxes or the trash at businesses or homes. Insurance companies in particular were cited as good sources of identity information. It was also common for the identity criminals to get personal information from friends or relatives, sometimes with the other person’s knowledge and consent. Once they obtain the necessary information, offenders convert it to money and goods by producing or acquiring additional identity documents like a driver’s license or state ID card, making their own checks using the stolen name(s), or obtaining new credit cards under the false identity. Applying for loans is also a popular option.

Individuals who commit identity crime develop several skills that help them to accomplish their crimes and avoid being discovered.90 These include social skills through which they can successfully manipulate situations both with words and by nonverbal communication. Identity criminals also become very intuitive and sense when they are at risk of being caught. They acquire a significant set of technical skills that allow them to produce fake documents, and they have excellent knowledge of banks and other financial systems so they can effectively exploit weaknesses.
7.11.2 Researchers’ Recommendations The conclusions reached by researchers who conducted the interviews with the incarcerated identity criminals are as follows:91 A. Banks should be more aware of behaviors in the people who enter their facilities. B. All retail establishments should check their customers’ identification in a consistent manner.
89 Id. at 6.
90 Id. at 7.
91 Id. at 8.
Identity Crime Prevention and Impact Minimization Strategy
C. Excuses for acquiring personal information of others and converting that information to cash and/or goods must be removed.
D. Employees should be made aware that there are real consequences for identity crime victims.
E. Messages should be placed in stores and banks to make offenders aware that their crimes have victims.
F. Encourage offenders to stop their criminal activities by encouraging or requiring convicted identity criminals to attend cognitive based programs designed to remove excuses.
G. Publicize the potential legal consequences associated with identity crime.
7.11.3 Situational Crime Prevention Techniques
Situational measures found to be especially effective in preventing identity crime include making it more difficult for offenders to get and convert information, increasing the risk that criminals will be caught, and eliminating the excuses that identity criminals use to justify their crimes. The situational measures, along with cognitive-based interventions, can reduce the likelihood that offenders will engage in repeated identity crime activities.92 Situational crime prevention techniques involve increasing the efforts and risks of getting information and entering banks or stores to convert the information into money or goods and removing the excuses that allow offenders to consider identity crime a non-criminal activity. Situational prevention programs are based on the theory of neutralization. According to neutralization theory, offenders use specific linguistic devices to justify their crimes, and by identifying these devices, programs can be created to attack their belief systems and motivate them to stop their illegal activities.93 Researchers have found that approaches designed to reduce crime on the basis of removing excuses are effective in cases of tax evasion and even rape, and the same types of programs work when applied to identity crime.94 Effective programs present the anti-neutralization message immediately in the crime situation.
For example, since many offenders must go into banks to use stolen identity information to withdraw funds or cash checks, bank locations are perfect for messages aimed at making offenders realize the harm they cause to real individuals.95
92 Id. at 49.
93 Id. at 51.
94 Id. at 52.
95 Id. at 52–53.
CHAPTER 7
Because many identity criminals get the information they need from individuals who have legitimate access to personal information, dishonest employees have a major role in the commission of identity crime. Publicity campaigns designed to remove excuses would also be useful in educating employees who might be thinking about using their positions to sell sensitive information.96 Another element of situational crime prevention involves making potential identity criminals aware of the consequences of being caught. One of the reasons that identity criminals go forward with their plans is that they believe there will be few consequences and minimal punishment for their actions. When they balance the significant rewards of identity crime with their expectation of light consequences, they are easily motivated to steal sensitive information for illicit uses. The surveyed inmates expressed surprise at the length of the prison sentences they received, which ranged from 12 to 360 months.97 Educating criminals about the reality and consequences of being convicted of identity crime would likely deter some of them from committing the offense. Deterrent messages informing offenders of the real harm they cause should be presented at the crime locations. Past studies of deterrence research indicate that perceived punishments tend to have a greater impact than actual punishment, so campaigns that give the impression that identity crime is considered a serious crime by law enforcement agencies who will prosecute offenders to the fullest extent of the law may be most effective in changing their perceptions of the crime.98
7.12 Law Enforcement Policies
Countries around the world should use their unique domestic authority to investigate, prosecute, and punish identity crimes. According to the United Nations, most countries experience a variety of criminal frauds and appear to criminalize these activities to the degree required to suppress domestic fraud and any international actions to support it.99
7.12.1 International Jurisdiction and Cooperation
However, while most criminalization issues have been addressed, certain additional enhancements could be implemented to modernize and improve
96 Id. at 54.
97 Id.
98 Id. at 56.
99 U.N. Draft 1 Short Version, supra note 2613, at 14.
national laws relating to identity theft and fraud. This is because most legal systems, defined fraud offenses, and investigative techniques have not kept up with new frauds committed via modern technologies.100 For example, criminal offenses that involve only individual transactions could be enhanced to reflect the growth in transnational frauds by criminalizing fraud schemes and mass fraud in a specific manner. This approach would simplify jurisdictional issues in transnational cases, since jurisdiction would apply to the entire scheme rather than to single, specific transactions. Additionally, evidence of an entire fraud scheme could be used, and the necessity of proving the completion of frauds against individual victims would be eliminated. Therefore, the following recommendations have been made by the UN:101
A. Nations should consider modernizing their systems to deal with domestic and international identity crimes that are committed via the telephone, e-mail, the Internet, and/or other telecommunications technologies.
B. Because major fraud activity generates substantial monies, countries that apply measures designed to fight money-laundering should consider fraud and similar crimes as predicate offenses to money-laundering.
C. Rather than criminalizing fraud just on the basis of individual transactions, countries should consider criminalizing the actual operation of fraud and identity theft schemes, as well as the commission of mass frauds.
The idea of basing offenses on identity abuse is new to most nations, so legislators must develop concepts, definitions, and approaches that will criminalize a wider range of conduct, including identity-related crimes. Public and private identity systems of all countries need to be consistent as do the links to crimes like forgery and impersonation.
Jurisdictional issues arise in consideration of transnational fraud cases, since the crime typically occurs in many locations at the same time; it may not be addressed effectively by traditional territorial jurisdictions. Laws must be updated to handle the evolution of these crimes.102 Some recommendations made by the United Nations in regard to jurisdictional matters required that:103
A. All countries work to ensure that their jurisdictional rules reflect the continual changes that occur in identity fraud.
B. In cases where several nations may have jurisdiction, these nations should cooperate to make sure the crimes are prosecuted by the country
100 Id.
101 Id.
102 Id. at 15.
103 Id.
that is best-positioned to handle the prosecution. To determine which nation that may be, factors such as witness availability, evidence, rights of the accused, and the ability of a nation to implement a fair and successful prosecution should be considered.
C. Countries should obtain technical assistance through appropriate agencies, such as the United Nations Office on Drugs and Crime, to ensure that nations with jurisdiction but without necessary capacity to handle investigations can address the complicated nature of international fraud activities effectively.
D. Nations should make sure that their investigative capabilities and jurisdiction are sufficient to provide aid to other countries prosecuting fraud cases that involve or impact their interests and which, for whatever reasons, they may not be able to prosecute themselves.
The transnational nature of identity-related crimes provides the perfect opportunity for legal authorities in all countries to cooperate in finding solutions to the problem. The Convention against Transnational Organized Crime and the Council of Europe Convention on Cybercrime are two legal instruments that can be used to this end.104 The transnational dimension of identity crime is especially prevalent with Internet scams. Improving cooperation between nations can significantly enhance the measures aimed at finding and prosecuting offenders in transnational cases.105 Additional progress can be made if investigative techniques are improved in regard to interrogating suspected identity criminals.106
7.12.2 Assessing Law Enforcement Effectiveness
Law enforcement agencies need a way to assess their effectiveness in discovering and prosecuting identity crimes.
Statistical data and benchmarks are in short supply for measuring the effectiveness of the various portions of the legal system that address identity-related crimes.107 However, there are systems and processes available through the United States Bureau of Justice Statistics to obtain such information, plus data on the way identity crime cases are handled in state courts, victims’ perspectives on the crime, and how state and federal law enforcement agencies and prosecutors respond to identity crime cases.108 Recommendations to improve the gathering of measurement
104 Id.
105 Gercke, supra note 2579, at 3.
106 Id.
107 The President’s Identity Theft Task Force, supra note 2555, at 70.
108 Id.
data on responses to identity crime from the criminal justice system in the U.S. include:109
A. Collecting and analyzing statistically reliable information from victims of identity crime.
B. Expanding the range of the annual National Crime Victimization Survey (NCVS) to include information on the nature and consequences of identity crime for individuals aged 12 and above.
C. Conducting reviews of data from the U.S. Sentencing Commission’s case files relating to identity crime every two to four years.
D. Tracking the prosecutions of identity crime cases and the total resources applied to them.
E. Conducting targeted surveys in specific areas, including law enforcement agencies that focus on response to identity crime, improvements to the current Law Enforcement Management and Administrative Services (LEMAS) survey, and improving the current training academy survey.110
7.12.3 Criminalization
Chapter 6 comprehensively covered criminal statutes in four countries and their application to various forms of identity crime. Accordingly, only a few relevant points will be made here. Law enforcement authorities in the United States and Canada believe that trafficking in personal information should be criminalized, whether or not there is intent to use the data for any special purpose.111 In Canada, the law enforcement community is working with the government to revise the nation’s criminal code to make simple possession of multiple identities a crime without a requirement to prove intent.112 There are two federal laws in the United States that provide for the criminalization of identity-related crimes. These are the identity theft statute (18 U.S.C. § 1028) and the aggravated identity theft statute (18 U.S.C. § 1028A).113 The first imposes a prohibition on the possession or use of a person’s identification in connection with any illegal action that violates federal, state, or local law.
The second disallows the possession or use of another person’s identification in regard to several specified felonies, and it provides for enhanced penalties in
109 Id. at 71.
110 Id. at 99.
111 Philippa Lawson and John Lawford, “Identity Theft: The Need For Better Consumer Protection” 36 (2003), available at http://www.ic.gc.ca/app/oca/crd/dcmnt.do?id=1603&lang=eng.
112 Id.
113 Combating Identity Theft, supra note 2555, at 70.
these cases.114 There are gaps in what these laws cover because they only apply to the illegal use of the identity of “a person.” Confusion exists over whether identity criminals who misuse the identification of an organization or business can be prosecuted under these statutes.115 In regard to sentencing guidelines, the courts have been uncertain in how to apply the multiple victim enhancements of the United States Sentencing Guidelines, which permit the courts to increase sentences for criminals who victimize more than one person, to cases of identity crime.116 The difficulty arises when victims have not suffered actual monetary losses. To provide clarity on the issue, expert recommendations include legislative changes, such as rewriting the federal criminal laws used in prosecutions of identity-related crimes to ensure sentences can be increased when more than one victim has been affected, whether or not the damage includes financial loss. Additionally, federal criminal statutes should be amended to include activities that occur repeatedly in identity-crime cases, such as mail theft, tax fraud, theft of electronic data, use of key loggers and spyware, and phishing.117 In the United States, a White House panel has actively promoted the passage of new laws targeting identity fraud. The possibility of applying existing laws to cases of computer-related identity crime has been suggested. Legislators have also recommended extending penalties for identity crime by placing “cybercrimes” under RICO statutes. Victims should receive monetary compensation under the law for their financial and emotional damages as well.118 Law enforcement and judicial authorities must develop additional skills in order to respond effectively to the dynamic challenges of computer technology. The growing technical expertise of identity criminals complicates legal interventions.
In the past it was enough to focus attention on identity crimes that occurred in the economic environment, but now computer crime can be found in all sectors.119 Appropriate application of existing laws requires coordinated efforts to provide investigators, prosecutors, and courts with the technical
114 Id.
115 Id.
116 Id. at 67.
117 Id. at 68.
118 Anne Broache, White House Panel Pushes New Identity Fraud Laws, CNet News (Apr. 23 2007, 1:57 PM), http://news.cnet.com/White-House-panel-pushes-new-identity-fraud-laws/2100-7348_3-6178441.html?tag=nw.5.
119 International Review of Criminal Policy, United Nations Manual on the Prevention and Control of Computer Related Crime, supra note 2556.
equipment and skills that will allow them to investigate identity crime committed by increasingly sophisticated computer criminals.120
7.13 Government Policies
There are some actions for preventing identity crime that only governments can take. These include creating a centralized database of identity-related crimes and the investigations performed, organized on a state-by-state basis;121 improving the security of the postal system;122 and developing more stringent rules for obtaining identity documents and controls on the use of such documents.123 In Canada, the government has acknowledged the frequent use of the postal system by identity criminals by improving the security surrounding change-of-address requests and by sponsoring a public education and awareness program focusing on the mail.124 Canada has also proposed the development of a national identification card, although privacy advocates, the Privacy Commissioner, and civil liberties advocates have raised significant concerns about the cards and the ethical and technological elements associated with their use.125 Governments must be responsible for responding to security breaches of data held in the public sector. The use of the social security number (SSN) for identification purposes in the United States is a good example. Federal, state, and local agencies use the SSN extensively, yet there is no single federal law that regulates the use, display, or disclosure of the number.126 There are several laws that govern the use of SSNs in specific situations or sectors. These laws include the GLB Act, which limits the re-disclosure of non-public personal information to third parties, the Health Insurance Portability and Accountability Act (HIPAA) that restricts the disclosure of SSNs by health care organizations without the patient’s permission, and the Driver’s Privacy Protection Act that prohibits SSN disclosure by state motor vehicle departments outside of 14 allowed situations.127 There are various state laws that
120 Id.
121 A National Strategy to Combat Identity Theft, supra note 2606, at 44.
122 CIPPIC, Policy Approaches, supra note 2557, at 12.
123 Id.
124 Id.
125 Id.
126 Combating Identity Theft, supra note 2555, at 24.
127 Id.
govern the use of SSNs as well, but significant gaps in the regulation still exist. This creates a risk for their misuse by identity criminals. To address this problem, the President’s Identity Theft Task Force has recommended a complete review of the use of social security numbers, the provision of guidance concerning the appropriate use of SSNs, a requirement that government agencies all review how they use SSNs, the creation of a clearinghouse for agency practices designed to minimize the use of SSNs, and cooperation with state and local governments to review the utilization of SSNs.128
7.14 Information Sharing
To prevent identity crime effectively, all parties must make an effort to share what they know about the crimes and the criminals that commit them. Law enforcement authorities in the public and private sectors, both domestically and internationally, should share data while adhering to appropriate privacy and security caveats.129 Information on identity-related crimes and criminals should be collected accurately and in a timely manner if it is to support prevention measures successfully. Technical data should be shared with developing countries so that they can create strong domestic identification programs as well.130 Countries that develop effective anti-fraud training materials have been advised to share these materials with the United Nations and intergovernmental groups so that their personnel may also be trained in handling identity-related crime.131 Best practices applying to identity fraud prevention techniques may represent a major portion of international programs. This information may include practices applied to specific cases, methods, or fraud operations.132 Federal law enforcement agencies in the United States understand how important it is for public and private sectors to share and coordinate information on identity crime. This presents many challenges, since this information is housed in several different databases and there is no single standard form for reporting identity crime complaints. The limited resources of law enforcement agencies also hinder information sharing.133 However, there are several
128 Id. at 25–26.
129 U.N. Draft 1 Short Version, supra note 2613, at 21.
130 Id. at 22.
131 Id.
132 Id. at 48.
133 Id. at 53.
repositories of such complaints, including the Identity Theft Clearinghouse at the U.S. Federal Trade Commission, the Internet Crime Complaint Center, and the Federal Bureau of Investigation’s Cyber Initiative and Resource Fusion Unit (CIRFU). The U.S. Postal Inspection Service provides the Financial Crimes Database to its investigators to use in mail theft analysis and complaints.134 The private sector, particularly financial services organizations and credit reporting agencies, provides important information to law enforcement. These organizations are in good positions to discover early problems linked to identity crime. A number of private-public partnerships have developed in recent years to support and improve information sharing.135 Some of the recommendations made by law enforcement and other identity crime professionals include the creation of a standard format for sharing intelligence, secure methods of sharing data, improved communications between public and private sectors, and the active encouragement of research on identity crime.136 An especially promising area for research is the analysis of the demographics of individuals and businesses that fall victim to identity criminals137 and determining the best points of intervention to stop identity crime activities.138
7.15 International Collaboration and Efforts
Identity-related crimes are often transnational in nature, particularly the scams that involve the Internet. The ability of local law enforcement authorities within a single country to investigate such crimes is limited because of the principle of national sovereignty.139 International laws restrict the ability of a nation to conduct investigations on foreign territory. Therefore, there must be cooperation among the law enforcement agencies of different countries if identity criminals are to be brought to justice. Improvements in methods of cooperation, using the Palermo Convention as the legal basis for international cooperation, will enhance the ability of law enforcement to find and prosecute offenders in cases of transnational fraud.140
134 Id. at 54.
135 Id. at 48.
136 Id. at 17–20.
137 Id. at 54.
138 Id. at 48.
139 Gercke, supra note 2579, at 3.
140 Id.
Although many cases of identity crime are transnational, they involve actions taken within individual countries. These crimes can be prevented if authorities in those countries have the information they need in a timely manner. International cooperation can also reduce the complications and costs associated with investigating and prosecuting transnational identity fraud.141 International cooperation should include providing help with developing preventive techniques, sharing best practices learned from experience, and sharing appropriate information about specific cases, methods, or types of identity crimes.142 Any efforts at international cooperation in the area of identity crime are hampered by a number of factors. For example, a single incident of identity crime will not result in losses significant enough to justify the costs of a cross-border investigation. Additionally, the use of computer technology has made it easy for criminals to appear to be someone else, or even hundreds of different people. Therefore, it is difficult to find patterns of activity among those committing large-scale identity crimes over the Internet. Another problem is the ephemeral nature of Internet Protocol (IP) addresses, which represent the chief evidence in cases of online identity fraud. This information disappears with the click of the mouse and may easily no longer exist at the time a case is adjudicated. And most importantly, there are significant legal barriers to investigation and prosecution across national boundaries.143 According to federal law enforcement agencies in the United States, a substantial amount of identity crime that occurs in the U.S. actually has its origin in other countries, making cooperation with foreign law enforcement an essential feature of prevention and prosecution.144 With the ratification of the Convention on Cybercrime in 2001, the U.S. took a major step toward ensuring cooperation with other nations and coordination of preventive efforts.
The Cybercrime Convention is the first multilateral legal instrument designed to address the spread of crime over computer networks, including identity crime.145 Under existing U.S. law, reciprocal agreements for assistance involving law enforcement agencies in other countries are allowed, and considerable cooperation between agencies does occur. However, law enforcement officials are
141 U.N. Draft 1 Short Version, supra note 2613, at 21.
142 Id.
143 International Review of Criminal Policy, supra note 2556, at 10–11.
144 Combating Identity Theft, supra note 2555, at 58.
145 International Review of Criminal Policy, supra note 2556, at 17.
hampered by their limited ability to arrest and prosecute identity criminals because most countries do not have laws that specifically mention identity-related crimes or because the laws they do have are not compatible with those in the U.S.146 Also, the laws that govern requests made by foreign governments for electronic evidence are not clear about which court has the authority to handle such requests.147 In the light of these limitations, the Justice Department recommends:148
A. Encouraging other countries to pass laws that specifically criminalize identity crime.
B. Encouraging other countries to follow the Convention on Cybercrime or enact similarly comprehensive laws.
C. Identifying nations that are “safe havens” for identity criminals and working to end this situation via targeted diplomatic and enforcement actions.
D. Improving the ability of the U.S. government to respond to foreign requests for evidence in cases of identity crime.
E. Training and supporting foreign law enforcement agencies.
7.15.1 Efforts by the European Union to Criminalize Identity Crime
The European Union enacted the Data Privacy Directive in 1995, implementing a comprehensive policy of protection for individuals during the gathering and use of their personal information. Under the Directive, EU members must adopt laws governing the privacy of information and adapt to specific minimum standards.
In comparison to similar laws in the United States, the Directive is more proactive, covering all uses of personal information for any purpose.149 In 2001, thirty EU nations, which comprise the Council of Europe Convention on Cybercrime, recognizing the need for cooperative action between countries and organizations in the private sector to fight against crimes committed via information technologies, enacted the first international treaty specifically designed to address Internet-based offenses.150 The Treaty establishes standards by which countries should write laws to prevent and prosecute cybercrimes.
146 Combating Identity Theft, supra note 2555, at 58.
147 Id.
148 Id.
149 Ian Heller, How the Internet has Expanded the Threat of Financial Identity Theft, and What Congress Can Do to Fix the Problem, 17 Kan. J.L. & Pub. Pol’y 84, 97 (2007).
150 Id. at 98.
7.15.2 Canadian Efforts to Criminalize Identity Crime
Similar in many ways to efforts in the U.S., Canada is fighting online identity crimes by focusing on the providers of personal data. However, Canada’s Model Code for the Protection of Personal Information is a country-wide attempt to secure personal information. It applies to all organizations in Canada that gather or use personal data and establishes ten rules designed to balance individual rights with the information needs of private organizations.151 The two most important principles of Canada’s Personal Information Protection and Electronic Documents Act involve accountability and consent. In contrast to the United States, all Canadian users of personal information are totally accountable for its management. This means that small neighborhood businesses are just as responsible for protecting sensitive personal data as banks and credit card firms. Individuals in Canada must provide knowledgeable consent before any of their personal information is collected, used, or disclosed, except where consent may be impractical to obtain, such as in medical or security cases. The affirmative duty of approval imposed on all Canadians effectively reduces the occurrences of fraudulent disclosures of personal information.152
7.16 Public-Private Partnerships
The formation of partnerships to facilitate cooperation and knowledge sharing between the public and private sectors is critical to efforts aimed at preventing identity crime. Private employers can collaborate with government and service organizations to better protect sensitive personal information, for example by addressing the unnecessary use of social security numbers for identification purposes.153 Victims of identity crime can work with law enforcement authorities and private organizations as partners in timely investigations. Banks can work with credit card issuers and government authorities to improve the security of consumer credit card information by enhancing techniques for identity verification.154 Businesses can also work with the U.S. Post Office and other delivery companies to oversee deliveries to addresses of vacant buildings and to watch for
151 Id. at 99.
152 Id.
153 Newman, supra note 2574, at 44–47 (“Appendix A: Summary of Responses to Identity Theft”).
154 Id.
suspicious diverted mail deliveries. Employees can be trained to identify suspect mail activities.155 Governments and private sector organizations can cooperate to develop identification systems that work well together. Inter-operable technology will facilitate investigations of identity crimes and allow relevant information to be shared more effectively. For example, measures could be taken to ensure that credit cards and passports are subject to more compatible and reliable information systems, which would make it more difficult to alter or falsify these documents for identification purposes.156 Information about identity crimes should be shared among law enforcement and private sector firms at the domestic and international level so that the data is more likely to be timely and accurate.157 Sharing of information between law enforcement and the private sector should include data from financial institutions, policies to counteract identity crime in the financial sector, and communications with credit reporting agencies about identity crime prevention.158 Public and private partnerships can also be created among businesses and state motor vehicle administrations to prevent identity crime using drivers’ licenses.159 Improved communications and cooperation between state and federal agencies and the private sector could include alerts sent to the Internal Revenue Service, passport office, or central medical database once an individual becomes a victim of identity crime, making it easier to determine if a new account has been created in that person’s name or if an existing account has been taken over. 
Without such cooperation, it is difficult to know if a criminal has applied for a driver’s license or passport, or applied for medical benefits under a false name in another state.160 Employers can use the Internet-based technology of services like E-Verify to discover if the information provided by new hires is accurate and to prevent identity crime by eliminating the illicit use of social security numbers and other stolen identity information. E-Verify is operated by the United States Citizenship and Immigration Service (USCIS) and allows employers to compare information on the Employment Eligibility Verification Form I-9 with information in the databases of the Social Security Administration and U.S. Department of Homeland Security (DHS).
155 Id.
156 U.N. Draft 1 Short Version, supra note 2613, at 22.
157 Id. at 21.
158 The President’s Identity Theft Task Force, supra note 2555, at 7.
159 A National Strategy to Combat Identity Theft, supra note 2606, at 44.
160 The President’s Identity Theft Task Force, supra note 2555, at 22.
7.17 Data Protection through Technology
Various technological approaches have been proposed to improve the protection of sensitive personal information from identity criminals. These measures range from imposing limitations on the publication of critical information related to identity to enhanced notification requirements for breaches of data security.161 The use of additional security elements, including a Personal Identification Number (PIN) or biometric information, has been suggested as an aid in preventing the abuse of identity-related personal data that is frequently exchanged.162 Technology can help in monitoring users’ behavior as well. For example, by monitoring and analyzing the use of identity-related transactions, law enforcement authorities and business interests can more easily identify suspicious activity.163 Progress in designing improved investigation techniques, including those involving the interrogation of identity crime suspects, can be enhanced through the implementation of technological approaches.164 Data protection, Data Loss Prevention and Privacy-Enhancing Technologies are discussed in detail in Chapter 8.
7.17.1 Biometrics
The total prevention of identity crime is an unreachable goal as long as governments and businesses depend on numbers and words for identity verification. For example, many organizations use passwords and Personal Identification Numbers (PINs) to prevent unauthorized individuals from accessing banking and other accounts. However, there is a limit on how many different numbers/passwords an individual can remember without writing them down or storing them in ways that could be discovered and used by identity criminals. And most people tend to use the same password for many purposes to counteract the memory problem.
Therefore, reliance on passwords and PINs for authentication and verification of identity has limited potential for reducing identity-related crimes.165 For these reasons, and because identity criminals increasingly use computers and the Internet, current approaches to identity crime prevention often focus on technical methods related to bioverification.166 These systems use methods including fingerprint identification technology and retinal scan identification technology. Both methods are effective in eliminating human error. If bioverification measures were used before cash or credit transactions occurred, the integrity of individual identities would be protected. These measures could eliminate the need for social security or credit card numbers in the future. For example, a unique retinal scan would securely provide all the verification of identity that currently depends on social security numbers, bank account numbers, and drivers’ licenses. And without access to these numbers, identity criminals would have a difficult time committing their crimes.167

161 Gercke, supra note 2579, at 1.
162 Id. at 2.
163 Id.
164 Id. at 3.
165 Lawson & Lawford, supra note 2660, at 40.
166 Heller, supra note 2698, at 99.

7.17.2 Fingerprint Identification Technology

Fingerprints have been used for some time as unique identifiers by forensic scientists. The technology relies on the distinctive patterns of arches, loops, and whorls on the skin of fingertips, which are unique to each individual and which never change. Currently, fingerprinting identification technology has been computerized, making it even easier to use in criminal cases.168

7.17.3 Retinal Scan Identification Technology

The retinal scan technology involves taking a photograph of the inside of the human eye to display the blood vessel layer at the back of the eyeball. The eyes of every individual have unique features, so these scans provide a reliable and very accurate method for verifying a person’s identity. However, the technology is expensive, and so it has been limited to use at high-security government and military installations.169

7.17.4 Bioverification Systems

Bioverification systems use an individual’s genetic make-up to verify his or her identity. It has been suggested that the United States Congress encourage the adoption of bioverification systems.170 Privacy advocates in most countries have expressed strong objections to the general use of biometric technology for identification purposes.
Arguments against the technology usually cite the potential misuse of private information that is held in a large, centrally controlled database. Supporters of biometrics say that there would be no central storage of the information, since the biometric data would only be encrypted and placed on a credit card, for example, and function as a “lock” on that card. No one could use it without the verification of identity offered by matching a stored retinal scan or fingerprint.171 Since no third party could access the biometric information, the chances of its misuse are eliminated.

167 Id. at 105.
168 Id. at 104.
169 Id. at 105.
170 Id.

7.17.5 Biometric Passports and National Identification Cards

Supporters of biometric technology have proposed the creation of two documents that make use of the concept: the biometric passport and the national identification card. Both of these documents have their share of critics. Canadian authorities have responded to pressure from the United States and the United Nations’ International Civil Aviation Organization and decided to improve national security via the introduction of biometric passports.172 The Canadian federal government changed the law to allow the Passport Office to convert personal information on a passport into a “digital biometric format.”173 Canada is also investigating the creation of a national identity card, which could reduce the number of identity crime cases in the country. Critics of the card say it could actually make the problem worse, since national ID cards obtained in a fraudulent manner would be very difficult to challenge, and victims would have an even more difficult time being compensated for damages in these cases.174 Critics of biometrics have noted that a biometric identification card is only as good as the papers required to get it. If these documents are fraudulent, the biometric elements mean nothing in terms of security.
An identity crime expert in the United Kingdom suggested that there would be no way in which false information could be brought into question once “more reliable” fake identification documents become available.175 Canadians have also expressed concern about the potential for expanding the scope of a national identity card, and they have shown strong opposition to the idea of a mandatory “universal identifier.”176 The cost of implementing a national ID system and whether such a system would offer an acceptable balance of personal privacy versus national security have also raised concerns in the Canadian public.177
171 Id. at 106–07.
172 CIPPIC, Policy Approaches, supra note 2557, at 12.
173 Id.
174 Lawson & Lawford, supra note 2660, at 41.
175 Id. at 40.
176 Id.
177 Id. at 41.
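The following Python example is added here and is not from the book. It models the two positions in Sections 7.17.4 and 7.17.5: the card-held template acting as a “lock” that a reader checks with no central database, and the critics' objection that a biometric card is only as good as the documents accepted at enrollment. The 256-bit templates, the 0.32 match threshold, the issuer key, the sample names, and the use of an HMAC tag in place of the encryption the text mentions are all assumptions of the example.

```python
"""Card-local biometric matching and its enrollment weak point (constructed data)."""
import hashlib
import hmac
from dataclasses import dataclass, replace

BITS = 256
THRESHOLD = 0.32                 # assumed maximum fractional Hamming distance for a match
ISSUER_KEY = b"demo-issuer-key"  # placeholder; a real key would sit in protected hardware


def template_for(label: str) -> int:
    """Constructed stand-in for a 256-bit iris or fingerprint feature code."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big")


def noisy(template: int, flipped_bits: int = 20) -> int:
    """Simulate sensor noise: the same person never yields identical bits twice."""
    mask = 0
    for i in range(flipped_bits):
        mask |= 1 << (i * 13 % BITS)   # 20 distinct bit positions
    return template ^ mask


def distance(a: int, b: int) -> float:
    """Fraction of bits that differ between two templates."""
    return bin(a ^ b).count("1") / BITS


@dataclass(frozen=True)
class Card:
    identity: str   # the name the issuer printed on the card
    template: int   # reference biometric, stored only on the card
    tag: bytes      # issuer MAC binding the name and the template together


def _tag(identity: str, template: int) -> bytes:
    msg = identity.encode() + b"|" + template.to_bytes(BITS // 8, "big")
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()


def enroll(identity: str, documents_accepted: bool, sample: int) -> Card:
    """Issuer step: the only identity proofing is the supporting-document check."""
    if not documents_accepted:
        raise PermissionError("supporting documents rejected")
    return Card(identity, sample, _tag(identity, sample))


def verify(card: Card, live_sample: int) -> bool:
    """Reader step: no database lookup, only the card contents and the live sample."""
    if not hmac.compare_digest(card.tag, _tag(card.identity, card.template)):
        return False   # name or template was altered after issuance
    return distance(card.template, live_sample) <= THRESHOLD


def scenarios() -> dict:
    alice, mallory = template_for("alice"), template_for("mallory")
    card = enroll("Alice Example", True, alice)
    rewritten = replace(card, template=mallory)   # stolen card, template overwritten
    # Fraudulent documents in Alice's name were accepted by the issuer.
    fraudulent = enroll("Alice Example", True, mallory)
    return {
        "holder_with_own_card": verify(card, noisy(alice)),
        "thief_with_stolen_card": verify(card, noisy(mallory)),
        "thief_with_rewritten_card": verify(rewritten, noisy(mallory)),
        "impostor_enrolled_as_victim": verify(fraudulent, noisy(mallory)),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:30} accepted={accepted}")
```

The last scenario is accepted because the reader can only confirm that the live sample matches what the issuer bound to the name, so the control that decides that case is the document check at enrollment.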
7.17.6 Cryptographic Systems

The implementation of modern cryptographic systems has allowed for the widespread use of payment card technology. The international community has been at the forefront of using digital signatures and other measures designed to reduce identity fraud in business transactions. Technical measures are viewed as necessary by businesses that want to ensure global security. Without workable security technology, some elements of which are controlled by users, security measures applied in one nation would be ineffective in another, or prevent legitimate users from participating on an international level.178

7.17.7 Geolocation

Geolocation technology identifies the actual geographic location of the computer from which someone accesses the Internet. In the case of an online order, geolocation lets businesses know the exact location of the customer. The technology also provides data that can be compared to other order information and rules developed to help in calculating the risk of fraud associated with a given transaction.179 Leveraging the intelligence of IP within a framework of fraud prevention measures, businesses can link the virtual environment with physical features and make decisions in real time about how valid or “real” an online customer may be.180

A significant problem for governments and businesses that want to implement new technologies to prevent identity crime is the fact that, while technologies and applications continually improve, the techniques used by offenders also evolve and adapt to them. Therefore, public and private sectors must be committed to putting resources toward new preventive measures as soon as existing methods are compromised.181

7.18 Training Programs and Initiatives
The United Nations has made several recommendations designed to prevent identity crime that highlight the importance of effective training programs for law enforcement, government, and private sector personnel. In its manual on the prevention and control of computer-related crimes, the UN recommends improved training efforts implemented via closer cooperation between federal and state governments and the international community.182 The UN also recommends better training in identity-related crime for investigators and prosecutors, as well as the need to provide technical aid to developing countries in this area.183 Collaboration among the agencies created to fight fraud, money laundering, corruption, terrorism, and cybercrimes should be encouraged for developing appropriate training materials and information about these crimes. Training materials should then be disseminated to investigators and prosecutors and to individuals working in the private sector in positions where they could prevent identity-related crimes.184

178 U.N. Draft 1 Short Version, supra note 2613, at 49–50.
179 Fraud Prevention for Online Merchants and Building e-confidence for online customers, supra note 2565.
180 Id.
181 U.N. Draft 1 Short Version, supra note 2613, at 49–50.

In 2007, the President’s Identity Theft Task Force made several recommendations for training law enforcement officers and prosecutors in regard to identity-related crimes. One of these recommendations involved creating a comprehensive course at the National Advocacy Center that focused only on identity crime. The course was designed to include:
A. A discussion about the scope of problems associated with identity crime
B. A review of all laws applicable to the crime as well as sentencing guidelines
C. A description of investigation techniques and methods of presenting court cases
D. Training on handling the specific needs of identity crime victims
E. Ways to use collective resources like task forces and working groups.185

Another recommendation by the President’s Task Force was to increase the number of regional, educational seminars on identity crime, with participants coordinating their programs with the Task Force in order to develop timely and targeted training materials.186

Law enforcement personnel need greater Internet access to informational resources on identity crime. There is an identity crime clearinghouse (www.idtheft.gov) that is designed as an online portal to give law enforcement agencies access to educational materials on identity crime investigations and methods for responding appropriately to victims of the crime.187
182 International Review of Criminal Policy, supra note 2556, at 2.
183 U.N. Draft 1 Short Version, supra note 2613, at 22–23.
184 Id.
185 The President’s Identity Theft Task Force, supra note 2555, at 69.
186 Id.
187 Id. at 70.
The Task Force also suggested a review of all course curricula in training programs for identity crime in order to improve methods and materials. Federal investigating agencies can conduct reviews of their own training materials and those provided at the Federal Law Enforcement Training Center. This will ensure that courses and materials offer the most useful identity crime training available.188

An issue raised by a United Nations study on identity crime training for investigators and prosecutors is the need for training and technical help in developing countries so that they might address identity crime appropriately.189 Training in developing nations should address the large variety of economic identity fraud committed, the sophistication of identity criminals, the issue of transnationality, and the criminalization of identity crime.190 Training programs should also include multidisciplinary materials for investigators, so that they can become well versed in areas such as accounting and commercial financial systems. Investigators need information about impersonation and forgery, as well as a nation’s identity infrastructure and the systems that support it.191

In the United States, the Federal Information Security Management Act of 2002 (FISMA) is the chief law applied to the federal government’s information security and protection of personal information. It requires federal agencies to develop and implement agency-wide information security programs and specifically requires that these programs include security awareness training for all personnel, including agency contractors and any other users of the information systems that are used to support agency operations.192

7.19 Meeting the Challenges of Identity Fraud Prevention
In order to meet the challenges presented by the ever-growing threats associated with identity crime, a comprehensive domestic and international strategy to address the problem must be implemented. In the United States, a framework for the construction of a strategic plan requires a strong commitment from the federal government to provide direction and funding.193

188 Id.
189 U.N. Draft 1 Short Version, supra note 2613, at 22.
190 Id.
191 Id.
192 Information Security, supra note 2560, at 2–3.
193 Gary R. Gordon et al., supra note 2601, at 39.

The plan’s elements will work together to provide the research, analysis, data, regulations, and development required to manage identity fraud by making fraudulent documents useless. The plan will:194
A. Obtain a strong commitment from the highest levels in the federal government
B. Create a central information database of incidents of identity fraud
C. Develop a national agenda for identity fraud research
D. Create enhanced networks for the sharing of information
E. Perform a study of current laws, regulations, and policies
F. Improve the protection of individual privacy and ownership of information
G. Improve systems for sharing information

7.20 Evaluating Identity Crime Prevention and Impact Minimization Techniques
As a method of evaluating identity crime prevention and impact minimization techniques and strategies, this chapter earlier (Paragraphs 7.1, 7.1.1, and 7.1.2) introduced the Identity Crime Model Approach (IDCMA) and again highlighted the need to identify threat agents. These approaches can be used individually or in combination to develop a cohesive plan for identity crime prevention and impact minimization. These approaches focus on the techniques that should be developed to prevent the discovery and use of identity information and/or documents sought to be acquired by criminals. This approach emphasizes prevention, the actual commission of the crime, and the perceptions of the criminal in regard to the crime. All users of the table at the end of this chapter should use at least one approach to 1) evaluate, and 2) construct, a prevention strategy, unless resources are adequate for pursuing both approaches.

The IDCMA approach is based on the following five components: Acquire, Produce, Transfer, Possess, and Use. The primary goal of this approach is to focus on developing a strategy that will prevent the acquisition of identity documents or information, and if criminals succeed in obtaining that information, prevent the information or documents from being manipulated, transferred, trafficked or used in any other way for gain.

194 Id.

The identification of threat agents (as described in Chapter 4) is also a way to develop a prevention/minimization strategy. This approach will succeed if all the threat agents are identified and if a strategy is created to reduce the potential threat. A potential victim of identity crime should take whatever advance action is necessary to deter the criminal from committing the crime. A threat assessment will enable an individual or organization to anticipate the occurrence of identity crimes in their midst.195

7.21 Conclusion
Identity-related crimes have reached epidemic proportions. This makes it imperative that individuals, businesses, and governments devise techniques and tactics to reduce their own vulnerability to identity crime. This chapter has focused on what individuals and organizations can do to prevent identity crime. Specifically, they need to follow an identity-crime-specific approach to decide upon the right strategies to prevent identity crime,196 and engage in threat agent assessment and analysis197 to determine where resources should be spent. They should create a broader framework that can be used to evaluate the various prevention strategies. Instead of simply providing another list of methods, of which there are already a large number, evaluating these methods to determine which offer the highest success rates is a useful exercise. After evaluating the methods and finding the best among them, organizations will benefit from implementing the chosen methods. This chapter attempts to provide real tools to aid governments and businesses with real solutions to preventing identity crimes. Specifically, the Identity Crime Model Approach (IDCMA) and/or the strategy of identifying threat agents should be used in evaluating and constructing different identity crime prevention and impact minimization strategies. The table below is a useful tool designed to assist any organization in this evaluation process. The evaluation will be aided, of course, by a consideration of the variables discussed in Chapter 4 that directly or indirectly affect a threat agent.

195 Id. at 1.
196 Such strategies as the Identity Crime Model Approach (IDCMA) and the Identity Crime Threat Agent Approach (IDCTA) are discussed more fully in Chapters 3 and 4.
197 Discussed in Chapter 4.
7.22 Appendix: Table of Identity Crime Prevention and Impact Minimization Techniques

This table presents an opportunity for individuals, businesses, or governments to select the Identity Crime Model Approach (IDCMA) and/or the Identity Crime Threat Agent Approach (IDCTA) as a means of identifying the various methods they might use to prevent identity crime. See Paragraph 7.20 in Chapter 7 for a more detailed explanation of how this table should be used.

Identity Crime Prevention and Impact Minimization Techniques | Identity Crime Model-based Approach: Component(s) | Identity Crime Threat Model-based Approach: Threat Agent(s), Variable(s)

Authentication
Two-factor authentication
Consumer education
Business policies to address identity crime
The Business Physical Plant
Protect tangible assets in the physical plant from natural and man-made disasters
Strengthen business policies governing security personnel and computer systems during planning
Create consistent policies for checking employee/service personnel ID for access to restricted areas
Identification management
Gathering information
Sharing information
Public-private partnerships
International cooperation
Criminalization
Using passwords or codes to access information
Posing specific questions to users to access information
Biometrics
Understanding weaknesses of databases
Using PINs to access information
Real-time authentication at credit bureaus
Make it more difficult for identity criminals to get a credit report
Require credit bureaus to keep a record of who receives a credit report
Display only the last four digits of an account number when pulling a credit report
Don’t collect any more personal information than is necessary
Don’t store unnecessary information
Use the principle of data minimization
Reduce the number of locations in which data is stored
Review data minimization policies annually
Minimize access to sensitive information by employees and clients
Create written security policies governing document management
Ensure appropriate disposal of sensitive documents
Follow best practices for protecting employee and client records
Create risk-based policies to reduce security risks in the information environment
Follow NIST standards on the kinds of information and data systems included in risk categories
Use data encryption on mobile devices
Create a core management group to respond to security breaches involving sensitive information
Encrypt data in storage facilities and while it is in transit to these facilities
Use fraud detection software and online security programs
Construct computers with chips assigning permanent and unique identifiers
Construct laptops with built-in encryption
Create and implement organizational guidelines to govern the security of identity data
Use two-factor authentication for transactions conducted via phone or computer
Send dual confirmation of customers’ changes of address
Limit access to non-public information to key personnel
Monitor external websites regularly for questionable practices
Audit website protection systems for effectiveness periodically
Provide educational materials about identity crime on corporate websites
Make it more difficult for employees to steal sensitive information
Banks should require passwords for every withdrawal of funds, even in-person withdrawals
Clearly define the security duties of individual employees
Assign security responsibilities among employees appropriately
Conduct thorough background checks on potential employees
Create a positive work environment to decrease workers’ motivation to engage in activities targeting the employer
Provide employees with information about the actual consequences of identity crime on victims
Form a team of internal stakeholders recruited from security, customer service, IT, operations and risk management departments to take proactive action against ID crime
Create business procedures that identify security risks
Create business procedures to implement controls on communications
Ensure the security of computer hardware and software
Clearly designate restricted areas
Use electronic screening technology, encryption, or computers designed for specific purposes to control communication breaches
Create and test a disaster recovery plan
Test and evaluate the effectiveness of information security measures annually
Develop safer processes for changing physical mail addresses and/or redirecting mail to a second address
Monitor and analyze the use of transactions related to identity to identify suspicious actions by users
Create procedures for detecting, reporting, and responding to breaches of data security
Encrypt backup tapes
Hold shippers, vendors, and offsite storage facilities to the same security standards as the business using their services
Involve risk managers in assessing contracts and insurance arrangements
Use the services of security assessment firms to conduct security reviews of vendors
Use geolocation technology
Use a three-step information-based identity authentication program that validates identifying data, verifies it, and authenticates it by determining the probability that an identity is real
Invest in technology and implement system-wide standards to create consistent digital environments
Rely on the business community as the first line of defense against identity crime
Use the Graph Theoretic Anomaly Detection (GTAD) program to find high-probability frauds
Select vendors that handle sensitive personally identifiable information carefully
Ensure all vendors have appropriate data security programs
Carefully vet payroll companies, software firms, and benefits organizations
Ensure that contractors handling sensitive information follow relevant privacy laws
Create strong security policies to govern procurement activities
Educate potential victims of identity crime about the crime and steps they can take to avoid it
Use public awareness campaigns that target specific segments of society, like seniors or children
Provide education programs on identity crime to individuals in positions to identify, report and/or prevent the crime
Train key employees to recognize fraud in areas that present potential identity crime targets
Train consumers to be stingy in giving out their personal information to others
Educate consumers to ask for an annual copy of their credit reports
Educate consumers to maintain accurate records of all banking and financial accounts
Educate consumers about the benefits of computer firewalls and encourage them to install the software
Educate consumers to dispose of financial statements appropriately by shredding the documents
Do not carry a Social Security card in a wallet or write it on a check
Do not provide personal information over the phone, through the mail, or over the Internet unless the recipient is known
Do not click on links in unsolicited e-mails
Do not use obvious things like birth date to create a computer password
Keep financial information in a safe place in the home
Monitor financial accounts and billing statements regularly for unexpected charges or activity
Cooperation between state and federal governments
Reduce the use of Social Security numbers as identifiers
Standardize the use and display of Social Security numbers by federal agencies
Limit the periods of time in which identity documents are valid
Impose more stringent renewal requirements on identity documents
Make identity documents more difficult to alter
Keep identity documents safe during transit to delivery locations
Create identity cards that incorporate technology designed to thwart forgery
Develop consumer education programs focusing on damages associated with medical identity crime
Expand individuals’ right to correct mistakes in medical history
Give individuals the right to receive a free copy of their medical files
Provide individuals with the right to obtain an accounting of the disclosures made of their medical information
Conduct research to determine the scope of medical identity crime and how/where it occurs
Notify consumers of all breaches in the security of medical data
Institute cooperation between identity crime victims and law enforcement officials
Encourage victims of identity crime to report the crimes
Law enforcement should collect and analyze victim-related information to spot new trends in the crime
Law enforcement should adapt detection methods to the evolution of identity crimes
Understand the motivations of identity theft criminals
Make it more difficult for identity thieves to acquire personal information
Remove the excuses/justifications of identity thieves for committing the crimes
Educate identity criminals about the real damages their crimes do to victims
Make it more difficult for employees to steal identity information
Banks should be more aware of the behaviors of people who enter their facilities
All retail establishments must check customer identification in a consistent manner
Make employees aware of the real consequences of identity crime for victims
Place messages in stores and banks to make offenders aware of victims
Encourage offenders to stop their criminal activity by requiring those convicted to attend cognitive-based programs designed to remove excuses
Publicize the potential legal consequences for those who commit identity crime
Use situational crime prevention techniques like neutralization
Make potential identity criminals aware of the consequences of being caught
Add enhancements to national and international laws to provide for the criminalization of identity crime
Countries should modernize systems to address identity crimes committed using the telephone, e-mail, Internet and other telecommunications technologies
Countries should work to ensure that jurisdictional rules reflect the evolution of identity fraud
Nations must cooperate to ensure identity crimes are prosecuted in the country best positioned to handle the prosecution in cases of overlapping jurisdiction
Countries must obtain technical assistance to ensure they can handle complex international fraud cases
Nations must ensure that their investigative capabilities are capable of providing aid to other countries that may not be able to prosecute identity crimes themselves
All countries must cooperate to address the transnational dimension of identity crime
Law enforcement agencies need to find methods for assessing their effectiveness in identifying and prosecuting identity crimes
Collect and analyze statistically reliable information from identity crime victims
Expand the National Crime Victimization Survey to include information on the nature and consequences of identity crime for victims aged 12 and older
Review data from the case of the U.S. Sentencing Commission related to identity crime every two years
Track prosecutions of identity crime cases and the resources applied to them
Conduct surveys in specific law enforcement areas to ensure continual improvement
Rewrite federal criminal laws to ensure an increase in sentences when more than one identity victim exists
Amend federal criminal statutes to include actions that recur in identity crime cases, such as mail theft, tax fraud, spyware, and phishing
Apply existing laws to cases of computer-related identity crime
Place identity crime and other cybercrimes under RICO statutes
Provide victims with monetary compensation for financial and emotional damages
Develop skills in law enforcement personnel to respond effectively to the dynamic challenges of computer technology
Create a centralized database of identity-related crimes and the investigations performed in these cases on a state-by-state basis
Improve the security of the postal system
Develop more stringent rules for obtaining identity documents
Improve the security of change-of-address requests
Provide public education programs focused on the security of the mail
Implement a national identification card
Pass a single federal law to regulate the use, display and disclosure of Social Security numbers
Conduct a complete review of the use of Social Security numbers
Provide guidance on the use of the Social Security numbers
Create a clearinghouse for agency practices designed to minimize the use of Social Security numbers
Encourage cooperation between federal, state, and local governments to review the use of Social Security numbers
Share information about identity crimes and criminals among law enforcement authorities in the public and private sectors, domestically and internationally
Share technical identity crime information with developing countries so they can create strong domestic prevention programs
Financial services organizations and credit reporting agencies must share identity data with law enforcement
Create a standard format for sharing identity crime intelligence
Implement secure methods for sharing identity crime information
Improve communications between the public and private sectors
Encourage research on identity crime
Use the Palermo Convention as the legal basis for international cooperation on identity crime
Address the limited ability of law enforcement agencies in one country to conduct their identity crime investigations in other countries
Encourage all countries to pass laws to specifically criminalize identity crime
Encourage other countries to follow the Convention on Cybercrime
Identify nations that are “safe havens” for identity thieves and work to eliminate these havens
Improve the ability of the U.S. government to respond to foreign requests for evidence in identity crime cases
Train and support foreign law enforcement agencies
Enact laws that balance individual privacy rights with international law enforcement needs
Form public-private partnerships to facilitate knowledge sharing on identity crime
Enhance the security of consumer credit card information by improving identity verification techniques
Work with the Post Office to monitor deliveries to vacant buildings and suspiciously diverted mail deliveries
Implement inter-operable technology to allow information about identity crimes to be shared more effectively
Partner businesses with local motor vehicle administrations to prevent identity crime using driver’s licenses
Send alerts from the private sector to the Internal Revenue Service, passport office, or central medical database when an individual becomes a victim of identity crime
Use Internet-based technology and services like E-Verify to determine whether new hires have provided accurate and real information
Use biometric verification methods
Limit the publication of sensitive personal information
Use bioverification measures on all cash or credit transactions
Use retinal scans for verification
Use fingerprint identification technology
Implement biometric passports and national identification card programs
Implement cryptographic systems in payment card technology
Use geolocation technology to determine the real physical location of computer users
Improve training programs on identity crime in the public and private sectors
Improve training for prosecutors and investigators in regard to identity crime
Increase the number of regional educational seminars on identity crime
Provide law enforcement with better Internet access to information resources on identity crime
Review all training materials to ensure they keep up with changes in how identity crime is committed
Address the wide variety of economic identity fraud and the sophistication of identity thieves in educational materials
Encourage a multidisciplinary approach to training for investigators in the identity crime field
Construct a framework for analyzing the effectiveness of methods designed to prevent identity crime
Obtain strong commitment from high-level federal government officials for identity crime prevention analysis
Create a central information database of identity crime cases
Create enhanced networks for sharing information among relevant parties
Perform a study on current laws, regulations, and policies applied to identity crime
Improve the protection of individual privacy and ownership of information
Improve systems for sharing information
Chapter 8
Privacy, Anonymity, and Identity Crime
Introduction
Privacy is a much larger issue than can be discussed here in its entirety, so this chapter will focus on privacy as it relates to identity crime. It will also discuss the technologies available to address privacy and identity crime and how effective these technologies might be in enhancing privacy and preventing identity crime.
Privacy comprises many interrelated philosophical, legal, and technological matters, and it is difficult to disentangle one issue thread from the others. Merely finding a standard definition of privacy is problematic. As a general rule, privacy, as U.S. Justice Louis Brandeis defined it, is “the right to be left alone.”1 In 1965, the Supreme Court justices described privacy “as a ‘penumbra’ of other rights.”2 Privacy has been described as a chameleon-like property that holds special nuances depending on the interests to which it is applied. Privacy has even been described as a “concept that is in disarray.”3 Privacy technology is universally applicable, but conceptualizations and expectations of privacy differ according to nationality and/or culture.4 Privacy cannot be understood separate from a society. Privacy is a socially created need; there would be no need for privacy if there were no society.5
In the United States, protection of consumer privacy relies on self-regulation by industry with minimal legislative or administrative regulation. In contrast, the European Union relies more on legislating privacy protection, and the EU’s Data
1 Through the Keyhole: Privacy in the Workplace, an Endangered Right, ACLU (July 26, 1998), https://www.aclu.org/technology-and-liberty/through-keyhole-privacy-workplace-endangered-right.
2 Dan Jeffers, Privacy, Anonymity and Identity Part III: Types of Privacy, Mobility Labs (Sept. 10, 2013), http://mobility-labs.com/2013/privacy-anonymity-and-identity-part-iii-types-of-privacy; see also Griswold v. Connecticut, 381 U.S. 479 (1965) (discussing how the specific guarantees of the Bill of Rights have penumbras “formed by emanations from those guarantees that help give them life and substance,” and that the right to privacy exists within this area).
3 Daniel J. Solove, A Taxonomy of Privacy, 154 U. Pa. L. Rev. 477, 477–78 (2006) [hereinafter Solove, A Taxonomy of Privacy].
4 Information Commissioner’s Office, Privacy by Design 6 (2008).
5 Solove, A Taxonomy of Privacy, supra note 2749, at 484 (quoting Barrington Moore, Jr., Privacy: Studies in Social and Cultural History 73 (1984)).
© Koninklijke Brill NV, Leiden, 2020 | DOI:10.1163/9789004395978_009
Protection Directive of 1995 imposes significant regulations on the sale and purchase of personal data. Organizations in the EU are obligated to collect data solely for specific and legitimate reasons, and they may store only the data that is accurate, relevant, and up-to-date. EU citizens have a guaranteed right to access their personal data, correct any mistakes in the data, and refuse the use of their personal information for direct marketing purposes. If unlawful processing of their data occurs, they are guaranteed a right of recourse.6 The concept of information privacy in the EU is based on the idea of data protection and the application of privacy principles to the processing of personal information. The United Kingdom’s Data Protection Act (DPA) implements the EU’s Data Protection Directive. Under the UK law, those who process personal information must comply with a series of principles that ensure the data is handled legally and fairly.7
In an illustration of how people in different cultures feel about their personal privacy, a 2013 survey found that, in India, 72 percent of the respondents were willing to provide more personal information to banks if it would simplify their financial management. Approximately 88 percent of Indian consumers surveyed said they would provide a fingerprint or other biometric to their bank to verify transactions to protect themselves from identity theft. Ninety-four percent of consumers in China were willing to provide biometric measures of verification, but only about 33 percent of consumers in Japan were willing to accept biometric identification technology.8
For all of its vagueness, the concept of privacy remains closely associated with identity, and the technologies designed to protect privacy are related to the technologies meant to protect individuals from identity crime. For example, identity technologies are used by organizations to link specific information to a specific individual. From an identity crime perspective, the best of these technologies provide more privacy for the individual and protect against the risk of identity crime, while the worst allow personally identifying information (PII) to be gathered, duplicated, and exposed by unauthorized parties or fail to protect the data from inadvertent data breaches. Organizations that
6 Debra A. Valentine, Symposium Review, Privacy on the Internet: The Evolving Legal Landscape, 16 Santa Clara Computer & High Tech. L.J. 401, 416 (2000).
7 Id. at 416.
8 Indians More Willing to Share Personal Info than Others: Study, Hindustan Times (India), May 19, 2013, http://www.hindustantimes.com/News-Feed/PersonalTech/Indians-more-willing-to-share-personal-info-than-others-study/Article1-1062483.aspx.
do not acknowledge the connection between identity technology and privacy are at risk of serious data loss.9
The ease of collecting, storing, and disseminating the personal information of consumers, and the low cost of doing so, has both positive and negative aspects. On the positive side, the ability to collect, process, and share information over the Internet offers consumers many benefits, such as establishing personal preferences when visiting websites and receiving recommendations for products or services based on their browsing history. On the negative side, the same collecting and storing of the personal information available online represents a threat to individual privacy. Sometimes, the uses made of consumers’ information can be intrusive. This is the case when private data is widely shared, when inaccurate information remains in circulation, or when PII is used by identity criminals to target their victims.10
The language of privacy and identity is complicated, and while a taxonomy is developing,11 disagreements about terminology continue to plague privacy experts. Without a standardized vocabulary with which to talk about privacy and identity, an environment is created in which the owners of systems and system managers approve specifications without sufficient attention to either privacy or identity. The confusion that results in the interchangeable use of terms like “identification”, “verification”, “authentication” and “authorization” only complicates matters further and even leads to the implementation of systems that collect personal information that isn’t really necessary for the purpose at hand.12
The technologies applicable to identification, verification, authentication and authorization are all critical for protecting privacy and preventing or reducing identity crime. When these technologies fail, there is an increased potential for an inadvertent release of PII or intentional hacking to obtain sensitive information.
In terms of identity crime, the primary goal is always to protect PII from being released or accessible to unauthorized parties through a data breach or data leakage. Privacy can be applied as a tool to help in minimizing the occurrence of these events. The more general term “data loss” incorporates data leakage, which is used to denote release of or access to sensitive data by mistake, and data breach, which refers to hacking or intrusion activities. Data loss represents a significant problem for individuals, businesses, and governments worldwide. According
9 Information Commissioner’s Office, Privacy by Design 7 (2008).
10 Valentine, supra note 2752, at 402–03.
11 Solove, A Taxonomy of Privacy, supra note 2749, at 477.
12 Information Commissioner’s Office, Privacy by Design 12–13 (2008).
to research surveys,13 over a billion individuals around the world were affected by data loss between 2007 and 2012. Nearly 700 million people were victimized by hacking in 2012 alone. Sixty percent of all data loss in 2012 and 75 percent of data loss in the retail sector was attributed to hacking. In the same year, the technology sector experienced 26 percent of the total number of individuals affected by data loss. Additional statistics from 2012 show that the insurance sector was at the greatest risk of data loss through social engineering and system/human error, while the government, education, and technology sectors suffered the highest number of data loss cases. Data loss involving third parties was most common in the technology sector. PII was the most common type of data lost in 2012.
8.1 The Identity Crime Privacy Model
The Identity Crime Privacy Model was developed to show the interaction of identity crime, privacy, and anonymity. While these concepts may overlap, the differences between them also sometimes place them in conflict with one another, and so they have been treated as separate matters of study. The Model illustrates four specific outcomes that can be impacted by privacy and privacy-related technology solutions. When designing or implementing a privacy solution, businesses and governments should consider whether the technology will:
a) Increase privacy while decreasing identity crime
b) Decrease privacy while increasing identity crime
c) Increase privacy while also increasing identity crime
d) Decrease privacy while also decreasing identity crime
The model reflects the peculiar impact that privacy solutions have on identity crime. The same approaches and technologies that enhance privacy may also put individuals at risk of identity crime. By consulting the Identity Crime Privacy Model, issues associated with privacy and identity crime, and the connection between these concepts and their related technologies, may be more clearly illustrated.
13 KPMG, Data Loss Barometer: A Global Insight into Lost and Stolen Information (2012), available at http://www.kpmg.com/UK/en/IssuesAndInsights/ArticlesPublications/Documents/PDF/Advisory/data-loss-barometer-2012.pdf.
Figure 6 Identity crime privacy model (diagram labels: “Increase Privacy / Decrease Identity Crime”; “Decrease Privacy / Increase Identity Crime”; “Decrease Privacy / Decrease Identity Crime”; “Increase Privacy / Increase Identity Crime”; axes “More Privacy” and “Less Identity Crime”; corner states “No Privacy or Provably exposed” and “Absolute Privacy or Anonymity”)
Each corner of the model represents one of the four outcomes. The top-right corner represents the state of absolute privacy or anonymity, while the top-left corner represents the extreme of having no privacy at all. Moving up along the dotted line on the left indicates a reduction in identity crime. Moving to the right along the dotted line at the bottom indicates that increasing privacy will ultimately lead to more identity crime and not less. The center line running diagonally from the bottom-left corner to the top-right corner illustrates movement toward “utopia” for identity protection promoters and privacy advocates. The dotted red line that begins in the middle of the square is meant to illustrate the attempt to reach the ultimate but impractical goal of perfect privacy.
Paradoxically, the effect of privacy technologies on identity crime reaches a counter-intuitive point somewhere along the diagonal center line in the model. While attempting to increase privacy in order to decrease identity crime, the imposition of more privacy actually begins to increase identity crime. In the model, this point is located in the center for illustrative purposes; after this point, the black line, which drops to the lower-right corner, indicates that increasing privacy also increases identity crime. In practice, the point at which diminishing returns on privacy technology are reached will differ with every organization and industry.
Generally, when attempting to provide protection from identity crime, the more information provided for verification the better, but the need for the privacy of the individual must be balanced with the level of security actually required by a facility or organization. For example, a high level of security is required at a nuclear plant because of the potentially disastrous consequences if the wrong people are given access to sensitive information or processing areas. A bank does not need the same level of security when opening a new account for a customer, and no wide-ranging life-or-death issues are in the balance when an individual applies for a loan or credit card. This means that a privacy policy for the nuclear plant will utilize identification and verification methods that may be considered more intrusive to the individual, such as those provided by biometric technology, in addition to the more traditional identification methods (driver’s license, Social Security number, etc.). The privacy policy at a bank may also rest on traditional forms of identification, along with a series of knowledge-based questions easily answered by the account holder. A retail store may ask for a photo ID before accepting a credit card for a purchase, but it is unlikely to require costly biometric identification.
Measures have already been developed to help balance the two interests. For example, when protecting PII, companies can implement appropriate privacy enhancement technologies (PETs) or follow fair information policies (FIPs), and biometrics may offer better and cheaper solutions in the future.
The use of knowledge-based verification has fast become standard practice and is extensively used by public and private sector organizations. Even the U.S. Internal Revenue Service has implemented an identification and verification system based on knowledge-based answers (KBA). Providing the correct answers to these questions allows taxpayers to obtain past tax returns and to access other useful information. While it is beyond the scope of this paper to evaluate the feasibility of KBA, it is useful to note that using publicly available data to gain access to sensitive tax information may expose users to the risk of identity theft. The convenience to users of KBA should be balanced with the easy availability of answers that can be obtained by sophisticated identity thieves and that provide data aggregators with ever-more data with which to profile individuals for marketing and other purposes.
KBA is currently an important technique for verifying and authenticating people, but it relies on the exploitation of people’s personal information in the public realm and credit reports. Without this exploitation, however, its usefulness is lost. Therefore, if concerns about privacy eliminate the availability of this data for KBA verification purposes, we will continue to struggle to verify and authenticate people particularly in faceless transactions. In the future, we
might confront a similar dilemma with any new methods used for this purpose, but we must always remember that the goal is to implement privacy policies and systems that are the least intrusive to individuals yet provide adequate verification measures for business and government entities.
Even if it were possible to achieve perfect privacy, identity crime would not be totally eliminated because there are more variables associated with the commission of identity crime than are found in computer technology or on the Internet. Much identity crime still relies on physical actions like dumpster-diving or the theft of physical identity materials (credit cards, documentation, etc.) by family members. No privacy-enhancing computer technology can address every variable that leads to identity crime.
Organizations should try to implement policies and systems that will enhance privacy while reducing the risk of identity crime. They should keep the goal of identity crime prevention foremost during the design phase. Preventing identity crime does not require (nor can it achieve) absolute privacy, but it does mean that sufficient attention is given to the identity crime potential inherent in the design of systems and policies. The Identity Crime Privacy Model represents an additional principle that can be added to the fundamental principles established in Privacy by Design.
From an identity crime perspective, privacy is a tool that can be used to prevent or reduce identity crimes. There is always tension between protecting privacy and maintaining data security. Data can be completely anonymous, or it can be useful. It can’t be both.14 It may appear as if the ultimate goal for a system would be achieving absolute or perfect privacy, but in practice, this approach would paralyze all interactions between people, commercial or otherwise, because no information/data about anyone could be exchanged. No commerce could be conducted. With total privacy and complete anonymity, there would be no way to verify that an individual truly is who he/she claims to be. This means that identity thieves would be protected, and legitimate users would at least be inconvenienced.
Instead of striving for absolute privacy, organizations should work to enhance privacy in ways that reduce the risk of exposing sensitive personal information to identity criminals. At present, businesses and governments approach identity crime prevention with strategies that increasingly erode individual privacy. This is the exact opposite of what is being suggested here. Here the goal is to use methods that will reduce identity crime by increasing individual privacy.
14 Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA L. Rev. 1701 (2010).
Businesses and governments are eager to promote their commitment to protecting individual privacy by implementing technologies they believe to be effective in this area and that will also reduce identity crime. However, they have other reasons for encouraging individuals to give up more and more of their private personal information. Businesses want more information so they can market their products and services more effectively, narrowly targeting consumers by interest, location, or financial status. Governments are interested in keeping track of their citizens for reasons that may be good, bad, or both. The policies and systems utilized by businesses and governments to protect identity are designed with multiple goals, and they may not always be the best ways to reduce identity crime.
Traditionally, violations of privacy have been viewed as invasive actions by particular people who directly harm their victims. The victims then suffer embarrassment, stress, or damaged reputations. In other words, no violation of privacy occurs until these types of injuries are manifested. Laws, therefore, are designed to respond when a home is invaded or an individual’s most closely guarded secrets are exposed. “In the traditional view, privacy is an individual right, remedied at the initiative of the individual.”15
This perspective on privacy faces serious challenges from computers and the Internet. Because privacy issues now involve the flow of information, the creation of “digital dossiers” about individual persons is possible. There is greater access to personal information and greater use of this information to make decisions with life-altering consequences. Data is disseminated on a wider basis among multiple entities, and the way personal data is used continually expands. There are also emerging partnerships between entities in the private sector that gather personal information and the governments and law enforcement officials with which they may share this data.16 These factors create a different kind of privacy problem, and they require a different way of thinking about privacy.
Because of the unique status of identity crime in the privacy technology discussion – that there is a tipping point at which more privacy leads to more identity crime – organizations must always consider how their policies and systems will impact the increase or decrease of identity crime. When making decisions about how to reduce identity crime, they should always consider how their efforts will affect privacy.
15 Daniel J. Solove, Identity Theft, Privacy, and the Architecture of Vulnerability, 54 Hastings L.J. 1227, 1229 (2002–03) [hereinafter Solove, Identity Theft, Privacy, and the Architecture of Vulnerability].
16 Id.
Numerous technologies have been developed to protect privacy. Many also have implications for identity crime. When viewed from an identity crime perspective, the critical elements of Privacy-Enhancing Technology (PET) are anonymity, identifiability, verification, authentication, authorization, and data leakage. Also integral to the discussion is Personally Identifiable Information (PII), which includes name, birth date, Social Security number, and other data that can be linked directly to a particular individual.
8.2 Fair Information Practices (FIPs)
8.2.1 Brief History of FIPs
The idea of establishing and following a set of Fair Information Practices (FIPs)17 dates from the 1970s, and the core elements of information privacy in international policies have been in place since then. They are internationally recognized as such and represent policies that underlie national laws that apply to data protection and privacy in the United States and other countries. They have evolved over time into different forms in different countries.
In 1973, FIPs were first proposed and named by the U.S. Department of Health, Education and Welfare (HEW) Secretary’s Advisory Committee on Automated Personal Data Systems in a report entitled Records, Computers and the Rights of Citizens. The committee was created in response to the increased utilization of automated data systems that stored personally identifying information about individuals, and devised an initial Code for Fair Information Practices for automated personal data systems. The original set of privacy safeguards proposed the following:18
1. There must be no personal-data record-keeping systems whose very existence is secret.
2. There must be a way for an individual to find out what information about him is in a record and how it is used.
17 Robert Gellman, Fair Information Practices: A Basic History 12 (2013) (explaining that the acronym “FIPPs” as an alternative to the more traditional “FIPs” was introduced by the United States Department of Homeland Security (DHS), and some other U.S. agencies and non-federal government organizations have adopted the DHS style), available at http://www.bobgellman.com/rg-docs/rg-FIPShistory.pdf. While there may be some differences between statements of FIPPs and the classic statement of FIPs, “the differences are no greater in degree or kind than differences among various statements of FIPs.” Id.
18 The Code of Fair Information Practices, Electronic Privacy Information Center, http://epic.org/privacy/consumer/code_fair_info.html (last visited Feb. 10, 2014).
3. There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent.
4. There must be a way for an individual to correct or amend a record of identifiable information about himself.
5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.
The Organization for Economic Cooperation and Development (OECD) revised these principles and developed an influential international document that addressed privacy. The Fair Information Practices may represent a generic form of privacy principles worldwide even if they may not reflect the specific standards required in particular situations.
Around the same time that the U.S. enacted the Privacy Act of 1974, European countries began to pass national privacy laws applicable to the public and private sectors. The policies contained in FIPs formed the basis for most national laws. Notably, in 1974, the Committee on Privacy (the Younger Committee) in the United Kingdom took an approach similar to that of the HEW in the U.S., but limited its policies to organizations in the private sector and did not address public entities that presented potential threats to privacy.19
The Privacy Protection Study Commission (PPSC) in the U.S. was inspired by the legislative work associated with the Privacy Act of 1974 to refine the five original HEW privacy protection principles into a list of eight principles. The OECD proposed similar policies for information practices and adopted “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” in 1980.20 The OECD principles differed somewhat from the HEW/PPSC principles, combining some and expanding others.
8.2.2 Comparison of HEW/EU and OECD Privacy Principles
There are many similarities in the HEW and OECD principles. The table below illustrates the similarities between the two sets of principles and the modifications made by the OECD to the HEW set.21
19 Gellman, supra note 2763, at 3.
20 Id. at 6–7.
21 The information in the table is based on Robert Gellman’s history of FIPs, supra note 2763, at 4–5, and on OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, OECD, http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm (last visited Feb. 10, 2014).
Table 24 Comparison of HEW and OECD privacy principles

Privacy Protection Study Commission (PPSC) 1974 / Organization for Economic Cooperation and Development (OECD) 1980

PPSC: Openness Principle. There shall be no personal-data record-keeping system whose very existence is secret and there shall be a policy of openness about an organization’s personal-data record-keeping policies, practices, and systems.
OECD: Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

PPSC: Individual Access Principle. An individual about whom information is maintained by a recordkeeping organization in individually identifiable form shall have a right to see and copy that information.
PPSC: Individual Participation Principle. An individual about whom information is maintained by a recordkeeping organization shall have a right to correct or amend the substance of that information.
OECD: Individual Participation Principle. An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

PPSC: Collection Limitation Principle. There shall be limits on the types of information an organization may collect about an individual, as well as certain requirements with respect to the manner in which it collects such information
OECD: Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

PPSC: Use Limitation Principle. There shall be limits on the internal uses of information about an individual within a record-keeping organization.
OECD: Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the Purpose Specification Principle] except: a) with the consent of the data subject; or b) by the authority of law.

PPSC: Disclosure Limitation Principle. There shall be limits on the external disclosures of information about an individual a record-keeping organization may make.
OECD: Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

PPSC: Information Management Principle. A record-keeping organization shall bear an affirmative responsibility for establishing reasonable and proper information management policies and practices which assure that its collection, maintenance, use, and dissemination of information about an individual is necessary and lawful and the information itself is current and accurate.
OECD: Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.
OECD: Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

PPSC: Accountability Principle. A record-keeping organization must be accountable for the record-keeping policies, practices, and systems it applies to personal data.
OECD: Accountability Principle. A data controller should be accountable for complying with the measures that give effect to the stated principles
Privacy, Anonymity, and Identity Crime

FIPs were the basis for principles developed by both the Council of Europe Convention and the OECD guidelines. These two organizations expanded and revised the original U.S. version of FIPs. The OECD’s Privacy Guidelines became the policy version cited most frequently by authorities in the years following their creation. In general, the guidelines proposed rights and remedies and assigned specific responsibilities to the keepers of data. Variations in privacy legislation reflecting differences in national circumstances were taken into account by the Council of Europe, the OECD, and the European Union, with a focus on harmonizing privacy standards among nations. These efforts prompted a growing interest in privacy in the business sector.22

The OECD issued a revision to its guidelines in 2013, the first since the original release in 1980. The revisions were prompted by calls in 2008 for a review of the guidelines to address “changing technologies, markets and user behavior, and the growing importance of digital identities.”23 The environment in which traditional privacy principles operate has changed since the initial OECD guidelines in regard to the volume of personal information collected, utilized, and stored; the scope of analytics addressing personal data that offer insights into trends, interests, activities, and movements of individuals and groups; the economic and social benefits enabled by new technology and the responsible utilization of personal data; the extent of threats to privacy; the variety of individuals/entities capable of either putting privacy at risk or protecting it; and the frequency and complexity of interactions associated with personal data that people are expected to understand and handle.24

8.2.3 Additional Versions of FIPs

As indicated above, the core concepts of FIPs have wide acceptance, but statements of FIPs by various authorities may look different, and the way FIPs are implemented in national laws varies according to country and sector. Different kinds of recordkeepers may also find a number of ways to comply with FIPs. In the U.S., shortened or incomplete FIPs versions have been offered by federal agencies and trade associations; for example, notice and choice may be presented as FIPs implementation, but do not meet FIPs standards.25 The table below26 includes some of the different versions of FIPs to appear over the years.

22 Gellman, supra note 2763, at 8.
23 OECD, OECD Privacy Framework 3 (2013), available at http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.
24 Id.
25 Gellman, supra note 2763, at 10.
26 This table was constructed from information available from the agencies listed and on the Gellman history of FIPs, supra note 2763. For a current list of current FIPs, see Current Federal Information Processing Standards (FIPS), NIST, http://www.nist.gov/itl/fipscurrent.cfm (last updated Sept. 9, 2013).
Table 25 Versions of FIPs by year

Year | Agency/Organization | Description
2000 | U.S. Federal Trade Commission (FTC) | The FTC recommended that business websites collecting personally identifying information about their online customers should be required to comply only with the “most widely-accepted” FIPs: notice, choice, access and correction, and security.
2008 | U.S. Department of Homeland Security (DHS) Privacy Office | The DHS version of FIPs implemented the first statutory reference to fair information practices. This version closely matches the eight principles included in the OECD, but includes the following differences: a) Replaces the OECD Collection Limitation Principle with a Data Minimization Principle; b) Moves elements of one principle to another, e.g., the DHS Individual Participation Principle includes the OECD provision of obtaining data with knowledge/consent of the individuals; c) Eliminates the requirement for fair and lawful means of data collection; d) Makes more specific implementation, such as requiring training for employees and contractors; and e) Adds a requirement that DHS specifically articulates the authority allowing collection of PII to the Purpose Specification Principle.
2011 | U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC) | This FIPs version appears to be the first of the FIPs specifically endorsed by the White House and extended by the White House to the private sector. With this version, NSTIC is looking to provide guidance to the private sector and to government agencies that participate in its recommended Identity Ecosystem for online identification and authentication.
2011 | U.S. National Science and Technology Council | This version builds on provisions of the Energy Independence and Security Act of 2007 and Obama Administration smart-grid investments to encourage long-term job growth, innovation, and savings for consumers. It is based on principles designed to secure the grid from cyber security threats.
2012 | U.S. Department of Commerce | Another White House version of FIPs, this time addressing consumer privacy in a report “A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy” that includes a Consumer Bill of Rights applying “globally recognized Fair Information Practices.”
2012 | U.S. Federal Trade Commission (FTC) | In a major privacy report, the agency indicates support of a framework “consistent with” the original articulation of FIPs principles. It also includes the principles of Privacy by Design, Simplified Choice for Businesses and Consumers, and Greater Transparency for collection and use practices of information.
2012 | U.S. Department of Health and Human Services (HHS) | The agency uses some form of FIPs as the foundation of its privacy policy regarding health technology and health privacy.
2013 | U.S. Executive Order on Improving Critical Infrastructure Cybersecurity | Executive Order 13656 was issued by President Obama and directs agencies of the federal government to share more cyber threat information with the private sector. It may be the first Executive Order to make reference to FIPs and uses the version in the previous White House NSTIC document.
8.2.4 Laws based on FIPs

In the United States, FIPs represent the foundation of a number of individual federal and state laws. On the federal level, these include the Fair Credit Reporting Act of 1970,27 the Right to Financial Privacy Act of 1978,28 the Electronic Communications Privacy Act of 1986,29 the Video Privacy Protection Act,30 and the Children’s Online Privacy Protection Act.31

27 15 U.S.C. §1681 et seq (2012).
28 12 U.S.C. ch. 35 (2102).
29 18 U.S.C. §§ 2510–22 (2012).
30 18 U.S.C. § 2710 (2012).
31 5 U.S.C. §§ 6501–05 (2012).
Along with the federal government and many state governments, numerous private and nonprofit organizations have incorporated FIPs into their own privacy policies.32 The European Union and Canada have based privacy protections on FIPs.

A The European Union Directive on the Protection of Personal Data (1995) (Directive 95/46/EC)

This Directive acts as a reference on personal data protection at the European level. It establishes a framework of regulations that attempts to balance a high level of privacy protection for individuals and the free movement of personally identifiable information within the European Union (EU). The Directive restricts the collection and utilization of personal information and requires each EU member state to create an independent body to be responsible for protecting the data. The data covered under the Directive include information processed by automated methods, such as a database of customer names, and information included in or intended to be part of filing systems, like paper files, that are not automated. It does not apply to data processing. The Directive also establishes guidelines to be used for protecting the rights of individuals in regard to the processing of their personal data and for determining whether the processing is performed legally.33

B The Canadian Standards Association, Model Code for the Protection of Personal Information: a National Standard of Canada (1996) (PIPEDA)

This Code establishes ten privacy principles, which represent a large portion of Canada’s privacy legislation, that define responsibilities for private sector entities that collect personal information in the performance of commercial activities in the areas subject to the law.34 The ten principles are accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance.35

32 Fair Information Practice Principles, IT Law Wiki, http://itlaw.wikia.com/wiki/Fair_Information_Practice_Principles (last visited Feb. 10, 2014).
33 Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995, 1995 O.J. (L 281), available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:NOT.
34 PIPEDA, PrivacySense.net, http://www.privacysense.net/pipeda/ (last visited Feb. 10, 2014).
35 The 10 Privacy Principles of PIPEDA, PrivacySense.net, http://www.privacysense.net/10-privacy-principles-of-pipeda/ (last visited Feb. 10, 2014).
Covered organizations are those that are regulated by the federal government and are under the authority of the Parliament of Canada. These include the telecommunications and broadcasting industry and all businesses in Yukon, Nunavut, and the Northwest Territories. PIPEDA also applies to the private sector in each province unless that province has passed its own privacy law that is substantially similar to PIPEDA.36

8.2.5 Criticism of FIPs

FIPs have been criticized by those who believe they are not strong enough, provide for too many exemptions, do not take into account the problems arising from self-regulation, and are out-of-date in regard to advances in information technology. Criticism from the business sector involves a desire to limit the principles to notice, consent, and accountability, believing the requirements overall are too expensive, difficult to implement, and run contrary to free speech and openness principles.37

FIPs were developed as “broad” and “aspirational” policies that included substantive and procedural elements that reflected a consensus concerning the need for standards that would facilitate individual privacy without limiting the potential of free-flowing information in a society that has become increasingly dependent on technology. However, when implemented into laws in the U.S. and elsewhere in the world, FIPs become only “narrow” and “legalistic” principles that emphasize individual control of data instead of the welfare of individuals and society. This approach imposes legal obligations on businesses that use data and inconveniences on individuals through largely meaningless notices and limited choices.38

Enforcement of notice, choice, and the other FIPPs is uneven at best. Individuals are rarely in a position to know if personal information about them has been used in violation of some prior notice that they received or consent that they gave. Situations likely to threaten greatest harm are often subject to the least oversight, while innocuous or technical violations of FIPPs may be prosecuted vigorously if they are the subject of a specific law or obligation and they can be used to generate popular or political pressure...” In short, the control-based system of data protection, with its reliance on narrow, procedural FIPPs, is not working. The available evidence suggests that privacy is not better protected.39

As an alternative to FIPs, it has been proposed that governments stop making policies on the basis of individual preferences and return to the broader concepts in the Consumer Privacy Protection Principles (CPPPs). The first three CPPPs principles define the purpose of and limits on data protection, creating standards that can be used to interpret the principles that follow. These include the prevention of harm, benefits maximization, and consistent protection. The rest of the CPPPs principles address the legal obligations associated with data protection and include transparency, honesty and accountability; integrity of personal information; security; liability; and effective and efficient enforcement.40

In general, CPPPs are designed to emphasize the protection of data in situations where such protection is critical. The policies are also meant to make sure that the law provides substantive protections in these situations. Additionally, CPPPs principles seek to protect individuals through providing sufficient information about how their personal data is being processed to allow them to make intelligent decisions regarding their information. However, providing individuals with notice and choice should not replace efforts to develop requirements and incentives to encourage data processors to take meaningful steps to secure sensitive customer data.41

36 PIPEDA, supra note 2780.
37 Gellman, supra note 2763, at 25.
38 Fred H. Cate, The Failure of Fair Information Practice Principles, in Consumer Protection in the Age of the “Information Economy” (2006), available at http://www.informationpolicycentre.com/files/Uploads/Documents/Centre/Failure_of_Fair_Information_Practice_Principles.pdf.

8.3 Privacy Taxonomies
The complexities of the privacy concept have prompted a number of efforts aimed at creating taxonomies by which to organize its many facets. It has been useful to develop specific privacy taxonomies meant to apply to specific disciplines or fields of study. These more targeted views of privacy include those applying to law, to computer science, to social networking, and to requirements-based software engineering projects in sensitive industries like health care and finance.

Taxonomy in tort law in the United States begins with William Prosser, who separated the general notion of a “right to privacy” into a taxonomy comprising four torts:42
1. Intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs.
2. Public disclosure of embarrassing private facts about the plaintiff.
3. Publicity which places the plaintiff in a false light in the public eye.
4. Appropriation, for the defendant’s advantage, of the plaintiff’s name.

Critics have pointed out that Prosser’s approach does not “accommodate subsequent cases involving contraceptives, abortion, and state regulation of sexual and ingestive activities,” noting that he focused on activities that could cause harm rather than things that should be protected.43

In 2006, a legal taxonomy of privacy was developed with a focus on privacy harms in different cultures around the world.44 The taxonomy was designed to “conceptualize the social and legal aspects of privacy from the bottom-up rather than define privacy as a singular concept from the top down...and to divide the concept of privacy into discrete, actionable elements.”45 This taxonomy46 is applicable to a discussion of privacy and identity crime because it attempts “to identify and understand the different kinds of socially recognized privacy violations, privacy harms and problems that have achieved a significant degree of social recognition.”47 In order to protect privacy, one must first be able to conceptualize it.48 There are 14 categories under four classifications in this taxonomy. The areas in which privacy is at risk are categorized into four basic groups:49
a) Information collection, which includes surveillance and interrogation.
b) Information processing, which includes aggregation, identification, insecurity, secondary use, and exclusion.
c) Information dissemination, which includes breach of confidentiality, disclosure, exposure, increased accessibility, blackmail, appropriation, and distortion.
d) Invasion, which includes intrusion and decisional interference.

Privacy-enhancing technology (PET) can be applied to these areas, while keeping the potential for identity crime in mind. The privacy implications for information collection involve surveillance, which consists of “watching, listening to, or recording of an individual’s activities” and interrogation, which consists of “various forms of questioning or probing for information.”50 Information processing refers to how data is stored, manipulated and used. Information processing also includes the important element of data aggregation, which involves combining pieces of personal data in multiple and increasingly innovative ways.

Another legal taxonomy, which represents “privacy interests,” suggests that the “right to privacy” does, in fact, include three separate rights – the right of repose, the right of sanctuary, and the right of intimate decision – and unless each is analyzed within its proper context, privacy becomes only a “catch-all phrase” that protects too little “because it protests too much.”51

A taxonomy developed for computer scientists differs from those created for application to the law. Reflecting the difficulties faced by builders of software systems that must comply with pre-set privacy and data protection policies, the requirements-based taxonomy was created to help software engineers understand the requirements based on the online privacy policy goals of a specific organization. This requirements-based taxonomy lists five protection goals and seven vulnerabilities. These are illustrated in the tables below.52

A taxonomy of social networking data describes five types of data. This is important because the taxonomy and the definitions provided in it create a framework within which the context of privacy problems and rights may be discussed. The taxonomy is as follows:53
1. Service data. The information that must be provided to a social networking site so that individuals may use it. It may include name, age, and credit card number.

39 Id.
40 Id.
41 Id.
42 William L. Prosser, Privacy, 48 Cal. L. Rev. 383, 388–89 (1960).
43 Gary L. Bostwick, A Taxonomy of Privacy: Repose, Sanctuary, and Intimate Decision, 64 Cal. L. Rev. 1447, 1450 (1976), available at http://scholarship.law.berkeley.edu/californialawreview/vol64/iss6/2.
44 Solove, A Taxonomy of Privacy, supra note 2749.
45 Aaron K. Massey & Annie I. Antón, A Requirements-based Comparison of Privacy Taxonomies (Dept. of Comp. Science, North Carolina State University), available at taxonomy-akmassey-relaw08.pdf.
46 Solove, A Taxonomy of Privacy, supra note 2749, at 483.
47 Id.
48 Solove, Identity Theft, Privacy, and the Architecture of Vulnerability, supra note 2761.
49 Solove, A Taxonomy of Privacy, supra note 2749, at 488.
50 Id.
51 Bostwick, supra note 2789, at 1438.
52 Massey & Antón, supra note 2791, at 2.
53 Stuart Soffer, Taxonomy of Social Networking and Privacy (Dec. 15, 2009, 11:22 am), http://cyberlaw.stanford.edu/blog/2009/12/taxonomy-social-networking-and-privacy.
Table 26 Privacy goals

Privacy Goal | Definition
Notice and Awareness | This addresses how customers are informed about what practices are used by organizations when handling their information.
Choice and Consent | This refers to the ability of customers to choose how they want an organization to manage their information.
Access and Participation | This involves customers’ ability to change and/or correct the personal information used by organizations.
Integrity and Security | This describes the steps an organization takes to protect the accuracy of customers’ information.
Enforcement and Redress | This addresses how organizations handle internal violations of their privacy policy by employees.

Table 27 Potential privacy violations

Vulnerabilities | Definition
Information Monitoring | Reflects the way organizations track how customers interact with their website.
Information Aggregation | Describes how organizations combine customers’ information with data from third-party sources.
Information Storage | Describes the methods used by organizations when storing customer records in a database.
Information Transfer | Addresses how organizations may share the customer information they collect with third parties.
Information Collection | Describes the kind of information organizations are allowed to collect and how they collect it.
Information Personalization | Describes how organizations customize website presentation to customers.
Solicitation | Illustrates the methods and purposes used by organizations to contact customers.
2. Disclosed data. Information posted on users’ own pages, such as blog entries, photos, comments, messages, etc.
3. Entrusted data. Data posted to other people’s pages on the network. While this is the same as what is on a user’s own page, that user has no control over posts to other people’s pages.
4. Incidental data. Information that other people post about an individual. This is the same as disclosed or entrusted data, except that the individual discussed has no control over the information and did not create it either.
5. Behavioral data. Information the social networking site collects about its users by recording their activity and interactions with others.

In 2010, a study of the privacy concerns associated with the failed introduction of the Facebook advertising tool Beacon developed a taxonomy of “privacy concerns.” The taxonomy helped to analyze how concerns related to commercialism, terms of service, lack of user control and awareness, and lack of data security affected perceptions about online privacy among users. The thematic analysis ultimately generated a list of 48 privacy themes/concerns, which became the taxonomy. These concerns included identity theft, stalking, construction of a digital dossier on specific individuals, and secondary privacy diffusion.54

Privacy is an important concern for data handlers and researchers, but it is difficult to study in a naturalistic manner. In an attempt to resolve this problem, a linguistic taxonomy of privacy – a dictionary of privacy – designed for content analysis has been developed. The dictionary is based on verbal discussions of privacy from technical and non-technical contexts.55

Privacy has become an increasingly critical issue for the database community. The same problem of defining privacy arises in the database community, where it cannot be assumed that all stakeholders have the same understanding of the word. Therefore, researchers have developed a “taxonomy capable of thinking of data privacy technologically.” This taxonomy offers four technical dimensions to privacy that can be used by data providers, collectors, users, and data repositories when addressing privacy issues. The four dimensions forming the foundation of this taxonomy are purpose, visibility, granularity, and retention.56

Even more specific taxonomies include a threat taxonomy applying to mHealth technologies, which address the use of mobile devices that allow individuals and their doctors to monitor and manage health conditions. This taxonomy lists privacy-related threats applying to the misuse of patient identities, unauthorized access or modifications to patient health information, and disclosure of this information.57

Data aggregation illustrates how technology itself represents a challenge to information privacy. The introduction of a new technology has historically disrupted expectations of privacy, for example the invention of the telegraph and the telephone. The Internet represents a similar disruption in which expectations of privacy reflect the ability of the technology to gather, store and collect personal information about individuals in ways that were not possible before. Technology has made it possible to collect seemingly unrelated pieces of data at little cost and combine them in various ways to identify specific individuals and their habits.58

From the identity crime perspective, the spread of information is associated with increased accessibility to data and using the identity of data subjects to benefit other individuals. It is also related to activities that result in the transfer of personal data or a threat to transfer it.59 Designers of hardware and software must think about how their systems will balance privacy protections with access to necessary information.60

The information targeted for protection must be identified in any discussion of PET. In terms of identity crime, the target information is data that can be used to identify a specific individual. Such information has been labeled Personally Identifiable Information, or PII.

54 Jamal Arshad, Dept. of Comp. and Sys. Sciences, Stockholm University, Towards a Taxonomy of Privacy Concerns of Online Social Network Sites Users: A Case Study of Facebook Beacon 36–37 (Aug. 2010).
55 Alastair J. Gill et al., Privacy Dictionary: A Linguistic Taxonomy of Privacy for Content Analysis, in CHI 2011 Proceedings of the SIGCHI Conference on Human Factors in Computing Systems at 3227–3236 (2011), available at http://dl.acm.org/citation.cfm?doid=1978942.1979421.
56 Ken Barker et al., A Data Privacy Taxonomy, in Dataspace: The Final Frontier at 42–44 (2009), available at http://download.springer.com/static/pdf/232/bok%253A978-3-642-02843-4.pdf?auth66=1392258046_23485b2421120badb6ca0777271a8493&ext=.pdf.
57 David Kotz, A Threat Taxonomy for mHealth Privacy, in Communication Systems and Networks (COMSNETS), 2011 Third International Conference on (2011).
58 Technologies, The Privacy Projects, http://theprivacyprojects.org/privacy-projects/technologies (last visited Nov. 11 2013).
59 Solove, A Taxonomy of Privacy, supra note 2749, at 490.
60 Technologies, supra note 2804.
8.4 Personally Identifiable Information (PII)

Personally Identifiable Information (PII) refers to data that can be used alone or in combination with other data to identify, locate, or contact a single unique person. It can also be used to identify a single individual in context. Advances in information technology and greater use of the Internet have made personal information extremely easy to collect. These factors have resulted in the development of thriving large-scale criminal enterprises devoted to the theft, purchase, and sale of PII, which have serious implications for privacy and identity crime.

Government agencies in the United States have developed policies to handle PII according to established definitions. According to the United States Office of Management and Budget’s (OMB) Memorandum M-07-1616,61 which is designed to provide guidance to government agencies when dealing with third-party websites or applications, PII refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is provided on a case-by-case basis by determining the risks of individual identity exposure in specific data. When assessing the risk, agencies must be aware that data generally not considered to be PII may easily become PII when made publicly available and when aggregated and combined with other information that could result in the identification of a specific individual. The OMB lists as examples of PII:62
1. Full name (if not common)
2. Email address (if private from an association/club membership, etc.)
3. National identification number
4. IP address (in some cases)
5. Vehicle registration plate number
6. Driver’s license number
7. Face, fingerprints, or handwriting
8. Credit card numbers
9. Digital identity
10. Date of birth
11. Birthplace
12. Genetic information
13. Telephone number
14. Login name, screen name, nickname, or handle

The United States Department of Homeland Security defines sensitive PII as “personally identifiable information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.”63 The U.S. National Institute of Standards and Technology (NIST) describes PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”64

These definitions take into account the fact that technologies increasingly permit and facilitate the aggregation of disparate pieces of data so that information not traditionally considered as PII can be combined in ways that can damage individual privacy and expose individuals to potential victimization by identity criminals. An analysis of 1990 census data65 found that it is possible to identify, as individuals, 87.1 percent of people in the United States by combining a five-digit zip code, birth date (including year), and gender. Fifty-three percent of American citizens can be uniquely identified by knowing the city in which they live, birth date, and gender, and 18 percent by combining their county of residence, birth date, and gender. The ease with which data aggregation can be accomplished has implications for privacy and identity crime. Therefore, when designing or implementing privacy-enhancing technologies, their effect on increasing or decreasing identity crime should be considered.

61 Personally Identifiable Information (PII), U.S. Government Services Administration, http://www.gsa.gov/portal/content/104256 (last modified June 6, 2013).
62 Id.
63 Handbook for Safeguarding Sensitive Personally Identifiable Information, Department of Homeland Security (2012), available at http://www.dhs.gov/sites/default/files/publications/privacy/Guidance/handbookforsafeguardingsensitivePII_march_2012_webversion.pdf.
64 McCallister, Grance, Scarfone, Nat’l Institute of Standards of Technology, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII): Recommendations of the National Institute of Standards and Technology, Special Publication 800-122 (2010).
65 Latanya Sweeney, Uniqueness of Simple Demographics in the U.S. Population, Laboratory (International Data Privacy Working Paper, LIDAP-WP4, 2000). A subsequent study placed the number at 61% (for 1990 census data) and 63% (for 2000 census data). Philippe Golle, The Uniqueness of Simple Demographics in US Population, in Proceedings of the 5th ACM Workshop on Privacy in Electronic Society 77–80 (2006), available at http://crypto.stanford.edu/~pgolle/papers/census.pdf.
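The aggregation risk described above, where zip code, birth date and gender together single out most individuals and city or county do so less often, can be measured on any record set before it is shared. The Python sketch below is an added example, not part of the book: the records are constructed, and the field names, the `generalize` coarsening rule and the use of the k-anonymity measure are assumptions chosen for illustration.

```python
"""Measure how strongly quasi-identifier combinations single out records.

Added illustration. The records below are constructed (not real people) and
the field names are assumptions, not taken from any cited dataset.
"""
from collections import Counter

# Constructed sample records: ten fictitious residents of one county.
RECORDS = [
    {"zip": "02138", "birth_date": "1961-07-14", "gender": "F", "city": "Cambridge", "county": "Middlesex"},
    {"zip": "02138", "birth_date": "1975-06-21", "gender": "M", "city": "Cambridge", "county": "Middlesex"},
    {"zip": "02139", "birth_date": "1961-07-14", "gender": "F", "city": "Cambridge", "county": "Middlesex"},
    {"zip": "02139", "birth_date": "1975-03-02", "gender": "M", "city": "Cambridge", "county": "Middlesex"},
    {"zip": "02139", "birth_date": "1975-03-02", "gender": "M", "city": "Cambridge", "county": "Middlesex"},
    {"zip": "02143", "birth_date": "1975-03-02", "gender": "M", "city": "Somerville", "county": "Middlesex"},
    {"zip": "02143", "birth_date": "1988-11-30", "gender": "F", "city": "Somerville", "county": "Middlesex"},
    {"zip": "02144", "birth_date": "1988-11-30", "gender": "F", "city": "Somerville", "county": "Middlesex"},
    {"zip": "02144", "birth_date": "1961-07-14", "gender": "F", "city": "Somerville", "county": "Middlesex"},
    {"zip": "02138", "birth_date": "1988-01-05", "gender": "F", "city": "Cambridge", "county": "Middlesex"},
]

# The three attribute combinations named in the text.
COMBINATIONS = {
    "zip + birth date + gender": ("zip", "birth_date", "gender"),
    "city + birth date + gender": ("city", "birth_date", "gender"),
    "county + birth date + gender": ("county", "birth_date", "gender"),
}


def class_sizes(records, keys):
    """Count how many records share each combination of values for `keys`."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def singled_out(records, keys):
    """Indexes of records whose combination of `keys` nobody else shares."""
    sizes = class_sizes(records, keys)
    return [i for i, r in enumerate(records)
            if sizes[tuple(r[k] for k in keys)] == 1]


def uniqueness(records, keys):
    """Fraction of records that `keys` alone identifies uniquely."""
    if not records:
        raise ValueError("no records to assess")
    return len(singled_out(records, keys)) / len(records)


def k_anonymity(records, keys):
    """Size of the smallest group sharing the same `keys` (the k in k-anonymity)."""
    if not records:
        raise ValueError("no records to assess")
    return min(class_sizes(records, keys).values())


def generalize(record):
    """Coarsen a record before release: 3-digit zip prefix, birth year only."""
    coarse = dict(record)
    coarse["zip"] = record["zip"][:3] + "**"
    coarse["birth_date"] = record["birth_date"][:4]
    return coarse


def risk_report(records):
    """(label, uniqueness, k) per combination, plus the generalized release."""
    rows = [(label, uniqueness(records, keys), k_anonymity(records, keys))
            for label, keys in COMBINATIONS.items()]
    coarse = [generalize(r) for r in records]
    keys = COMBINATIONS["zip + birth date + gender"]
    rows.append(("zip prefix + birth year + gender",
                 uniqueness(coarse, keys), k_anonymity(coarse, keys)))
    return rows


if __name__ == "__main__":
    for label, share, k in risk_report(RECORDS):
        print(f"{label:34s} unique={share:5.0%}  k={k}")
```

On this constructed sample the share of singled-out records falls as the location field coarsens from zip code to city to county, and no record remains unique once zip code and birth date are generalized.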
626
CHAPTER 8
Internet use has changed the concept of identity because, in addition to real-world characteristics, individuals also have digital identities when they are online. A digital identity is the representation of a human being on a distributed network that interacts with other people or digital devices that are also connected to that network. There are two parts to a digital identity: 1) who the individual is, and 2) the credentials that the individual holds. Credentials are the attributes of the individual’s identity. Digital identification involves linking what is known about an identity with other information. To protect privacy and reduce identity crime, the information used to recognize or confirm a digital identity should always be limited to the minimum required for identification. A digital identity may sometimes take refuge in anonymity.66
8.5 Data Mining
Data mining has serious implications for privacy and identity crime. The technology used in data mining is not new, but advances in computer processing power, disk storage, and statistical software have made significant improvements in the accuracy of the analyses, which can now be performed at much lower costs than in the past. However, the advances that offer the benefits of personalization and customization to consumers may also be used by criminals to target their identity crime victims. In order to develop appropriate privacy protections, the nature and scope of data mining should be addressed.
Basically, data mining involves analyzing data from different perspectives and manipulating it so that it becomes useful information. Data mining software is one of the tools available to perform the analysis. In addition to providing different views of collected data, the software allows users to categorize and summarize any relationships identified in the raw data. The objective of data mining is to find patterns in the fields that make up large relational databases.67
There are differences between data, information and knowledge. Data are facts, figures, or text that can be processed by a computer. There are operational or transactional data, which include sales, cost, and inventory; nonoperational data, which include forecasts and macro-economic elements; and metadata, which is data about the data itself, such as logical database design or data dictionary definitions. Information is made up of associations,
66 See supra Ch. 2 (discussing Digital Identity).
67 Bill Palace, What is Data Mining (Technology Note Prepared for Management 274A, Anderson Graduate School of Management at UCLA), available at http://www.anderson.ucla.edu/faculty/jason.frand/teacher/technologies/palace/datamining.htm.
Privacy, Anonymity, and Identity Crime
relationships, or patterns discovered in the data, which may lead to additional insights.68 Knowledge involves information that has been converted through analysis to identify future trends or behavior.69
The same advances in technology that allow for greater collection of data have also made data warehousing possible. Data warehousing refers to a process of centralized data management and retrieval. The centralization of data is necessary to maximize users’ access to data and the ability to analyze it.70 However, the more centralized large amounts of data become, the greater the risk to privacy from damaging data breaches and hacking by identity criminals.
There are five major elements in data mining:71
1. Extracting, transforming, and loading data into a data system
2. Storing and managing the data in a multi-dimensional database system
3. Providing access to the data to analysts and IT professionals
4. Using software to analyze the data
5. Presenting the data in a useful format like a table or graph
Among the various types of analyses that can be applied in data mining are:72
1. Artificial neural networks
2. Genetic algorithms
3. Decision trees
4. Nearest-neighbor method
5. Rule induction
6. Data visualization
8.5.1 Big Data
“Big data” can be as simple as a list of search terms sent to Google or as complex as the capture and analysis of vibrations given off by an engine to discover patterns. More and more activities can be translated into data in a process known as “datafication.”73 For example, there is a smartphone application that records when a user is walking, riding a bike, or traveling in a car; it knows the difference by recording movements, acceleration, etc., and because location
68 Id.
69 Id.
70 Id.
71 Id.
72 Id.
73 Kenneth Cukier and Viktor Mayer-Schonberger, Big Data: A Revolution that Will Transform How We Live, Work and Think 15 (2013) (defining “datafication” and explaining “It refers to taking information about all things under the sun … and transforming it into a data format to make it quantified.”).
CHAPTER 8
and acceleration are “datafied,” inferences can be made about what a user is doing at a specific point in time. “Big data” means analyses can be performed, and insights potentially gained, looking at mass quantities of data that cannot be achieved looking at “little data.”74 Companies like credit card firms and credit bureaus collect and store very large amounts of data about individuals, billions and billions of data points that they can analyze in ways that were not possible in the past due to high storage costs and the large amounts of processing power that were needed to perform the analyses. These analyses make the companies more efficient and allow them to perform better services and offer better products to consumers.75
While individuals still have a desire for privacy, the idea of controlling every piece of personal information and every way it is used is “thinking in the small data age.”76 If only a few pieces of information are collected – Social Security number, birth date, and address, for example – then an individual can have some success in protecting it, but if a billion data points about a person are being collected – way of walking, places visited, locations at specific points in time – it is silly to try and control every one of those data points. Instead, as society moves further into the age of “big data,” thinking about privacy and controlling personal information should focus more on whether or not the use of the data is for a good or bad purpose.77
With the information they collect about consumers, data brokers know a lot about them: the kind of cars they drive, what their hobbies are, and whether they are good with money. Brokers collect information about “health interests” and infer what diseases a consumer may have. They collect information about any public licenses held by individuals, such as hunting or fishing licenses. Dating sites share self-reported information about sexual orientation, drug use, and smoking habits.
Data brokers collect all public tweets, and all public “likes,” comments, or reviews posted on Facebook. They get location-based information by collecting cell phone tracking data or following WiFi signals. Demographic information about race, ethnicity, and religious affiliation is regularly collected by data brokers, who may then sell that
74 Kelly Dilworth, Scared of Big Brother? Too Late, Says “Big Data” Co-Author Viktor Mayer-Schönberger, CreditCards.com (May 2, 2013), http://www.creditcards.com/credit-card-news/qa-big-data-author-viktor_mayer-schonberger-1278.php.
75 Id.
76 Id.
77 Id.
information. They know what books consumers read, what music they listen to, and what movies they watch by getting information from video and music streaming sites.78 And all of this information is obtained legally. Pharmacies can legally sell prescription information to third parties if names are not linked to the data. Marketers can access any information that is “voluntarily” self-reported via surveys, warranty card registrations, some rebate coupons, and sweepstakes prizes. Video streaming services can legally share what their customers watch with third parties, as long as they ask for the user’s permission first.79 There is little recourse for consumers who don’t want to be monitored, since there are few privacy laws that address online collection and aggregation of publicly available personal information, especially when it is given voluntarily by individuals. The U.S. Congress and regulatory authorities have started to look at the activities of data brokers more closely in recognition of the fact that, while consumers know they are being targeted by advertisers at online websites, most have no idea of how extensively marketers and aggregators mine for data, or their capabilities for combining data from online and offline sources.80 Existing laws in the U.S. tend to focus on industry-specific uses of data, such as in credit reports or medical records, rather than on protecting individuals’ privacy. The law has not kept up with data brokers and their data mining technologies. There is no one law or regulatory agency that has oversight of the commercial collection or distribution of the diverse information collected by data brokers from various sources.81 Data brokers claim to have adequate protections in place to safeguard privacy and state that the information they collect has benefits for both businesses and consumers. 
Critics argue that the industry is too secretive about what data they collect, how they collect it, and how they use it once they have it. For example, the Consumer Data Products Catalog from data broker Acxiom promises to provide businesses with access to a national database that
78 Kelly Dilworth, 12 Creepy Details Data Collectors Know About You, CreditCards.com (Oct. 04, 2013), http://www.foxbusiness.com/personal-finance/2013/10/03/12-creepy-details-data-collectors-know-about/.
79 Id.
80 Tony Mecia, Congress asks if data brokers invade consumers’ privacy, CreditCards.com (Aug. 1, 2012), http://www.creditcards.com/credit-card-news/congress-probes-data-brokers-1282.php.
81 Tom Zeller Jr., Breach Points Up Flaws in Privacy Laws, The New York Times (Feb. 24, 2005), http://www.nytimes.com/2005/02/24/business/24datas.html?_r=0&pagewanted=all&position=.
holds information on over 144 million households. The firm reports that the data include names and addresses gleaned from public records, which are then improved upon through Acxiom’s own extensive demographic, financial, behavioral, and lifestyle data.82 While the data brokerage industry has created a complex system for collecting consumer data, it has done little to ensure that consumers are allowed to make decisions about the nature of the data collected and how it can be used.83
Additionally, companies do not use “big data” just to learn more about their customers; they are using it to make decisions that have real consequences for people’s lives. If the data collected about an individual are wrong, that individual could be the victim of decisions that deny a mortgage or raise an interest rate on the basis of that erroneous data. Since the use of “big data” is relatively new, few rules or ethical guidelines for its use exist.84
Consumers are generally unaware of the amount or scope of the personal information that data brokers buy and sell. Where credit reporting agencies had once provided information only to banks or potential employers, they have been replaced by “one-stop shops” like ChoicePoint, which offers its consumer data products to all “ostensibly qualified parties.”85 ChoicePoint is a firm that gathers and sells data about nearly every citizen in the U.S. In 2005, it revealed that data thieves had obtained access to the information it stored on about 145,000 people around the country. The criminals used fake identities to open accounts that allowed them to access the names, addresses, Social Security numbers and credit reports of these consumers.86
Silicon Valley, arguably the center of computer entrepreneurship, has compared data to oil in the sense that digital information resources can be transformed into “fuel for pleasure and profit” if individuals just provide companies with access to personal information.87
82 Id.
83 Id.
84 Kelly Dilworth, Tracking Your Card Purchases: Big Data Becoming Big Business, CreditCards.com (April 19, 2013), http://blogs.creditcards.com/2013/04/tracking-card-purchases-big-data-business.php.
85 Zeller, supra note 2827.
86 Ray Suarez, Stealing Identities, Transcript, PBS News Hour Broadcast (Feb. 24, 2005), http://www.pbs.org/newshour/bb/business/jan-june05/identity_2-24.html.
87 Pratap Chatterjee, The Data Hackers: Mining Your Information for Big Brother, TomDispatch.com (Oct. 8, 2013 8:04 a.m.), http://www.tomdispatch.com/blog/175757/.
8.5.2 Data Aggregation
Data aggregation refers to a kind of data mining process by which information is collected and then expressed as a summary for a variety of purposes, including statistical analysis. “Data aggregation usually involves big data or data marts that do not provide much information value as a whole.”88 A common use of data aggregation is obtaining information about particular groups of people – consumers – on the basis of variables like age, income, or profession. This data can then be utilized to personalize websites and to offer content and advertising that is narrowly targeted to a particular individual who belongs to the group for which the information has been gathered. Online analytic processing (OLAP) represents one kind of data aggregation.89
Data aggregation represents a growing profit center for organizations as more consumers use the Internet. The United States Constitution, along with federal and state statutes, limits the scope of information that may be collected about individuals without first obtaining a warrant and showing probable cause. However, no such limits are imposed on nongovernmental companies, and so the number of organizations created to collect ever-larger volumes of raw data continues to grow.90
Data brokers now have the ability to collect huge quantities of data about customers relatively cheaply, and they can then resell that data to marketers and other interested parties. In the age of “big data,” there are few things about an individual consumer that marketers don’t know.
Data brokers collect and sell personal information freely, often without the knowledge or consent of those whose data is being gathered.91 Companies continue to develop methods that improve their customer tracking and data collection methods, and they are getting better at linking information from different sources to obtain increasingly detailed profiles of individual consumers.92 Data aggregation can be performed manually or with specialized software and hardware. Once raw data is obtained, it is analyzed by algorithms that are designed to combine and recombine the data into useful information. For example, social network analysis and semantic analysis tools are sold as the
88 Margaret Rouse, Definition: Data Aggregation, SearchSQLServer, http://searchsqlserver.techtarget.com/definition/data-aggregation (last updated Sept. 2006).
89 Id.
90 John F. McMullen, Digital Data: Why What’s Being Collected Matters, Techopedia (Oct. 2, 2012), http://www.techopedia.com/2/28826/security/online-data-why-whats-being-collected-matters.
91 Dilworth, supra note 2824.
92 Id.
means to discover potential terrorist threats coming from social protest groups or anti-government activists. A software package called “Riot” claims it can predict where individuals are likely to go when they leave their current location by mining data gathered from social networks like Facebook, Foursquare, and Twitter.93 Mobile devices and web browsers contain software that allows users to be followed constantly. The applications are installed as a matter of routine in all data devices and sold to the government by contractors for a profit.94
Social apps, which are enthusiastically downloaded by Internet users, allow data brokers to gather large amounts of raw data. The growing availability of geolocation applications means that more information is collected about where people go on a daily basis. If such data is accessed by unauthorized parties, it can be used to make inferences about the individuals, including where they live, where they work, and who belongs to their social network. Geolocated systems involve objects or devices that are associated with a location, such as a smartphone or a vehicle with GPS features. The system usually belongs to the individual or a family and so its location corresponds to that of the owner. Geolocated data is publicly available and easy to get. Social media applications like Twitter provide location data in nearly real time. This data can be collected to make predictions about whether the owner of the Twitter account is at home.95 To protect “geo-privacy,” there is a process that adds uncertainty to the information and removes some of its more sensitive elements.
There is an application known as GEPETO (for GEoPrivacy Enhancing TOolkit), which seeks to give geo-privacy researchers a way to evaluate some of the techniques used to remove sensitive data from geolocated information, as well as inference attacks on the data.96 Through explorations of the various kinds of inference attacks made on geolocated data, researchers have concluded that, of all PII, discovering the location of an individual represents one of the major threats to privacy.97 All mobile phones come with one of the simplest forms of surveillance technology available: the International Mobile Subscriber Identity (IMSI) catcher.
93 Chatterjee, supra note 2833.
94 Id.
95 Gambs, Killijian & Cortez, Show Me How You Move and I Will Tell You Who You Are, 4 Transactions On Data Privacy 103 (2011), available at http://dl.acm.org/citation.cfm?id=2019320.
96 Id.
97 Id.
The IMSI is unique to every mobile phone, and catcher devices capture all mobile phone signals in a given area, identifying and locating all the phone users there. The device tricks the phones into wirelessly sending data back to it. By deploying several of the catchers in an area and measuring how fast the responses are received, the movement of anyone with a phone – whether it is in use or not – can be tracked.98
Software vulnerabilities are often exploited by data brokers and surveillance companies to obtain sensitive data. Hacking software can be installed from a USB drive or delivered via an email attachment or downloaded software update. Once the hacking application is installed, analysts can view files, log keystrokes, or even capture screen displays every second. The software can also activate cameras and microphones on devices to gather information about user activities in real time.99 The goal of data mining companies is to detect patterns of user behavior by analyzing raw data. The processed information can then be used for good purposes, such as personalizing a customer’s buying experience, or bad purposes, including identity theft.100
8.5.3 Ghosting
A large amount of personal information is publicly available and easy for identity thieves to obtain. With this information they can take over existing financial accounts or create new ones to get cash, financial instruments, or products for their personal use. They may resell the information on the black market so that the same information may be used to victimize individuals multiple times. In other cases, the personal identity information taken from public sources is used for ghosting. Ghosting has generally referred to the theft of a deceased individual’s identity in which the thief actually takes on that identity, living and working as that person, rather than using his/her own name and identity.
Ghosting is perpetrated chiefly by those wishing to avoid prosecution for another crime or who want to avoid other legal mandates, such as paying taxes. Computer technology gives criminals the ability to collect and combine large amounts of data from a variety of sources and create a detailed picture of a real individual for impersonation or to construct a fraudulent identity using real information. They may also identify individuals who match a specific
98 Chatterjee, supra note 2833. 99 Id. 100 Id.
pattern.101 In an environment characterized by more and more data aggregation and a willingness among individuals to allow their personal data to be posted online, criminals have a relatively easy time taking on totally new identities with impunity. Much of the sensitive personal information on individuals that is publicly available online is stored in county, state, and government agency databases. Information that is available on one of these websites (Social Security number) can be combined with data from a social network site (name, address) and allow an identity thief to construct an entire profile of a given individual without that person being aware of it. Because there are no comprehensive laws or regulatory oversight, imposters can continue the impersonation by moving from one place to another with little chance of detection.
8.6 Privacy-Enhancing Technologies (PETs)
While there is no standard definition for the term “privacy-enhancing technology (PET),” most PETs are based on similar principles. PETs typically reduce or eliminate the risks associated with opposing privacy concepts and regulations; minimize the amount of PII stored about individuals; or give individuals the power to control their PII at all times.102 PETs can be used effectively to protect privacy with regard to surveillance, interrogation, aggregation, and identification. Of particular interest from the identity crime perspective are PETs applied to the collection, processing and spread of information using techniques based on anonymity and the identification, verification, authentication, and authorization of users.
Terms like “identification,” “verification,” “authentication,” and “authorization” are often used interchangeably when discussing secure systems, but each term has its own application and focus. Understanding the differences is important to developing and implementing effective policies to protect privacy and reduce identity crime. The following example may clarify the differences of these processes and their relationship to one another.103
101 Michael McFarland, Ethical Implications of Data Aggregation, Santa Clara University, http://www.scu.edu/ethics/practicing/focusareas/technology/internet/privacy/data-aggregation.html (last visited Nov. 12, 2013).
102 Information Commissioner’s Office, Privacy by Design 8 (2008).
103 Eli Talmor, Authentication vs. Authorization vs. Identity verification, Sentry-com.net Blog (Dec. 21, 2008), http://sentry-com.net/blog/?p=28.
Suppose an individual orders VIP football game tickets online. The process required to actually acquire the physical tickets involves identifying oneself to the person at the box office before the game. The person at the box office will ask for an identification document (a driver’s license, for example). This is identification. The box office clerk then verifies the buyer’s identity by visually examining the identification document presented and checks it against information stored in the ticket issuer’s database to verify that the individual presenting the document has actually purchased tickets online. That is verification. Once these checks have been performed, the ticket buyer receives the physical ticket that will allow entrance to the venue. This ticket is an authentication token. To enter the venue, the ticket holder will produce the token (the ticket) to the person at the door for examination before being allowed to enter. This is authentication. The ticket holder can then enter the VIP area because he/she has met the requirements for authorization that allow entry.
8.6.1 Identification
When communities are small, people know each other on a face-to-face basis, and even if people do not personally know one another, each individual knows someone else who is acquainted with the unknown person. Because there is a high degree of personal knowledge, there is also a high degree of trust in the community; transactions are based on the confidence that the people involved are really who they purport to be.104 As communities become more complicated and spread out over larger geographical areas, it becomes more difficult to have personal knowledge about someone’s identity. This creates a need to find other ways to develop trust.105 As societies became more mobile, people relied more on social institutions to take the responsibility for mediating relationships. Tokens of trust, such as handwritten signatures, became the new guarantees of identity.
As more transactions were performed at a distance, additional tokens of trust were required as proxies for the kind of trust that develops through ongoing relationships between people in the same location.106 Modern society, which has become increasingly anonymous and anonymized, needs systems of identification that can identify individuals in a reliable way and facilitate trust without face-to-face interaction. The Internet,
104 Jennifer Barrigar, Office of the Privacy Commissioner of Canada, Guided Literature Review: Identity Management Systems (2011), available at http://www.priv.gc.ca/information/research-recherche/2011/barrigar_201102_e.asp.
105 Id.
106 Id.
which effectively eliminates geographical presence as a requirement for communication, requires unique methods of identification, authentication, verification and authorization to develop trust in transactions that take place online.107
8.6.2 Verification
Verification involves confirming that an individual is who he/she claims to be in situations where that individual is not physically present at the location requiring the verification. It is a real-time electronic process designed to validate information provided by an individual user. Verification technologies compare collected information with a database of data samples previously gathered to ascertain whether a given individual actually has the identity he/she claims to have. Systems designed to verify identity are usually very large and rely on databases storing huge amounts of personal data.108
The verification and re-authorization technologies currently in use tend to provide for a one-time verification. They are often knowledge-based and require individuals to provide answers to pre-established questions. This means that even verified users may lose sensitive information through session hijacking. This may be resolved through more frequent verification, but the verification must be performed in a passive manner that is transparent to the user. Requiring a user to continually interact with a system to be re-verified would be inconvenient and obtrusive.109
In a biometric system, verification refers to a one-to-one relationship between a sample and an individual, confirming that the individual is the person that he/she claims to be.110 Signature verification is a biometric technique that uses the characteristics of an individual’s signature (factors like pressure, pen lifts, speed and direction of pen strokes) to confirm identity. Verification should be differentiated from identification in discussions of biometric technologies.111
107 Id.
108 Robert Pinheiro Consulting LLC, Position Paper, Using Strong Authentication for Preventing Identity Theft (Mar. 2007), available at http://ftc.gov/os/comments/IDMngmntworkshop/527026-00025.pdf.
109 Zheng, Paloski & Wang, Working Paper, An Efficient User Verification System via Mouse Movements (2011), http://www.cs.wm.edu/~nzheng/paper/ccs11.pdf.
110 Identification v. Verification, GSI, http://globalseci.com/?page_id=37 (last visited Nov. 12, 2013).
111 Robert Pinheiro Consulting, supra note 2854.
Biometrics offers several benefits over other types of verification because it is based on identifying an intrinsic portion of a human being.112 Identification tokens like smart cards or physical keys are subject to theft, loss, or duplication. Individuals often forget passwords, and they tend to share them too easily with others or have them taken by third parties who watch their input.113 Many biometric measures can be effective for verification (a one-time process to identify a particular individual) and for authentication (a process that may be implemented multiple times to ensure that the user of an account is the same individual who opened the account, for example). Advanced biometric systems are expensive, however, so the cost must be balanced with the degree of security required. Verification and authentication of personnel at a nuclear power plant requires a high level of assurance and trust that only authorized individuals can enter the facility. In such a case, the cost of the system may be warranted. A typical consumer bank account does not require the same level of security as a nuclear plant, and so less expensive systems would be adequate.
Types of biometrics include:114
1. DNA Matching
2. Iris Recognition
3. Retina Recognition
4. Face Recognition
5. Fingerprint Recognition
6. Finger Geometry Recognition
7. Gait
8. Hand Geometry Recognition
9. Odor
10. Signature Recognition
11. Typing Recognition
12. Vein Recognition
13. Voice/Speaker Recognition
8.6.3 Authentication
Authentication is the process of identifying an individual before allowing that individual to use an online account. It is usually performed by asking for a
112 See generally John R. Vacca, Biometric Technologies and Verification Systems (2007).
113 Id.
114 Types of Biometrics, Biometrics Institute, http://www.biometricsinstitute.org/pages/types-of-biometrics.html (last visited Nov. 12 2013).
username and password and matching that information with data stored when the account was created. The idea behind authentication is that each individual user holds unique information that differentiates that user from others115 and that this information can be used reliably to confirm the individual’s identity when engaging in online transactions. Security systems distinguish authentication from authorization. Authorization is the process of giving individuals access to the system based on their identity. It is also different from identity verification. Identity verification can be performed once, while authentication can be performed many times.
There are three basic categories of authentication. Users may be authenticated on the basis of something they know (birth date, PIN, answers to knowledge-based questions), something they have (a token, ID card), or something they are (biometric data like fingerprints, iris scans). Each of the categories uses specific data elements to confirm the identity of an individual before granting that person access to a system or approving a transaction. Security researchers recommend that using the elements of at least two of these categories is best when looking for a positive authentication; including elements from all three is optimal.116 When two of the elements are required, this is called “two-factor authentication.”
Many authentication systems are secure but difficult to use and generally involve the use of a user-name/password combination. These kinds of systems are vulnerable to attacks resulting from the theft of passwords. Two-factor authentication addresses the problem by confirming the identity of an individual by using two separate factors in conjunction to perform the authentication. One two-factor authentication system proposed permits users to freely choose and change a password instead of remembering it.
The approach relies on a smart card and can protect against identity theft, so-called guessing attacks, impersonation attacks, and other types of incursions.117 With respect to Internet-based financial transactions, there are at least two additional ways to perform authentication and prevent identity theft when new accounts are opened online. In one method, a digital certificate could be presented by the individual opening the new account. The certificate would
115 Definition: AAA Server Authentication, Authorization, and Accounting, SearchSecurity, http://searchsecurity.techtarget.com/definition/AAA-server (last visited Nov. 12, 2013).
116 Authentication, SearchSecurity (June 4, 2007), http://searchsecurity.techtarget.com/definition/authentication.
117 Akram, Misbahuddin & Varaprasad, A Usable and Secure Two-Factor Authentication Scheme, 21 Info. Security J.: A Global Perspective, 169 (2012), available at http://www.tandfonline.com/doi/abs/10.1080/19393555.2011.629340#.UoLiopGGQY0.
contain identity information and be “signed” by a party trusted by the entity granting the credit. In a second method, a trusted third party may vouch for the identity of the new account applicant. This assumes that there is some “Identity Provider” trusted by the entity granting the credit and that this provider issues credentials to people that can be used later for subsequent identity authentication. This method also assumes that the Identity Provider has adequately verified the identity of the person to whom it issues these credentials.118
A Passwords
The most common method of authenticating users in an online environment is using a password. However, passwords are not the best technology for protecting PII. Passwords can be guessed relatively easily, are subject to hacking, and because users tend to forget them, they also tend to use the same ones across multiple sites, exponentially increasing the possibility that they will be discovered by identity criminals. Attempts have been made to strengthen passwords by making them longer and more complex. However, even passwords as long as 55 characters can now be broken.119 A freely available tool for breaking passwords has come along just as consumers are being encouraged to create longer and longer passwords. Identity thieves have been able to thwart this approach by expanding the dictionaries they use for breaking passwords to include phrases from the Bible, popular literature, and even online discussions.120 The use of stolen passwords is sometimes called an “offline attack” because it targets data obtained from a compromised database. The data obtained allows whoever recovers it to attempt an unlimited number of guesses until they discover the right plaintext password.
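The two-factor and offline-attack passages above can be made concrete with an added example (not from the book): a stored password record that makes each offline guess expensive, checked together with a one-time code from a device the user holds. The choice of PBKDF2 and of RFC 4226/6238 one-time codes as the possession factor, and every name in the code, are assumptions; the scheme the book cites relies on a smart card instead.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 300_000  # assumed work factor; raise it as far as login latency allows
STEP_SECONDS = 30            # RFC 6238 default time step
DRIFT_STEPS = 1              # tolerate a device clock one step early or late


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record the server stores in place of the password."""
    salt = salt if salt is not None else os.urandom(16)  # unique per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Knowledge factor: recompute the slow hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238: the HOTP code for the time step containing `at`."""
    return hotp(secret, int(at // STEP_SECONDS), digits)


class TwoFactorAuthenticator:
    """Hypothetical login service requiring something known AND something held."""

    def __init__(self) -> None:
        self.accounts = {}
        self._dummy = hash_password("placeholder")  # hashed for unknown users

    def enroll(self, user: str, password: str, device_secret: bytes) -> None:
        self.accounts[user] = {
            "password": hash_password(password),
            "secret": device_secret,   # shared with the user's token or phone
            "last_counter": -1,        # highest time step already accepted
        }

    def login(self, user: str, password: str, code: str,
              now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        account = self.accounts.get(user)
        if account is None:
            # Spend the same hashing time so timing does not reveal valid names.
            verify_password(password, self._dummy)
            return False
        if not verify_password(password, account["password"]):
            return False
        current = int(now // STEP_SECONDS)
        for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if counter <= account["last_counter"]:
                continue  # a code is single-use: never accept an old time step
            expected = hotp(account["secret"], counter)
            if hmac.compare_digest(expected.encode(), code.encode()):
                account["last_counter"] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed sample data: the secret is the published RFC 4226 test key.
    secret = b"12345678901234567890"
    auth = TwoFactorAuthenticator()
    auth.enroll("alice", "correct horse battery staple", secret)
    t = 59
    print("both factors:", auth.login("alice", "correct horse battery staple", totp(secret, t), now=t))
    print("replayed code:", auth.login("alice", "correct horse battery staple", totp(secret, t), now=t))
```

A stolen copy of `accounts` still permits offline guessing, but each guess costs a full PBKDF2 run per salted record, and a recovered password alone does not pass `login` without the device secret.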
Once hackers have the user credentials that underlie an account, they can use them to access any online account associated with those credentials.121 While the inadequacies of alphanumerical passwords have been acknowledged from the perspective of both privacy protection and identity theft risk,
118 Robert Pinheiro Consulting, supra note 2854.
119 Somini Sengupta, Beyond Passwords: New Tools to Identify Humans, New York Times (Sept. 10, 2013), http://cacm.acm.org/news/167614-beyond-passwords-new-tools-to-identify-humans/fulltext.
120 Dan Goodin, “Thereisnofatebutwhatwemake” – Turbo-Charged Cracking Comes to Long Passwords, Ars Technica (Aug. 26, 2013), http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/.
121 Id.
CHAPTER 8
most organizations still use them for authentication purposes on the Internet. Why? Password use continues for several reasons.122 Passwords protect many kinds of services, and none of the authentication methods proposed to date is appropriate for every one of them. Additionally, competing technical proposals and goals of stakeholders mean that no single approach predominates. Data measuring the frequency, nature, scale, and financial impacts of incidents involving password loss is difficult to obtain, so it is hard to determine whether losses result from phishing, social engineering, or keylogging attacks. The lack of data presents challenges for organizations that need to calculate the costs and benefits of changing policy. Users are reluctant to make changes, and it is difficult to motivate them to improve their security, particularly if the alternatives cost more or are more complicated than existing methods. Because consumers use their own devices and platforms to conduct online transactions, online merchants are limited in the types of hardware/software measures they can implement. In addition to these factors, no single organization can impose security changes in an environment characterized by the decentralized and global nature of the Internet, where no one entity is in control.

B Biometrics

Authentication has been problematic since the creation of the Web, and security professionals have long wanted to avoid the risks associated with token-based and password-based systems.123 The development of biometric systems for authentication in the 1980s held promise, but concerns about their cost and intrusive nature hindered their widespread adoption. Some biometric technologies like fingerprints are now in common use and have been discussed in Chapter 7. Advances in biometric technology continue, however, and several new and more exotic systems are being developed and tested. These include brainwave-based computer authentication and heartbeat monitoring.
These technologies124 eliminate the need for users to remember and type in a password.125
122 Herley, van Oorschot & Patrick, Passwords: If We’re So Smart, Why Are We Still Using Them?, Financial Cryptography and Data Security, Lecture Notes in Computer Science Volume 5628, 230 (2009).
123 Sengupta, supra note 2865.
124 New Research: Computers That Can Identify You by Your Thoughts, UC Berkeley School of Information (Apr. 3, 2013), http://www.ischool.berkeley.edu/newsandevents/news/20130403brainwaveauthentication.
125 Sengupta, supra note 2865.
Biometric elements like fingerprints or retinal scans are useful for providing accurate, one-time authentication, but many biometric systems require specialized and costly hardware that may not be available in all situations. Behavioral biometrics, which include keystroke and mouse dynamics, are more promising as authentication technologies because they can be obtained through common user interface devices (mouse, keyboard) available to every user.126 In particular, mouse dynamics may offer a better solution for two reasons. Monitoring keystrokes may lead to the exposure of passwords and user names, which raises significant privacy and identity crime concerns. A keyboard is a more complex device than the mouse, and keystroke dynamics are more affected by factors like the size, shape, and layout of the particular appliance.127 A system that tracks mouse movements and clicks performed by users gathers minimal information from the individual. Recording mouse dynamics does not reveal user names or passwords. It only tracks the physical movements of the mouse and clicks made within a certain time period. This reveals little about the user that can be stolen, and such a system would not violate individual privacy.128

The risks to privacy associated with smartphones are significant. For example, 57 percent of smartphone owners use banking apps, and 41 percent use shopping apps. Almost 70 percent regularly disable the phone’s security features and remain continuously logged in.129 On the basis of these statistics, it is clear that smartphone users need security options that are both convenient and powerful to avoid being exposed to identity crime and data loss.
Mobile authentication solutions have been developed to reduce fraud and make user authentication easier through the addition of a security layer that relies on a user’s unique tablet or smartphone interaction patterns to recognize and verify their identity, thus eliminating the need for PINs, passwords, or other biometric solutions.130

Biometric authentication systems are often presented as a way to prevent identity theft. However, concerns about the privacy, reliability and security of biometric data pose unique challenges, including the need for interoperability among all the devices used for authentication. Additionally, biometric authentication itself must often be used in conjunction with other proofs of identity. This means that multi-factor authentication methods are required
126 Zheng, Paloski & Wang, supra note 2855.
127 Zheng, Paloski & Wang, supra note 2855, at 2.
128 Zheng, Paloski & Wang, supra note 2855, at 10.
129 Implicit Authentication Fights Fraud, Accelerates Mobile Commerce, PR Web (Sept. 10, 2013), http://www.prweb.com/releases/2013/9/prweb11101322.htm.
130 Id.
to enforce strong authentication based on the biometrics. A two-phase authentication mechanism for federated identity management systems (FIdMs) addresses this problem. The method uses techniques from the vector-space model to create secret cryptobiometric keys that safeguard the confidentiality of biometric data. The method then utilizes other authentication factors in addition to the biometrics to provide strong authentication. A benefit of this approach is that any unanticipated combination of authentication factors can be used, leveraging user information that is available from the FIdM.131 In biometrics, physical and behavioral characteristics are collected through appropriate sensor technology and unique or distinctive features are taken from the data to create a biometric template. The system processes a collected biometric item and compares it to the stored template for authentication. That comparison leads to an acceptance of the identity or a rejection. Many of the concerns about the use of biometrics for verification or authentication are related to the storage and potential misuse of biometric information. The emerging technologies of biometric cryptosystems and cancelable biometrics are two methods for protecting a biometric template.132 Because biometric characteristics essentially do not change, any compromise of biometric template data means a permanent loss of an individual’s biometrics. Standard encryption algorithms cannot protect biometric templates that are exposed during every authentication. Mechanisms designed to protect biometric templates are known as biometric cryptosystems and cancelable biometrics. These mechanisms meet the two fundamental requirements of biometric data protection: irreversibility and unlinkability. Irreversibility means that it should be difficult to reconstruct the original template from stored reference data, but it should be easy to generate the protected biometric template. 
Unlinkability means that different versions of the protected templates may be generated on the basis of the same biometric data, but the protected templates should not permit cross-matching.133
131 Bhargav-Spantzel et al., Privacy Preserving Multi-Factor Authentication with Biometrics, in DIM ’06 Proceedings of the Second ACM Workshop on Digital Identity Management 63–72 (2006), available at http://delivery.acm.org/10.1145/1180000/1179540/p63-bhargav.pdf?ip=169.229.32.136&id=1179540&acc=ACTIVE%20SERVICE&key=C2716FEBFA981EF180AFFA68148A758BBB00FA0C3D166145&CFID=378505853&CFTOKEN=41208727&__acm__=1384321373_dea8a06a9ca2166cdb1dbb6e2105ff38.
132 Christian Rathgeb & Andreas Uhl, A Survey on Biometric Cryptosystems and Cancelable Biometrics, EURASIP J. Info. Security, 2011, available at http://jis.eurasipjournals.com/content/pdf/1687-417X-2011–3.pdf.
133 Id.
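The irreversibility and unlinkability requirements described above can be seen on a cancelable template; the following is an added example, not code from the book or from the survey it cites. It assumes a keyed random-projection transform as one illustrative transform, and the key names, vector sizes, threshold and feature values are all constructed.

```python
import hashlib
import random

N_BITS = 256  # length of the protected template (assumed for this example)


def _projection(user_key: bytes, dim: int):
    """Derive a key-specific Gaussian projection matrix (N_BITS x dim)."""
    seed = int.from_bytes(hashlib.sha256(user_key).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(N_BITS)]


def protect(features, user_key: bytes):
    """Map a feature vector to a protected bit template.

    Only the sign of each keyed projection is stored, so magnitudes are
    discarded and the raw features never reach the database. Caveat: if the
    key is stolen together with the template, the direction of the feature
    vector can be approximated, so the key needs its own protection.
    """
    return [1 if sum(w * x for w, x in zip(row, features)) >= 0 else 0
            for row in _projection(user_key, len(features))]


def distance(a, b):
    """Normalised Hamming distance between two protected templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(stored, probe_features, user_key: bytes, threshold: float = 0.25):
    """Compare in the transformed domain; the stored template is never inverted."""
    return distance(stored, protect(probe_features, user_key)) <= threshold


def demo():
    rng = random.Random(2020)  # constructed sample data, not real biometrics
    enrolled = [rng.gauss(0, 1) for _ in range(32)]
    # Same person captured again with a little sensor noise.
    recapture = [x + rng.gauss(0, 0.05) for x in enrolled]
    # A different person: constructed to be uncorrelated with the enrolled vector.
    impostor = [v for a, b in zip(enrolled[0::2], enrolled[1::2]) for v in (-b, a)]

    key_v1, key_v2 = b"user-17-template-v1", b"user-17-template-v2"
    t1 = protect(enrolled, key_v1)
    t2 = protect(enrolled, key_v2)  # re-issued after the first template leaked
    return {
        "genuine_accepted": verify(t1, recapture, key_v1),
        "impostor_accepted": verify(t1, impostor, key_v1),
        # Revocation: the old key no longer verifies against the new template.
        "old_key_on_new_template": verify(t2, recapture, key_v1),
        # Unlinkability: two templates of the same finger look unrelated (~0.5).
        "cross_match_distance": distance(t1, t2),
        "genuine_accepted_after_reissue": verify(t2, recapture, key_v2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A leaked template is revoked by issuing a new key and re-enrolling; the biometric itself is unchanged, which is what an encrypted raw template cannot offer.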
Biometric cryptosystems bind a digital key to a biometric or generate a digital key from a biometric in a secure manner. They can replace password-based key release systems, providing greater security, since it is harder to copy, fake, share, and distribute biometrics than passwords. Cancelable biometrics involve intentional and repeatable distortions of biometric signals through transformations that allow biometric templates to be compared in the transformed “domain.” As opposed to templates that are protected by standard encryption algorithms, transformed templates are never decrypted because the comparison of the biometric templates occurs in transformed space.134

C Knowledge-based Authentication

Knowledge-based authentication (KBA) refers to an authentication method that proves a user’s identity by requiring the user to demonstrate knowledge of unique personal information before granting access to the protected data. There are two kinds of KBA: static and dynamic. Static KBA uses predetermined and shared information to prove identity, while dynamic KBA uses questions generated from stored personal information. Static KBA relies on personal information used as “shared secrets.” This method has often been used by financial institutions and e-mail providers to confirm identity before allowing access to an account if the password has been forgotten. With static KBA, questions and answers are agreed upon by the customer and the provider, then stored for potential retrieval at a later time only when the user wants access to the account. Static KBA has been criticized as a security measure because the allegedly “secret” information is now frequently available online and can be captured by identity thieves to reset passwords and gain access to accounts.
Dynamic KBA also utilizes knowledge-based questions to confirm individual identity, but no previous contact between user and provider is necessary because the questions are generated “on the fly” from data aggregated from the user’s public records, marketing data, or credit reports. KBA interrogation has resulted in a significant disconnect between strategies for fraud prevention and the customer care objectives of many businesses. Currently, financial institutions either perform too little authentication, which leaves accounts open to fraud, or too much, which irritates customers.135 And in recognition of the easy access to personal information via online resources, the National Institute
134 Id.
135 The Death of Knowledge-Based Authentication, TrustID (July 22, 2011), https://www.trustid.com/blog/2011/07/22/the-death-of-knowledge-based-authentication/.
of Standards and Technology (NIST) and the Federal Financial Institutions Examination Council (FFIEC) have called for organizations to stop using KBA altogether.136 Critics have suggested that KBA systems establish identity on the basis of “pseudo secrets.”137 For example, some states continue to include the Social Security numbers of individuals in some public records, and even attempts to address this issue fall short. In Alabama, a law requires the consent of an individual before his/her Social Security number is revealed on state documents that are released to the public, but this law exempts liens, conviction records, and bankruptcy filings.138 The National Institute of Standards and Technology (NIST) particularly singled out “instant” KBA as no longer acceptable because establishing an identity and finalizing a transaction using that identity occur at the same time. This type of KBA is also vulnerable to off-line research, and users do not have an opportunity to opt out of the process to mitigate their risks.139 The database leaks at LexisNexis, Dun & Bradstreet, and Kroll Background America, which allowed criminals to obtain and sell the personal private information of millions of consumers for more than six months before being discovered, have prompted companies to replace this outdated authentication technology with a more multi-layered approach.140

D Single Sign-on

Single sign-on refers to an authentication process used in client-server systems where a user enters one name and password combination in order to access several different resources. The use of single sign-on eliminates the need for the user to authenticate all over again when switching from one application to another. Single sign-on systems reduce “password fatigue,” which results from
136 Federal Financial Institutions Examination Council, Supplement to Authentication in an Internet Banking Environment (2011), available at http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20%28FFIEC%20Formated%29.pdf.
137 Margaret S. Leary, Quantifying the Discoverability of Identity Attributes in Internet-Based Public Records: Impact on Identity Theft and Knowledge-Based Authentication 6 (2008), available at http://udini.proquest.com/view/quantifying-the-discoverability-of-goid:304834287/.
138 Id.
139 The Death of Knowledge-Based Authentication, supra note 2881.
140 LexisNexis Hack Signals the Death of Knowledge-Based Authentication – NuData Security, PR Web (Sept. 27, 2013), http://www.prweb.com/releases/2013/9/prweb11169573.htm.
having to remember different user names and passwords for every website visited. Single sign-on emphasizes the importance of authentication systems because losing the availability of the centralized server results in a denial of access to all the systems using that server. The technology also centers on protecting users’ credentials; therefore, it has been recommended that strong authentication methods (smart cards, single-use password tokens) be used in combination with the single sign-on method for optimal security. However, the single sign-on approach may not be best for systems that have to guarantee continual access.141 Additionally, single sign-on is vulnerable to identity crime because only one user name and password combination is needed to access many accounts. Once an identity thief obtains that combination, multiple accounts are placed at risk.

Facebook has become a one-stop identity authentication service, and millions of websites now allow their users to log in with Facebook credentials. This is convenient for users, but it also allows service providers to gather more and more PII by monitoring the other sites their users visit. In some cases, users have no choice but to use a Facebook log-in to access a site because there is no option to create a separate account. This places personal information at risk because PII from many locations throughout the web is stored in one central location.142 As more devices are connected to the Internet, single sign-on may not be advisable,143 since single sign-on may increase risks to privacy and potential for identity crime at this point, while appearing to provide a solution to the problem.

E Federated Identity Management Systems

In a typical identity management system, identity refers to claims made about a user and having these claims upheld through authentication.
However, as the number of users and providers increases, and requests for and provision of data also increase, multiple user profiles are required, which leads to inconveniences for both users and providers. At this point, multiple log-in screens, passwords and identifiers are required, and all of them must be tracked. The cost of managing and storing multiple user profiles while eliminating the potential for data duplication presents a
141 Definition: Single Signon, Webopedia, http://www.webopedia.com/TERM/S/single_signon.html (last visited Nov. 12, 2013).
142 Sengupta, supra note 2865.
143 Id.
problem for many organizations. Federated identity management systems (FIdMs) are designed to address these issues.144 In a federated identity management system (FIdM), service providers depend on trusted third parties chosen by the user to authenticate access to requested services on that user’s behalf.145 This is usually accomplished in a one-to-one relationship between a service provider and a user. A FIdM system includes four major entities: the end user who wants to interact with online services; a user agent (generally a browser) through which the user conducts these interactions; a service provider (SP), which is the online application or service with which the user wants to interact and that must obtain some degree of certainty about the user’s identity before allowing any interaction; and the identity provider (IdP). The IdP is the web-based entity that actually performs the process of authenticating a user and/or storing the user’s PII. This information may be shared with other providers.146 Once basic information management has been addressed, the authentication process, which is critical in FIdM, may impose risks of its own, however. The effectiveness of FIdM is ultimately measured by the effectiveness and reliability of the authentication process.147

8.6.4 Authorization

Authorization is the process of granting or denying a user access to network resources once the user has been authenticated through a username and password combination or some other authentication method. The amount of information and the range of services the user may access depend on the user’s authorization level. Allowing access to data in protected systems generally has two stages.
The first is authentication, which ensures that users are who they say they are, while the second stage is authorization, which allows an individual to access specific resources on the basis of that individual’s identity.148 Authorization protects consumers’ personal information by allowing only those who have been specifically granted permission to use that information
144 Poetzch et al., Future of Identity in the Information Society, D3.12: Federated Identity Management – What’s in it for the Citizen/Customer? (2009), available at http://www.fidis.net/fileadmin/fidis/deliverables/new_deliverables/fidis-wp3-del3.12.Federated_Identity_Management.pdf.
145 Id.
146 Id.
147 Poetzch et al., supra note 2890.
148 IT Glossary: Authorization, Gartner, http://www.gartner.com/it-glossary/authorization/ (last visited Nov. 12, 2013).
to gain access to it.149 There are several authorization systems that may reduce identity crime. These include:150
1. Web authorization management solutions that work with web servers and e-commerce systems. They allow administrators to define generic user roles and then allow access to data stored in multiple applications on the basis of those roles.
2. Digital wallets that provide a storage location for the secure information needed for user authentication in commercial transactions.
3. Federated identity management systems, which allow identity information to be developed and shared among multiple entities and identity attributes to be transferred from one trusted authenticator to another for single sign-on for correctly identified individuals.

AAA systems are systems in IP-based networking that are designed to control the types of computer resources a user may access and to keep track of users’ activity on a network. The “triple As” stand for authentication, authorization and accounting. Authentication and authorization have been discussed above. Accounting refers to the process of monitoring user activity while that user is accessing the network’s resources.151

A Trusted Computing

In the field of computer science, trusted computing refers to a computer that consistently behaves as expected, with the hardware and software enforcing these behaviors. Enforcement is achieved by implementing a unique encryption key into the hardware. This key cannot be accessed by other parts of the system. Developing a trusted computing system requires a “working knowledge of security in relation to the design and usage of cryptographic modules as well as cryptographic techniques including public-key cryptography, cryptographic algorithms and protocols.”152 The concept of trusted computing has been the subject of debate because the hardware is not only kept protected for
149 Id.
150 IT Glossary: Federated Identity Management, Gartner, http://www.gartner.com/it-glossary/federated-identity-management/ (last visited Nov. 12, 2013).
151 Authentication, Authorization, and Accounting (AAA), Cisco, http://www.cisco.com/en/US/products/ps6663/products_ios_protocol_option_home.html (last visited Nov. 12, 2013) (“It is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way to perform authentication, authorization, and accounting services.”).
152 Trusted Platform Module, Trusted Computing Group, http://www.trustedcomputinggroup.org/developers/trusted_platform_module/ (last visited Nov. 12, 2013).
Figure 7 Concepts of identity crime, privacy and anonymity: interdependencies and overlap
its owner, but it is also protected from its owner, leading some critics to call it “treacherous computing.”153 There are six key technologies required for a system to be fully trusted:154
1. Endorsement key
2. Secure input and output
3. Memory curtaining/protected execution
4. Sealed storage
5. Remote attestation
6. Trusted Third Party (TTP)

Developers of trusted computer systems are challenged by having to balance anonymity while providing a “trusted platform.”155 Using a “trusted mode” means that the individual with whom a computer is communicating is able to trust that this computer is not running hardware or software that has been
153 Richard Stallman, Can You Trust Your Computer?, in Free Software Free Society: Selected Essays of Richard M. Stallman 117–121 (2002), available at http://www.gnu.org/philosophy/can-you-trust.html.
154 Soham Sadhu, Trusted Computing (Feb. 20, 2012), available at http://www.cs.rit.edu/~hpb/Lectures/20112/S_T/Src/34/Trusted_Computing.pdf.
155 Bryan Parno, Trust Extension as a Mechanism for Secure Code Execution on Commodity Computers (Dissertation 2010, Paper 28), available at http://repository.cmu.edu/cgi/viewcontent.cgi?article=1029&context=dissertations.
tampered with. The person contacting the other computer is assured that there is no malicious software there that can compromise sensitive data. However, to obtain this objective, the second computer must tell the first one that it is using “safe” software and hardware, potentially providing a unique identity of itself to the computer contacting it. This could be a problem in situations such as conducting bank transactions via the Internet. In other cases, however, users are happy to take advantage of the anonymity promised through trusted computing.156

Current trusted computing proposals have a high cost. They provide security for users while also giving third parties the power to enforce policies on the users’ computers whether users give them permission or not. In other words, users are required to relinquish some control over their computers to someone else.157 This kind of problem may be mitigated through a device-based approach158 that leverages the trust a user has in one device and allows that user to use another device or service securely without losing any expected features or performance. To accomplish this, a trusted portable device is made available by which a user would securely learn the code that executes on the local computer, instead of entrusting their sensitive data to less-than-optimal code that probably exists on their PC. “An on-demand secure execution environment” would be constructed to perform tasks requiring high levels of security. These would handle private data in total isolation from all other software and most other hardware on the system.159

8.7 Anonymity
Privacy and anonymity are different concepts. Privacy refers to the ability of an individual to decide with whom to share personal information.160 With privacy, there is knowledge of an individual’s identity but not of associated personal facts. With anonymity, there is knowledge of these personal facts, but not of the identity of the person associated with those facts. Anonymity and privacy,
156 Trusted Computing, Wikipedia, http://en.wikipedia.org/wiki/Trusted_Computing (last updated Nov. 12, 2013).
157 Seth Schoen, Trusted Computing: Promise and Risk, Electronic Frontier Foundation (Oct. 1, 2013), https://www.eff.org/wp/trusted-computing-promise-and-risk.
158 Parno, supra note 2901.
159 Id.
160 Jeffers, supra note 2748.
which can be viewed as mirror images of each other, function in opposite ways. Privacy hides facts about the person whose identity is known by eliminating data linked to that person from public availability, whereas anonymity hides the identity of the person associated with specific data in order to place the facts into public circulation.161 Recognizing the differences between privacy and anonymity makes it possible to facilitate and control the production of public goods. Under current law, anonymity is used in several ways: 1) as a right when buying land, 2) as a requirement for voting, and 3) as a trigger for eliminating privacy rights in medical research. While these uses appear unrelated, they represent previously unrecognized rules that use anonymity to control the production and dissemination of information and not to protect privacy.162 These rules operate in many areas of law, but have gone relatively unnoticed because anonymity is generally understood to be a tool or facet of privacy. By fusing anonymity and privacy, the actual difference between the two factors is hidden. Protecting anonymity online may be one way to protect against identity crimes, but conversely, identity criminals may use the same anonymity technology to steal victims’ identities without being detected. There are many positive ways to use anonymity on the web, but there can sometimes be very destructive side effects too, such as lack of accountability, impersonation of an individual and even stock market manipulation. The concepts of identity crime, privacy and anonymity may be viewed as having interdependencies, and they often overlap, as shown in the diagram above. However, the concepts have significant differences that put them in conflict. On the positive side, anonymity allows people to feel free to discuss sensitive topics without fear of reprisal. On the other hand, it also permits those with destructive intent to avoid responsibility and accountability for their actions. 
Some privacy protection solutions attempt to eliminate all anonymity in order to keep individual privacy from harm.163 There are areas in which privacy and anonymity may either cause or mitigate identity crime. However, anonymity represents only a very small part of the privacy and identity crime concepts. There are many other factors that impact
161 Anonymity is Not Privacy (and Why it Matters), Harv. (Sept. 11, 2013), http://blogs.law.harvard.edu/billofhealth/2013/09/11/anonymity-is-not-privacy-and-why-it-matters/.
162 Id.
163 Alex Masters, Identity on the Internet: The Pros and Cons of Anonymity, The Independent (Sept. 19, 2011, 1:16 p.m.), http://blogs.independent.co.uk/2011/09/19/identity-on-the-internet-the-pros-and-cons-of-anonymity/.
privacy and result in the commission of identity crimes. Protecting privacy and preventing identity crime involve measures that go beyond anonymity. Among the differences between privacy and anonymity is the fact that privacy is often a passive element that involves the ability to share access to certain data only with those who have been privileged with that access. Anonymity, on the other hand, is a more active concept in which some type of action is taken while the identity of the person performing the action remains hidden. Traditionally, someone who violates privacy does so anonymously.164 Anonymity can be used to reduce identity crime, but it may also hide perpetrators of the crime from discovery.

The original architects of the Internet did not pay sufficient attention to identifiability as a critical component of the network, say some critics, while others see this situation as a liberating feature rather than as a drawback.165 The difference between these two approaches influenced the different ways in which anonymity, privacy, and anonymization have been treated in computer systems and their potential for addressing identity crime.

In some situations, the ability to communicate anonymously over untrusted networks is necessary. Anonymous peer-to-peer (P2P) communication over untrusted networks is sometimes required by the military and may utilize a technique known as a ‘secret handshake.’ This is a cryptographic mechanism that allows secure and anonymous communications by allowing two arbitrary members in the same group to authenticate privately to one another and to agree on a shared key for additional communication in the future. However, one problem with this method is that it often failed to meet unlinkability requirements, and this has limited its practical use.
Advances in the construction of unlinkable secret handshakes have made the technique more feasible, and when compared with previous technology, this method improves performance and provides good security results.166

8.7.1 Unlinkability

Unlinkability of data means that an individual can use a resource or service multiple times without other entities being able to link these uses together.167
164 Jeffers, supra note 2748.
165 Barrigar, supra note 2850.
166 Eun-Kyung Ryu, Kee-Young Yoo & Keum-Sook Ha, Efficient Unlinkable Secret Handshakes for Anonymous Communications, 7 Journal of Security Engineering 619 (2010), available at http://www.sersc.org/journals/JSE/vol7_no6_2010.php.
167 Future of Identity in the Information Society, WP13, D13.1: Identity and Impact of Privacy Enhancing Technologies (Daniel Cvrček & Vashek Matyás eds.,
Unlinkability may also be separated into two categories: absolute unlinkability, which refers to the meaning given above, and relative unlinkability. Relative unlinkability between arbitrary items could be defined as follows:168
Unlinkability of two or more items of interest, from the attacker’s viewpoint, means that within the system the attacker cannot distinguish whether any of the items are related or not
Linkability of any two or more items of interest from the attacker’s point of view means that the relatedness of these items can be sufficiently distinguished
“Items of interest may include subjects, events, messages, actions, etc. Within the system that holds these and possibly other items, from an attacker’s perspective, the items of interest are no more and no less related after observation.”169 In other words, the unlinkability of items does not provide an identity criminal with a greater ability to connect them even after the attacker observes the system in which those items are included.

8.7.2 Undetectability and Unobservability

Undetectability and unobservability can be distinguished from anonymity and unlinkability. With anonymity and unlinkability, only the relationship of an item of interest to other items of interest is safeguarded. With undetectability, the items of interest themselves are protected. From an attacker’s point of view, it cannot be distinguished whether or not the item of interest exists.170 Unobservability refers to a situation in which a user may utilize a service or resources without third parties being able to observe that the service or resource is being used. Users cannot know whether or not an operation is being performed, so this approach is less user-centric and more general. If messages
2007) [hereinafter Identity and Impact of Privacy Enhancing Technologies], available at http://www.cosic.esat.kuleuven.be/publications/article-928.pdf. 168 Andreas Pfitzmann & Marit Hansen, A Terminology for Talking About Privacy by Data Minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management 35 (Internet Engineering Task Force, Working Document, Aug. 10, 2010), available at https://kantarainitiative.org/confluence/download/attachments/ 45059055/terminology+for+talking+about+privacy.pdf. 1 69 Identity and Impact of Privacy Enhancing Technologies, supra note 2913. 170 Pfitzmann & Hansen, supra note 2914.
are considered to be items of interest, this means that they are not sufficiently discernible from “random noise.”171

Unobservability of an item of interest, from the point of view of an attacker, means that the attacker cannot distinguish sufficiently whether the item exists or not.

Observability, from the attacker’s perspective, means that an item of interest can be sufficiently distinguished as to whether it exists or does not exist.
8.7.3 K-Anonymity

The concept known as k-anonymity is a method designed to address the problem of releasing person-specific data while simultaneously protecting the anonymity of the individual to whom the data refers. For example, a table provides k-anonymity if efforts to link any explicitly identifying information to its contents ambiguously map the information to at least some other entities.172

Data holders face the challenge of releasing information while not compromising privacy or confidentiality. However, they must allow some release of their data for it to be useful. Not releasing it may reduce any need for the data, but failure to provide appropriate security and privacy of anonymous data during its release could cause harm to individuals or other interests. The common way to handle this difficulty is to release person-specific data with all of the explicit identifiers (name, address, phone number, etc.) removed, assuming that anonymity will be maintained since the resulting data looks anonymous. In most cases, however, the data that remains can be used to re-identify specific individuals by matching or connecting it to other data or by examining unique characteristics discovered in the released data.173

Computer security and privacy protection are not identical issues. A traditional area associated with computer security is authentication. The goal is to ensure that anyone who receives information has permission to do so. Authentication protection can safeguard information against direct disclosure, but it does not address disclosures based on inferences drawn from released data.
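The inference problem described above can be measured before a data set is released. The following Python sketch is an added example, not taken from the book or its sources: it groups a constructed release into equivalence classes over its quasi-identifiers, reports k, and shows what a reader holding a constructed public register could infer, first with exact values and then after generalizing ZIP code and birth year. All records, names and the choice of quasi-identifiers are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed release: explicit identifiers removed, quasi-identifiers kept.
# Columns: ZIP code, year of birth, sex, diagnosis (the sensitive attribute).
RELEASED = [
    ("02138", 1961, "F", "hypertension"),
    ("02139", 1964, "F", "hypertension"),
    ("02139", 1958, "M", "diabetes"),
    ("02141", 1952, "M", "asthma"),
    ("02141", 1972, "M", "depression"),
    ("02138", 1975, "M", "asthma"),
]

# Constructed public register (for example a voter list) that carries names.
PUBLIC = [
    ("Alice Example", "02139", 1964, "F"),
    ("Bob Example", "02139", 1958, "M"),
    ("Dan Example", "02138", 1975, "M"),
    ("Eve Example", "02144", 1980, "F"),
]


def exact(zip_code, birth_year, sex):
    """Quasi-identifier exactly as stored."""
    return (zip_code, birth_year, sex)


def coarse(zip_code, birth_year, sex):
    """Generalized quasi-identifier: 3-digit ZIP prefix and decade of birth."""
    return (zip_code[:3] + "**", birth_year // 10 * 10, sex)


def equivalence_classes(released, generalize):
    """Map each quasi-identifier value to the sensitive values that share it."""
    classes = defaultdict(list)
    for zip_code, birth_year, sex, sensitive in released:
        classes[generalize(zip_code, birth_year, sex)].append(sensitive)
    return dict(classes)


def k_anonymity(released, generalize):
    """k is the size of the smallest equivalence class."""
    classes = equivalence_classes(released, generalize)
    return min(len(values) for values in classes.values())


def assess_release(public, released, generalize):
    """Classify what linking the public register to the release reveals.

    Assumes a matching person really is in the release; a data holder
    doing a pre-release risk review knows whether that holds.
    """
    classes = equivalence_classes(released, generalize)
    findings = {}
    for name, zip_code, birth_year, sex in public:
        values = classes.get(generalize(zip_code, birth_year, sex))
        if not values:
            findings[name] = ("no-match", None)
        elif len(values) == 1:
            # Class of size 1: the record maps to exactly one person.
            findings[name] = ("re-identified", values[0])
        elif len(set(values)) == 1:
            # k >= 2, but every record in the class has the same value.
            findings[name] = ("attribute-disclosed", values[0])
        else:
            findings[name] = ("ambiguous", None)
    return findings


if __name__ == "__main__":
    for label, generalize in (("exact", exact), ("generalized", coarse)):
        print(label, "k =", k_anonymity(RELEASED, generalize))
        for name, finding in assess_release(PUBLIC, RELEASED, generalize).items():
            print("   ", name, finding)
```

Generalization raises k from 1 to 2 here, yet one class still holds a single diagnosis, so membership in that class reveals the sensitive value without singling out a record.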
171 Id.
172 Pierangela Samarati, Paper, Protecting Respondents Identities in Microdata Release (2001), available at http://spdp.di.unimi.it/papers/tkde_k-anonymity.pdf.
173 Latanya Sweeney, K-Anonymity: A Model for Protecting Privacy, 10 Int’l J. Uncertainty, Fuzziness & Knowledge-Based Sys., 557 (2002).
Researchers suggest that all information should be released, but only in ways that protect the identities of the people who are the subjects of the data.174 A data set is considered to be k-anonymous when “every equivalence class is of size k, or includes at least k records.”175 For example, if an attribute is the same for all records in an equivalence class, then the size of the class does not offer any anonymity, since mapping a unique identifier to the class is enough to map it to the attribute in question in a situation that is termed “attribute disclosure.”176

The prevention of re-identification of individuals through their data records is often addressed by k-anonymity. This method guarantees that no record can be distinguished from at least k-1 other records. However, there is significant data loss that results from the use of k-anonymity. To resolve this problem, researchers have suggested considering each record as a vertex and the similarity of two records as the edge weight and then building a complete weighted graph. It has been shown that this approach offers improvements over baseline heuristic algorithms, and researchers suggest this approach as a solution to the k-anonymity problem when data utility and runtime must both be taken into account.177

8.7.4 Anonymity and Identifiability

It is important to distinguish anonymity from identifiability. Anonymity refers to visual anonymity of other group members, that is, in a system in which recipients are those who access and receive data, and senders represent the data repository providing the requested data, potential recipients are anonymous to a sender. By contrast, identifiability refers to the recognizability of a sender’s communicative behavior from the recipients’ perspective.178 An overview of definitions relevant to anonymity and identifiability is presented below.179
174 Id.
175 Identity and Impact of Privacy Enhancing Technologies, supra note 2913.
176 Barrigar, supra note 2850.
177 JianQiang Li et al., A Top-Down Approach for Approximate Data Anonymisation, 7 Enterprise Info. Sys. 272 (2012), available at http://www.tandfonline.com/doi/abs/10.1080/17517575.2012.688223#.UoPrPJGGQY0.
178 Joachim Kimmerle & Ulrike Cress, Knowledge Communication with Shared Databases, in Handbook of Research on Computer Mediated Communication 424–435 (2008), available at http://www.igi-global.com/chapter/knowledge-communication-shared-databases/19763.
179 Pfitzmann & Hansen, supra note 2914, at 35.
Anonymity, from the perspective of an attacker, means the attacker is not able to identify a unique subject from a set of subjects, the anonymity set.

Identifiability, from an attacker’s point of view, means that a unique identity of a subject can be identified from within a set of subjects, known as the identifiability set.
Both anonymity and identifiability can be perceived as desirable states. The environment in which information is stored and accessed has an impact on the benefits or disadvantages of anonymity versus identifiability. For example, in an enterprise network, employers do not want their workers to be anonymous because they need to know where and who their employees are. On a public wireless network, on the other hand, the protection of users’ identities and location is critical. With a subscribed network, some disclosure of identity is required in order to obtain services.180

In addition, people seek to remain anonymous for a variety of reasons, which may reflect their unique life experiences. Research indicates that Internet users often make decisions about protecting their online anonymity and the strategies for doing so based on prior negative consequences experienced when using their real identities. They may also have a desire to maintain a separation between their online and offline worlds.181

A Reasons for Anonymity

There are a number of reasons to maintain individual anonymity:182
1. Anonymity may facilitate communications and the flow of information regarding unpopular political issues or coming from individuals who may be afraid for their safety if their real identity is known, as is the case with political dissidents.
2. Anonymity is useful in situations such as medical research where individuals may not want to make their health status public.
3. It can focus attention on the content of a message or a particular behavior itself, rather than emphasize the source of the message or the perpetrator of an activity, as may occur with celebrities.
4. Anonymity encourages communication, investigation, and sharing about conditions that may be socially stigmatized, that place an individual at a disadvantage, or that are extremely personal, as may occur in regard to self-help groups or medical testing.
5. Anonymity can help to obtain a resource or encourage a condition using methods linked to illegal or morally questionable actions when a “lesser evil” is the ultimate goal, as may be the case with gun amnesty programs or needle-exchange programs.
6. Anonymity protects donors of resources, as well as those who take actions deemed necessary but unpopular, from additional obligations or retribution, which is the case with sperm or egg donors, anonymous gifts to charities, or police officers who are identified only by number and not name.
7. Anonymity protects the strategic economic interests of buyers and sellers, as when developers purchase land parcels under assumed names to prepare for a future real estate development.
8. Anonymity protects an individual’s personal space and time, as illustrated by unlisted telephone numbers, mail-forwarding services, and females who use gender-neutral or traditionally male names for listings in public directories for fear of stalkers.
9. Anonymity increases the chance that judgments will be implemented according to established standards rather than on the basis of personal characteristics, as when musicians compete for positions in an orchestra by performing behind a screen.
10. Anonymity protects assets and reputations from the consequences of identity theft.
11. Anonymity helps individuals avoid persecution.
12. Anonymity is sometimes a crucial part of the “fun” in games and celebrations, as is shown in the custom of wearing masks at Halloween or at a costume party.
13. Anonymity can also encourage risk-taking and experimentation without fear of significant consequences, such as failure or embarrassment.
14. Anonymity protects individual autonomy and recognizes that exchanging personal information involves a level of intimacy that is best left for the people involved to determine.
15. Anonymity has the default expectation in regard to personal information in certain types of social interaction, becoming an artifact of how technology has developed or group life evolved.

180 Bob Hinder, Tradeoffs between Anonymity and Identifiability, Presentation at IETF 63, Paris (Aug. 3, 2005), available at http://www.ietf.org/proceedings/63/slides/alien-4.pdf.
181 Kang, Brown & Kiesler, Why Do People Seek Anonymity on the Internet? Informing Policy and Design, (Research Paper, Human Computer Interaction Institute, Carnegie Mellon University, 2013), available at http://www.academia.edu/2668114/Why_Do_People_Seek_Anonymity_on_the_Internet_Informi.
182 Gary T. Marx, Identity and Anonymity: Some Conceptual Distinctions and Issues for Research, in Documenting Individual Identity: The Development of State Practices in the Modern World (J. Caplan & J. Torpey eds., 2001), available at http://web.mit.edu/gtmarx/www/identity.html.
B Reasons for Identifiability

Some level of identifiability is required for social interaction. Sharing information is one way for individuals and organizations to show trust. The areas in which identifiability is expected include:183
1. Identifiability provides for accountability. People usually want to avoid negative outcomes and want other people to have a good opinion of them. Being identified with one’s actions leads to these results.
2. Identifiability is useful in judging reputation. The impersonal nature of modern mass societies depends on records and recommendations that can be used to assess personal qualities.
3. Identifiability facilitates the payment of dues and receiving just rewards. A fundamental element of society is reciprocity, which requires the ability to find those with whom we interact and to distribute justice and rewards as needed.
4. Identifiability improves service and enhances efficiency. Knowledge is power in modern competitive environments, which creates an organizational demand for personal information to help companies meet their goals and improve customer service.
5. Identifiability can be used to determine bureaucratic eligibility. Administering complicated divisions of labor requires establishing and using characteristics linked to a name and location so that people can reliably perform specific actions (driving a car) or provide services (working with children).
6. Identifiability guarantees interactions that are separated or mediated by space and time, such as paying with a credit card or a check instead of cash.
7. Identifiability facilitates research, which may benefit from relationships with other kinds of personal information or tracking unique individuals.
8. Identifiability protects health and consumers by requiring the identification of individuals with specific predispositions or experiences.
9. Identifiability builds effective relationships. Reciprocity and information sharing are required for friendship and intimacy. The revelation of personal information begins with knowing a name and a location.
10. Identifiability helps with social orientation. Providing clues about other aspects of identity revealed in name and location facilitates orientation in a society.
183 Id.
8.8 Anonymization
The basic methods of data anonymization include replacing, generalizing, perturbing, or suppressing data.184 Replacing refers to substituting identifiers. Generalizing data means exchanging a specific piece of information, such as a birth date, with a more general piece of data, such as the year of birth. With perturbation, random changes are made to the data; data may be distorted, or noise may be added to a value. Not all anonymization techniques may be applied to all types of data. Some types of data, images for example, may remain useful through perturbation, but their utility suffers if generalized. Therefore, suppression is the most generally applicable method for anonymization if the effects of generalization or perturbation on certain data are unknown. With suppression, some data is simply omitted from released information.

However, anonymization implemented through l-diversity may result in a significantly skewed distribution of sensitive attribute values.185 If the distribution of an attribute is known, this information could be used to determine the probability of a specific attribute value being associated with a specific identifier. For example, in a database, only five of 1,000 records describe a certain disease, but an equivalence class in the anonymous data set may exist for which 50 percent of the records contain the disease. This would imply that members of the equivalence class were 20 times more likely to have the disease than others in the database.186

8.8.1 De-Anonymization and Social Networks

De-anonymization is a data mining strategy in which anonymous data is cross-referenced with other data to re-identify the original source of that data. Any information that distinguishes one data source from another can be used for de-anonymization.187

Online social networks often share potentially sensitive information about their users with advertisers, application developers, and data mining researchers. In these cases, anonymization is generally used to protect users’ privacy
In these cases, anonymization is generally used to protect users’ privacy
184 Data Anonymization and Re-Identification: Some Basics of Data Privacy, Whimsley, http://whimsley.typepad.com/whimsley/2011/09/data-anonymization-and-re-identification-some-basics-of-data-privacy.html (last visited Nov. 12, 2013).
185 Barrigar, supra note 2850.
186 Id.
187 De-Anonymization (deanonymization), WhatIs.com, http://whatis.techtarget.com/definition/de-anonymization-deanonymization (last visited Nov. 12, 2013).
by removing names and addresses, for example. An analysis of privacy and anonymity in social networks indicates that approximately 33 percent of users who can be confirmed as having accounts on both Twitter and Flickr can be re-identified in an anonymous Twitter graph with an error rate of just 12 percent.188

The popularity of mobile phones has raised many privacy and identity crime concerns because these devices are easy to steal, and even more importantly, easy to track. Tracking technology is a good example of the good and bad consequences of information sharing. On the one hand, mobile phones equipped with sensors provide a considerable amount of data that can be used in urban planning, epidemiology, operations research and emergency preparedness. To protect privacy, however, all personally identifying information must be eliminated before this data is shared with researchers. This is very difficult to do. Re-identifying individuals from relatively little information, on the other hand, is fairly easy. Research has shown that only four points of reference were needed to uniquely identify 95 percent of 1.5 million cell phone users in a small European country with information gathered over a period of 15 months.189 In other words, all that is necessary to extract complete location information for a single individual from an “anonymized” set of data that includes one million people is to place that person within a few hundred yards of a cell phone transmitter at some point in the course of an hour, four times in one year.190

According to a formula developed using the tools of statistical physics that relates the resolution of space-and-time data to the probability of identifying a single member of a data set, that probability decreases as the resolution of the measurements decreases, but by less than might be expected. The results of this calculation provide sufficient reason to think about applying privacy protections when working with aggregated location data.191

The ability of data miners to track and identify individual users through mobile phone location is a concern to privacy advocates. Most location-based services (LBS) require mobile device owners to report their exact location information in order to obtain the services they want. Revealing such data to potentially untrusted LBS providers can result in significant privacy breaches. To protect the privacy of a user’s location, the technique of spatial cloaking is

188 How Hard Is It to ‘De-Anonymize’ Cellphone Data?, Science Daily (Mar. 27, 2013), http://www.sciencedaily.com/releases/2013/03/130327132547.htm.
189 Id.
190 Id.
191 Id.
generally used. This approach involves blurring the exact location of a user into a “cloaked” area that meets user-specified privacy parameters. However, these algorithms cannot be used in mobile peer-to-peer (P2P) environments where mobile users communicate only with their peers through P2P multi-hop routing. Researchers are working on the development of spatial cloaking algorithms for mobile P2P environments that address their unique limitations.192

Other research has shown that data in social networks cannot be treated during anonymization in the same way as other data. Usually, the k-anonymity method is applied. Traditional assumptions about data types and background knowledge of possible attackers, which are used to specify data types as “quasi-identifiable” or “sensitive,” cannot easily be applied to social networks. This is because it is difficult to predict how applications will use data collected from a social network. Social network data must be treated as either sensitive or private, or quasi-identifiable or public, which makes it difficult to apply current anonymity models.193

An alternative anonymity method, q-Anon, relies on the interactive data release model utilized by social network APIs to guarantee anonymity without assumptions limiting the attacker’s background knowledge or knowing how the data might be used. The data release model and anonymity definition have more useful application and more robust guarantees of anonymity than those provided by anonymizing the same data set using traditional methods and releasing it publicly. The q-Anon model measures the probability that an attacker may logically deduce previously unknown information from a social network API, while assuming the data that is being protected may already be available to the public.194

Additionally, q-Anon emphasizes the measure of ambiguity in released data when facing a re-identification attack. Privacy is measured in terms of q, with larger values representing greater ambiguity or privacy. The value of q is determined by finding all unique user groups that could have accounted for the released data, and then finding the largest part (fraction) of those groups that includes any one user, with q defined as the reciprocal of this fraction.195 This method is feasible and suggests that a social network site like Facebook could,

192 Chow, Mokbel & Liu, Spatial Cloaking for Anonymous Location-Based Services in Mobile Peer-to-Peer Environments, 15 Geoinformatica 351 (2009).
193 Beach, Gartrell & Han, q-Anon: Rethinking Anonymity for Social Networks, in Proceedings: SocialCom 2010, The Second IEEE International Conference on Social Computing; PASSAT 2010, The Second IEEE International Conference on Privacy, Security, Risk and Trust 185–192 (2010).
194 Id.
195 Id.
for practical purposes, implement an anonymous API using q-Anon and give its users an alternative anonymity option to replace the current application model.196

8.8.2 Re-Identification

Re-identification has been made more feasible by advances in processing hardware capabilities and storage capacity. Larger and larger concentrations of PII make it possible to link disparate types of data and identify unique individuals within a set or group. These capabilities represent a major threat to traditional anonymization approaches.

A re-identification attack involves matching a set of quasi-identifiers from an anonymized data set with data that is publicly available, like census or voting records. This effectively de-anonymizes the previously anonymous data. Quasi-identifiers are assumed to be public by definition and do not represent the original data that is to be protected. The data that are slated for protection from re-identification attacks are referred to as “sensitive attributes.”197

The development and proliferation of re-identification and de-anonymization capabilities are a significant threat to the promises made by Internet organizations about protecting the privacy and identities of their users. The trust that users have that anonymization can protect privacy and sensitive information has thus been significantly eroded. It has become easy to “re-identify” and “de-anonymize” the identity of unique individuals that was previously believed to be hidden in anonymized data. In essence, re-identification technology has shown that users have been operating under a basic misunderstanding about the level of privacy they actually have. This misunderstanding is central to nearly all information privacy law, regulation or discussion, and the failure of anonymization must be addressed.198

A malicious adversary can use an individual’s PII to link information to a specific person. The same goal can be achieved using data that would not be traditionally classified as “personally identifiable.”199 Re-identification results in increasingly critical privacy violations by combining information held in databases that were originally designed to be kept separate. And every time a re-identification effort succeeds, the method becomes more powerful through accretion, making data that had been considered as secret or private easier and easier to find. Thus, fraudsters and others

196 Id.
197 Paul Ohm, supra note 2760.
198 Id.
199 Id.
with evil intent can link individuals to specific information that can be used to defame or discriminate against them.200

Protecting the privacy of users from these powerful and evolving re-identification methods can only be accomplished at significant cost, since keeping data perfectly anonymous or private renders it effectively useless. As the utility of information increases, privacy decreases. For years, regulators and lawmakers have enacted policies based on a belief that anonymization offered a robust solution. Now they have to review every privacy law and regulation to determine if re-identification threatens their original design.201

Techniques like anonymization or de-identification, which are implemented to protect privacy, may actually lead to laws that endanger privacy by focusing on identifiability. Even if the presumed effectiveness of anonymization and/or de-identification does not influence privacy law, the language used to discuss these issues brings its own dangers. Using such language could result in absolving organizations from the responsibility to protect personal information, while also encouraging people to let down their guard because they assume the organizations are handling the problem. Organizations and individuals are more likely to share information or allow it to be shared if they believe sensitive information is protected by these systems. The security and safety of information allegedly provided by anonymization or de-identification could be dangerous, since re-identification can be accomplished relatively easily as more data is collected and made available to the public, and as more computer power exists to handle it.202

8.8.3 Pseudonymity

Proponents of federated identity management systems (FIdS) believe that pseudonymity is an important tool for protecting privacy and preventing data mining, interception, and data linkage. Pseudonymity involves the use of pseudonyms, or identifiers of subjects. Being pseudonymous means using a pseudonym as identification in place of a “real” identity. Every pseudonym is assumed to refer to just one subject; it does not change over time, and it is not transferred to other subjects.203

There are two types of pseudonyms: group pseudonyms and transferable pseudonyms.204 Group pseudonyms refer to multiple subject holders. They

200 Id.
201 Id.
202 Barrigar, supra note 2850.
203 Identity and Impact of Privacy Enhancing Technologies, supra note 2913.
204 Barrigar, supra note 2850.
may produce or infer an anonymity data set because an attacker cannot determine whether an action was performed by a specific individual in the set by relying only on the information provided by the pseudonym. Transferable pseudonyms may be transferred from one holder to another. An advantage of pseudonymity is that accountability for misbehavior can be attributed to individuals. Persistent pseudonyms allow their owners to create a pseudonymous reputation over time. Controls for each pseudonym have to be granular enough to let users choose different levels of protection from tracking.205

8.9 Data Loss and Data Loss Prevention (DLP)
Data loss is a broad term that encompasses all types of information loss in a system and includes data leakage and data breach. It does not matter what the intention or motivation may be; once data is out of a system, it represents data loss for that system. Data loss prevention, often referred to as DLP, refers to methods designed to prevent information from being lost to a system, however that loss may occur. Whether the loss is due to intentional action or error or negligence does influence the types of remedies that may be applied.

It is critical to understand that data protection refers to the entire process of identifying and comprehending where and how sensitive data is created, processed, used, moved, shared, stored, and disposed of. Sensitive information requires security and protection at all stages of the data lifecycle.206

Data breach is the release of sensitive, confidential information, either intentionally or unintentionally, to an unauthorized or untrusted environment. Other terms for data breach include unintentional information disclosure, data leak, and data spill.207 Data breaches may involve credit card numbers or bank account information, personal health information, or Social Security numbers. This information is valuable to identity criminals, and between 2005 and 2013, the number of records containing sensitive personal information exposed by data breaches in the United States totaled nearly 61 billion.208

205 Id.
206 Adi Ruppin, Data Loss Prevention Solutions Fail To Stop Information Leaks, CioZone, http://www.ciozone.com/index.php/Enterprise-Software/Data-Loss-Prevention-Solutions-Fail-To-Stop-Information-Leaks.html (last visited Nov. 13, 2013).
207 Data Breach, Wikipedia, http://en.wikipedia.org/wiki/Data_breach (last visited Nov. 13, 2013).
208 See Data Breach Trends & Stats, In Defense of Data, http://www.indefenseofdata.com/data-breach-trends-stats/ (last visited Nov. 13, 2013).
The popular stereotype of a data breach is a criminal hacking into a corporate network to steal confidential information, but not all data breaches are this dramatic. Data breach also covers cases in which unauthorized employees view consumers’ records over the shoulders of co-workers who are authorized to access these records.209

There are industry guidelines and government compliance regulations that govern how sensitive personal information should be handled to avoid data breaches. For example, in the payment card industry, the Payment Card Industry Data Security Standard (PCI DSS) governs who can access credit card numbers, PINs and bank account numbers together with names and addresses. The U.S. government enacted the Health Insurance Portability and Accountability Act (HIPAA), which regulates the handling and use of personal health data, including name, date of birth, Social Security number and information about an individual’s medical history. Violations of these rules may result in civil or criminal prosecution.210

Because more and more sensitive information is collected and stored in ever-larger databases, there is a need for strong security measures to protect sensitive PII. However, many large databases are not adequately protected, leaving them open to data breach and risk of identity crime. According to the Federal Trade Commission, about one-third of all consumer complaints filed with the agency involve identity theft.211 In 2007, over 66 percent of organizations reported not keeping accurate inventory of user data or having lists of all the locations where PII is stored. Only about 50 percent of all companies had developed policies governing the protection, disclosure, and destruction of data.212

The security industry generally focuses on external threats to data and has created products focused on intrusion protection and discovering malicious software. As more cases involved the loss of sensitive information from unauthorized access and/or the accidental leak of information by internal sources, the industry started to develop products to address these threats. DLP systems are designed to stop the deliberate or inadvertent release of sensitive material without authorization.213
209 Definition: Data Breach, SearchSecurity, http://searchsecurity.techtarget.com/definition/data-breach (last visited Nov. 13, 2013).
210 Id.
211 Price Waterhouse Coopers, Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands (2008), available at http://www.pwc.com/en_US/us/increasing-it-effectiveness/assets/data_loss_prevention.pdf.
212 Id.
213 George Lawton, New Technology Prevents Data Leakage, Computer, Sept. 2008, at 14.
Data leakage refers to the unauthorized transmission of information from inside an organization to an external recipient through electronic or physical means. Sometimes, the term “information leakage” is used to describe this situation.214 Data leakage incidents have become increasingly visible because the sharing of data and collaboration has become a must in today’s increasingly mobile and global world. The challenge is that some documents have to be shared and some must be kept secure to varying degrees. However, current data loss prevention (DLP) and content security solutions do not address the requirements of this more complex world in which we live.215

Traditional DLP systems used algorithms that compared files leaving an organization with models of what constituted a sensitive document. The simplest systems utilized algorithms based on expression-pattern-matching, which identified data strings in the form of credit card or Social Security numbers. Such algorithms are unable to identify data; the extensive nature of the identification system required huge models of sensitive data and significant processing power.216

Traditional DLP systems use a binary process and are only able to look at documents and decide whether they can go out or not. However, most businesses today are not binary, and it has become difficult for IT professionals to define policies that accurately describe what most enterprises need without generating an undesirable number of false positives in a traditional DLP system. Additionally, DLP solutions do not address what happens to data once it has been distributed.217

Newer algorithms in DLP applications may use data fingerprinting, which identifies sensitive data by reducing information about a document to a small code string that can be scanned easily.
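The two detection styles described above can be put side by side in a short Python sketch. This is an added example, not code from the book or from any DLP product: the patterns, the Luhn checksum used to cut false positives on card-like numbers, the word-shingle fingerprint scheme, the 0.5 threshold, and every sample message are assumptions constructed for illustration.

```python
import hashlib
import re

# Expression-pattern matching: candidate card numbers and U.S. SSNs.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits):
    """Luhn checksum; rejects most digit runs that only look like cards."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:          # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def fingerprint(text, width=5):
    """Reduce a document to short hashes of its overlapping word shingles."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    count = max(len(words) - width + 1, 1)
    return {
        hashlib.sha256(" ".join(words[i:i + width]).encode()).hexdigest()[:16]
        for i in range(count)
    }


def containment(outgoing, protected_fp, width=5):
    """Share of the protected document's shingles found in the outgoing text."""
    return len(fingerprint(outgoing, width) & protected_fp) / len(protected_fp)


def scan(message, protected, threshold=0.5):
    """Return findings for one outgoing message; an empty list means allow."""
    findings = []
    for match in CARD_RE.finditer(message):
        digits = re.sub(r"\D", "", match.group())
        if luhn_valid(digits):
            findings.append(("card-number", "****" + digits[-4:]))
    for match in SSN_RE.finditer(message):
        findings.append(("ssn", "***-**-" + match.group()[-4:]))
    for doc_id, doc_fp in protected.items():
        if containment(message, doc_fp) >= threshold:
            findings.append(("fingerprint", doc_id))
    return findings


# Constructed sample data.
MEMO = ("The merger with Example Holdings will be announced on the first of "
        "March at a price of forty dollars per share subject to board approval")
PROTECTED = {"merger-memo": fingerprint(MEMO)}
MSG_PII = "Please charge 4111 1111 1111 1111, SSN 123-45-6789"
MSG_ORDER = "Lunch order 1234 5678 9012 3456 is ready for pickup"
MSG_EXCERPT = ("fyi: merger with Example Holdings will be announced on the "
               "first of March at a price of forty dollars per share. keep quiet")

if __name__ == "__main__":
    for message in (MSG_PII, MSG_ORDER, MSG_EXCERPT):
        print(scan(message, PROTECTED) or "allow", "<-", message[:40])
```

The order number matches the card pattern but fails the checksum, so it is not reported, while the excerpt contains no pattern at all and is caught only by the fingerprint.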
Other new methods may use dictionaries of keywords found only in the sensitive documents or Bayesian statistical analysis, which determines the probability that data is sensitive.218 Because different parties in an organization need to collaborate and share data, organizations cannot implement total blocking of documents to keep them safe. The goal is to protect information throughout the data lifecycle, wherever that information is stored. “Data lifecycle protection” represents the ultimate objective for enterprises that handle sensitive information.219 There are a number of security policies, enforcement initiatives and security controls available for mapping to a lifecycle process. These include full drive encryption, file/folder encryption, content monitoring and filtering at email and web security gateways. Other methods are application-level encryption, end-user activity monitoring, sensitive data discovery tools, digital rights management, the ability of the data owner to deny or assign permissions for copying, printing and forwarding files, and the ability to track documents and determine who can see them.220

A survey of stakeholders in pharmaceutical, healthcare, semiconductor, software, insurance and IT organizations found that document security was a major concern. However, efforts to prevent data leaks were incomplete or flawed. Sixty-five percent of the survey respondents reported sharing sensitive data, and more than 50 percent said they share data regularly. Ninety-six percent said they worry about sensitive data getting into the wrong hands. About 33 percent admitted to having had at least one data leakage incident, and 85 percent stated that the leaks were not the result of malicious intent. Only 12 percent said they used data loss prevention (DLP) or digital rights management (DRM).221

214 Peter Gordon, SANS Institute InfoSec Reading Room, Data Leakage-Threats and Mitigation (2007), available at http://www.sans.org/reading-room/whitepapers/awareness/data-leakage-threats-mitigation-1931.
215 Lawton, supra note 2959, at 15.
216 Id.
217 Ruppin, supra note 2952.
218 Lawton, supra note 2959, at 15.

8.10 The Identity Crime Prevention Model and Privacy by Design
Privacy is closely linked with identity. Organizations use identity technologies to connect personal information to a specific individual in order to conduct a wide range of societal transactions. The best identity technologies provide appropriate levels of anonymity and privacy to the individual, while poor approaches expose sensitive data to the risk of identity crime throughout all the collection, dissemination, and storage stages. Organizations that do not recognize the relationship between identity systems and privacy are vulnerable to data loss. Privacy and identity should be considered together when designing information systems.222

219 Ruppin, supra note 2952.
220 Id.
221 Id.
222 Privacy by Design, supra note 2848.

Privacy-enhancing technologies (PETs) were developed in the 1990s to address the effects of information and communication technology (ICT), and large-scale networked information systems. The fundamental idea of Privacy by Design (PbD) is that privacy’s future cannot be kept safe through regulatory compliance alone. Instead, assurance of privacy should be the default mode of operation for any organization. In the past, the deployment of PETs was believed to be the best solution. Now, it may be that the use of PETs should be extended by PbD, which comprises: 1) information technology systems, 2) accountable business practices, and 3) physical design and networked infrastructure.223 PbD seeks to ensure individuals’ privacy and give them control over their PII. PbD is based on seven principles that are defined as follows:224

1. “Proactive not Reactive; Preventative not Remedial.” Anticipates an invasion of privacy before it occurs, addressing the problem before the fact and not after.
2. “Privacy as the Default Setting.” Supports the idea that default settings should be those that provide the greatest degree of privacy. Personal data should be automatically protected in any IT system or business practice. The individual user should not be required to take any action to protect his/her privacy.
3. “Privacy Embedded into Design.” Embeds privacy into the design and architecture of IT systems and business practices, making privacy an essential element of core functionality and integral to a system.
4. “Full Functionality – Positive-Sum, not Zero-Sum.” Accommodates all legitimate goals and interests in a positive-sum “win-win” manner rather than through a zero-sum approach that imposes unnecessary tradeoffs. It is possible to have both privacy and security.
5. “End-to-End Security – Full Lifecycle Protection.” Extends strong security measures throughout the lifecycle of data, ensuring that all data are securely stored and securely destroyed in a timely way at the end of the process.
6. “Visibility and Transparency – Keep It Open.” Assures all stakeholders that when any technology or business practice is involved, it operates according to the stated objectives, subject to independent verification; elements and operations remain visible and transparent to both providers and users.
7. “Respect for User Privacy – Keep It User-Centric.” Most importantly, PbD requires all system operators and architects to keep the interests of the individual user in mind at all times, offering strong privacy defaults, appropriate notice, and user-friendly options.

223 Ann Cavoukian, Information & Privacy Commissioner, Ontario, Canada, Privacy by design: The 7 Foundational Principles (2009), available at http://www.ipc.on.ca/images/resources/7foundationalprinciples.pdf.
224 Id.

All of these principles represent part of a strategy to prevent identity crime. The addition of identity crime considerations in the development of data systems and technologies can be viewed as an extension, an “eighth principle,” of Privacy by Design. To understand the impact of identity theft, businesses and organizations tend to focus on data security measures to prevent data loss, but ignore the impact on customers and their organization once the data is lost or breached. Additionally, all data collected and stored is not of equal value to an identity criminal. Certain types of Personally Identifiable Information (PII) are more valuable to a criminal, and if these data are lost, it will be more detrimental to the consumer whose information is compromised. Therefore, each different data point should be evaluated separately for its attractiveness to identity criminals and the impact its loss will have on a consumer and/or organization. See Chapter 4 for an in-depth discussion of how to evaluate the impact of identity crime on a victim of identity crime.

The 8th Principle: “Consider the Impact of Data Loss – Evaluate Each Data Point Separately.” All data does not have the same value to an identity criminal. The loss of some types of data is more damaging than the loss of others; therefore, data should be evaluated in terms of the impact its loss will have on an individual or organization.

8.11 Conclusion
Information cannot be totally private or perfectly anonymous and still be of use to society. Therefore, policies and systems designed to protect privacy and reduce the risk of identity crime must always strive to maximize the level of privacy, minimize the risk of identity crime, and facilitate the sharing of information in useful ways. This goal can be accomplished by thinking clearly about the nature of privacy, anonymity and the technologies of verification and authentication used to protect them. Additionally, the concept of identification must be addressed separately from the concept of identity in system design. The effectiveness of any privacy technology from the identity crime perspective should be assessed according to the Identity Crime Privacy Model. The success of a privacy protection method should be addressed in terms of how it will affect the individuals and organizations whose sensitive data is at risk of being compromised by identity theft.

When the PII of consumers is compromised, there are serious implications for consumers and the organizations that handled their data. The reputation of a business can be damaged if there is a data breach, and the costs associated with the loss may be high. Victims of identity crime face significant financial, emotional, and reputational damage. Organizations have a responsibility to ensure that information is easily accessible and secure and that only those authorized to handle sensitive personal information can use it. Data mining and data aggregation represent real threats to privacy that increase as more information is collected through advances in technology and as data storage becomes increasingly centralized.

Privacy is a tool that may be used to prevent identity crime, and privacy technologies should be evaluated in terms of identity-crime threat agents. The Identity Crime Privacy Model offers businesses and governments a graphical representation of the unique effect that privacy solutions have on identity crime: solutions that are effective in reducing identity crime reach a point at which they begin to lose their usefulness and result in the opposite of what is intended – an increase in identity crime. Currently, organizations approach identity crime with the idea that decreasing the privacy of individuals is the best way to reduce the risk of crime. The Identity Crime Privacy Model illustrates an opposing view, suggesting that there are more desirable ways to reduce identity crime that can enhance individual privacy rather than erode it. Adhering to the principles established in Privacy by Design, it is possible to have both privacy and security. By applying the suggested “Eighth Principle,” organizations can evaluate their security methods by addressing both privacy and identity crime simultaneously.
No single technology can be totally effective in protecting privacy and eliminating identity crime. Developers will always struggle to address security and utility, privacy and identity crime, anonymity and privacy, identity and identifiability. The goal is to find the right balance between these opposing forces.
Chapter 9
Convention on Identity Crime
Introduction
Recognizing that identity crime is increasingly a problem of international dimensions, this chapter presents a model draft of an international convention to confront the problem. Currently, an international convention on identity crime does not exist. In much the same way that the international community eventually recognized the need to draft an international convention to deal with cybercrime, it is likely that the international community will also eventually deem it necessary to draft a convention to address identity crime. The need for an international convention on identity crime is obvious to those aware of the menace that international identity crime has become. Given the ease with which people in the modern world can interact by Internet or other technological means with other people and organizations around the world, identity crimes are increasingly committed across national borders, thus requiring several jurisdictions to become jointly involved to prosecute the crimes. Some nations have existing identity crime legislation and are equipped to prosecute crimes, but most other nations have inadequate identity crime legislation or even none at all. This disparity in the various nations’ statutory schemes creates the conundrum of which nation’s laws should be used to prosecute committed crimes, and presents the potential problem of conflicting laws from different jurisdictions. International enforcement agencies with a common purpose cannot work effectively when the type of evidence needed to provide proof of an identity crime differs from one jurisdiction or nation to another. Despite laws and approaches to identity crime that are at best conflicting or at worst nonexistent, authorities in the various affected jurisdictions are usually compelled to cooperate, however awkwardly, to prosecute crimes committed. The need for international cooperation calls for a convention that facilitates ease of cooperation and identifies the laws under which crimes will be prosecuted.
© Koninklijke Brill NV, Leiden, 2020 | DOI:10.1163/9789004395978_010

As discussed in Chapter 5, a number of regional political and semi-political bodies have taken initial steps to confront identity crime as a collective problem. The need for legislation that enables prosecutors to address cross-border identity crimes has not escaped attention, but the need for better international cooperation in formulating ways to deal with international identity crime remains a topic that needs to be brought to the forefront of the identity crime prevention discussion. The international community continues to face a rise in identity crime, and despite the progress various nations and regional organizations make in dealing with identity crime, there still exists a need for an international convention that presents uniformly common rules and guidelines to combat a genuinely international problem. Moreover, an international agency created pursuant to an international convention would provide a forum for international discussion, ongoing response to technological developments, technical assistance to developing states, information sharing across national borders, not to mention that it would create a deterrent to perpetrators of identity crime.

This chapter presents a model draft of an international convention on identity crime. The draft is intended to serve as a starting point for the drafting of a convention on identity crime that is so desperately needed in the international community. No pretense is made in stating that the Convention on Cybercrime, already adopted by many nations, is in some respects used as a model and template for the convention proposed herein, but the likenesses are limited to the procedural law and mutual assistance aspects only. The terms and conditions as well as the substantive law included in this proposed convention on identity crime stand alone and are based on 1) the Identity Crime Model developed in this book, 2) the resulting definition of identity crime developed in this book, and 3) the lessons learned during the in-depth analysis of current legislation performed in this book. The substantive law addressed in this book and proposed in this convention on identity crime model is comprehensive and specifically designed to accommodate the prosecution and punishment of identity crimes, which are more numerous and in many cases entirely distinct from cybercrimes.
Moreover, the proposed model convention on identity crime creates a new body of criminal law that can be used by adopting nations to prosecute identity crime. Such a feature cannot be claimed by the Convention on Cybercrime, which requires adopting nations to use their own, if any, legislation to combat and punish identity crime. To be clear, the Cybercrime Convention contains no specific provisions concerning identity crime or its prosecution. It might be possible to prosecute some identity crimes if they are committed by means of the Internet or computer systems;1 however, a much broader approach is needed to attack the growing array of identity crimes.

The procedural law and mutual assistance provisions in the proposed convention are comparable to similar provisions found in the Convention on Cybercrime. The language borrowed is that which would be applicable to any convention dealing with the virtual realm. In preparing the proposed convention on identity crime, the assumption was made that adopting similar, or in some cases identical, language to that contained in the Convention on Cybercrime would be a strength of this convention, not a weakness. In fact, overlapping language in the procedural and mutual assistance provisions of both conventions will facilitate cooperation among authorities investigating crimes that might fall under either or both conventions. But there are differences in the two conventions, even in the procedural and mutual assistance provisions. Unlike the Convention on Cybercrime, in the proposed convention on identity crime the procedural and mutual assistance provisions are designed to consider physical evidence as well as virtual evidence (to address both computer-based and non-computer-based evidence). This is to be expected because the nature of the two categories of crime – identity crime and cybercrime – is different in multiple ways. Cybercrime is criminal activity that involves the Internet, a computer system, or computer technology. It is “virtual” criminal activity. Indeed, identity crimes are frequently committed “online” through computer systems, and therefore, could also be prosecuted under the Convention on Cybercrime.2 However, a considerable amount of identity crime is committed without the use of a computer system and is independent from any electronic processes. Cybercrimes are committed only in the virtual realm, while identity crimes are committed in either the virtual or physical realms. In fact, it is possible for a criminal to commit an identity crime involving both the virtual and physical realms.

For illustration purposes, suppose a thief breaks into a car and steals a victim’s wallet containing the victim’s identification cards, social security card, and credit cards (acquisition of information in the physical realm). This thief then sells the various cards to another criminal (transfer/trafficking in the physical realm). Suppose this thief also keeps the information by writing it down on a piece of paper (possession in the physical realm). Next, suppose this entrepreneurial thief sells the information to someone in another country through an email message sent over the internet (trafficking in the virtual realm). Finally, this thief uses the information to apply for a credit card (acquisition involving the virtual realm). Once the card is obtained, the thief uses the credit card to purchase merchandise and applies for a tax refund under the victim’s name and personal information (possession and use in both the virtual and physical realms). In this example, the Convention on Cybercrime would be wholly inadequate to prosecute the criminals involved, but the convention on identity crime could be effectively used to prosecute all of the criminals involved.

A separate and distinct convention on identity crime is needed. The existing Convention on Cybercrime (or any other international instrument) is completely inadequate to confront the enormous volume and variety of identity crimes committed in the modern world.

1 Certain methods of illegal acquisition of identity information using a computer system can be criminalized through the Convention on Cybercrime. For example, see Article 2 (illegally accessing a computer system), Article 3 (illegal interception of non-public computer data), Article 4 (data interference), and Article 5 (system interference). Furthermore, the misuse of computer devices can be prosecuted using Article 6, computer-related forgery under Article 7, and computer-related fraud under Article 8. See Alexander Seeger, Presentation at UN ISPAC Conference on the Evolving Challenge of Identity-Related Crime, Identity Theft and the Convention on Cybercrime, (Courmayeur, Italy, Nov. 30–Dec. 2, 2007), available at http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/cy%20activity_events_on_identity_theft/567%20UN%20id%20theft%20and%20CCC_en.pdf.
2 Id.

9.1 Preamble
The States signatory hereto,

Considering that the aim of this Convention is to achieve greater unity among States in identifying and prosecuting identity crimes;

Recognizing the value of fostering cooperation with the other States parties to this Convention;

Convinced of the need to pursue, as a matter of priority, a common criminal policy aimed at the protection of society against identity crime, inter alia, by adopting appropriate legislation and fostering international cooperation;

Conscious of the profound changes brought about by the prolific spread of identity crime worldwide;

Recognizing the need for cooperation between States and private industry in combating identity crime;

Believing that an effective fight against identity crime requires increased, rapid and well-functioning international cooperation in criminal matters;

Believing that a brisk solution needs to be implemented before the faith of people, businesses and governments is eroded to a point of disrupting commerce and public trust;

Convinced that the present Convention is necessary to deter action directed against the confidentiality, integrity and availability of personal identity, as described in this Convention, and the adoption of powers sufficient for effectively combating such criminal offenses that rob persons of their identity, by facilitating their detection, investigation and prosecution at both the domestic and international levels and by providing arrangements for fast and reliable international cooperation;

Mindful of the need to ensure a proper balance between the interests of law enforcement and respect for fundamental human rights as enshrined in applicable international human rights treaties, which reaffirm the right of everyone to preserve personal information which is essential to their well-being, and to protect their rights concerning the respect for privacy;

Recognizing that an international convention rather than enforcement of only national laws is essential because:

1. Identity crimes are transnational, and require a transnational response.
2. Identity criminals exploit weaknesses in the laws and enforcement practices of states, exposing all other states to dangers that are beyond their capacity unilaterally or bilaterally to respond.
3. The speed and technical complexity of identity crimes using the Internet require prearranged, agreed procedures for cooperation in investigating and responding to them.
4. A multilateral Convention will ensure that all parties to the Convention:
   (i) adopt laws making identity offenses criminal;
   (ii) enforce those laws or extradite criminals for prosecution by other states;
   (iii) cooperate in investigating criminal activities and in providing usable evidence for prosecutions; and
   (iv) participate in formulating and agree to adopt and implement standards and practices that enhance safety and security.
   (v) An international agency created pursuant to the Convention will provide a forum for international discussion, ongoing response to technological developments, and technical assistance to developing states.

Recognizing that identity crimes include a broad range of criminal activities, including Identity Related:

1. Credit Card Fraud
2. Employment Fraud
3. Bank Fraud
4. Tax Fraud
5. Phone or Utility Fraud
6. Rental Fraud; Property, Apartments, House
7. Medical Fraud
8. Loan Fraud
9. Bankruptcy Fraud
10. Insurance Fraud
11. Securities and other investments
12. Government Benefit Fraud
13. Government Document Fraud
14. Internet or Email Fraud
15. Evading the Law

Recognizing that an attribute of identity crime that makes it hard to conquer is that it is particularly difficult to investigate and gather sufficient evidence for an indictment. Criminal investigations can be exceedingly complex in a number of ways:

1. An investigation requires the participation of a multitude of different businesses, such as financial institutions, credit card companies, debt collectors, and medical records companies, in each of which investigators may have difficulty establishing contacts.3
2. A single crime may occur in many jurisdictions, which often have imprecise and varying definitions of identity crime if they have any definition at all.4 Evidence that may fit the crime in one place may be a mismatch for the criminal elements required in another place.

Evidence often is not something tangible, like a fingerprint or an incriminating document; rather it exists in the virtual world, and can be erased or overwritten if the investigator does not act quickly. Gathering evidence requires specialized knowledge, and that knowledge must be updated constantly to keep abreast of the criminals. Prosecutors must find a way for judges and juries to understand exactly what the perpetrator did and how that is a crime, despite the lack of tangible evidence.5

Identity crime is not a single crime. Rather, it unfolds in stages, from obtaining or creating a usable identity, and then using that identity to commit further crimes, while concealing the true identity of the criminal.6 A person’s victimization from identity crimes may be ongoing and repetitive. One criminal may acquire card information (perhaps by larceny), use it to commit credit fraud (larceny and fraud), gain employment (fraud; offenses against employment laws), get a driver’s license (fraud on the DMV; traffic law violations for driving without a valid license), and commit a money laundering offense, then sell the identity information to someone else who continues to use it until something or someone puts a stop to it.

3 International Association of Chiefs of Police, Identity Crime Toolkit for Investigators, To Identity Thieves, Everyone is Just a Number 38 (n.d.) [hereinafter “IACP Toolkit”], available at http://www.theiacp.org/investigateid/pdf/binder-resources/identity-crime-toolkit.pdf (reporting on challenges cited by members of the National District Attorneys Associations).
4 Id.
5 Id. at 40.
6 Id.

It is further recognized that identity crime consists of multiple parts. The parts of the crime might not even be, in and of themselves, criminal. Thus, it is the intent of the person who performs such acts that determines whether the act constitutes an identity crime. There are five actions/components that, separately or collectively, can comprise an identity crime:

a. Acquisition of identity information or documents;
b. Transfer/Trafficking of identity information or documents;
c. Production of identity information or documents;
d. Possession of identity information or documents; and
e. Use of the information for criminal purposes.

The middle three of these components – transfer/trafficking, production, and possession – form the core of the body of law codified by most current identity crime statutes that have been passed by federal, state, and foreign governments. But this Convention recognizes that acquisition and use are also necessary components. “Acquisition” is made illegal under a broad array of other statutes criminalizing theft and embezzlement. “Use” of identity information is the ultimate reason why identity information has value, and the crimes involving the use of the information run the gamut of the family of crimes known as “fraud.” This Convention recognizes all five components and encourages prosecution of identity crimes under all five components. The Model Identity Crime diagram (see Exhibit “A”) is intended to visually represent all possible identity crimes and how they relate to one another.
Ordinarily, one speaks about the five components of identity crime in the order in which they might logically occur if all five components were present in a single scheme: first, acquisition of an identity; then production of the identity; then transfer; then possession; and lastly, use. Not all of those components are present in each case of identity crime, of course. The one component that must always be present is “possession,” which appears at the top of the chart, and is not dependent on any of the other components. This Convention adopts the Identity Crime Model as a useful tool for understanding and prosecuting identity crimes.

Welcoming recent developments which further advance international understanding and cooperation in combating identity crime, including action taken by the United Nations, the OECD, the European Union, and the G8;

Recalling the adoption by the Council of Europe of a Convention on Cybercrime on November 23, 2001, and acknowledging the need in a similar way to foster international cooperation with respect to reducing identity crime in the world;

Acknowledging that the Convention on Cybercrime has already been adopted by a significant number of nations and in many respects deals with the same issues and processes that are dealt with in this Convention, the Convention on Cybercrime is used as a model and a template for this Convention; and

Desiring the largest possible number of States to become parties to this Convention and acknowledging the need for a swift and efficient system of international cooperation, which duly takes into account the specific requirements of the fight against identity crime; and

Have agreed as follows:

9.2 Chapter I – Use of Terms
Article 1 –Definitions For the purposes of this Convention: a. “Identity Information” means any information of a type that is commonly used, alone or in combination with other information, to identify or purport to identify an individual, including biological or physiological information. This includes: i. fingerprints ii. voice prints iii. retina images iv. iris images v. dna profiles vi. Names vii. Addresses viii. dates of birth ix. written signatures x. electronic signatures xi. digital signatures xii. user names xiii. credit card numbers or payment methods xiv. debit card numbers xv. financial institution account numbers xvi. passport numbers xvii. social insurance numbers xviii. health insurance numbers xix. driver’s license numbers
678 b.
c.
d.
e. f.
g. h.
i.
CHAPTER 9
xx. passwords xxi. other useful means commonly used to identify a person or entity “Identity Document” means any type of document commonly accepted to identify an individual, or intended to be used for that purpose when completed with information concerning a particular individual. It may be one from the federal government or any other governmental body. It might come from the sponsoring entity of an event designated as a special event of national significance, a foreign government, or an international governmental or a quasi-governmental organization. Such a document may be made by, issued by, or merely under the authority of the body responsible for the identification document. Drivers’ licenses, passports, social security cards, health insurance cards, birth certificates, death certificates, and credit cards are the most common types of identity documents. “Forgery” means to make, copy, or use a false document, or to use a copy of a false instrument, to have custody or control of such an instrument, or to manufacture or have custody or control over the equipment and/or materials to make false instruments. “Acquisition” means intentionally acquiring identity information or documents and subsequently using the information or documents to defraud the owner or benefit or potentially benefit, whether for financial purpose or otherwise, some person or persons other than the owner of such information or documents. “Production” means all forms of counterfeiting, forging, making, manufacturing, issuing, and publishing identity information or documents without lawful authority. “Transfer/Trafficking” of identity information or documents refers to one who acquires identity information or documents and sells, pledges, distributes, gives, loans, or otherwise transfers it to another, with or without consideration, knowing that the other intends to use it unlawfully. 
“Possession” means possessing a piece of identity information or document with the intent to use that information or document for some unlawful purpose. “Use” of identity information or documents for the purpose of gaining some benefit, financial or otherwise, to which the identity criminal is not entitled, or using such information identity or documents to commit other crimes. “True Identity” refers to identity information or documents that belong to a real person that now exists or has existed in the past.
j. “Synthetic Identity” is an assembly of fabricated identity information or documents that does not belong to a person that currently exists or existed in the past.
k. “Hybrid Identity” refers to identity information or documents, some of which is true, some of which is synthetic.
l. “False identity” refers to a person who pretends to be, or passes himself or herself off as, some other person. The other person may be (a) living or dead; (b) real or synthetic; (c) natural or corporate.
m. “Issuing Authority” means a government body or other official body authorized by law to issue identity information or documents.
n. “Document-Making Implement” is any implement, impression, template, computer file, computer disc, electronic device, or computer hardware or software that is specifically configured or primarily used for making an identification document, a false identification document, or another document-making implement.
o. “Authentication Feature” is any hologram, watermark, certification, symbol, code, image, sequence of numbers or letters, or other feature that either individually or in combination with another feature is used by the issuing authority on an identification document, document-making implement, or means of identification to determine if the document is counterfeit, altered, or otherwise falsified.
p. “Identity” (or “means of Identity”) means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any (A) name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number; (B) unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (C) unique electronic identification number, address, or routing code; or (D) telecommunication identifying information or access device.
q. “Identity Theft” means one who knowingly obtains or possesses another person’s identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood.
r. “Identity Fraud” means an event that occurs when a false identity is used, or when another individual’s identity details are used in support of illegal activity, or when a person avoids an obligation or liability by falsely claiming status as an identity-fraud victim. When “identity fraud” is used, it applies to one who fraudulently personates another person, living or dead, or synthetic or hybrid, with intent to gain advantage, to obtain property, to cause a disadvantage to the person being personated, to avoid arrest or prosecution, or to obstruct justice.7
s. “Identity Crime” (whether using true, synthetic, or hybrid identity, and including Identity Theft and Identity Fraud8) means knowingly acquiring, producing, transferring, possessing, or using identity information or documents in order to commit a fraud, or to commit other unlawful activities.9 Specifically, it means any of the following activities that are committed, or attempted to be committed, knowingly and intentionally (reckless, negligent, mistaken, or accidental activity is not deemed an identity crime under this Convention):
1. acquiring, producing, or using an identity document/information or authentication features without lawful authority;
2. transferring identity document/information or authentication features with knowledge that they were stolen or produced illegally;
3. possessing, with intent to use or transfer unlawfully, three or more such documents/information or authentication features, other than identification documents/information issued or provided lawfully for the use of the possessor;
4. possessing or using such document/information or features intending to defraud any nation or any political subdivision of any nation;
5. producing, transferring, or possessing a document-making implement, identity information, or authentication feature, intending to use it (a) to produce false identity documents/information or (b) to produce additional document-making implements, identity information, or authentication features that will be so used;
6. acquiring, possessing, or using identity documents/information or authentication features that are forged or otherwise appear to be authorized by a nation or any political subdivision thereof, or by a sponsoring entity, for an event designated as one of national significance, that are stolen or produced without lawful authority, with knowledge that they are stolen or produced without such authority;
7 Criminal Code, R.S.C. 1985, c. C-46 §403(1) (Can.).
8 The most common phrase used to describe identity crime is “identity theft” and, to a lesser extent, “identity fraud.” While theft and fraud are a part of identity crime, they each only describe a part of the whole, namely, taking the identity information and documents and using the identity information and documents to deceive someone. However, identity crime is identity theft and identity fraud and more.
9 For a detailed discussion of the definition see Chapters 1 and 3.
7. acquiring, producing, transferring, possessing, or using, without lawful authority, a means of identity, with the intent to commit, aid, or abet an indictable offense (a single document or item of information that contains more than one means of identity is considered to be a violation of this provision).10
9.3 Chapter ii – Measures To Be Taken at the National Level
Section 1 – Substantive Criminal Law
Title 1 – Offenses against the State
Article 2 – Identity Crimes
Each Party shall adopt such legislative and other measures as may be necessary to establish as a criminal offense any identity crime as defined in Article 1 of this Convention under its domestic law, when committed knowingly and intentionally. National and other governmental statutes establishing identity crimes should adopt, to the extent reasonably possible, the definitions of various terms used in Article 1 hereof.
Article 3 – Five Components of Identity Crime
The five principal components of identity crime, all defined in Article 1, are acquisition, production, transfer/trafficking, possession, and use. These five components are reflected, separately or in combination, in the various identity crimes defined in Article 1(s); that is, they are not themselves defined herein as identity crimes, but rather are to be understood as components, to one degree or another, of the identity crimes set forth in Article 1(s).
Article 4 – Punishment of Identity Crime
Parties shall adopt such legislative and other measures as may be necessary to establish punishment for the various identity crimes set forth in Article 1. It is recommended that such parties establish a gradation of punishment for crimes whereby the punishment exacted takes into consideration the loss or injury to the victim, the type of identity crime committed by the defendant, the number and seriousness of the Identity crimes committed, the benefits gained by the defendant, and any other factors deemed relevant. It is further recommended that a principle of gradation of punishment of crimes be enforced
10 These provisions are taken in large measure from U.S. and Canadian statutes, which in combination provide a solid coverage of what constitutes identity crime. See Chapter 6.
by the Parties. Accordingly, for example, crimes that involve three of the five components of identity crime set forth in Article 3 should be punished more seriously than crimes involving less than three of the five components; crimes that involve four of the five components of identity crime set forth in Article 3 should be punished more seriously than crimes involving less than four of the five components; and crimes that involve all five components of identity crime set forth in Article 3 should be punished more seriously than crimes involving less than all five components.
Article 5 – Personal Information
Each Party shall adopt such legislative and other measures as may be necessary to identify the types of personal information that are to be protected by law.
Article 6 – Smart Documents
Each Party shall adopt smart documents that can be verified as Identity documents in real time.11 Moreover, each Party shall adopt such additional legislative and other measures as may be necessary to encourage authentication, verification and protection of identity information and identity documents to prevent identity crimes from being committed. Such measures are the absolute best way to prevent identity crime.
Article 7 – Identity Information and Identity Documents
Each Party shall adopt such legislative and other measures as may be necessary to impose punishments for the criminal use of identity information, as defined in Article 1, which are similar or identical to punishments assessed for the use of identity documents, as defined in Article 1, for the reason that identity crimes involving non-documentary information versus identity crimes involving documents are not categorically dissimilar.
Article 8 – Recovery, Restitution and Assistance
Each Party shall adopt recovery, restitution and victim assistance measures as may be necessary to assist victims of identity crime.
Parties should engage in all reasonable efforts to aid victims in the recovery of money or property lost by virtue of an identity crime. In providing for the recovery of property or other restitution measures, Parties should consider the amount of the loss sustained by each victim, the time spent by the victim in recovering from the
11 The Australian model, where the document verifier only receives a yes or no answer about whether the identity document is valid, is an excellent approach.
identity crime, the type of identity crime committed by the defendant, the financial resources of the defendant, the financial needs and earning ability of the defendant and the defendant’s dependents, and any other factors deemed appropriate. Recovery of assets, appropriate restitution and assistance on behalf of victims is never less important than prosecuting criminals who commit identity crimes.
Article 9 – Dual Criminality Required
An activity must be considered a crime in both nations before one nation can demand cooperation from another. Thus, this Convention requires law enforcement authorities in Nation A to cooperate with foreign authorities in Nation B only when the activity being investigated in Nation B is a crime in both Nations A and B.
Title 5 – Ancillary Liability and Sanctions
Article 10 – Attempt and aiding or abetting
1. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offenses under its domestic law, when committed intentionally, aiding or abetting the commission of any of the offenses established in accordance with Articles 2 through 9 of the present Convention with intent that such offense be committed.
2. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offenses under its domestic law, when committed intentionally, an attempt to commit any of the offenses established in accordance with this Convention.
3. Each Party may reserve the right not to apply, in whole or in part, paragraph 2 of this Article.
Article 11 – Corporate liability
1. Each Party shall adopt such legislative and other measures as may be necessary to ensure that legal persons can be held liable for a criminal offense established in accordance with this Convention, committed for their benefit by any natural person, acting either individually or as part of an organ of the legal person, who has a leading position within it, based on:
a. a power of representation of the legal person;
b. an authority to take decisions on behalf of the legal person;
c. an authority to exercise control within the legal person.
2. In addition to the cases already provided for in paragraph 1 of this article, each Party shall take the measures necessary to ensure that a legal person can be held liable where the lack of supervision or control by a natural
has made possible the commission of a criminal offense established in accordance with this Convention for the benefit of that legal person by a natural person acting under its authority.
3. Subject to the legal principles of the Party, the liability of a legal person may be criminal, civil or administrative.
4. Such liability shall be without prejudice to the criminal liability of the natural persons who have committed the offense.
Article 12 – Sanctions and measures
1. Each Party shall adopt such legislative and other measures as may be necessary to ensure that the criminal offenses established in accordance with Articles 2 through 9 are punishable by effective, proportionate and dissuasive sanctions, which include deprivation of liberty.
2. Each Party shall ensure that legal persons or entities held liable in accordance with Article 11 shall be subject to effective, proportionate and dissuasive criminal or non-criminal sanctions or measures, including monetary sanctions.
Section 2 – Procedural Law
Title 1 – Common Provisions
Article 13 – Scope of procedural provisions
1. Each Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this section for the purpose of specific criminal investigations or proceedings.
2. Except as specifically provided otherwise in Article 19, each Party shall apply the powers and procedures referred to in paragraph 1 of this article to:
a. the criminal offenses established in accordance with Articles 2 through 9 of this Convention, including identity crimes committed by means of a computer system; and
b. the collection of evidence in electronic form or non-electronic form of a criminal offense.
3. a. Each Party may reserve the right to apply the measures referred to in Article 18 only to offenses or categories of offenses specified in the reservation, provided that the range of such offenses or categories of offenses is not more restricted than the range of offenses to which it applies the measures referred to in Article 19. Each Party shall consider restricting such a reservation to enable the broadest application of the measure referred to in Article 18.
b. Where a Party, due to limitations in its legislation in force at the time of the adoption of the present Convention, is not able to apply the measures referred to in Articles 18 and 19 to communications
being transmitted within a computer system of a service provider, which system:
i. is being operated for the benefit of a closed group of users, and
ii. does not employ public communications networks and is not connected with another computer system, whether public or private,
that Party may reserve the right not to apply these measures to such communications. Each Party shall consider restricting such a reservation to enable the broadest application of the measures referred to in Articles 18 and 19.
Article 14 – Conditions and safeguards
1. Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1966 United Nations International Covenant on Civil and Political Rights and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.
2. Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.
3. To the extent that it is consistent with the public interest, in particular the sound administration of justice, each Party shall consider the impact of the powers and procedures in this section upon the rights, responsibilities and legitimate interests of third parties. The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.
Each Party shall pay for all surveillance required to prosecute crimes under this Convention, unless its own legislation specifically assigns it elsewhere.
Title 2 – Expedited Preservation of Identity Information
Article 15 – Expedited preservation and disclosure of identity information
1. Each Party shall adopt, in respect of rights that are to be preserved under Article 14, such legislative and other measures as may be necessary to:
a. ensure that such expeditious preservation of human rights is available regardless of whether one or more service providers were involved in the transmission of that communication; and
b. ensure the expeditious disclosure to the Party’s competent authority, or a person designated by that authority, of a sufficient amount of information to enable the Party to identify the identity information wrongfully accessed and used.
c. ensure that, subject to a and b above, all necessary evidence needed to prosecute identity crimes, physical or non-physical, is legally made available to prosecutors.
2. The powers and procedures referred to in this article shall be subject to Articles 13 and 14.
Title 3 – Production Order
Article 16 – Production order
1. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order:
a. a person in its territory to submit specified identity information in that person’s possession or control, which is stored in a computer system or a computer-data storage medium; and
b. a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider’s possession or control.
2. The powers and procedures referred to in this article shall be subject to Articles 13 and 14.
3. For the purpose of this article, the term “subscriber information” means any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:
a. the type of communication service used, the technical provisions taken thereto and the period of service;
b. the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;
c. any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.
Title 4 – Search and Seizure of Stored Computer Data
Article 17 – Search and seizure of stored identity information
1. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access:
a. a computer system or part of it and computer data stored therein; and
b. a computer-data storage medium in which computer data may be stored in its territory.
c. any other data or identity information or documents, whether stored in a computer system or not.
2. Each Party shall adopt such legislative and other measures as may be necessary to ensure that where its authorities search or similarly access a specific computer system or part of it, pursuant to paragraph 1(a) above, and have grounds to believe that the data sought is stored in another computer system or part of it in its territory, and such data is lawfully accessible from or available to the initial system, the authorities shall be able to expeditiously extend the search or similar accessing to the other system.
3. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to seize or similarly secure computer data accessed according to paragraphs 1 or 2. These measures shall include the power to:
a. seize or similarly secure a computer system or part of it or a computer-data storage medium;
b. make and retain a copy of those computer data;
c. maintain the integrity of the relevant stored computer data;
d. render inaccessible or remove those computer data in the accessed computer system.
4. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order any person who has knowledge about the functioning of the computer system or measures applied to protect the computer data therein to provide, as is reasonable, the necessary information, to enable the undertaking of the measures referred to in paragraphs 1 and 2.
5. The powers and procedures referred to in this article shall be subject to Articles 13 and 14.
Title 5 – Real-Time Collection of Computer and Other Data
Article 18 – Real-time collection of data
1. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to:
a. collect or record through the application of technical means on the territory of that Party, and
b. compel a service provider, within its existing technical capability:
i. to collect or record through the application of technical means on the territory of that Party; or
ii. to co-operate and assist the competent authorities in the collection or recording of,
traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer or any other system or means of data collection; and
c. collect such other data, intangible or tangible, as shall be necessary to adequately prosecute persons committing any identity crime.
2. Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1(a) above, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of traffic data associated with specified communications transmitted in its territory, through the application of technical means on that territory.
3. Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.
4. The powers and procedures referred to in this article shall be subject to Articles 13 and 14.
Article 19 – Interception of data
1. Each Party shall adopt such legislative and other measures as may be necessary, in relation to a range of serious offenses to be determined by domestic law, to empower its competent authorities to:
a. collect or record through the application of technical means on the territory of that Party, and
b. compel a service provider, within its existing technical capability:
i. to collect or record through the application of technical means on the territory of that Party, or
ii. to co-operate and assist the competent authorities in the collection or recording of,
content data, in real-time, of specified communications in its territory transmitted by means of a computer system.
c. subject to the rights of the accused, to compel any person or entity in possession of necessary data, identity information or documents, physical or non-physical, that constitutes evidence in a case involving identity crime.
2. Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1(a), it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of content data on specified communications in its territory through the application of technical means on that territory.
3. Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.
4. The powers and procedures referred to in this article shall be subject to Articles 13 and 14.
Section 3 – Jurisdiction
Article 20 – Jurisdiction
1. Each Party shall adopt such legislative and other measures as may be necessary to establish jurisdiction over any offense established in accordance with Articles 2 through 9 of this Convention, when the offense is committed:
a. in its territory; or
b. on board a ship flying the flag of that Party; or
c. on board an aircraft registered under the laws of that Party; or
d. by one of its nationals, if the offense is punishable under criminal law where it was committed or if the offense is committed outside the territorial jurisdiction of any State.
2. Each Party may reserve the right not to apply or to apply only in specific cases or conditions the jurisdiction rules laid down in paragraphs 1(b) through 1(d) of this article or any part thereof.
3. Each Party shall adopt such measures as may be necessary to establish jurisdiction over the offenses referred to in Article 22, paragraph 1, of this Convention, in cases where an alleged offender is present in its territory and it does not extradite him or her to another Party, solely on the basis of his or her nationality, after a request for extradition.
4. This Convention does not exclude any criminal jurisdiction exercised by a Party in accordance with its domestic law.
5. When more than one Party claims jurisdiction over an alleged offense established in accordance with this Convention, the Parties involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution.
9.4 Chapter iii – International Cooperation
Section 1 – General Principles
Title 1 – General Principles Relating to International Cooperation
Article 21 – General principles relating to international cooperation
The Parties shall co-operate with each other, in accordance with the provisions of this chapter, and through the application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offenses related to computer systems and data, or for the collection of evidence in electronic form of a criminal offense.
Title 2 – Principles Relating to Extradition
Article 22 – Extradition
1. a. This article applies to extradition between Parties for the criminal offenses established in accordance with Articles 2 through 9 of this Convention, provided that they are punishable under the laws of both Parties concerned by deprivation of liberty for a maximum period of at least one year, or by a more severe penalty.
b. Where a different minimum penalty is to be applied under an arrangement agreed on the basis of uniform or reciprocal legislation or an extradition treaty, applicable between two or more parties, the minimum penalty provided for under such arrangement or treaty shall apply.
2. The criminal offenses described in paragraph 1 of this article shall be deemed to be included as extraditable offenses in any extradition treaty existing between or among the Parties. The Parties undertake to include such offenses as extraditable offenses in any extradition treaty to be concluded between or among them.
3. If a Party that makes extradition conditional on the existence of a treaty receives a request for extradition from another Party with which it does not have an extradition treaty, it may consider this Convention as the legal basis for extradition with respect to any criminal offense referred to in paragraph 1 of this article.
4. Parties that do not make extradition conditional on the existence of a treaty shall recognise the criminal offenses referred to in paragraph 1 of this article as extraditable offenses between themselves.
5. Extradition shall be subject to the conditions provided for by the law of the requested Party or by applicable extradition treaties, including the grounds on which the requested Party may refuse extradition.
6. If extradition for a criminal offense referred to in paragraph 1 of this article is refused solely on the basis of the nationality of the person sought, or because the requested Party deems that it has jurisdiction over the offense, the requested Party shall submit the case at the request of the requesting Party to its competent authorities for the purpose of prosecution and shall report the final outcome to the requesting Party in due course. Those authorities shall take their decision and conduct their investigations and proceedings in the same manner as for any other offense of a comparable nature under the law of that Party.
7. a. Each Party shall, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, communicate to the Secretary General of the United Nations the name and address of each authority responsible for making or receiving requests for extradition or provisional arrest in the absence of a treaty.
b. The Secretary General of the United Nations shall set up and keep updated a register of authorities so designated by the Parties. Each Party shall ensure that the details held on the register are correct at all times.
Title 3 – General Principles Relating to Mutual Assistance
Article 23 – General principles relating to mutual assistance
1. The Parties shall afford one another mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offenses related to identity information and documents, or for the collection of evidence, electronic or non-electronic, of a criminal offense.
2. Each Party shall also adopt such legislative and other measures as may be necessary to carry out the obligations set forth in Articles 25 through 33.
3. Each Party may, in urgent circumstances, make requests for mutual assistance or communications related thereto by expedited means of communication, including fax or e-mail, to the extent that such means provide appropriate levels of security and authentication (including the use of encryption, where necessary), with formal confirmation to follow, where required by the requested Party. The requested Party shall accept and respond to the request by any such expedited means of communication.
4. Except as otherwise specifically provided in articles in this chapter, mutual assistance shall be subject to the conditions provided for by the law
of the requested Party or by applicable mutual assistance treaties, including the grounds on which the requested Party may refuse co-operation. The requested Party shall not exercise the right to refuse mutual assistance in relation to the offenses referred to in Articles 2 through 9 solely on the ground that the request concerns an offense which it considers a fiscal offense.
5. Where, in accordance with the provisions of this chapter, the requested Party is permitted to make mutual assistance conditional upon the existence of dual criminality, that condition shall be deemed fulfilled, irrespective of whether its laws place the offense within the same category of offense or denominate the offense by the same terminology as the requesting Party, if the conduct underlying the offense for which assistance is sought is a criminal offense under its laws.
Article 24 – Spontaneous information
1. A Party may, within the limits of its domestic law and without prior request, forward to another Party information obtained within the framework of its own investigations when it considers that the disclosure of such information might assist the receiving Party in initiating or carrying out investigations or proceedings concerning criminal offenses established in accordance with this Convention or might lead to a request for co-operation by that Party under this chapter.
2. Prior to providing such information, the providing Party may request that it be kept confidential or only used subject to conditions. If the receiving Party cannot comply with such request, it shall notify the providing Party, which shall then determine whether the information should nevertheless be provided. If the receiving Party accepts the information subject to the conditions, it shall be bound by them.
Title 4 – Procedures Pertaining to Mutual Assistance Requests in the Absence of Applicable International Agreements
Article 25 – Procedures pertaining to mutual assistance requests in the absence of applicable international agreements
1. Where there is no mutual assistance treaty or arrangement on the basis of uniform or reciprocal legislation in force between the requesting and requested Parties, the provisions of paragraphs 2 through 9 of this article shall apply. The provisions of this article shall not apply where such treaty, arrangement or legislation exists, unless the Parties concerned agree to apply any or all of the remainder of this article in lieu thereof.
2. a. Each Party shall designate a central authority or authorities responsible for sending and answering requests for mutual assistance, the
execution of such requests or their transmission to the authorities competent for their execution. b. The central authorities shall communicate directly with each other; c. Each Party shall, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, communicate to the Secretary General of the United Nations the names and addresses of the authorities designated in pursuance of this paragraph; d. The Secretary General of the United Nations shall set up and keep updated a register of central authorities designated by the Parties. Each Party shall ensure that the details held on the register are correct at all times. 3. Mutual assistance requests under this article shall be executed in accordance with the procedures specified by the requesting Party, except where incompatible with the law of the requested Party. 4. The requested Party may, in addition to the grounds for refusal established in Article 23, paragraph 4, refuse assistance if it considers that execution of the request is likely to prejudice its sovereignty, security, ordre public or other essential interests. 5. The requested Party may postpone action on a request if such action would prejudice criminal investigations or proceedings conducted by its authorities. 6. Before refusing or postponing assistance, the requested Party shall, where appropriate after having consulted with the requesting Party, consider whether the request may be granted partially or subject to such conditions as it deems necessary. 7. The requested Party shall promptly inform the requesting Party of the outcome of the execution of a request for assistance. Reasons shall be given for any refusal or postponement of the request. The requested Party shall also inform the requesting Party of any reasons that render impossible the execution of the request or are likely to delay it significantly.
8. The requested Party shall promptly inform the requesting Party of the outcome of the execution of a request for assistance. Written reasons shall be given for any refusal or postponement of the request. The requested Party shall also inform the requesting Party of any reasons that render impossible the execution of the request or are likely to delay it significantly. The Secretary General of the United Nations shall annually publish a list of all refused requests and the reasons therefor. 9. a. In the event of urgency, requests for mutual assistance or communications related thereto may be sent directly by judicial
authorities of the requesting Party to such authorities of the requested Party. In any such cases, a copy shall be sent at the same time to the central authority of the requested Party through the central authority of the requesting Party. b. Any request or communication under this paragraph may be made through the International Criminal Police Organization (Interpol). c. Where a request is made pursuant to sub-paragraph a. of this article and the authority is not competent to deal with the request, it shall refer the request to the competent national authority and inform directly the requesting Party that it has done so. d. Requests or communications made under this paragraph that do not involve coercive action may be directly transmitted by the competent authorities of the requesting Party to the competent authorities of the requested Party. e. Each Party may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, inform the Secretary General of the United Nations that, for reasons of efficiency, requests made under this paragraph are to be addressed to its central authority. Article 26 –Confidentiality and limitation on use 1. When there is no mutual assistance treaty or arrangement on the basis of uniform or reciprocal legislation in force between the requesting and the requested Parties, the provisions of this article shall apply. The provisions of this article shall not apply where such treaty, arrangement or legislation exists, unless the Parties concerned agree to apply any or all of the remainder of this article in lieu thereof. 2. The requested Party may make the supply of information or material in response to a request dependent on the condition that it is: a. kept confidential where the request for mutual legal assistance could not be complied with in the absence of such condition, or b. not used for investigations or proceedings other than those stated in the request. 3. 
If the requesting Party cannot comply with a condition referred to in paragraph 2, it shall promptly inform the other Party, which shall then determine whether the information should nevertheless be provided. When the requesting Party accepts the condition, it shall be bound by it. 4. Any Party that supplies information or material subject to a condition referred to in paragraph 2 may require the other Party to explain, in relation to that condition, the use made of such information or material.
Section 2 –Specific Provisions Title 1 –Mutual Assistance regarding Provisional Measures Article 27 –Expedited preservation of stored computer data 1. A Party may request another Party to order or otherwise obtain the expeditious preservation of data stored by means of a computer system, located within the territory of that other Party and in respect of which the requesting Party intends to submit a request for mutual assistance for the search or similar access, seizure or similar securing, or disclosure of the data. 2. A request for preservation made under paragraph 1 shall specify: a. the authority seeking the preservation; b. the offense that is the subject of a criminal investigation or proceedings and a brief summary of the related facts; c. the stored computer data to be preserved and its relationship to the offense; d. any available information identifying the custodian of the stored computer data or the location of the computer system; e. the necessity of the preservation; and f. that the Party intends to submit a request for mutual assistance for the search or similar access, seizure or similar securing, or disclosure of the stored computer data. 3. Upon receiving the request from another Party, the requested Party shall take all appropriate measures to preserve expeditiously the specified data in accordance with its domestic law. For the purposes of responding to a request, dual criminality shall not be required as a condition to providing such preservation. 4. 
A Party that requires dual criminality as a condition for responding to a request for mutual assistance for the search or similar access, seizure or similar securing, or disclosure of stored data may, in respect of offenses other than those established in accordance with Articles 2 through 9 of this Convention, reserve the right to refuse the request for preservation under this article in cases where it has reasons to believe that at the time of disclosure the condition of dual criminality cannot be fulfilled. 5. In addition, a request for preservation may only be refused if the requested Party considers that execution of the request is likely to prejudice its sovereignty, security, ordre public or other essential interests. 6. Where the requested Party believes that preservation will not ensure the future availability of the data or will threaten the confidentiality of or otherwise prejudice the requesting Party’s investigation, it shall promptly
so inform the requesting Party, which shall then determine whether the request should nevertheless be executed. 7. Any preservation effected in response to the request referred to in paragraph 1 shall be for a period not less than sixty days, in order to enable the requesting Party to submit a request for the search or similar access, seizure or similar securing, or disclosure of the data. Following the receipt of such a request, the data shall continue to be preserved pending a decision on that request. Article 28 –Expedited disclosure of preserved traffic data and other information 1. Where, in the course of the execution of a request made pursuant to Article 27 to preserve traffic data or other information concerning a specific communication, the requested Party discovers that a service provider in another State was involved in the transmission of the communication, the requested Party shall expeditiously disclose to the requesting Party a sufficient amount of traffic data or other information to identify that service provider and the path through which the communication was transmitted. 2. Disclosure of traffic data under paragraph 1 may only be withheld if the requested Party considers that execution of the request is likely to prejudice its sovereignty, security, ordre public or other essential interests. Title 2 –Mutual Assistance regarding Investigative Powers Article 29 –Mutual assistance regarding accessing of stored data 1. A Party may request another Party to search or similarly access, seize or similarly secure, and disclose data stored by means of a computer system located within the territory of the requested Party, or data stored by any other means, including data that has been preserved pursuant to Article 27. 2. The requested Party shall respond to the request through the application of international instruments, arrangements and laws referred to in Article 21, and in accordance with other relevant provisions of this chapter. 3. 
The request shall be responded to on an expedited basis where: a. there are grounds to believe that relevant data is particularly vulnerable to loss or modification; or b. the instruments, arrangements and laws referred to in paragraph 2 otherwise provide for expedited co-operation. Article 30 –Trans-border access to stored personal data with consent or where publicly available A Party may, without the authorization of another Party:
a. access publicly available (open source) stored computer or other data, regardless of where the data is located geographically; or b. access or receive, through a computer system in its territory, stored computer or other data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system. Article 31 –Mutual assistance in the real-time collection of identity information 1. The Parties shall provide mutual assistance to each other in the real-time collection of identity information associated with specified communications in their territory transmitted by means of a computer or other system. Subject to the provisions of paragraph 2, this assistance shall be governed by the conditions and procedures provided for under domestic law. 2. Each Party shall provide such assistance at least with respect to criminal offenses for which real-time collection of identity information would be available in a similar domestic case. Article 32 –Mutual assistance regarding the interception of data The Parties shall provide mutual assistance to each other in the real-time collection or recording of data of specified communications transmitted by means of a computer or other system to the extent permitted under their applicable treaties and domestic laws. Title 3 –24/7 Network Article 33 –24/7 Network 1. Each Party shall designate a point of contact available on a twenty-four hour, seven-day-a-week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offenses related to identity crimes and related data, or for the collection of evidence in electronic or other form of a criminal offense. Such assistance shall include facilitating, or, if permitted by its domestic law and practice, directly carrying out the following measures: a. the provision of technical advice; b. 
the preservation of data pursuant to Articles 27 and 28; c. the collection of evidence, the provision of legal information, and locating of suspects. 2. a. A Party’s point of contact shall have the capacity to carry out communications with the point of contact of another Party on an expedited basis. b. If the point of contact designated by a Party is not part of that Party’s authority or authorities responsible for international mutual
assistance or extradition, the point of contact shall ensure that it is able to co-ordinate with such authority or authorities on an expedited basis. 3. Each Party shall ensure that trained and equipped personnel are available, in order to facilitate the operation of the network.
9.5 Chapter IV –Final Provisions
Article 34 –Signature and entry into force 1. This Convention shall be open for signature by the member States of the United Nations and by non-member States which have participated in its elaboration. 2. This Convention is subject to ratification, acceptance or approval. Instruments of ratification, acceptance or approval shall be deposited with the Secretary General of the United Nations. 3. This Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date on which five States of the United Nations have expressed their consent to be bound by the Convention in accordance with the provisions of paragraphs 1 and 2. 4. In respect of any signatory State which subsequently expresses its consent to be bound by it, the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of the expression of its consent to be bound by the Convention in accordance with the provisions of paragraphs 1 and 2. Article 35 –Territorial application 1. Any State may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, specify the territory or territories to which this Convention shall apply. 2. Any State may, at any later date, by a declaration addressed to the Secretary General of the United Nations, extend the application of this Convention to any other territory specified in the declaration. In respect of such territory the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of receipt of the declaration by the Secretary General. 3. Any declaration made under the two preceding paragraphs may, in respect of any territory specified in such declaration, be withdrawn by a notification addressed to the Secretary General of the United Nations.
The withdrawal shall become effective on the first day of the month following the expiration of a period of three months after the date of receipt of such notification by the Secretary General. Article 36 –Effects of the Convention 1. The purpose of the present Convention is to supplement applicable multilateral or bilateral treaties or arrangements as between the Parties. 2. If two or more Parties have already concluded an agreement or treaty on the matters dealt with in this Convention or have otherwise established their relations on such matters, or should they in future do so, they shall also be entitled to apply that agreement or treaty or to regulate those relations accordingly. However, where Parties establish their relations in respect of the matters dealt with in the present Convention other than as regulated therein, they shall do so in a manner that is not inconsistent with the Convention’s objectives and principles. 3. Nothing in this Convention shall affect other rights, restrictions, obligations and responsibilities of a Party. Article 37 –Federal clause 1. A federal State may reserve the right to assume obligations under Chapter 2 of this Convention consistent with its fundamental principles governing the relationship between its central government and constituent States or other similar territorial entities provided that it is still able to co-operate under Chapter 3. 2. When making a reservation under paragraph 1, a federal State may not apply the terms of such reservation to exclude or substantially diminish its obligations to provide for measures set forth in Chapter 2. Overall, it shall provide for a broad and effective law enforcement capability with respect to those measures. 3. 
With regard to the provisions of this Convention, the application of which comes under the jurisdiction of constituent States or other similar territorial entities, that are not obliged by the constitutional system of the federation to take legislative measures, the federal government shall inform the competent authorities of such States of the said provisions with its favourable opinion, encouraging them to take appropriate action to give them effect. Article 38 –Reservations By a written notification addressed to the Secretary General of the United Nations, any State may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, declare that it avails itself of any reservation(s) permitted under the provisions of this Convention.
Article 39 –Status and withdrawal of reservations 1. A Party that has made a reservation in accordance with Article 38 may wholly or partially withdraw it by means of a notification addressed to the Secretary General of the United Nations. Such withdrawal shall take effect on the date of receipt of such notification by the Secretary General. If the notification states that the withdrawal of a reservation is to take effect on a date specified therein, and such date is later than the date on which the notification is received by the Secretary General, the withdrawal shall take effect on such a later date. 2. A Party that has made a reservation as referred to in Article 38 shall withdraw such reservation, in whole or in part, as soon as circumstances so permit. 3. The Secretary General of the United Nations may periodically enquire with Parties that have made one or more reservations as referred to in Article 38 as to the prospects for withdrawing such reservation(s). Article 40 –Amendments 1. Amendments to this Convention may be proposed by any Party, and shall be communicated by the Secretary General of the United Nations to the member States of the United Nations, to the non-member States which have participated in the elaboration of this Convention as well as to any State which has acceded to, or has been invited to accede to, this Convention in accordance with the provisions of Article 35. 2. Any amendment proposed by a Party shall be communicated to the General Secretary of the United Nations. 3. The United Nations shall consider the proposed amendment and, following consultation with the Parties to this Convention, may adopt the amendment. 4. The text of any amendment adopted by the United Nations in accordance with paragraph 3 of this Article shall be forwarded to the Parties for acceptance. 5. 
Any amendment adopted in accordance with paragraph 3 of this article shall come into force on the thirtieth day after all Parties have informed the Secretary General of their acceptance thereof. Article 41 –Settlement of disputes 1. The United Nations shall be kept informed regarding the interpretation and application of this Convention. 2. In case of a dispute between Parties as to the interpretation or application of this Convention, they shall seek a settlement of the dispute through negotiation or any other peaceful means of their choice, including submission of the dispute to the United Nations, to an arbitral tribunal
whose decisions shall be binding upon the Parties, or to the International Court of Justice, as agreed upon by the Parties concerned. Article 42 –Consultations of the Parties 1. The Parties shall, as appropriate, consult periodically with a view to facilitating: a. the effective use and implementation of this Convention, including the identification of any problems thereof, as well as the effects of any declaration or reservation made under this Convention; b. the exchange of information on significant legal, policy or technological developments pertaining to identity crime and the collection of evidence in electronic or other form; c. consideration of possible supplementation or amendment of the Convention. 2. The United Nations shall be kept periodically informed regarding the result of consultations referred to in paragraph 1. 3. The United Nations shall, as appropriate, facilitate the consultations referred to in paragraph 1 and take the measures necessary to assist the Parties in their efforts to supplement or amend the Convention. 4. Except where assumed by the United Nations, expenses incurred in carrying out the provisions of paragraph 1 shall be borne by the Parties in the manner to be determined by them. 5. The Parties shall be assisted by the Secretariat of the United Nations in carrying out their functions pursuant to this article. Article 43 –Denunciation 1. Any Party may, at any time, denounce this Convention by means of a notification addressed to the Secretary General of the United Nations. 2. Such denunciation shall become effective on the first day of the month following the expiration of a period of three months after the date of receipt of the notification by the Secretary General. 
Article 44 –Notification The Secretary General of the United Nations shall notify the member States of the United Nations, the non-member States which have participated in the elaboration of this Convention as well as any State which has acceded to, or has been invited to accede to, this Convention of: a. any signature; b. the deposit of any instrument of ratification, acceptance, approval or accession; c. any date of entry into force of this Convention in accordance with Articles 35 and 36;
d. any declaration made under Article 38 or reservation made in accordance with Article 38; e. any other act, notification or communication relating to this Convention. In witness whereof the undersigned, being duly authorised thereto, have signed this Convention. Done at ___________, this ____ day of _______________20__, in English and in French, both texts being equally authentic, in a single copy which shall be deposited in the archives of the United Nations. The Secretary General of the United Nations shall transmit certified copies to each member State of the United Nations, to the non-member States which have participated in the elaboration of this Convention, and to any State invited to accede to it.
Chapter 10
Conclusion
© Koninklijke Brill NV, Leiden, 2020 | DOI:10.1163/9789004395978_011
Identity crime is a growing, destructive, modern phenomenon that is, unfortunately, here to stay. The sooner governments worldwide comprehend the enormity of identity crime and begin serious efforts to curb its disastrous effects upon individuals, businesses, governments, and other organizations, the better life will be for law-abiding people and organizations everywhere. Understanding identity crime and reshaping law to deal with it effectively has been the core message of this book. Nevertheless, given the considerable ground we have covered in this book, reviewing briefly the principal discussion points around this core message is certainly in order in this concluding chapter.
Chapter 1, the Introduction, introduced the subject of identity crime and presented information about the nature of identity crime and why the international community must step up efforts to deal with its harmful effects. Identity crime already accounts for more than $50 billion in annual losses in the United States alone, and this figure grows each year. Similar harmful effects can be seen in other countries around the world.
Chapter 2 addressed the meaning of “identity” and surveyed the range of personal information and documents that might inform or define one’s identity. Recommendations were made about how we should define “identity” for purposes of dealing with identity crime. As citizens of the world increasingly depend upon the creation, transfer, and storage of personal information, it becomes imperative that this information be protected from identity thieves. It was suggested that the international community should not only step up its efforts to universalize the definition of identity, but also make more uniform the array of laws that seek to reduce and eliminate identity crime.
Chapter 3 presented the Identity Crime Model, a framework for understanding identity crime. The model allows one to evaluate and develop procedures and tools for prevention, recovery, and prosecution, and to develop an overall prevention strategy. The model also includes the five critical components of identity crime, namely acquisition, production, transferring, possession, and use. Criminals are crafty and sophisticated: the chapter presented, from the perspective of the criminal, techniques and strategies for acquiring personal information and documents, including data theft techniques that rely on computer technology, such as phishing, botnets, smishing, vishing, pharming, spyware, malware, web Trojans, keyloggers and screenloggers,
system reconfiguration attacks, hacking and cracking, online searching and search hacking, wardriving, and identity theft via social networks. Chapter 3 also distinguished identity-related fraud and generic fraud, revealing the unique features of the former. Different types of identity-related fraud were presented: e.g., credit cards and payments; banks; trade; loans; real estate and mortgages; employment; criminal evasion; telephones and other utilities; taxes; social security numbers and cards; passports and visas; drivers’ licenses; medical services; credentials; insurance; investments; tenancy; bankruptcy; postal services; email and the Internet. Chapter 3 further discussed situations in which identity information and documents are used for committing other crimes, such as terrorism, money laundering, illegal immigration, drug trafficking, and organized crime. The chapter stressed that, in the computerized world in which we live, identity crime routinely crosses national borders. Questions of where the crimes are committed and who is responsible for prosecuting them, together with the fact that cooperation among various legal jurisdictions is essential to the effective reduction and elimination of identity crime, combine to result in a clarion call for universalizing the law of identity crime.
Chapter 4 analyzed the components of identity crime and emphasized the considerable threat that exists today of becoming a victim of identity crime. The Identity Crime Risk Assessment Model, which spells out the identity crime threat agents that increase or decrease the likelihood of becoming a victim, was introduced. Also discussed were thirteen variables that define the rationales and motives that incentivize threat agents to commit identity crimes. In general, the chapter equipped potential victims of identity crime to understand the risk factors that will enable one to develop an effective approach to reducing identity crime. 
Chapter 4 concluded with an impact analysis that showed the true cost of identity crime to victims. An identity crime cost model was developed, and the four primary types of identity crime costs were discussed, specifically, prevention costs, consequential costs, recovery costs, and response costs. Also provided was an identity crime costing template using the Identity Crime Cost Model. The impact of identity crime on victims, businesses, government, the community, society, offenders, victim families, and offender families was discussed.
Chapter 5 presented a review of the activity of a variety of regional and international organizations to combat identity crime. Unfortunately, these organizations that have begun to deal with criminal issues have not yet developed specific identity crime legislation. They are making some progress, but it is not yet enough and their progress is mostly on a regional basis. The larger international community will continue to face a rise in identity crime and
no matter how much progress the various nations and regional organizations make in dealing with identity crime, there still needs to be an international convention that presents genuinely common rules and guidelines to deal with a genuinely international problem. Nevertheless, the insights of these organizations are discussed in detail, insights that can influence the emergence of future legislation to deal more effectively with identity crime.
Chapter 6 evaluated and critiqued statutes and treaties worldwide pertinent to identity crime. Some of the laws examined were identity-crime-specific; others were merely identity-crime-related such as general fraud and theft statutes. Identifying and analyzing the statutes currently used to prosecute identity crime is an important component in developing proper deterrents and law enforcement responses to identity crime. The statutes were analyzed according to their record of success or failure. In many ways Chapter 6 is the heart of the book since the legislation passed in the four countries under review becomes, collectively, the basis for analyzing how international legislation, indeed an international convention, should be adopted to deal with the emerging global concerns of identity crime. Included in this study were the United States, Canada, Australia, and the United Kingdom. These countries constitute a balanced sample that represents the state of legislation in the world regarding identity crime. Moreover, these countries are the only ones currently with identity-crime-specific legislation in place. The United States was the first country in the world with identity-crime-specific statutes (enacted in 1998). Canada recently (2010) enacted perhaps the most sophisticated body of identity crime legislation. In fact, to its credit, Canada’s statute includes all five elements of the Identity Crime Model introduced in Chapter 3. 
Australia perhaps spent more time than any other country in studying identity crime before it began, slowly, to enact legislation in the various provinces. However, there is no sweeping national legislation yet in Australia addressing identity crime, although that would be a positive step for Australia. Unique among nations, Australia has devised a National Identity Security Strategy (referred to by government documents as “The Strategy”) to “combat the misuse of stolen or assumed identities in the provision of government services.” There is no offense in the United Kingdom specifically called “identity theft” or “identity fraud.” Nevertheless, the UK is actively trying to address identity crime, although, like many countries, it is using statutes predominantly enacted before identity crime was an issue. A comparative analysis of the legislation of these four countries was conducted. This comparison enabled us to understand whether identity-crime-specific statutes are superior in prosecuting identity crime. The strengths and weaknesses of all four nations’ statutes were analyzed, comparing them to
the Identity Crime Model introduced in Chapter 3 as a baseline for all identity crime legislation. Moreover, the limitations of countries with no identity-crime-specific statutes (e.g., countries that tackle identity crime by using general fraud, forgery, or theft statutes) were addressed. Chapter 7 presented strategies, other than the international convention recommended in Chapter 9, to curb identity crime. The intention was not to analyze the various crime prevention approaches, but instead, to present crime prevention and impact minimization concepts that are specifically meant for application to identity-related crimes. The basic approach was the Identity Crime Model Approach (IDCMA), a broader framework that can be used to evaluate the various prevention strategies. The discussion included government initiatives, industry and non-profit initiatives, and identity management techniques. It presented the best method for establishing an authenticated identity, and other recommendations to prevent identity crimes. The chapter also offered a table of identity crime prevention and impact minimization techniques evaluated based on the Identity Crime Model, as well as a renewed discussion of the threat agents initially discussed in Chapter 4. Privacy is a far-reaching concept that is difficult to define. It has unique features and operates with unique dynamics because it encompasses ideas from law, philosophy, psychology, and technology. From the perspective of identity crime, privacy can be considered a tool for developing effective prevention strategies. In Chapter 8, the Identity Crime Privacy Model is developed to show the interaction between privacy, anonymity, and identity crime. Traditional approaches attempt to reduce identity crime by providing less and less privacy.
The Model suggests that it is possible to achieve a reduction in identity crime by enhancing privacy and leveraging the benefits of anonymity, while recognizing that absolute privacy and total anonymity can only lead to an environment in which there can be no exchange of information at all. This book recommends that the choice of policies and technologies should always be made on the basis of how they will affect the privacy of individuals and organizations and whether they will protect personally identifiable information while retaining the ability of that data to be useful to society. Chapter 9 presented a draft of an international convention that provides common rules and guidelines to deal with the international problem of identity crime. In much the same way that the international community eventually felt the need to draft an international convention to deal with cybercrime, it is likely that it will eventually deem it necessary to draft a convention to deal with identity crime. Chapter 9 presents a full draft, modeled after the Convention on Cybercrime, of such a convention.
Working toward effective legislation on identity crime and effective prosecution of identity crime are at the heart of this book’s message. The Identity Crime Model was introduced as a vital tool toward achieving both of these ends. The model provides a framework for understanding why identity crime is on the rise even in countries with identity-crime-specific laws. This is true for three basic reasons: First, the extant laws do not completely cover the crime. Second, even if those laws did cover the crime, the laws must be enacted internationally, and be accompanied by a commitment for cross-border cooperation in enforcing the laws. Third, even if a strong transnational system is in place, individuals, companies, and governments must adopt rigorous strategies to prevent the crimes, and those strategies must be based on an approach specific to identity crime. The importance of international cooperation in crafting and enforcing identity crime laws cannot be adequately stressed. This book is intended to guide the international legal community in determining the right laws, and the right enforcement methods, to control the threats posed by identity crime. It is the author’s hope that this need for international coordination of efforts to curb identity crime will be repeated by other authors and government leaders. The suggestions made in this book pertaining to how identity crime should be shaped are hopefully only the beginning of what will become widely recognized worldwide, which in turn will result in the action called for in this book. Recognition for the uniqueness of identity crime must be global in order to successfully prosecute such crime. A universal template for the criminalization of identity-related offenses is needed so that investigations and prosecution of crimes can be coordinated among far-flung enforcement bureaus. 
Statistics on worldwide identity crime will only become meaningful when the parameters of the crime are clearly drawn and recognized by a substantial number of jurisdictions. International enforcement agencies with a common purpose cannot work effectively when the type of evidence needed to provide proof of a crime differs from one place to another, when the crime was committed in all of those places. Many nations’ economies are already teetering on disaster. Unless we carefully guard the foundations of our most vibrant financial systems, which are built on easy access to funds and ample lines of credit, much of the world’s resources will flow to those who cheat the system at the expense of honest governments, businesses, and consumers. The reality and potential of identity crimes is a threat to our ability to maintain a system of free trade and international commerce unimpeded by the manipulations of crooks and thieves. Our systems for welfare, social security, and immigration, among others, which must work properly if the borders of countries are to be respected and the
public good protected, need assurances that the persons taking advantage of government benefits are, in fact, people entitled to do so. The practitioners of criminology have put forth numerous crime prevention models and approaches, but few are well-suited to identity-related crimes. There is no specific framework for developing a methodological approach to preventing, and reducing the impact of, identity-related crimes. Additionally, numerous recommendations for prevention have been made by governments, non-profit and for-profit organizations, NGOs, and law enforcement authorities, but these recommendations have been based on prevention approaches that do not address the unique elements of identity crimes. The approach that is put forth in this book is specifically tailored to identity crimes, as opposed to one adaptable to a wide range of crimes. Thus, it should prove more useful in preventing such crimes than generic solutions. But identity crime is rapidly becoming an international plague. This book makes a clarion call for international cooperation in devising legislation, indeed even an international convention, to deal effectively, sooner rather than later, with the growing threat of identity crime.
Appendix 1
Table of Cases
1. Armas v. State, 947 So. 2d. 675 (Fla. Dist. Ct. App. 2007).
2. Barr v. Baker, 9 Mo. 850, 1846 WL 3690 (1846).
3. Bell v. U.S., 462 U.S. 356 (1983).
4. Brown v. Tasmania, [2008] TASSC 33.
5. Darren Mark Cranshaw v. The Queen, [2009] NSWCCA 80.
6. Flores-Figueroa v. U.S., 129 S. Ct. 1886 (2009).
7. Flores-Figueroa v. U.S., 556 U.S. 646, 655 (2009).
8. Ford v. State, 282 S.W.3d 256 (Tex. Crim. App. 2009).
9. In re Application of Anonymous, 587 N.Y.S.2d 548, (N.Y. City Civ. Ct., 1992).
10. In re Application of Ferner, 685 A.2d 78 (N.J. Superior L., 1996).
11. In re Pimsler, 286 A.D.2d 82, 731 N.Y.S.2d 51 (App. Div. 2001).
12. JOD v. The Queen, [2009] NSWCCA 205 (Austl.).
13. People v. Andra, 156 Cal. App. 4th 638, 67 Cal. Rptr. 3d 439 (3d Dist. 2007).
14. People v. Chive, 189 Misc. 2d 653, 734 N.Y.S.2d 830 (N.Y. Crim. Ct. 2001).
15. People v. Elcock, 396 Ill. App. 3d 524, 919 N.E.2d 984 (Ill. App. Ct. 2009).
16. People v. Essalek, 17 Misc. 3d 835, 847 N.Y.S.2d 421 (Crim. Ct. 2007).
17. People v. Hagedorn, 127 Cal. App. 4th 734, 25 Cal. Rptr. 3d 879 (5th Dist. 2005).
18. People v. Hayes, 71 A.D.3d 1187, 896 N.Y.S.2d 225 (App. Div. 2010).
19. People v. Hooks, 71 A.D.3d 1184, 896 N.Y.S.2d 501 (App. Div. 2010).
20. People v. Jackson, 391 Ill. App. 3d 11, 908 N.E.2d 72 (Ill. App. Ct. 2009).
21. People v. Makwana, 17 Misc. 3d 296, 844 N.Y.S.2d 607 (Crim. Ct. 2007).
22. People v. Mitchell, 164 Cal. App. 4th 442, 78 Cal. Rptr. 3d 855 (3d Dist. 2008).
23. People v. Molina, 120 Cal. App. 4th 507, 15 Cal. Rptr. 3d 493 (2d Dist. 2004).
24. People v. Montoya, 373 Ill. App.3d 78, 868 N.E.2d 389 (Ill. App. Ct. 2007).
25. People v. Shabtay, 138 Cal. App. 4th 1184, 42 Cal. Rptr. 3d 227 (2d Dist. 2006).
26. People v. Tillotson, 157 Cal. App. 4th 517, 69 Cal. Rptr. 3d 42 (4th Dist. 2007).
27. People v. Vandermuelen, 42 A.D.3d 667, 839 N.Y.S.2d 835 (App. Div. 2007).
28. R. v El Mashta (Ahmad Alhaleem), [2010] EWCA Crim 2595 (Aug. 6, 2010).
29. R. v Ovieriakhi (Valerie Ekiuwa), [2009] EWCA Crim 452 (Feb. 26, 2009).
30. R. v Sofroniou (Leon Florenzous), [2003] EWCA Crim 3681 (Dec. 18, 2003).
31. R. v. Boyle, [2005] B.C.J. No. 2501, 2005 BCCA 537 (Can.).
32. R. v. Bradley, [2004] A.J. No. 1278 (Can. Alta. C.A.).
33. R. v. Bradley, [2004] CarswellAlta 1529.
34. R. v. Carneiro (Rosiene Ribeiro), [2007] EWCA (Crim) 2170 (Eng.).
35. R. v. Dast Jerdi (Bakshi Ali), [2011] EWCA (Crim) 365 (Eng.).
© Koninklijke Brill NV, Leiden, 2020 | DOI:10.1163/9789004395978_012
36. R. v. El Mashta (Ahmad Alhaleem), [2010] EWCA (Crim) 2595 (Eng.).
37. R. v. Hamilton, 2005 S.C.C. 47 (Can.).
38. R. v. Harris, [2004] B.C.J. No. 2847, 2004 BCPC 532 (Can. Prov. Ct. Crim. Div.).
39. R. v. Huang (Jian), [2010] EWCA (Crim) 375 (Eng.).
40. R. v. Jubbal, [2004] B.C.J. No. 2207, 2004 BCPC 389 (B.C. Prov. Ct. (Crim. Div.)).
41. R. v. Lavoie, [2000] IIJCan 14437 (Qc. C.Q.).
42. R. v. Mayer, [2006] A.J. No. 324, 2006 ABPC 30 (Alta. Prov. Ct. (Crim. Div.)).
43. R. v. McNeil, [2006] B.C.J. No. 187, 2006 BCPC 32 (Can. C.A.).
44. R. v. Naqvi, [2005] A.J. No. 1593, 2005 ABPC 339 (Alta. Prov. Ct. (Crim. Div.)).
45. R. v. Ovieriakhi (Valerie Ekiuwa), [2009] EWCA (Crim) 452 (Eng.).
46. R. v. Sansregret, [1985] 1 S.C.R. 570 (Can.).
47. R. v. Sofroniou (Leon Florenzous), [2003] EWCA (Crim) 3681 (Eng.).
48. R. v. Stewart, [1988] 1 S.C.R. 963 (Can.).
49. R. v. Taft, [2003] B.C.J. No. 444, 2003 BCCA 104 (B.C. C.A.).
50. R. v. Thiel, [2005] A.J. No. 698, 2005 ABPC 149 (Alta. Prov. Ct. Crim. Div.).
51. R. v. Tirnaveanu (Cornel), [2007] EWCA (Crim) 1239 (Eng.).
52. R. v. Tonks, [2003] B.C.J. No. 3042, 2003 BCPC 475 (B.C. Prov. Ct. (Crim. Div.)).
53. R. v. Toska (Albert), [2010] EWCA 2187 (Eng.).
54. R. v. Walowina, [2006] B.C.J. No. 830 (Can. Prov. Ct. Crim. Div.).
55. Richardson v. State, 309 S.W.3d 20, 2010 WL 3193558 (Tex. Crim. App. 2010).
56. Sibley v. State, 955 So. 2d 1222 (Fla. Dist. Ct. App. 2007).
57. State Analysis, Inc. v. American Financial Services Ass., 621 F. Supp. 2d 309 (E.D. Va. 2009).
58. State v. Fagan, 857 So. 2d 320 (Fla. Dist. Ct. App. 2003).
59. Stevens v The Queen, [2009] NSWCCA 260; 262 ALR 91; 2009 WL 3536630; [2010] ALMD 3006.
60. Townshend v. State, 965 So. 2d 236 (Fla. Dist. Ct. App. 2007).
61. U.S. v. Opara, H.R. Rep. No. 108–528 at 782 (2004).
62. U.S. v. Abdelshafi, 592 F.3d 602 (4th Cir. 2010).
63. U.S. v. Alvelo-Ramos, 957 F. Supp. 18 (D.P.R. 1997).
64. U.S. v. Amry, 2003 WL 124678 (S.D.N.Y. Jan. 16, 2003).
65. U.S. v. Andrade-Rodriguez, 531 F.3d 721 (8th Cir. 2008).
66. U.S. v. Arcadipane, 41 F.3d 1 (1st Cir. 1994).
67. U.S. v. Battles, 156 F.3d 852 (8th Cir. 1998).
68. U.S. v. Benavides-Holgun, H.R. Rep. No. 108–528 at 782 (2004).
69. U.S. v. Berry, 369 Fed. Appx. 500 (4th Cir. 2010).
70. U.S. v. Berry, 583 F. Supp. 2d 749 (E.D. Va. 2008).
71. U.S. v. Blixt, 548 F.3d 882 (9th Cir. 2008).
72. U.S. v. Bonilla, 579 F.3d 1233 (11th Cir. 2009).
73. U.S. v. Booker, 543 U.S. 220 (2005).
74. U.S. v. Brown, 320 Fed. Appx. 58 (2d Cir. 2009).
75. U.S. v. Castorena-Ibarra, 230 Fed. Appx. 846 (10th Cir. 2007).
76. U.S. v. Chavez-Quintana, 330 Fed. Appx. 724 (10th Cir. 2009).
77. U.S. v. Cline, 286 Fed. Appx. 817 (4th Cir. 2008).
78. U.S. v. Cooks, 589 F.3d 173 (5th Cir. 2009).
79. U.S. v. Fergerson, H.R. Rep. No. 108–528 at 782.
80. U.S. v. Gaspar, 344 Fed. Appx. 541 (11th Cir. 2009).
81. U.S. v. Grajeda-Gutierrez, 372 Fed. Appx. 890 (10th Cir. 2010).
82. U.S. v. Green-Jones, H.R. Rep. No. 108–528 at 782 (2004).
83. U.S. v. Gurumoorthy, 368 Fed. Appx. 773 (9th Cir. 2010).
84. U.S. v. Harris, 597 F.3d 242 (5th Cir. 2010).
85. U.S. v. Herrera-Martinez, 525 F.3d 60 (1st Cir. 2008).
86. U.S. v. Jenkins-Watts, 574 F.3d 950 (8th Cir. 2009).
87. U.S. v. Kilbride, 507 F. Supp. 2d 1051 (D. Ariz. 2007).
88. U.S. v. Kilbride, 584 F.2d 1240 (9th Cir. 2009).
89. U.S. v. Lall, 607 F.3d 1277 (11th Cir. 2010).
90. U.S. v. Lee, 502 F.3d 780 (8th Cir. 2007).
91. U.S. v. Luke, 628 F.3d 114, (4th Cir. 2010).
92. U.S. v. Maxfield, H.R. Rep. No. 108–528 at 782 (2004).
93. U.S. v. McCants, 554 F.3d 155 (D.C. Cir. 2009).
94. U.S. v. McNeil, 320 F.3d 1034 (9th Cir. 2003).
95. U.S. v. Mobley, 618 F.3d 539 (6th Cir. 2010).
96. U.S. v. Morris, 2010 WL 1752145 (5th Cir. 2010).
97. U.S. v. Ogbemudia, 364 Fed. Appx. 72 (5th Cir. 2010).
98. U.S. v. Omar, 567 F.3d 362 (8th Cir. 2009).
99. U.S. v. Pearce, 65 F.3d 22 (4th Cir. 1995).
100. U.S. v. Pena, 380 Fed. Appx. 623 (9th Cir. 2010).
101. U.S. v. Perez-Rodriguez, 358 Fed. Appx. 700 (7th Cir. 2009).
102. U.S. v. Persichilli, 608 F.3d 34 (1st Cir. 2010).
103. U.S. v. Pham, 545 F.2d 712 (9th Cir. 2008).
104. U.S. v. Popa, 361 Fed. Appx. 854 (9th Cir. 2010).
105. U.S. v. Quinteros, 769 F.2d 968 (4th Cir. 1985).
106. U.S. v. Scheller, H.R. Rep. No. 108–528 at 781 (2004).
107. U.S. v. Taylor, 2010 WL 1500521 (4th Cir. 2010).
108. U.S. v. Turley, 352 U.S. 407 (1957).
109. U.S. v. Valere, 388 Fed. Appx. 922 (11th Cir. 2010).
110. U.S. v. Vieke, 348 F.3d 811 (9th Cir. 2003).
111. U.S. v. Wadford, 331 Fed. Appx. 198 (4th Cir. 2009).
Appendix 2
Table of Statutes
1. 5 U.S.C. § 552.
2. 5 U.S.C. § 552a.
3. 5 U.S.C. § 552a(b)-(d).
4. 5 U.S.C. § 552a(e)(2), (10).
5. 5 U.S.C. § 552a(e)(3)(A)-(D).
6. 5 U.S.C. § 552a(e)(7), (9).
7. 8 U.S.C. § 1105(b).
8. 8 U.S.C. § 1253.
9. 8 U.S.C. § 1306(d).
10. 8 U.S.C. § 1365.
11. 8 U.S.C. § 1365a(b).
12. 8 U.S.C. § 1379(1).
13. 8 U.S.C. § 1732.
14. 8 U.S.C. §§ 1321–1328.
15. 12 U.S.C. § 3402.
16. 12 U.S.C. § 3403(b), (c).
17. 12 U.S.C. § 3412.
18. 12 U.S.C. §§ 3401–3422.
19. 13 U.S.C. § 9.
20. 13 U.S.C. § 9(a).
21. 15 U.S.C. § 1602(i).
22. 15 U.S.C. § 1681a(d), (p), (u).
23. 15 U.S.C. § 1681c-1(a).
24. 15 U.S.C. § 1681c-1(a)(1)-(2).
25. 15 U.S.C. § 1681c-1(b)(1)(A)-(C).
26. 15 U.S.C. § 1681c-1(c).
27. 15 U.S.C. § 1681c-1(c)(1)-(3).
28. 15 U.S.C. § 1681c-1(d)-(g).
29. 15 U.S.C. § 1681c-1(h)(1)(A)-(B).
30. 15 U.S.C. § 1681c-1(h)(1)(B)(i)-(ii).
31. 15 U.S.C. § 1681c-1(h)(2)(A)(i)-(ii).
32. 15 U.S.C. § 1681c-1(h)(2)(B).
33. 15 U.S.C. § 1681c-2(a), (b), (c)(1)-(3), (d), (f).
34. 15 U.S.C. § 1681m(e)(1)(A)-(C).
35. 15 U.S.C. § 1681m(e)(2).
© Koninklijke Brill NV, Leiden, 2020 | DOI:10.1163/9789004395978_013
36. 15 U.S.C. § 1681w(a)(1).
37. 15 U.S.C. § 1692(a).
38. 15 U.S.C. § 1692c(a).
39. 15 U.S.C. § 1693(a), (b).
40. 15 U.S.C. § 1693d(a)(3), (a)(4).
41. 15 U.S.C. § 1693g.
42. 15 U.S.C. § 1693i(b)(1), (b)(4).
43. 15 U.S.C. § 615(e).
44. 15 U.S.C. § 6801(a)(b).
45. 15 U.S.C. § 6802(b)(2).
46. 15 U.S.C. § 6805(a).
47. 15 U.S.C. §§ 1-8495.
48. 15 U.S.C. §§ 1666-66j.
49. 15 U.S.C. §§ 1691-91f.
50. 15 U.S.C. §§ 1692-92p.
51. 15 U.S.C. §§ 1693-93r.
52. 15 U.S.C. §§ 1693-93r.
53. 15 U.S.C. §§ 6501–6506.
54. 15 U.S.C. §§ 6821, 6823 (Gramm-Leach-Bliley Act).
55. 16 C.F.R. § 641.1(b), (b)(9).
56. 16 C.F.R. pt. 312.
57. 16 C.F.R. pt. 681 app. A supp. A.
58. 16 C.F.R. pt. 681 app. A(II)(a).
59. 16 C.F.R. Pt. 681 app. A(IV).
60. 18 U.S.C. § 1001.
61. 18 U.S.C. § 1001(a)-(c).
62. 18 U.S.C. § 1010.
63. 18 U.S.C. § 1015.
64. 18 U.S.C. § 1015(b)-(f).
65. 18 U.S.C. § 1018A(c)(1).
66. 18 U.S.C. § 1028.
67. 18 U.S.C. § 1028(a)(1)-(8).
68. 18 U.S.C. § 1028(b)(1)(A)(i), (ii).
69. 18 U.S.C. § 1028(b)(1)(B), (C), (D).
70. 18 U.S.C. § 1028(b)(2)(a), (b).
71. 18 U.S.C. § 1028(b)(3)-(6).
72. 18 U.S.C. § 1028(c).
73. 18 U.S.C. § 1028(c)(1), (2).
74. 18 U.S.C. § 1028(c)(3)(A), (B).
75. 18 U.S.C. § 1028(d)(1).
76. 18 U.S.C. § 1028(d)(2)-(6), (10).
77. 18 U.S.C. § 1028(d)(7)(A)-(D).
78. 18 U.S.C. § 1028(d)(8), (9).
79. 18 U.S.C. § 1028(f), (h), (i).
80. 18 U.S.C. § 1028A.
81. 18 U.S.C. § 1028A.
82. 18 U.S.C. § 1028A.
83. 18 U.S.C. § 1028A(a)(1), (2).
84. 18 U.S.C. § 1028A(b)(1), (2), (4).
85. 18 U.S.C. § 1028A(c)(1)-(11).
86. 18 U.S.C. § 1028A(c)(1), (4).
87. 18 U.S.C. § 1029.
88. 18 U.S.C. § 1029(a)(1)(2).
89. 18 U.S.C. § 1029(c)(1)(A)(i)(ii).
90. 18 U.S.C. § 1029(c)(1)(B), (C).
91. 18 U.S.C. § 1029(e)(1)-(6).
92. 18 U.S.C. § 1030.
93. 18 U.S.C. § 1030(a)(2)(A)-(C).
94. 18 U.S.C. § 1030(a)(3)-(7).
95. 18 U.S.C. § 1030(e)(2)(A), (B).
96. 18 U.S.C. § 1035.
97. 18 U.S.C. § 1037.
98. 18 U.S.C. § 1037(a)(2)-(5), (b), (c), (d)(2).
99. 18 U.S.C. § 1039.
100. 18 U.S.C. § 1039(a)-(e).
101. 18 U.S.C. § 1040.
102. 18 U.S.C. § 1049.
103. 18 U.S.C. § 1111.
104. 18 U.S.C. § 1324a(b).
105. 18 U.S.C. § 1341.
106. 18 U.S.C. § 1342.
107. 18 U.S.C. § 1343.
108. 18 U.S.C. § 1347(a) (b).
109. 18 U.S.C. § 1546.
110. 18 U.S.C. § 1546(a), (b).
111. 18 U.S.C. § 2332b(g)(5)(A).
112. 18 U.S.C. § 2702.
113. 18 U.S.C. § 2703.
114. 18 U.S.C. § 2710.
115. 18 U.S.C. § 2721.
116. 18 U.S.C. § 2721(b).
117. 18 U.S.C. § 2721(b)(13).
118. 18 U.S.C. § 2721(c).
119. 18 U.S.C. § 2721(d).
120. 18 U.S.C. § 2721(e).
121. 18 U.S.C. § 3663(a)(1)(A).
122. 18 U.S.C. § 3663(a)(1)(B).
123. 18 U.S.C. § 3663(b)(6).
124. 18 U.S.C. § 402.2(1).
125. 18 U.S.C. § 510.
126. 18 U.S.C. § 511A.
127. 18 U.S.C. § 512.
128. 18 U.S.C. § 514.
129. 18 U.S.C. § 641.
130. 18 U.S.C. § 656.
131. 18 U.S.C. § 664.
132. 18 U.S.C. § 911.
133. 18 U.S.C. § 922(a)(6).
134. 18 U.S.C. § 981(a)(1)(C).
135. 18 U.S.C. § 982(a)(2).
136. 18 U.S.C. § 982(a)(6), (8).
137. 18 U.S.C. §§ 1001–40.
138. 18 U.S.C. §§ 1002–07.
139. 18 U.S.C. §§ 1028(a)(2), (a)(5), (a)(7), (a)(8).
140. 18 U.S.C. §§ 1341–44.
141. 18 U.S.C. §§ 1346–47.
142. 18 U.S.C. §§ 2510–2522, 2701–2712.
143. 18 U.S.C. §§ 2701-01.
144. 18 U.S.C. §§ 470–514.
145. 18 U.S.C. §§ 493–507.
146. 18 U.S.C. §§ 508–09.
147. 18 U.S.C. §§ 641–669.
148. 18 U.S.C. § 1028A.
149. 18 U.S.C. § 1029(a)(2)-(6), (10).
150. 18 U.S.C. § 1029(b)(1).
151. 18 U.S.C. § 641.
152. 18 U.S.C. at ch. 47.
153. 18 U.S.C. at ch. 63.
154. 18 U.S.C. at ch. 69.
155. 18 U.S.C. at ch. 75.
156. 18 U.S.C. ch. 42.
157. 18 U.S.C. ch. 47.
158. 18 U.S.C. § 1001(a).
159. 18 U.S.C. § 1028(a)(4)-(6).
160. 20 Ill. Comp. Stats. § 2505/2505–680.
161. 20 U.S.C. § 1232g.
162. 225 Ill. Comp. Stats. § 425/9.4(a).
163. 225 Ill. Comp. Stats. § 425/9.4(a)(1).
164. 225 Ill. Comp. Stats. § 425/9.4(a)(2).
165. 225 Ill. Comp. Stats. § 425/9.4(a)(2).
166. 225 Ill. Comp. Stats. § 425/9.4(d).
167. 225 Ill. Comp. Stats. § 425/9.4(e).
168. 225 Ill. Comp. Stats. § 425/9.4(f).
169. 26 U.S.C. §§ 6103, 6108, 7609.
170. 28 U.S.C. § 1028(d)(1)-(2).
171. 31 U.S.C. § 5318(l).
172. 40 U.S.C. § 11331(b)(1)(A).
173. 42 U.S.C. § 408(a), (b).
174. 42 U.S.C. § 408(a)(7)(C).
175. 42 U.S.C. § 1320d(4).
176. 42 U.S.C. § 1383a(2).
177. 42 U.S.C. § 1383a(a)(3)(A).
178. 42 U.S.C. § 242m(d).
179. 42 U.S.C. § 3789g.
180. 42 U.S.C. § 408.
181. 42 U.S.C. § 408(a)(7)(B).
182. 42 U.S.C. §§ 1011, 1307(b), 1320a-7b(a), 1383a.
183. 44 U.S.C. § 3532.
184. 44 U.S.C. § 3534.
185. 44 U.S.C. §§ 3503, 3544.
186. 45 C.F.R. § 164.506.
187. 45 C.F.R. § 164.508.
188. 45 C.F.R. § 164.520.
189. 45 C.F.R. §§ 164.104, 164.105.
190. 45 C.F.R. §§ 164.524, 164.526.
191. 47 U.S.C. § 222.
192. 47 U.S.C. § 227.
193. 47 U.S.C. § 227(e).
194. 47 U.S.C. § 551.
195. 47 U.S.C. § 605.
196. 5 Ill. Comp. Stats. § 155.42.
197. 505 Ill. Comp. Stats. § 505/2VV.
198. 720 Ill. Comp. Stats. § 5/16G-10(a), (b), (d).
199. 720 Ill. Comp. Stats. § 5/16G-13(a)-(c).
200. 720 Ill. Comp. Stats. § 5/16G-15(a).
201. 720 Ill. Comp. Stats. § 5/16G-15(a)(3)-(7).
202. 720 Ill. Comp. Stats. § 5/16G-15(d)(1)-(4).
203. 720 Ill. Comp. Stats. § 5/16G-15(d)(1)(A).
204. 720 Ill. Comp. Stats. § 5/16G-20(a), (e).
205. 720 Ill. Comp. Stats. § 5/16G-21.
206. 720 Ill. Comp. Stats. § 5/16G-30.
207. 720 Ill. Comp. Stats. § 5/16G-30(a)-(c).
208. 720 Ill. Comp. Stats. § 5/16G-5(a), (b).
209. 720 Ill. Comp. Stats. § 5/16G(d)(5).
210. 720 Ill. Comp. Stats. § 5/16J-15.
211. 720 Ill. Comp. Stats. § 5/17-3.
212. 720 Ill. Comp. Stats. art. 16G.
213. Australian Foreign Passports (Law Enforcement and Security) Act 2005 (Cth) s 05 (Austl.).
214. Australian Foreign Passports (Law Enforcement and Security) Act 2005 (Cth) ss 18–20 (Austl.).
215. Australian Foreign Passports (Law Enforcement and Security) Act 2005 (Cth) s 21(1)-(5) (Austl.).
216. Australian Foreign Passports (Law Enforcement and Security) Act 2005 (Cth) s 22(1)-(3) (Austl.).
217. Australian Passports Act 2005, (Cth) s 29(1) (Austl.).
218. Australian Passports Act 2005, (Cth) s 30(1)-(2) (Austl.).
219. Australian Passports Act 2005, (Cth) s 30(2) (Austl.).
220. Australian Passports Act 2005, (Cth) s 31(1)-(3) (Austl.).
221. Australian Passports Act 2005, (Cth) s 32(1)-(5) (Austl.).
222. Australian Passports Act 2005, (Cth) s 33 (Austl.).
223. Australian Passports Act 2005, (Cth) s 34(1) (Austl.).
224. Australian Passports Act 2005, (Cth) s 35(1), (3) (Austl.).
225. Australian Passports Act 2005, (Cth) s 36(1) (Austl.).
226. Australian Passports Act 2005, (Cth) s 37(1) (Austl.).
227. Cal. Penal Code § 470(a), (b), (d).
228. Cal. Penal Code § 470a.
229. Cal. Penal Code § 484.
230. Cal. Penal Code § 484d(2), (6).
231. Cal. Penal Code § 484d(d).
232. Cal. Penal Code § 484e(a)-(c).
233. Cal. Penal Code § 484f(a)-(b).
234. Cal. Penal Code § 484g.
235. Cal. Penal Code § 484h(a).
236. Cal. Penal Code § 484i(a)-(c).
237. Cal. Penal Code § 484j.
238. Cal. Penal Code § 487.
239. Cal. Penal Code § 529.
240. Cal. Penal Code § 529.5(a)-(c).
241. Cal. Penal Code § 529.7.
242. Cal. Penal Code § 529a.
243. Cal. Penal Code § 530.
244. Cal. Penal Code § 530.5.
245. Cal. Penal Code § 530.5(a), (b).
246. Cal. Penal Code § 530.5(c)(1)-(c)(3).
247. Cal. Penal Code § 530.5(d)(1), (d)(2).
248. Cal. Penal Code § 530.55(a), (b).
249. Cal. Penal Code § 530.6(a)-(d).
250. Cal. Penal Code § 530.7(a)-(d).
251. Cal. Penal Code § 530.8.
252. Cal. Penal Code § 530.8(a).
253. Cal. Penal Code § 530.8(d)(1)-(2).
254. Computer Misuse Act, 1990, c. 18, § 1(1)-(3) (Eng.).
255. Computer Misuse Act, 1990, c. 18, § 2(1)-(6) (Eng.).
256. Computer Misuse Act, 1990, c. 18, § 3(1)-(5) (Eng.).
257. Computer Misuse Act, 1990, c. 18, § 3A(1)-(5) (Eng.).
258. Crimes Act 1900 (NSW) § 184A (Austl.).
259. Crimes Act 1958 (Vic) § 81 (Austl.).
260. Criminal Code Act, 1995, § 131.1 (Austl.).
261. Criminal Code Act, 1995, § 131.1(1)(a)-(b) (Austl.).
262. Criminal Code Act, 1995, § 131.3 (Austl.).
263. Criminal Code Act, 1995, § 132.1(1), (3)-(8) (Austl.).
264. Criminal Code Act, 1995, § 133.1 (Austl.).
265. Criminal Code Act, 1995, § 134.1(3), (5)-(13) (Austl.).
266. Criminal Code Act, 1995, § 134.2 (Austl.).
267. Criminal Code Act, 1995, § 135.1(1), (3), (5), (7) (Austl.).
268. Criminal Code Act, 1995, § 135.2(1)-(2) (Austl.).
269. Criminal Code Act, 1995, § 135.4(1), (3), (5), (7), (9)-(12) (Austl.).
270. Criminal Code Act, 1995, § 136.1 (Austl.).
271. Criminal Code Act, 1995, § 136.1(1)(a), (1)(b), (1)(c), (2), (3)-(6) (Austl.).
272. Criminal Code Act, 1995, § 137.1 (Austl.).
273. Criminal Code Act, 1995, § 137.1(1) (Austl.).
274. Criminal Code Act, 1995, § 137.2 (Austl.).
275. Criminal Code Act, 1995, § 143.1(1)-(2) (Austl.).
276. Criminal Code Act, 1995, § 143.2(1)-(2) (Austl.).
277. Criminal Code Act, 1995, § 143.3 (Austl.).
278. Criminal Code Act, 1995, § 144.1(1), (3), (7) (Austl.).
279. Criminal Code Act, 1995, § 145.1(1), (3), (5), (7) (Austl.).
280. Criminal Code Act, 1995, § 145.2(1), (3), (5), (7) (Austl.).
281. Criminal Code Act, 1995, § 145.3(1)-(4) (Austl.).
282. Criminal Code Act, 1995, § 145.4 (Austl.).
283. Criminal Code Act, 1995, § 145.4(1)-(2) (Austl.).
284. Criminal Code Act, 1995, § 145.5 (Austl.).
285. Criminal Code Act, 1995, § 145.5(1)-(2) (Austl.).
286. Criminal Code Act, 1995, § 471.1(1)-(3) (Austl.).
287. Criminal Code Act, 1995, § 471.2(1), (2), (5) (Austl.).
288. Criminal Code Act, 1995, § 471.3 (Austl.).
289. Criminal Code Act, 1995, § 473.1 (Austl.).
290. Criminal Code Act, 1995, § 474.4(1)-(3) (Austl.).
291. Criminal Code Act, 1995, § 474.5(1)-(2) (Austl.).
292. Criminal Code Act, 1995, § 477.1(1) (Austl.).
293. Criminal Code Act, 1995, § 477.1(3), (4), (6), (7), (9) (Austl.).
294. Criminal Code Act, 1995, § 477.2(1), (3) (Austl.).
295. Criminal Code Act, 1995, § 477.3(1) (Austl.).
296. Criminal Code Act, 1995, § 478.1(1) (Austl.).
297. Criminal Code Act, 1995, § 478.2(1) (Austl.).
298. Criminal Code Act, 1995, § 478.3(1) (Austl.).
299. Criminal Code Act, 1995, § 478.3(4) (Austl.).
300. Criminal Code Act, 1995, § 478.4(1), (2) (Austl.).
301. Criminal Code Act, 1995, § 480.4 (Austl.).
302. Criminal Code Act, 1995, § 480.5 (Austl.).
303. Criminal Code Act, 1995, § 480.5(1)-(2) (Austl.).
304. Criminal Code Act, 1995, § 480.6 (Austl.).
305. Criminal Code Act, 1995, § 73.10 (Austl.).
306. Criminal Code Act, 1995, § 73.11 (Austl.).
307. Criminal Code Act, 1995, § 73.7(1)(a), (b), (d), (e) (Austl.).
308. Criminal Code Act, 1995, § 73.7(2) (Austl.).
309. Criminal Code Act, 1995, § 73.8 (Austl.).
310. Criminal Code Act, 1995, § 73.9 (Austl.).
311. Criminal Code Act, 1995, § 73.9 (Austl.).
312. Criminal Code Act, 1995, § 73.9(1)-(3) (Austl.).
313. Criminal Code Act, 1995, ch. 10 Dictionary (Austl.).
314. Criminal Code, R.S.C. 1985, c. C-46 § 380.1 (Can.).
315. Criminal Code, R.S.C. 1985, c. C-46 § 342(1)(a), (b) (Can.).
316. Criminal Code, R.S.C. 1985, c. C-46 § 356(1)(a.1) (Can.).
317. Criminal Code, R.S.C. 1985, c. C-46 § 356(1)(a)-(c) (Can.).
318. Criminal Code, R.S.C. 1985, c. C-46 § 402.2(1) (Can.).
319. Criminal Code, R.S.C. 1985, c. C-46 § 130 (Can.).
320. Criminal Code, R.S.C. 1985, c. C-46 § 131 (Can.).
321. Criminal Code, R.S.C. 1985, c. C-46 § 321 (Can.).
322. Criminal Code, R.S.C. 1985, c. C-46 § 322(1)-(4) (Can.).
323. Criminal Code, R.S.C. 1985, c. C-46 § 342 (Can.).
324. Criminal Code, R.S.C. 1985, c. C-46 § 342.01 (Can.).
325. Criminal Code, R.S.C. 1985, c. C-46 § 342.01(1)-(2) (Can.).
326. Criminal Code, R.S.C. 1985, c. C-46 § 342.1(1) (Can.).
327. Criminal Code, R.S.C. 1985, c. C-46 § 342.1(1)(d) (Can.).
328. Criminal Code, R.S.C. 1985, c. C-46 § 342.1(2) (Can.).
329. Criminal Code, R.S.C. 1985, c. C-46 § 342.2(1)-(2) (Can.).
330. Criminal Code, R.S.C. 1985, c. C-46 § 342(1), (c) (Can.).
331. Criminal Code, R.S.C. 1985, c. C-46 § 342(1)(e), (f) (Can.).
332. Criminal Code, R.S.C. 1985, c. C-46 § 342(3)-(4) (Can.).
333. Criminal Code, R.S.C. 1985, c. C-46 § 354(1), (2), (4) (Can.).
334. Criminal Code, R.S.C. 1985, c. C-46 § 355(1), (b) (Can.).
335. Criminal Code, R.S.C. 1985, c. C-46 § 361(1) (Can.).
336. Criminal Code, R.S.C. 1985, c. C-46 § 362 (Can.).
337. Criminal Code, R.S.C. 1985, c. C-46 § 362(1)(a)-(d) (Can.).
338. Criminal Code, R.S.C. 1985, c. C-46 § 362(4)-(5) (Can.).
339. Criminal Code, R.S.C. 1985, c. C-46 § 363 (Can.).
340. Criminal Code, R.S.C. 1985, c. C-46 § 364(1)-(2) (Can.).
341. Criminal Code, R.S.C. 1985, c. C-46 § 365 (Can.).
342. Criminal Code, R.S.C. 1985, c. C-46 § 366 (Can.).
343. Criminal Code, R.S.C. 1985, c. C-46 § 366(1)-(5) (Can.).
344. Criminal Code, R.S.C. 1985, c. C-46 § 367 (Can.).
345. Criminal Code, R.S.C. 1985, c. C-46 § 368 (Can.).
346. Criminal Code, R.S.C. 1985, c. C-46 § 368.1 (Can.).
347. Criminal Code, R.S.C. 1985, c. C-46 § 368.2 (Can.).
348. Criminal Code, R.S.C. 1985, c. C-46 § 368.2 (Can.).
349. Criminal Code, R.S.C. 1985, c. C-46 § 368(1.1) (Can.).
350. Criminal Code, R.S.C. 1985, c. C-46 § 368(1)(a)-(d) (Can.).
351. Criminal Code, R.S.C. 1985, c. C-46 § 368(2) (Can.).
352. Criminal Code, R.S.C. 1985, c. C-46 § 371 (Can.).
353. Criminal Code, R.S.C. 1985, c. C-46 § 372(1) (Can.).
354. Criminal Code, R.S.C. 1985, c. C-46 § 374 (Can.).
355. Criminal Code, R.S.C. 1985, c. C-46 § 375 (Can.).
356. Criminal Code, R.S.C. 1985, c. C-46 § 380 (Can.).
357. Criminal Code, R.S.C. 1985, c. C-46 § 380.1(1)-(2) (Can.).
358. Criminal Code, R.S.C. 1985, c. C-46 § 380(1) (Can.).
359. Criminal Code, R.S.C. 1985, c. C-46 § 380(1)(b), (2)-(4) (Can.).
360. Criminal Code, R.S.C. 1985, c. C-46 § 381 (Can.).
361. Criminal Code, R.S.C. 1985, c. C-46 § 382 (Can.).
362. Criminal Code, R.S.C. 1985, c. C-46 § 387 (Can.).
363. Criminal Code, R.S.C. 1985, c. C-46 § 402.1 (Can.).
364. Criminal Code, R.S.C. 1985, c. C-46 § 402.2 (Can.).
365. Criminal Code, R.S.C. 1985, c. C-46 § 402.2(1)-(3), (5) (Can.).
366. Criminal Code, R.S.C. 1985, c. C-46 § 402.3 (Can.).
367. Criminal Code, R.S.C. 1985, c. C-46 § 403 (Can.).
368. Criminal Code, R.S.C. 1985, c. C-46 § 403(1)-(2) (Can.).
369. Criminal Code, R.S.C. 1985, c. C-46 § 404 (Can.).
370. Criminal Code, R.S.C. 1985, c. C-46 § 405 (Can.).
371. Criminal Code, R.S.C. 1985, c. C-46 § 430(1) (Can.).
372. Criminal Code, R.S.C. 1985, c. C-46 § 463 (Can.).
373. Criminal Code, R.S.C. 1985, c. C-46 § 464 (Can.).
374. Criminal Code, R.S.C. 1985, c. C-46 § 56.1 (Can.).
375. Criminal Code, R.S.C. 1985, c. C-46 § 56.1 (Can.).
376. Criminal Code, R.S.C. 1985, c. C-46 § 56.1(1)-(4) (Can.).
377. Criminal Code, R.S.C. 1985, c. C-46 § 57 (Can.).
378. Criminal Code, R.S.C. 1985, c. C-46 § 57(2), (3), (5) (Can.).
379. Criminal Code, R.S.C. 1985, c. C-46 § 58 (Can.).
380. Criminal Code, R.S.C. 1985, c. C-46 § 738(1)(d) (Can.).
381. Criminal Code, R.S.C. 1985, c. C-46 §§ 25.1–25.3 (Can.).
382. Criminal Code, R.S.C. 1985, c. C-46 §§ 380–387 (Can.).
383. Criminal Code, R.S.C. 1985, c. C-46 §§ 56.1–58 (Can.).
384. Criminal Code, R.S.C. 1985, c. C-46 § 57(1) (Can.).
385. Criminal Law Consolidation (Identity Theft) Amendment Act 2003 (SA) (Austl.) (amending South Australia’s criminal statutes).
386. Data Protection Act, 1998, c. 29, § 1 (Eng.).
387. Data Protection Act, 1998, c. 29, § 13(1)-(3) (Eng.).
388. Data Protection Act, 1998, c. 29, § 2 (Eng.).
389. Data Protection Act, 1998, c. 29, § 55(1) (Eng.).
390. Data Protection Act, 1998, c. 29, § 55(2)(a)-(d) (Eng.).
391. Data Protection Act, 1998, c. 29, § 55(3)-(7) (Eng.).
392. Data Protection Act, 1998, c. 29, § 7(1)(a)-(d) (Eng.).
393. Data Protection Act, 1998, c. 29, § 7(2)-(9) (Eng.).
394. Data Protection Act, 1998, c. 29, sch. 1, pt. II, § 1(1)-(2) (Eng.).
395. Data Protection Act, 1998, c. 29, sch. 1, pt. II, § 2(1)(a), (1)(b), (2)(a), (2)(b) (Eng.).
396. Data Protection Act, 1998, c. 29, sch. 1, pt. II, § 3 (Eng.).
397. Data Protection Act, 1998, c. 29, sch. 1, pt. II, § 4(2) (Eng.).
398. Data Protection Act, 1998, c. 29, sch. 1, pt. II, § 5 (Eng.).
399. Data Protection Act, 1998, c. 29, sch. 1, pt. II, § 6 (Eng.).
400. Data Protection Act, 1998, c. 29, sch. 1, pt. II, § 7 (Eng.).
401. Data Protection Act, 1998, c. 29, sch. 1, pt. II, § 8(a)-(d) (Eng.).
402. Data Protection Act, 1998, c. 29, sch. 1, pt. II, § 9 (Eng.).
403. Data Protection Act, 1998, c. 29, sch. 1, pt. II, §§ 10–15 (Eng.).
404. Data Protection Act, 1998, c. 29, sch. 2, §§ 1–6 (Eng.).
405. Data Protection Act, 1998, c. 29, sch. 3, § 55(1), (3)-(5) (Eng.).
406. Data Protection Act, 1998, c. 29, sch. 3, §§ 1–10 (Eng.).
407. Fla. Stats. § 775.082(3)(d).
408. Fla. Stats. § 775.083(1)(c), (f).
409. Fla. Stats. § 775.084.
410. Fla. Stats. § 817.034(4).
411. Fla. Stats. § 817.468 (2011).
412. Fla. Stats. § 817.568(1)(c), (1)(f), (1)(g) (2)(a)-(b), 3(c), (4)-(7), (8)(a)-(c), (9)-(11), (13)(a)-(b), (19).
413. Fla. Stats. § 817.59.
414. Fla. Stats. § 817.60.
415. Fla. Stats. § 817.60(1)-(3), (5), (6)(a)-(b), (7).
416. Fla. Stats. § 874.12(a)-(b).
417. Fla. Stats. ch. 817.
418. Fla. Stats. ch. 874.
419. Forgery and Counterfeiting Act, 1981, c. 45, § 1 (Eng.).
420. Forgery and Counterfeiting Act, 1981, c. 45, § 2 (Eng.).
421. Forgery and Counterfeiting Act, 1981, c. 45, § 3 (Eng.).
422. Forgery and Counterfeiting Act, 1981, c. 45, § 4 (Eng.).
423. Forgery and Counterfeiting Act, 1981, c. 45, § 5(1)-(5) (Eng.).
424. Forgery and Counterfeiting Act, 1981, c. 45, § 6(1)-(2), (4) (Eng.).
425. Forgery and Counterfeiting Act, 1981, c. 45, § 7(1)-(2) (Eng.).
426. Forgery and Counterfeiting Act, 1981, c. 45, § 8(1), (8)(2) (Eng.).
427. Forgery and Counterfeiting Act, 1981, c. 45, § 9(1)(a)-(h), (2) (Eng.).
428. Fraud Act, 2006, c. 35, § 1(1)-(4) (Eng.).
429. Fraud Act, 2006, c. 35, § 2(1)-(5) (Eng.).
430. Fraud Act, 2006, c. 35, § 3 (Eng.).
431. Fraud Act, 2006, c. 35, § 4(1)-(2) (Eng.).
432. Fraud Act, 2006, c. 35, § 5 (Eng.).
433. Fraud Act, 2006, c. 35, § 6 (Eng.).
434. Fraud Act, 2006, c. 35, § 7 (Eng.).
435. Fraud Act, 2006, c. 35, § 8 (Eng.).
436. Identity Cards Act 2006, c. 15, § 1(3), (1)(5)-(6) (Eng.).
437. Identity Cards Act 2006, c. 15, § 25 (Eng.).
438. Identity Cards Act 2006, c. 15, § 25(1)-(3), (5)-(7) (Eng.).
439. Identity Cards Act 2006, c. 15, § 26(1), (4), (5) (Eng.).
440. Identity Cards Act 2006, c. 15, § 27(1)-(5) (Eng.).
441. Identity Cards Act 2006, c. 15, § 28(1), (2), (3)(a)-(c) (Eng.).
442. Identity Cards Act 2006, c. 15, § 29(1)-(3), (5)-(7)(a)-(c) (Eng.).
443. Identity Cards Act 2006, c. 15, §§ 31–34 (Eng.).
444. N.Y. Gen. Bus. Law § 380-s.
445. N.Y. Gen. Bus. Law § 604-a(1), (2)(a).
446. N.Y. Gen. Bus. Law § 604-a(2)(b).
447. N.Y. Gen. Bus. Law § 604-a(5)-(7).
448. N.Y. Gen. Bus. Law § 604-b.
449. N.Y. Gen. Bus. Law § 604(3).
450. N.Y. Gen. Bus. Law art. 29-HH.
451. N.Y. Penal Law § 60.27(4)(b).
452. N.Y. Penal Law § 15.05(2).
453. N.Y. Penal Law § 155.05.
454. N.Y. Penal Law § 156.30.
455. N.Y. Penal Law § 156.35.
456. N.Y. Penal Law § 165.17.
457. N.Y. Penal Law § 170.05.
458. N.Y. Penal Law § 170.20.
459. N.Y. Penal Law § 190.25(1)-(4).
460. N.Y. Penal Law § 190.26.
461. N.Y. Penal Law § 190.77(1).
462. N.Y. Penal Law § 190.78.
463. N.Y. Penal Law § 190.78.
464. N.Y. Penal Law § 190.79.
465. N.Y. Penal Law § 190.80-a.
466. N.Y. Penal Law § 190.80.
467. N.Y. Penal Law § 190.81.
468. N.Y. Penal Law § 190.82.
469. N.Y. Penal Law § 190.83(1)-(3).
470. N.Y. Penal Law § 190.85(1)-(2).
471. N.Y. Penal Law § 190.86.
472. N.Y. Penal Law § 190.95.
473. N.Y. Penal Law § 60.27(1)-(2).
474. N.Y. Penal Law § 60.27(5)(a)-(b).
475. N.Y. Penal Law tit. K.
476. New South Wales Crimes Amendment (Fraud, Identity and Forgery Offences) Act 2009 (NSW) (Austl.).
477. New South Wales’ Crimes Act 1900, pt 4AA (Austl.).
478. New South Wales’ Crimes Act 1900, s 192B(1)-(2) (Austl.).
479. New South Wales’ Crimes Act 1900, s 192C(1)-(5) (Austl.).
480. New South Wales’ Crimes Act 1900, s 192D(1), (2) (Austl.).
481. New South Wales’ Crimes Act 1900, s 192E(1)-(4) (Austl.).
482. New South Wales’ Crimes Act 1900, s 192G (Austl.).
483. New South Wales’ Crimes Act 1900, ss 116-154D (Austl.).
484. PIPEDA, S.C. 2000, c. 5 § 2 (Can.).
485. PIPEDA, S.C. 2000, c. 5 § 4(1)-(2) (Can.).
486. PIPEDA, S.C. 2000, c. 5 § 7(1)-(3) (Can.).
487. PIPEDA, S.C. 2000, c. 5 at sched. 1 §§ 4.1-4.10 (Can.).
488. Privacy Act 1988 (Cth) s 18G (Austl.).
489. Privacy Act 1988 (Cth) s 18H (Austl.).
490. Privacy Act 1988 (Cth) s 18J (Austl.).
491. Privacy Act 1988 (Cth) s 18K(1)(a), (1)(ab), (1)(ac), (1)(b)-(k), (1)(m)-(n) (Austl.).
492. Privacy Act 1988 (Cth) s 18K(1A) (Austl.).
493. Privacy Act 1988 (Cth) s 18K(2), (4), (5), (6) (Austl.).
494. Privacy Act 1988 (Cth) s 18Q(1) (Austl.).
495. Privacy Act 1988 (Cth) s 18S (Austl.).
496. Privacy Act 1988 (Cth) s 18T (Austl.).
497. Privacy Act, R.S.C., 1985 c. P-21 § 10(1)-(2) (Can.).
498. Privacy Act, R.S.C., 1985 c. P-21 § 12(1)-(2) (Can.).
499. Privacy Act, R.S.C., 1985 c. P-21 § 3 (Can.).
500. Privacy Act, R.S.C., 1985 c. P-21 § 7 (Can.).
501. Privacy Act, R.S.C., 1985 c. P-21 § 8(1)-(2) (Can.).
502. Pub. L. No. 103–322, 108 Stat. 1796 (1994).
503. Pub. L. No. 103–414 § 101, 108 Stat. 4279 (1994) (codified as amended at 47 U.S.C. §§ 1001–1010).
504. Pub. L. No. 104-104, § 702, 110 Stat. 56 (1996).
505. Pub. L. No. 104–191 §§ 262, 264, 110 Stat. 1936 (1996) (codified primarily at 42 U.S.C. §§ 1320d-1320d-9).
506. Pub. L. No. 106-102, 113 Stat. 1338 (codified as amended in 15 U.S.C. §§ 6801 to 6827).
507. Pub. L. No. 107–173, 116 Stat. 543 (2002).
508. Pub. L. No. 107–56, 151 Stat. 272 (2001) (codified as amended in scattered sections of the U.S.C.).
509. Queensland Criminal Code, 1899, s 408D(1), (1A), (2)-(7) (Austl.).
510. South Australia Criminal Law Consolidation Act 1935 (SA) s 144A (Austl.).
511. South Australia Criminal Law Consolidation Act 1935 (SA) s 144B(1)-(3) (Austl.).
512. South Australia Criminal Law Consolidation Act 1935 (SA) s 144C(1)-(2) (Austl.).
513. South Australia Criminal Law Consolidation Act 1935 (SA) s 144D(1)-(3) (Austl.).
514. South Australia Criminal Law Consolidation Act 1935 (SA) s 144E (Austl.).
515. South Australia Criminal Law Consolidation Act 1935 (SA) s 144F(a), (b) (Austl.).
516. Tasmanian Criminal Code Act 1924 s 257B (Austl.).
517. Tasmanian Criminal Code Act 1924 s 257C (Austl.).
518. Tasmanian Criminal Code Act 1924 s 257D (Austl.).
519. Tasmanian Criminal Code Act 1924 s 257E (Austl.).
520. Tasmanian Criminal Code Act 1924 s 257F (Austl.).
521. Tex. Bus. & Com. Code Ann. § 20.01(7).
522. Tex. Bus. & Com. Code Ann. § 521.002(a)(1)-(2).
523. Tex. Bus. & Com. Code Ann. § 521.051(a).
524. Tex. Bus. & Com. Code Ann. § 521.052(a), (d).
525. Tex. Bus. & Com. Code Ann. § 521.053(b)-(d).
526. Tex. Bus. & Com. Code Ann. § 521.101.
527. Tex. Bus. & Com. Code Ann. § 521.102.
528. Tex. Bus. & Com. Code Ann. § 521.103.
529. Tex. Bus. & Com. Code Ann. § 521.104.
530. Tex. Bus. & Com. Code Ann. § 521.105.
531. Tex. Bus. & Com. Code Ann. § 521.151(a), (b), (f).
532. Tex. Bus. & Com. Code Ann. § 521.152.
533. Tex. Bus. & Com. Code Ann. § 522.002(a).
534. Tex. Bus. & Com. Code Ann. § 523.001(a), (b).
535. Tex. Bus. & Com. Code Ann. § 523.002(a), (b).
536. Tex. Bus. & Com. Code Ann. § 523.051(b), (c).
537. Tex. Bus. & Com. Code Ann. § 523.052.
538. Tex. Bus. & Com. Code Ann. subtitle 11B.
539. Tex. Bus. & Com. Code Ann. § 20.01(4).
540. Tex. Bus. & Com. Code Ann. § 521.151(e).
541. Tex. Penal Code Ann. § 32.21(a), (a)(1)(A)(i).
542. Tex. Penal Code Ann. § 32.21(b).
543. Tex. Penal Code Ann. § 32.31(b).
544. Tex. Penal Code Ann. § 32.51(a)(1)-(2).
545. Tex. Penal Code Ann. § 32.51(b)-(h), (b-1), (b-2), (c-1).
546. Tex. Penal Code Ann. ch. 32.
547. Tex. Penal Code Ann. subchapter 32D.
548. Tex. Penal Code Ann. subchapters 32B, 32C.
549. Theft Act, 1968, c. 60, § 1(1), (2), (3) (Eng.).
550. Theft Act, 1968, c. 60, § 13 (Eng.).
551. Theft Act, 1968, c. 60, § 2 (Eng.).
552. Theft Act, 1968, c. 60, § 22 (Eng.).
553. Theft Act, 1968, c. 60, § 22 (Eng.).
554. Theft Act, 1968, c. 60, § 24(2)-(3) (Eng.).
555. Theft Act, 1968, c. 60, § 3 (Eng.).
556. Theft Act, 1968, c. 60, § 4 (Eng.).
557. Theft Act, 1968, c. 60, § 5 (Eng.).
558. Theft Act, 1968, c. 60, § 6 (Eng.).
559. Theft Act, 1968, c. 60, § 7 (Eng.).
560. U.S. Const. art. I, § 8.
McFadden, Leslie, Detecting Synthetic Identity Fraud, Bankrate.com (May 16, 2007), http://www.bankrate.com/brm/news/pf/identity_theft_20070516_a1.asp?s=1#tab. McFarland, Michael, Ethical Implications of Data Aggregation, Santa Clara Unitversity, http://www.scu.edu/ethics/practicing/focusareas/technology/internet/privacy/ data-aggregation.html (last visited Nov. 12, 2013). McGlasson, Linda, Credit/Debit Card Fraud: New Trends, Incidents, Bank Info Security (June 23, 2008), http://www.bankinfosecurity.com/articles.php?art_id=891. McKelvey, Brandon, Financial Institution’s Duty of Confidentiality to Keep Customer’s Personal Information Secure from the Threat of Identity Theft, 34 U.C. Davis L. Rev. 1077 (2001).
738 Bibliography McMullen, John F., Digital Data: Why What’s Being Collected Matters, Techopedia (Oct. 2, 2012), http://www.techopedia.com/2/28826/security/online-data-why-whats-being-collected-matters. Mecia, Tony, Congress asks if data brokers invade consumers’ privacy, Creditcards.com (Aug. 1, 2012), http://www.creditcards.com/credit-card-news/congress-probes- data-brokers-1282.php. Meers, Elizabeth B. and Daniel S. Meade, FTC’s Red Flag Rule Likely to Affect Colleges, nacubo (Sept. 23, 2008), http://www.nacubo.org/Initiatives/Initiatives_News/ FTCs_Red_Flag_Rule_Likely_to_Affect_Colleges.html. Meulen, Nicole van der, Year of Preventing Identity Crime: Moving Forward? Identity- Related Crime in the European Arena, The Police Chief (Aug. 2008), http://www. policechiefmagazine.org/ m agazine/ i ndex.cfm?fuseaction=display&article_ id=1569&issue_id=82008#9. Milgate, Allan, The Identity Dictionary, Identity and Access Management (Aug. 21, 2006, 10:22 PM), http://identityaccessman.blogspot.com. Miller, Ted R., Mark A. Cohen and Brian Wiersema, Nat’l Institute of Justice, Victim Costs and Consequences: A New Look 1 (Jan. 1996), available at https://www.ncjrs. gov/pdffiles/victcost.pdf. Moore, Barrington, Jr., Privacy: Studies in Social and Cultural History 73 (1984). Mortensen, Ronald W., Illegal, but Not Undocumented: Identity Theft, Document Fraud, and Illegal Employment, cis (June 2009), http://www.cis.org/IdentityTheft. Mullady, Raymond G., Jr. and Scott D. Hansen, Identity Theft Litigation: A Roadmap for Defense and Protection, 2008 Utah L. Rev. 1, No. 2 (2008). Mullen, Tim, Tweaking Social Security to Combat Fraud (Feb. 13, 2008), http://www.securityfocus.com/columnists/465. Mulrine, Anna Pentagon: The global cyberwar is just beginning, The Christian Science Monitor, http://www.csmonitor.com/USA/Military/2010/1005/Pentagon-The-global- cyberwar-is-just-beginning (last visited Dec. 12, 2010). 
Nagesh, Gautham, IRS Develops System to Combat Tax-Related Fraud, Nextgov (July 9, 2008), http://www.nextgov.com/nextgov/ng_20080709_4805.php. Narkiewicz, David; Identity Theft: A Rapidly Growing Technology Problem, 26 Penn. Lawyer 58 (May/June 2004). Nazario, Mayra Cuevas, FBI: Thousands of Puerto Ricans Victims of ID Theft, CNN.com/ world (Apr. 1, 2009), http://www.cnn.com/2009/WORLD/americas/04/01/puerto. rico.theft/index.html#cnnSTCText. Nehf, James P., Recognizing the Societal Value in Information Privacy, 78 Wash. L. Rev. 1 (2003). Newman, Graeme and Megan M. McNally, U.S. Department of Justice Research Report Identity Theft Literature Review 30 (Dxoc. No. 210459, July 2005), available at www. ncjrs.gov/pdffiles1/nij/grants/210459.pdf.
Bibliography
739
Newman, Graeme R., U.S. Dept. of Justice, Office of Community Oriented Policing Services, Identity Theft 14 (June 2004), available at http://www.cops.usdoj.gov/files/ ric/Publications/e05042360.pdf. oecd, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm (last visited Feb. 10, 2014). oecd, OECD Privacy Framework 3 (2013), available at http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf. OECD, Scoping Paper on Online Identity Theft (Ministerial Background Report DSTI/ CP(2007)3/ FINAL, declassified 2008), available at http://www.oecd.org/sti/ 40644196.pdf. OECD, Centre For Tax Policy and Administration, Report on Identity Fraud: Tax Evasion and Money Laundering Vulnerabilities 4, available at www.oecd.org/dataoecd/23/5/ 42223740.pdfSimilar. Ohm, Paul, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA L. Rev. 1701 (2010). Okoey, Augustus C., Man Charged with Defrauding Lenders and ID Theft, Mortgage Fraud Blog (Feb. 09, 2010, 9:18), http://mortgagefraudblog.com/perp-walk/item/ 12969-milton_man_charged_in_mortgage_fraud_scheme. Ozer, Nicole A., Rights “Chipped” Away: RFID and Identification Documents, 2008 Stan. Tech. L. Rev. 1 (2008). Palace, Bill, What is Data Mining, Technology Note Prepared for Management 274A Anderson Graduate School of Management at ucla), available at http://www.anderson.ucla.edu/faculty/jason.frand/teacher/technologies/palace/datamining. htm. Parno, Bryan, Trust Extension as a Mechanism for Secure Code Execution on Commodity Computers (Dissertation 2010, Paper 28), available at http://repository.cmu.edu/cgi/ viewcontent.cgi?article=1029&context=dissertations. 
Passas, Nikos, Identity-Related Crimes: A Review of Research and Suggested Typologies, in International Scientific and Professional Advisory Council (ispac) of the United Nations Crime Prevention and Criminal Justice Programme, The Evolving Challenge of Identity-Related Crime: Addressing Fraud and the Criminal Misuse and Falsification of Identity 95 (2008), available at http://ispac.cnpds.org/ publications-23-the-evolving-challenge-of-identity-related-crime-addressing- fraud-23.html. Pastrikos, Catherine, Identity Theft Statutes: Which Will Protect Americans the Most?, 67 Alb. L. Rev. 1137 (2004). Patrick, Andrew, Identity Theft is Usually an Equal Opportunity, Unsophisticated Crime, http://www.andrewpatrick.ca/security-and-privacy/id-theft-criminals (last visited Feb. 2, 2012).
740 Bibliography Pfitzman, Andreas and Marit Hansen, A Terminology for Talking About Privacy by Data Minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management 35 (Internet Engineering Task Force, Working Document, Aug. 10, 2010), available at https://kantarainitiative.org/confluence/ download/attachments/45059055/terminology+for+talking+about+privacy.pdf. Poetzch et al., Future of Identity in the Information Society, D3.12: Federated Identity Management – What’s in it for the Citizen/Customer?, (2009), available at http:// www.fidis.net/fileadmin/fidis/deliverables/new_deliverables/fidis-wp3-del3.12. Federated_Identity_Management.pdf. Queensland Police Identity Crime Symposium, Policing with Intelligence http://policingwithintelligence.blogspot.com/2009/08/queensland-police-identity-crime. html (last visited Oct. 30. 2012). Rathgeb, Christian and Andreas Uhl, A Survey on Biometric Cryptosystems and Cancelable Biometrics, Eurasip J. Info. Security, 2011, available at http://jis.eurasipjournals. com/content/pdf/1687-417X-2011–3.pdf. Robertson, Elizabeth, A Phish Tale? Moving from Hype to Reality 2, Towergroup (Dec. 2004), i.i.com.com/cnwk.1d/html/itp/A_Phish_Tale.pdf. Rodgers, Melinda, U of U Medical Records Stolen, 2.2 Million Patients’ Data at Risk, Salt Lake Tribune (June 11, 2008), http://www.sltrib.com/ci_9540210. Rogers, Shaun, Testimonies: Identity Theft Horror Stories, Helium.com (Sept. 1, 2007), http://www.helium.com/items/570041-testimonies-identity-theft-horror-stories. Rouse, Margret, Definition: Data Aggregation, SearchSQLServer, http://searchsqlserver. techtarget.com/definition/data-aggregation (last updated Setp. 2006). Rundle, Mary et al., oecd, At a Cross-roads: “Personhood and Digital Identity in the Information Society” (sti Working Paper 2007/7, Feb. 29, 2008), available at www. oecd.org/dataoecd/31/6/40204773.doc. 
Ruppin, Adi, Data Loss Prevention Solutions Fail To Stop Information Leaks, Ciozone, http://www.ciozone.com/index.php/Enterprise-Software/Data-Loss-Prevention- Solutions-Fail-To-Stop-Information-Leaks.html (last visited Nov. 13, 2013). Ryu, Eun-Kyung, Kee-Young Yoo and Keum-Sook Ha, Efficient Unlinkable Secret Handshakes for Anonymous Communications, 7 Journal of Security Engineering 619 (2010), available at http://www.sersc.org/journals/JSE/vol7_no6_2010.php. Sadhu, Soham, Trusted Computing (Feb. 20, 2012), available at http://www.cs.rit.edu/ ~hpb/Lectures/20112/S_T/Src/34/Trusted_Computing.pdf. Samarati, Pierangela, Paper, Protecting Respondents Identities in Microdata Release (2001), available at http://spdp.di.unimi.it/papers/tkde_k-anonymity.pdf. Savirimuthu, Anne and Joseph Savirimuthu, Identity Theft and Systems Theory: The Fraud Act 2006 in Perspective, 4 Scripted 4 (Sept. 2007), available at http://www.law. ed.ac.uk/ahrc/script-ed/vol4-4/savirimuthu.pdf.
Bibliography
741
Schneier, Bruce, Identity Thief Steals House, Schneier.com (Aug. 29, 2005), http://www. schneier.com/blog/archives/2005/08/identity_thief.html. Schoen, Seth, Trusted Computing: Promise and Risk, Elecronic Frontier Foundation (Oct. 1, 2013), https://www.eff.org/wp/trusted-computing-promise-and-risk. Schwartz, Paul M. and Daniel Solove, The PII Problem: Privacy and a New Concept of Personally Identifiable Information, 86 N.Y.U. L. Rev. 1814 (2011). Seeger, Alexander, Presentation at UN ISPAC Conference on the Evolving Challenge of Identity-Related Crime, Identity Theft and the Convention on Cybercrime, (Courmayeur, Italy, Nov. 30–Dec. 2, 2007), available at http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/cy%20activity_events_on_identity_theft/ 567%20UN%20id%20theft%20and%20CCC_en.pdf. Sengupta, Somini, Beyond Passwords: New Tools to Identify Humans, New York Times (Sept. 10, 2013), http://cacm.acm.org/news/167614-beyond-passwords-new-tools-to- identify-humans/fulltext. Shostack, Adam and Paul Syverson, What Price Privacy? (And Why Identity Theft Is About Neither Identity Nor Theft), 12 Econ. of Info. Sec. 129, 137 (2004), available at www.nrl.navy.mil/chacs/pubs/04-1221.1-1128.pdf. Shoudt, Erin M., Identity Theft: Victims “Cry Out” for Reform, 52 AM. U. L. Rev. 339 (2002). Sofaer, Abraham D. et al., A Proposal for an International Convention on Cyber Crime and Terrorism, iws – The Information Warfare Site, (Aug. 2000) http://www.iwar. org.uk/law/resources/cybercrime/stanford/cisac-draft.htm. Soffer, Stuart, Taxonomy of Social Networking and Privacy (Dec. 15, 2009, 11:22 am), http://cyberlaw.stanford.edu/blog/2009/12/taxonomy- social-networking-and- privacy. Solove, Daniel J., A Taxonomy of Privacy, 154 U. Pa. L. Rev. 477, 477–78 (2006). Solove, Daniel J., Identity Theft, Privacy, and the Architecture of Vulnerability, 54 Hastings L.J. 1227, 1229 (2002–03). Solove, Daniel J. and Chris Jay Hoofnagle, A Model Regime of Privacy Protection, Ill. L. Rev. 
1 (2006). Solove, Daniel J., The Digital Person: Technology and Privacy in the Information Age (2004). Solove, Daniel J., The New Vulnerability: Data Security and Personal Information, 9 (gwu Law School Public Law Research, Paper No. 102, 2008). Sovern, Jeff, The Jewel of Their Souls: Preventing Identity Theft Through Loss Allocation Rules, 64 U. Pitt. L. Rev. 343 (2003). Spring, Tom, Net Watchdog: Beware of Auto Loan Scams, PC World (Oct. 26, 2006), http://www.pcworld.com/article/127613/net_watchdog_beware_of_auto_loan_ scams.html.
742 Bibliography Sproule, Susan and Norm Archer, Measuring Identity Theft in Canada: 2008 Consumer Survey, McMaster eBusiness Research Center, http://www.business.mcmaster.ca/ IDTDefinition/WP23%20exec%20summ.htm (last visited Mar. 24, 2010). Stallman, Richard, Can You Trust Your Computer?, Free Software Free Society: Selected Essays of Richard Stallman, M. 117–121 (2002), available at http://www.gnu.org/philosophy/can-you-trust.html. Stana, Richard M., Identity Fraud: Prevalence and Links to Alien Illegal Activities, Statement Before the Subcommittee on Crime, Terrorism and Homeland Security, and the Subcommittee on Immigration, Border Security, and Claims, Committee on the Judiciary, House of Representatives (June 25, 2002), at 6, available at http://www.gao. gov/new.items/d02830t.pdf. Stana, Richard M., Identity Theft: Growing Prevalence and Cost, Almanac of Policy Issues (Feb. 14, 2002), http://www.policyalmanac.org/crime/archive/identity_ theft.shtml. Stephan, Michael J., Shane Pennington, Guha Krishnamurthi, and Jon Reidy, Identity Burglary, 13 Tex. Rev. L. & Pol. 401 (2009). Stickley, Jim, The Truth about Identity Theft (2008). Stilianos Vidalis and Andrew Blyth, Understanding and Developing a Threat Assessment Methodology (n.d.) (unpublished manuscript), available at http://tinyurl.com/ baueqsm. Suarez, Ray, Stealing Identities, Transcript, PBS News Hour Broadcast (Feb. 24, 2005), http://www.pbs.org/newshour/bb/business/jan-june05/identity_2-24.html. Sullivan, Bob, Hidden Cost of Illegal Immigration: ID Theft, nbc News.com (March 31, 2006, 10:00 AM), http://redtape.nbcnews.com/_news/2006/03/31/6346107-hidden- cost-of-illegal-immigration-id-theft?lite. Sullivan, Bob, Hit by ID Theft, Then Plagued by Sprint, nbc News.com (Mar. 7, 2008), http://redtape.nbcnews.com/_news/2008/03/07/6345893-hit-by-id-theft-then- plagued-by-sprint?lite. Sullivan, Bob, Your Evil Twin: Behind the Identity Theft Epidemic (2004). 
Sullivan, Clare, Digital Identiy (2011), available at http://www.adelaide.edu.au/press/ titles/digital-identity/Digital_Identity_Ebook.pdf. Sutherland, Edwin H., Principles of Criminology (1924). Sutter, John D., Is Chasing Cybercrooks Worth It?, cnn Tech (may 5, 2009, 10:09 AM), http://www.cnn.com/2010/TECH/03/05/cyberattack.prosecute/index.html?hpt=C2. Sward, Susan, A strange case of identity theft, SFGate (Mar 22, 2009), http://articles. sfgate.com/2009-03-22/news/17214604_1_streetcar-legal-bills-theft. Sweeney, Latanya, K-Anonymity: A Model for Protecting Privacy, 10 Int’l J. Uncertainty, Fuzziness & Knowledge- Based Sys., 557 (2002).
Bibliography
743
Sweeney, Latanya, Uniqueness of Simple Demographics in the U.S. Population, Laboratory (International Data Privacy Working Paper, lidap-w p4, 2000). A subsequent study placed the number at 61% (for 1990 census data) and 63% (for 2000 census data). Sylester, Erin Leigh, Identity Theft: Are the Elderly Targeted?, 3 Conn. Pub. Interest L.J. 371 (Spring 2004). Talmor, Eli, Authentication vs. Authorization vs. Identity verification, Sentry-com.net Blog (Dec. 21, 2008), http://sentry-com.net/blog/?p=28. Towle, Holly K., Identity Theft: Myths, Methods, and New Law, 30 Rutgers Computer and Tech. L.J. 237 (2004). Umbreit, M. S., R. B. Coates and B. Kalanj, Victim Meets Offender: The Impact of Restorative Justice and Mediation (1994), available at http://www.ncjrs.gov/App/publications/abstract.aspx?ID=147713. United Nations Crime and Justice Information Network International Review of Criminal Policy, United Nations Manual on the Prevention and Control of Computer Related Crime, http://www.uncjin.org/Documents/EighthCongress.html (last visited Feb. 14, 2012). U.N. Secretary-General, U.N. Commission on Crime Prevention and Criminal Justice, International Cooperation in the Prevention, Investigation, Prosecution, and Punishment of Fraud, the Criminal Misuse and Falsification of Identity and Related Crimes [Draft 1 Short Version], 48, U.N. Doc. E/CN.15/2007/8 (2007), available at https:// www.unodc.org/unodc/en/organized-crime/identity-related-crime.html.). U.N. Secretary-General, U.N. Commission on Crime Prevention and Criminal Justice, Results of the Second Meeting of the Intergovernmental Expert Group to Prepare a Study on Fraud and the Criminal Misuse and Falsification of Identity, U.N. Doc. E/ CN.15/2007/8/Add.3 (Jan. 31, 2009), available http://www.unodc.org/documents/ organized-crime/E_CN_15_2007_8_Add_3.pdf.www.unodc.org/documents/treaties/UNCAC/Publications/Handbook_on_ID_Crime/10-57802_ebooke.pdf. Vacca, John R., Biometric Technologies and Verification Systems(2007). 
Vacca, John R., Identity Theft (2003). Valentine, Debra A., Symposium Review, Privacy on the Internet: The Evolving Legal Landscape, 16 Santa Clara Computer & High Tech. L.J. 401, 416 (2000). Vamosi, Robert et al., Javelin Strategy & Research, 2010 Identity Fraud Survey Report: Identity Fraud Continues to Rise – New Accounts Fraud Drives Increase; Consumer Costs at an All – Time Low (Feb. 2010), available at https://www.javelinstrategy.com/ research/brochures/Brochure-170. Van, Jerry le, Credit Repair Specialist Pleads Guilty to Fraud Scheme, Mortgage Fraud (Feb. 11, 2010), http://mortgagefraudblog.com/perp-walk/item/12974-credit_repair_ specialist_pleads_guilty_to_ fraud_scheme.
744 Bibliography Vandenabeele, Caroline, Legal Identity for Inclusive Development, Bangladesh, Cambodia, Nepal (powerpoint presentation) 2, available at http://www.adb. org/Documents/PRF/REG/RETA-6188-Legal-Identity.pdf (last visited Jan. 31, 2012). Verton, Dan, Organized Crime Invades Cyberspace, Computer World (Aug. 30, 2004), http://www.computerworld.com/s/article/95501/Organized_Crime_Invades_Cyberspace. Vidalis, Stilianos and Andrew Jones, Geo Bureau, Analyzing Threat Agents & Their Attributes (nd.), available at http://tinyurl.com/avo8cvp. Weinberger, David, There’s No “I” in “Identity,” Journal of the Hyperlinked Organization (Apr. 15, 2004), available at http://www.hyperorg.com/backissues/joho-apr15- 04.html. Welsh, Amanda, The Identity Theft Protection Guide (2004). Wells, Joseph T., Why Employees Commit Fraud: It’s Either Greed or Need, Journal of Accountancy (Feb. 2001), http://www.journalofaccountancy.com/Issues/2001/Feb/ WhyEmployeesCommitFraud.htm. White, Anthony E., The Recognition of a Negligence Cause of Action for Victims of Identity Theft: Someone Stole My Identity, Now Who Is Going to Pay for It?, 88 Marq. L. Rev. 847 (2005). Williams, Christopher, Home Office death list ‘stops ID fraud,’ The Register (Sept. 23, 2008, 10:52 PM), www.theregister.co.uk/2008/12/23/gro_list/Cached – Similar. Winder, Davey, Online Identity Auction Selling Credit Cards for Half a Dollar, Daniweb.com (Sept. 17, 2007, 6:37 PM), http://www.daniweb.com/news/post1103582. html. Wootton, Andrew B. and Caroline L. Davey, Crime Lifecycle, Design Against Crim (2003), available at http://www.veilig-ontwerp-beheer.nl/publicaties/crime-lifecycle- guidance-for-generating-design-against-crime-ideas/at_download/f ile. Yuan, Yufei, Presentation for the Society of Internet Professionals, Combating Identity Theft: A Theoretical Framework, (Feb. 28, 2006), at 29, available at http://www.sipgroup.org/resources/ppt/ID_theft_Yufei_YuanI.pdf. 
Zeller, Tom Jr., Breach Points Up Flaws in Privacy Laws, The New York Times (Feb. 24, 2005), http://www.nytimes.com/2005/02/24/business/24datas.html?_r=0&pagewanted=all&position=. Zetter, Kim, DarkMarket Ringleader Pleads Guilty in London, Wired.com (Jan. 21, 2010), http://www.wired.com/threatlevel/2010/01/jilsi-pleads-guilty/. Zetter, Kim, Tightening the Net on Cybercrime, Wired.com (Jan. 1, 2007), http://www. wired.com/politics/onlinerights/news/2007/01/72581.
Bibliography
745
Zheng, Paloski and Wang, Working Paper, An Efficient User Verification System via Mouse Movements (2011), http://www.cs.wm.edu/~nzheng/paper/ccs11.pdf. Zieger, Anne, Organized Crime Getting Deeper Into Medical Identity Theft, Fierce Health Care (Oct. 23, 2009), http://www.fiercehealthcare.com/story/organized-crime- getting-deeper-medical-identity-theft/2009-10-23.
Index
access code 339, 356, 368, 397 accountability 128, 438, 578, 616–18, 650, 657, 663 Accountability Act 163–64, 167, 347, 573, 664 account holders 122, 127, 330, 340, 606 account number 83, 87, 112, 120, 297, 300, 354, 363–64, 367–68, 397–98, 550–51 brokerage 373 complete 550 financial 489 new 336 savings 373 victim’s 120 accounts 110–12, 118–24, 153–55, 157–58, 177–78, 218–19, 224–25, 305–7, 330–33, 335–38, 340, 360, 366, 457–58, 472, 493, 495–96, 549–50, 637–39, 643 brokerage 395 checking 70, 126, 134, 231, 300, 331–32, 352 compromised 230 consumer’s 301 deposit 122, 335, 352, 398 e-mail 340 falsified 267, 307 legitimate 119, 121, 153 loan 457 savings 231, 332, 350, 352, 361, 371, 384, 393, 395 steal 211 victim’s 79, 126, 510 wireless 152 Accurate Credit Transactions Act 322, 329, 337, 538, 561 Acquisition Identity Cards Act 499 actions collections 165 criminal’s 50 government’s 286 international 568 preventive 560 active duty alerts 322, 327–28 activities compliance 159 individual’s 620
innocent 63 innocuous 239–40 non-criminal 238, 567 terrorist 173–74 acts 46–47, 49–52, 55–56, 239–41, 296, 319–22, 337–44, 346–48, 377–80, 421–23, 432–33, 453–55, 473–75, 477–78, 480–81, 509–12, 515, 517–19, 521–23, 526–29 criminalization of 250 deceptive 51 illegal 254 innocuous 241 overt 377, 459 terroristic 222 agencies 79, 146, 151, 157–58, 161, 221–22, 224–25, 232–34, 256, 280, 323–30, 342–43, 482–83, 584–85, 615, 624–25 appropriate 570 authorized 211 document-issuing 453 governmental 226, 276, 405 lending 319 private 218 regulatory 142, 629 reporting 224, 228, 302, 304, 323–29, 333, 366, 369–70, 382–83, 402–4, 481–84, 538–39, 575 algorithms 158, 631, 660, 665 aliases 315 aliens 139, 180, 315–16, 348–49 illegal 104, 106–7, 135–36, 179, 269 undocumented 140 amendments 19, 137, 220, 342, 700–701 amount 6–8, 142–43, 194–95, 214, 228, 230–31, 236, 255, 257, 286–87, 381, 386–87, 417, 458, 514 average 197 higher 384 refund 160 significant 95, 159, 197 yearly 69 analysis additional 557 cost-benefit 201, 205 identity crime cost 206 legislative 15
social network 631 anonymity 601, 603–5, 607, 609, 611, 613, 615, 617, 619, 621, 625–27, 633–35, 647–57, 659–61, 665–69 benefits of 21, 706 complete 607 fusing 650 individual 655 total 21, 706 visual 654 anonymization 213, 607, 651, 658, 660–62 application 131–32, 301, 334–35, 337, 360, 365, 370, 460, 473, 475, 480, 482, 632, 687–90, 698–700 broadest 684–85 electronic 360 false loan 150 foreign passport 446, 480 geolocation 632 hacking 90, 633 multiple 463, 472, 647 smartphone 627 telephone 360 approaches 14, 34, 205–6, 250, 541–42, 545–47, 549, 567, 569, 586–87, 638–39, 651–52, 654, 670–71, 707–8 basic 545, 706 casual 230 crime-centric 545 device-based 649 effective 704 governmental 542 international 547 multidisciplinary 600 recommended 545 regional 248 risk-based 552 technological 580 zero-sum 667 appropriation 466, 513–14, 619–20 approval 130, 299, 502, 578, 691, 693–94, 698–99, 701 easy credit 132 arrest 6, 18, 112, 114, 117, 126, 191–92, 201–2, 412, 416, 418 probability of 192, 201 provisional 691 artifice 260, 267–68, 307–9, 311, 313, 318 assets 7–8, 25, 31, 147, 155, 200, 230, 234, 321, 551, 553
protecting 102 victim’s 365 assistance 387, 453, 576, 682–83, 692–93, 697–98 agencies 224 personnel 190 atm (automated teller machine) 78, 112, 125, 127–28, 211, 419, 493, 497, 510 attacker 95, 121, 652–53, 655, 660, 663 attacks 8–9, 81, 83, 86–87, 92–94, 99, 103, 176, 184, 212, 538 inference 632 insider 67–68 man-in-the-middle 92, 94 system reconfiguration 17, 94, 704 attorney 143–44, 167, 318–19, 339, 368, 374, 378, 383, 431, 445 defendant’s 505 district 381 organization’s 438 attributes 28, 30–31, 33, 38, 42–43, 188, 281, 644, 647, 654, 658 psychological 31–32 auctions 89, 109 Australia 18–20, 23, 158–59, 221–22, 252–53, 444–45, 452, 454, 456, 458, 470–71, 541–42, 705 Australian Criminal Code 456, 473, 479–80 Australian Foreign Passports 474–75, 477, 480–81 Australian Passports Act 473, 479–81 Australian Privacy Act 481 Australian travel document 446, 448–51, 473–74, 479–81 authentication 168, 548, 550, 557, 580, 603, 609, 614, 634–38, 640–47, 653 biometric 641 brainwave-based computer 640 log-in 550 multi-layered 549–50 strong 636, 642 two-factor 549, 588, 638 authentication features 2, 4, 48, 258, 260–62, 269, 271–72, 279, 281–83, 294, 679–80 actual 263, 272 genuine 280 illicit 285 authorities 7–8, 57–58, 142, 179–80, 195–96, 277–78, 317–18, 320, 396, 399, 419,
423–24, 520, 559–60, 576–77, 611–14, 683–84, 686–87, 691–95, 697–98 central 692–94 congressional 273 education 31 federal 135, 180, 185, 537–38 foreign 683 immigration 291, 315 issuing 4, 48, 277, 279–80, 679 legal 99, 138–39, 169, 570 licensing 562 public 247, 521 authorization 259, 264, 274, 278–80, 298, 302–5, 386, 388, 414, 603, 634–36, 638, 646–47 legal 362 prior 310 bank account information 96, 128, 130, 132, 663 bank account numbers 83, 125, 130, 134, 143, 159, 184, 190, 356, 581, 664 bank accounts 100, 103, 109, 112, 114, 120, 127, 309, 312, 385, 387 existing genuine 463, 472 joint 374 bank cards 112, 277, 496 sold stolen 111 bank fraud 55, 61, 65, 69, 125–28, 182, 285, 288, 309, 311–12, 350–51, 361–62, 384–85 bankruptcy 17, 65, 145, 172, 234, 674, 704 banks 63–64, 124–27, 131–32, 138–39, 142–43, 156–57, 178–79, 228, 230–31, 309–13, 329–31, 337, 366, 406–8, 539, 549, 565–67, 595, 602, 606 fake 89 foreign 143, 157 legitimate 89 local 142 monthly 561 victim’s 227 benefits 61, 134–37, 188–89, 195–96, 204–6, 217, 365, 374, 378–80, 434–35, 446–47, 454–55, 460–61, 478–79, 678, 683–85 disability 137 discretionary 434 economic 66 emergency 52
financial 55, 116, 566 governmental 13 high value 452 immigration 103 medical 161–62, 579 nonfinancial 486 social 613 victim’s 490 Benefits Fraud 350–51, 361–62, 371–72, 384–85, 393 Better Business Bureaus 133, 337, 406 bills 153, 155, 165–66, 170, 219–20, 302, 305, 318, 403, 405, 419–20, 560, 562 biometrics 23, 25, 31, 40, 42, 580–82, 588, 602, 606, 637, 640, 642–43 birth certificates 138–41, 276, 282, 291, 351, 357–58, 390, 395, 407, 413, 548, 562 birth date 73, 75, 97, 100, 133, 135, 145, 148, 165, 167, 561, 563, 625, 628 birthplace 253, 624 borders 6, 102–3, 112, 236, 244, 349, 474, 534 international 8, 16, 449, 474, 480, 538 national 6, 236, 250, 670–71, 704 southwest 181 botnets 17, 84–87, 98–99, 123, 703 boundaries international 6, 236 national 576 branch of law 6, 52–53, 317, 493 browser 90, 92, 646 burglary 4, 49, 108, 142, 321, 496 businesses 8–10, 12–13, 21–23, 72, 74–75, 103, 206–9, 211–12, 220–21, 226–28, 365–68, 398, 440–41, 543–44, 550–56, 578–80, 583, 587–88, 607–8, 668–69 fictitious 300 financial 564 large 221 legitimate 81, 89, 294 neighborhood 184, 578 private-sector 554 retail 277 business policies 14, 544, 551, 588 business practice 419, 667 accepted 441 accountable 667 business transactions 84, 102, 244, 583 online 222, 227 standard 131
Cable Communications Policy Act 341 California 104, 107–8, 124, 126, 136, 138, 181–85, 349–50, 352, 354, 357, 363 Canada 1–2, 4–5, 10, 18–20, 76–78, 103–5, 252–54, 404–8, 421, 423, 426, 428–30, 504–5, 539–40, 542, 562–63, 571, 573, 578, 616–17 Canadian Criminal Code 405, 408–13, 418, 420, 424, 427–28, 431, 440 Canadian Internet Policy 48, 405, 433, 549 Canadian law 5, 275, 406, 408, 432, 442, 540 Canadian statutes 5, 404, 408, 420, 441, 540, 681 card frauds 121, 123 cost of credit 228–29 involving credit 115 largest debit 78 cardholder 228–29, 330, 354–57, 365, 390–91, 429 card issuer 230, 241, 302, 330 cards 78–79, 100, 111–12, 120–21, 124, 175, 228–30, 291, 354, 356–58, 360, 365, 390–91, 395–96, 398, 413, 429, 502, 504–5, 581–82 additional 324–26 atm 230, 297 cloning 184 faked 502 fictitious 365 financial 497 gift 228 library 78 paper 40 platinum 112 point-of-sale 398 postal 267, 308, 320 prepaid 299 replacement 330, 335 visa 395, 428 cases 30, 54–55, 68, 70–71, 73–75, 88, 103–4, 113–14, 118–20, 142, 171–74, 196–98, 222–24, 231–33, 258–68, 409–12, 504, 572, 574–77, 595–96 bankruptcy 172–73 domestic 177 federal money laundering 178 high-profile 178 identity-crime 572 noncompliance 179
reported 116, 173, 504 transnational 569–70 cash 61, 125, 127, 177, 181, 183, 194–95, 204, 492–93, 565, 567 characteristics biological 31, 42 individual 27 personal 26, 324, 656 real-world 626 charges 100, 104–6, 150–53, 171, 176–77, 182–83, 230, 300, 303–4, 360, 396, 407, 418, 492, 496, 536–37 drug 123 false 229 federal 148 finance 325 lawful 356 unauthorized 88, 153–54, 230, 336 unexpected 562, 593 children 108, 136, 142, 164, 167, 180, 317, 340, 559, 592, 657 China 40–41, 85, 96, 104–5, 112, 123–24, 143, 169, 254, 512, 602 citizenship 12, 31, 35, 138–39, 293, 315–16, 414 Civil Liability Amendment Act 455, 488 Code of Fair Information Practices (fip) 609 collection 54, 58, 338, 342, 436–39, 496–97, 611–12, 614–16, 684, 688, 690–91, 697, 701 commercial 629 limiting 616 real-time 687–89, 697 unauthorized 47 collection agencies 165, 197, 217, 219, 225, 402–3, 405 Collection Limitation Principle 611 commerce, international 13, 272, 302–3, 309, 707 commitment 9, 18, 72, 191–92, 194–95, 197, 200, 608, 707 Commonwealth entity 456–60, 464–65, 469 Commonwealth laws 454, 460 communications 118, 121, 159–60, 302–3, 338–39, 394–95, 467–68, 651, 655–56, 684–85, 691, 693–94, 696–97 additional 651 improved 575, 579 nonverbal 566 private 413 radio 346, 467
remote 207, 444 television 309 community 18, 35, 202, 204, 217, 228, 425–26, 635, 704 international legal 10, 707 companies 77, 81–82, 175, 178, 234, 288–89, 324–27, 440, 463, 472, 552–56, 628, 630–31 finance 332 nongovernmental 631 rental 341 telecommunications 332 videotape 341 complaints 69, 141–42, 160, 162, 171, 176, 229, 350–51, 361–62, 371–72, 384–85, 393, 575 identity-crime 233 total 117, 130 compliance 229, 330, 346, 369, 438–39, 460, 522, 616 organization’s 439 regulatory 667 components of identity crime 308, 310, 312, 314, 316–17, 319, 366, 428–31, 433, 465–66, 470–72, 532–33, 540, 588–600, 676 critical 559, 651 five 46, 62, 66, 186, 252, 408, 424, 533, 542, 676, 681–82 computer code 91, 109–10 computer data 54, 249, 254, 379–80, 485–86, 489, 494, 686–87 non-public 671 stored 695 computer disc 4, 48, 278, 397, 469, 679 computer firewalls 593 computer fraud 54, 167, 302–4, 310, 495–96, 534 computer fraud statute 304, 496 computer hacking 81, 111, 122, 177, 195 computer hardware 4, 48, 77, 278, 555, 591, 679 Computer Misuse Act 516 computer offenses 448–49, 468, 470 computer password 356, 410–11, 430–31, 593 computers 6, 54, 77–78, 80, 83–86, 90, 93–94, 98–99, 299, 302–5, 430–31, 447–48, 462–63, 468–70, 494–95, 497, 516–17, 590–91, 647–49, 687–88 compromised 87
desktop 74 home 68, 561 local 94, 649 multiple 95 offender’s 134 target 95 zombie 84–85, 93 computer security 76, 227, 653 computer systems 8, 91, 94, 249–50, 430–31, 494–95, 544, 548, 551, 671–72, 684–88, 690, 695–97 computer technology 17, 67–68, 80, 99, 195, 558, 572, 576, 596, 607, 633 conduct 237–38, 387–88, 427, 441, 455, 457, 459, 491, 508, 510, 529–30, 596–98, 691–92 criminalizing 244 deliberate destructive 9 identity-related 455 illicit 4, 237 innocuous 239–40 confidentiality 15, 232, 303–4, 339, 342, 345, 525, 532, 620, 625, 694–95 Congress 270, 272–73, 280, 282, 287–88, 295, 317, 329–30, 337, 339, 348–49 consent 344, 346, 348, 351, 356, 386–88, 398–400, 437–39, 508, 525–26, 530–32, 578, 610–11, 616–17, 698 authorized 137 cardholder’s 390 consumer’s 370 explicit 531 knowledgeable 578 parental 340 voluntary 697 consequences 9, 30, 119, 172, 202–3, 208, 212, 218–19, 342, 535, 568 deadly 162, 233 disastrous 606 far-reaching 427 life-altering 608 light 568 real 567, 595, 630 significant 656 conspiracy 127, 285, 288, 294–95, 299, 306, 308–9, 311–15, 446–47, 459, 461 consumer complaints 16, 132, 664 consumer confidence 207, 564 consumer education 14, 544, 558–60, 588
Index consumer report 323–27, 329, 332–35, 370 new, 328 consumers 68–71, 98–101, 116–19, 121–22, 227–28, 301–2, 304–5, 323–29, 333, 337–39, 369–70, 404, 538–39, 558, 560–62, 564, 593–94, 602–3, 628–31, 668–69 authenticate 563 costs 70 educating 70, 158 inform 328 national 561 victimized 229 contracts 2, 103, 155, 280, 319, 413, 434, 437–38, 529–30, 556, 591 futures 129 sales 151 student loan 559 vendor 556 Convention on Cybercrime 5, 10–11, 22, 249–50, 576–77, 598, 671–73, 677, 706 conviction 141, 143, 273–74, 291, 295–96, 299–300, 303, 386–87, 490, 492, 504–6, 508, 536 cumulative 296 defendant’s 315 prior 285 cookies 83–84 cooperation 242, 244, 247–49, 534, 538, 555, 559, 574–76, 578–79, 670, 672–74, 676, 692 cross-border 9, 22, 690, 707 corporations 42, 64, 190, 352, 375, 390, 395, 441–42, 459, 473, 486 costs 69–70, 117–18, 163, 188–89, 196, 200–201, 205–8, 210–13, 215–23, 226–29, 388, 444–45, 547, 576, 637, 640 administrative 174 average 101, 223 consumer 1, 116, 255 court 400 emotional 214, 226 financially-based 215 indirect 227, 229–30 intangible 212 low 109, 174, 603 medical 201 non-financial 189 out-of-pocket 214, 222, 388
751 prevention 18, 200, 208, 704 psychological 228 response 18, 201, 209, 216, 704 significant 220, 222, 662 societal 213 unexpected 219 victim 218 Council of Europe Convention on Cybercrime 11, 570, 577, 612 counterfeit 41, 48, 143, 262, 266, 278–79, 291, 297–98, 301, 353–54, 357, 387, 389–92 Counterfeiting Act 499, 501, 518–19, 521, 542 countries borders of 13, 707 developing 242, 244, 574, 584–85, 597 foreign 42, 139, 475–76, 478–79, 558 court 40, 285–86, 291–92, 295–96, 320, 353, 359, 364–65, 370–71, 376–78, 381, 383, 387–88, 396–97, 401, 406, 425–28, 490, 524–25, 572 appellate 505–6, 512, 519 federal 39, 296, 349 lower 291, 505 co-workers 67, 70, 116, 291, 303, 664 credit 96–97, 118–19, 123–25, 213–14, 219, 232, 297, 300–301, 324–27, 331, 338–39, 365–68, 370, 388–89, 394–95, 397–98, 404, 420–21, 481–84, 539 commercial 482–83 existing 120 negative 119 new 325 obtaining 212, 217, 421–22 unauthorized 299 credit bureaus 101, 224, 550, 589, 628 commercial 77 credit card accounts 70, 113, 123, 175–76, 287, 332, 374, 406, 457 credit card companies 13, 138, 156, 176, 228–29, 389, 406, 515, 550, 675 credit card data 96, 109, 175, 288, 410–11, 428, 442 credit card fraud 55, 61, 65, 69, 116–17, 120, 228–29, 350–51, 361–62, 371–72, 384–85, 391, 393 credit card numbers 73, 78, 82–83, 91, 100, 159–60, 376–77, 429, 556, 620, 624 credit cards 63–65, 74–76, 78–79, 109, 114–16, 121, 175, 182–84, 206, 230, 284,
752 Index credit cards (cont.) 297, 379, 390–92, 409–11, 419, 428–29, 441–42, 606–7, 672–74 actual 377 false 407 falsify 429, 442 forged 375, 540 lost 64 new 117, 123, 184, 550 pre-approved 74 stealing 183 credit history 100, 119, 171, 417 bad 539 personal 73 ruined 54 victim’s 388, 390 creditors 120, 217, 323–24, 329–36, 338, 382–83, 402, 405, 539 credit provider 63, 481–84 credit reports 77, 79, 98, 101, 214, 217, 481–82, 484, 550–51, 589, 593, 629–30 bad 230 consumer’s 100, 561 individual 560 yearly 211 credit score 118, 218, 294, 323, 325, 327 credit unions 125, 496 crime prevention 2, 4, 7, 14, 51, 55, 196, 201, 236–37, 241–42, 545, 555, 559 approaches 20, 545, 706 models 14, 545, 708 crimes 1–11, 13–19, 47–51, 53–57, 61–66, 99–104, 112–16, 172–76, 186–210, 214–32, 234–38, 281–87, 370–81, 418–23, 460–65, 533–35, 563–72, 668–73, 681–83, 707–8 borderless 11 commercial 244 computer 6, 54, 80, 94, 250, 564, 572, 583 credit card 429 drug trafficking 282, 314 economic 139, 242 federal 183, 293, 319, 321 financial 41, 102, 176, 223, 397 immigration 316, 535 organized 2, 8, 84, 164, 184–85, 202, 238, 242–43, 245, 704 privacy and identity 601, 604, 619, 625–26, 659, 669 terrorist-related 175 victimless 199, 222, 565
violent 226, 282 white-collar 143, 194, 223 criminal activities 2–3, 7, 11, 60, 63, 140, 142, 237–38, 243, 533–34, 672, 674 potential 199 virtual 672 Criminal Code 2, 4–5, 19, 405–6, 408, 413, 417–18, 420–21, 423–25, 427–29, 431, 433, 440, 442–43, 540 Criminal Code Act 456, 463, 478, 480, 488, 494 criminal gangs 102, 104, 106, 200, 390–92 criminal histories 135, 195, 218, 522 criminal investigations 217, 369, 437, 675, 684, 695 criminalization 48, 50, 236, 239, 241, 250, 307, 309, 427, 533, 568–69, 571, 585, 588 inadvertent 241 criminal laws 4, 7, 46, 52, 56, 58, 236–38, 242, 247, 452, 456, 539, 541 crafting 239 federal 51, 272, 572, 596 criminals 12–14, 46–48, 56–58, 61–62, 100–102, 108–10, 113–15, 117–20, 122–24, 139, 157–59, 172–73, 182–85, 193–97, 202–3, 214, 545–48, 586–87, 672–73, 675–76 career 165 convicted identity 567 dangerous 105 dissuasive 684 domestic 22 immigration 104 international 139 low-level 183 organized 185, 502 potential 199, 537, 539, 554 professional 72, 141, 163, 166 synthetic identity 101 white-collar 110 criminal statutes 19, 52, 239–40, 272, 310, 454, 534, 541, 572, 596 Criminology 14, 194, 200, 202–3, 221, 445, 708 cryptographic systems 583, 599 customer records 211, 234, 339, 368, 621 customers 75, 77–78, 80–81, 83, 127, 183–84, 220, 310, 330, 333–37, 339–41, 343, 549, 621, 629–31 commercial 244
Index legitimate 550 potential 289, 512 reimbursing 220 cyberspace 37, 42–44, 184, 551, 614 damages 47, 49, 58, 140, 188, 213–14, 219, 222, 224, 227, 303, 400, 464, 494, 526–27 awarded 255 emotional 219, 227, 572, 596 financial 118 intangible 58 personal 75 psychological 226 punitive 338 reputational 669 significant 118, 234 dangers 11, 40, 75, 129–30, 151, 188, 221, 441, 549, 559, 662 DarkMarket 111–12 data big 627–28, 630–31 computerized 369 disclosure of 345, 612 databases 40, 43, 105, 110–11, 247, 328, 574, 579, 616, 621, 658, 661 data brokers 110, 628–33 data controller 521, 523–28, 611–12 data loss 529, 603–4, 641, 663, 666, 668 data minimization, principle of 552, 589, 614 data mining 626–27, 632–33, 662 data processing 38, 430, 497, 523, 529–30, 616, 618 data protection 246, 522, 526, 532, 580, 602, 618, 620, 663 personal 616, 685 Data Protection Act 500–501, 503, 521, 523, 526–28, 532 data systems 91, 348, 369, 553, 589, 609, 668 debit cards 67–68, 78, 120–21, 228, 230, 297, 299, 301, 364–66, 377, 379, 385–86, 486, 489 debt 197, 214, 234, 318, 338–39, 382–83, 388, 402–3, 438 debt collectors 13, 101, 119, 214, 337, 339, 383, 402–3, 675 defendant 273–74, 281–86, 291–94, 296, 303, 306–7, 312, 318–19, 351, 353, 363–64, 374–81, 387–88, 396–97, 407, 428–29, 431–32, 477, 505, 683
753 defraud 125, 158, 260, 267–68, 271–72, 298, 300, 307–11, 313, 352–58, 362–64, 378–80, 391–92, 423–25, 447–48, 494–96 demographics 185, 575, 630 deterrence research 568 device-making equipment 283, 298, 301 devices 239, 300–301, 317–18, 320, 355, 363, 377, 398, 419, 429–31, 442, 463–67, 469, 632–33, 640–41, 649 adaptation of 446, 448–49, 463 automated banking 442 catcher 633 digital 43, 626 electronic 4, 48, 278, 457, 461–63, 491, 679 external 87 interception 466 mobile 553, 589, 623, 632 skimmer 372, 377, 380 storage 75, 77 digital identity 27–28, 41–44, 613, 624, 626 disclosure 337, 339, 341, 343–47, 368–69, 434–35, 437–39, 483, 507, 522–23, 525–26, 528, 653, 655, 695–96 documents 3–7, 45–48, 56–57, 60–62, 102–8, 114–15, 238–41, 275–82, 314–17, 399–400, 413–14, 417–20, 422–24, 452–53, 460–65, 473–80, 502–6, 544–48, 561–63, 678–80 altered 104 authentic 105 authenticate 4, 48 counterfeited 105 credit card 561 fake 73, 102, 105–7, 136 genuine 76, 102, 175, 238, 278, 422, 505 incriminating 13, 675 international 610 misleading 446, 450, 460, 464–65, 473, 477–78, 480 mortgage 150 paper 75 proof-of-identity 453 sensitive 589, 665 shredding 288, 561 domain names 88, 90, 258, 267, 305–7 driver’s license 107, 110, 132, 134, 139–40, 282, 284, 287, 353–54, 357, 360, 390, 496–97, 557, 562 driver’s license fraud 140–41
754 Index drug trafficking 17, 86, 114, 139–40, 173, 178, 181–82, 704 dumpster diving 17, 63, 67, 74, 84, 561 economies national 156, 220–22 world’s 21 electromagnetic 430–31 electronic fund transfers 69, 126, 157, 300, 337, 350, 361, 371, 384, 393 e-mail fraud 258–59, 266–67, 306, 535, 538 e-mails 67, 69, 79, 81–83, 86–88, 91, 93, 110, 112, 121–22, 143–45, 159–60, 303–6 bogus 123, 160 phony 81 spam 88, 211 spoofed 87 unauthorized 303 unsolicited 143, 561, 593 employees 68, 77, 79, 190, 197–98, 288, 306, 426–27, 434, 436–37, 551–52, 554, 566–67, 589–90, 594–95 dishonest 568 educating 568 protecting 552, 589 rogue 440 unauthorized 664 employers 4, 7, 12–13, 79, 87, 135, 197–98, 274–75, 291, 554, 579 non-governmental 277 potential 630 prospective 168 employment 13, 17, 48, 134–35, 315–16, 394–95, 397, 434, 505, 507, 674–75 employment fraud 23, 69, 134–35, 157, 170, 350–51, 361–62, 371–72, 384–85, 393 enforcement 9, 14, 138, 181, 201, 249, 330, 541, 617, 621, 647 Equal Credit Opportunity Act 338 evidence 11, 13–14, 22, 273–74, 298, 300, 303, 315, 318–19, 569–70, 674–75, 688, 690–91, 697 documentary 314, 338 electronic 577 false 315 incriminating 506 medical 40 experts 98, 103, 184, 193, 222–23, 229, 538, 545, 549, 561, 563
cybersecurity 98 national 2, 243 exposure 18, 95, 192, 200, 204, 216, 223, 305, 620, 641 extradition 689–91, 698 Facebook 97, 110, 622, 628, 632, 645, 660 facilities electronic banking 496 minimum-security 223 new data processing 551 private 141 Fair and Accurate Credit Transactions Act 322, 329, 337, 538, 561 Fair Credit Reporting Act 302, 375, 615 Fair Debt Collection Practices Act 338 false documents 102, 105, 107, 418–19, 422–23, 461–63, 472, 475, 478, 501, 505, 519, 521 false identity 47, 99–102, 108, 110, 171–72, 207, 221–22, 306–7, 312, 314, 447–50, 454–55, 461, 485–86, 679 family members 67, 70, 72, 151, 200, 226, 241, 607 federal agencies 116, 137, 159, 342–43, 345, 553, 555, 563, 579, 585, 593 federal government 259–61, 271–72, 275, 321–22, 349, 535, 540, 552, 559–60, 562, 582, 585–86, 615–17 Federal Information Security Management Act 552, 585 federal law 137, 143, 259, 261, 263, 281–83, 287, 296, 302, 537–38, 540 Federal Sentencing Guidelines 282, 536 Federal Trade Commission 65, 69, 117, 119, 126, 130, 135, 153–55, 161–63, 229, 233, 321–22, 614–15 felony 261, 263, 281–84, 290–93, 295–96, 374, 376, 378–79, 381, 394, 396–97, 400 FIdMs (Federated identity management systems), 642, 645–47, 662 financial accounts 55, 76, 116, 227, 231, 233, 368, 370–71, 560, 562–63, 593 financial fraud 61, 84, 126, 139, 224, 227, 562 financial gain 48, 55, 61, 115–16, 120, 190, 195, 446–47, 450–51, 458–59, 461, 491–92, 494 financial institutions 64, 69–70, 83, 178, 197, 220, 227, 229–30, 289, 301–2, 311, 331–37, 339–40, 343, 366, 463, 472, 539, 643
Index financial losses 119, 196, 202, 216, 220, 222, 227–28, 233, 373, 380, 572 consequential 381 direct 213, 222, 229 estimated 119 initial 217 Financial Privacy Act 615 fingerprints 4, 7, 24–25, 37, 40, 42, 274–75, 415, 418, 581–82, 638, 640–41, 675, 677, 679 firearms 184, 270, 293 fisma (Federal Information Security Management Act of 2002) 552–53, 585 Florida law 385–86, 388, 391–92 Florida statutes 387, 390, 392 foreclosure 149, 151, 173, 231 Foreign Passports Act 451 foreign travel document 449–50, 475–77, 480–81 forged documents 77, 104, 142, 145, 410, 412, 416, 418, 423–24, 462–63, 465 forgery 140, 237, 239, 319–21, 354–58, 364, 366, 379, 399, 407, 414, 416, 422–23, 461–65, 521 exporting 411 thwart 563, 594 Forgery and Counterfeiting Act 499, 501, 518–19, 521, 542 forgery statutes 321, 380, 428, 465–66 framework 9, 14, 17, 56–57, 419, 544–45, 583, 585, 587, 615–16, 620, 703, 706–8 fraud 1–7, 10–11, 46–57, 65, 68–72, 115–22, 124–26, 145–48, 151–57, 172–74, 230–34, 237–40, 242–45, 307–15, 406–8, 424–27, 492–93, 497–99, 509–13, 674–76 bankruptcy 65, 234 brokerage 112 common 69 computer-related 250 consumer 119, 229 credit 14, 675 criminal 52, 371, 568 criminalizing 569 economic 2, 55, 116, 128, 243–45 extended 326–27, 404 generic 17, 704 government benefits 116, 136–37, 215 identity theft and identity 3–4, 46, 55, 228, 237, 405, 413, 415, 417–18, 533, 680
755 immigration 102, 264–65, 268, 315, 535 investment 65, 116 medical 61, 115, 164, 185 ordinary 9, 54, 58 passport 139–40 phone and utilities 152–54, 350, 361, 371, 384 postal 142 real estate 146, 148 rental 171, 674 social security 108, 138, 176 social security number 287 study on 7, 10, 207, 237–38 transnational 569, 575 victim of 323–24 Fraud Act 20, 307, 309, 498–99, 501, 509–10, 512–13, 542 fraud alerts 82, 219, 332 initial 323–25, 327 fraud cases 98, 126, 158, 196, 570 Fraud Law 2, 10, 56, 131 fraud prevention 229, 551, 555–56, 583, 643 fraud statute 3, 9, 18, 53, 58, 317, 407, 461, 492, 494, 540 Fraud Triangle 198 fraudulent activities 69–71, 73–74, 76, 120, 156, 200, 334, 559 funds 122, 126–28, 143–44, 146, 172–77, 179, 297, 300–301, 321, 363, 367, 418, 486 deposit 106 electronic 337 emergency 206 insufficient 420 transferred 299 withdrawing 398 yearly laundered 178 GEoPrivacy Enhancing TOolkit 632 Germany 109, 246–47, 254, 497 goods importing 319 medical 163 providing 53 public 650 government agencies 38, 40, 275, 277, 280, 354, 363, 565, 574, 614, 624 government benefits 49, 61, 65, 136, 162, 212, 289, 675, 708 government documents 19, 65, 69, 134, 350–51, 361–62, 371–72, 384–85, 393, 452, 675
756 Index governments central 58, 404, 498, 541, 699 foreign 6, 62, 275, 277, 320, 408, 413, 435, 577, 676, 678 high-security 581 hostile 190 national 222, 253 provincial 422 territorial 541 green cards 104, 140 groups 26, 33, 40, 174–76, 185, 189, 238, 246, 496, 651, 660–61 demographic 195 international 247 peer 202–3 self-help 656 social protest 632 hacking 17, 63, 68, 71, 80, 84, 94, 112, 124, 216, 603–4 health care 12, 161, 163, 196, 313–14, 619 provision of 347, 368 health care fraud 163, 233, 268, 313 health information 12, 167, 347, 564 Homeland Security 103, 180, 229, 345, 579, 609, 614, 625 homeowners 149, 170–71, 173, 232 Human Identification Theory 15 human trafficking 221 idcma (Identity Crime Model A) 20, 23, 543–46, 586–88, 706 identification 12, 23, 44, 53, 265, 271–72, 274–75, 277, 279–86, 290–93, 295–96, 334, 418, 473–74, 476, 536, 544, 603, 606, 634–36 automatic 211 employee 352 false 269–70, 394, 400, 418 legitimate 238 person’s 571 psychological 26 purpose of 30, 276, 278, 396 taxpayer 352, 373, 385 identification cards 139–40, 277, 309, 315, 353–54, 358, 382, 390, 402, 506, 548 biometric 582 electronic 40 laminated 279
personal 278, 282 universal 40 identification documents altered 278 fake 149 governmental 277 issues 79 nature of 7, 237 identification management 14, 544, 588 identification number 4, 7, 24, 26, 45, 138, 169, 274, 292, 320, 364 electronic 395 government-issued 363, 367–68 mobile 297, 363, 367, 373 nationwide 38 unique electronic 4, 7, 24, 274, 363, 367, 386, 679 identification purposes 31, 140, 276, 421, 503, 573, 578–79, 581 identifiers 23, 25, 27, 39, 53, 275, 467, 528, 560, 658, 662 biometric 349 financial 25 personal 137 unique 41, 553, 581, 590, 654 identity 1–19, 23–39, 41–45, 47–51, 54–58, 60–62, 204–11, 235–37, 241–42, 301–5, 402–6, 415–19, 635–39, 641–47, 649–51, 654–57, 668–70, 672–76, 681–82, 703–5 acquiring 61 actual 54 attributed 27, 37 authenticated 20, 706 biographical 27, 37 defined 31 fictitious 47, 184, 268, 363–64 financial 145, 227 hybrid 101, 679–80 official 103 personal 31, 33, 35, 673 psychological 32 synthetic 60, 68, 100, 257, 291–92, 319, 679 verifying 7, 237, 453 identity authentication 548, 639 Identity Cards Act 19–20, 253, 499–500, 502–7, 509, 542 identity crime 1–6, 8–26, 46–49, 53–62, 64–72, 110–20, 181–202, 204–15, 217–30,
Index 232–39, 245–68, 316–22, 443–52, 532–35, 541–44, 571–76, 594–609, 667–77, 680–84, 703–8 amount of 228, 576, 672 capability 18, 184, 188–94, 200, 546, 629, 661 combat 9, 18, 23, 248, 255–56, 288, 352, 502, 541, 704 common 141, 153 computer-related 572, 596 exposure to 204, 223 facets of 48, 60, 301 federal 272 fighting 257, 407 five components 22, 46, 62, 65, 113–14, 186, 253, 542–43, 676 hybrid 64, 99–101, 145 impact 22, 543 international 547, 569, 670 large-scale 185, 576 non-financial 134–35, 145 prosecuting 18, 20, 236, 252, 297, 515, 570, 596, 673, 676, 705 risk of 222, 227, 332, 336, 554, 558, 602, 604, 607, 664, 666, 668 statistics on 249, 405 study of 350, 361, 371, 384, 392 Identity Crime Biometrics 637, 643 identity crime cases 2, 136, 222–23, 514, 570–71, 582, 596, 598, 600 Identity Crime Framework 18, 46–47, 55, 57 Identity Crime Framework and Model Identity 73 Identity Crime Framework and Model table 117, 153 identity crime laws 2, 10, 56, 255, 381, 424, 443, 536, 547 current 409–12 federal 540 national 254 Identity Crime Legislation 17–18, 252–53, 255, 257, 259, 261, 263, 265, 267, 269, 271, 273, 275, 277, 704–6 Identity Crime Model 19–20, 22, 46–47, 115, 252–54, 428–31, 456–57, 465–66, 470–72, 532–33, 537, 540, 543, 588–600, 671, 705–7 Identity Crime Model Approach (idcma) 20, 23, 543–46, 586–88, 706
757 Identity Crime Model Diagram 57, 59 Identity Crime Privacy Model 21, 604–5, 607, 668–69, 706 Identity Crime Risk Assessment Model 17, 704 identity crime statistics Australian 1 canada 1 identity crime statutes Australian 446–51 california 357 canada 407, 409–12, 426 federal 271–72 Identity Crime Threat Model 20, 588–600 Identity Crime Toolkit 13, 165, 675 identity crime victims 2, 66, 69–70, 157, 161–62, 165, 196–97, 211–15, 217–22, 224–27, 359–60, 535, 578–79, 594, 596 identity documents 56–57, 60–61, 64–65, 240–41, 321–22, 408–9, 413–14, 446–48, 450, 456–57, 475–76, 478–80, 502–4, 509, 533, 540, 562–63, 593, 678, 682 identity fraud 1–5, 19–20, 46–51, 53–56, 69–71, 115–16, 121, 139–40, 180–81, 221–22, 227–29, 236–38, 255–57, 405–6, 413, 415–18, 497–98, 533, 540, 679–80 identity information 3–6, 36–37, 41–42, 47–48, 60–64, 68, 71–72, 75–76, 107–9, 111–15, 406–10, 415–19, 426–27, 429–31, 449–51, 488, 495–96, 533–34, 676–80, 685–88 sensitive 98, 115, 551–52, 554 trafficking in 19, 411, 413, 415, 440, 495 identity theft 1–5, 14–20, 47–51, 53, 70–72, 126–27, 147–52, 179–83, 246–49, 254–55, 287–89, 293–96, 323–24, 370–77, 380–83, 401–2, 404–11, 428–29, 533–36, 550–52 victim of 365–67, 370, 382, 404 Identity Theft and Assumption Deterrence Act 5, 254, 270 Identity Theft and Systems Theory 510 immigrants 179–80, 348, 504 illegal 108, 135, 140–41, 145, 171, 179, 213 impact of identity crime 187, 189, 191, 193, 195, 205, 207, 209, 211, 213, 215, 217, 219, 221, 235 impersonation 85, 169–70, 221, 237, 239, 350, 378, 497, 569, 585, 633–34
758 Index imprisonment 280–82, 289–90, 295, 299, 308–14, 318, 356–57, 386, 413–17, 420–25, 427–29, 431–32, 445, 456–60, 462–74, 476–79, 487, 504–8, 512, 515–18 India 254, 556, 602 indictment 13, 127, 296, 303, 493, 498, 504, 508, 510, 512, 519–20 Information Act 434, 521 information systems 39, 137, 245, 344, 555, 585 insurance 132, 140, 145, 165, 167, 170–71, 176, 324, 326–27, 666, 675 Internal Revenue Service 137, 157, 160–61, 180, 232, 312, 344, 539, 579, 599, 606 international community 10, 16, 21, 24, 251, 547, 583–84, 670–71, 703–4, 706 Internet 6–7, 15–17, 41, 71, 84, 95–96, 122–23, 575–77, 602–3, 607–8, 623–24, 640, 649–51, 655, 670–75 interstate 16, 272, 302–3, 309, 534, 541 investigations 9, 11, 13, 104, 106, 108, 146–47, 159, 176, 182, 222–23, 241–43, 359, 674–75, 690–92 congressional 53 cross-border 576 national security 256 jail sentence 374 five-year 159 judges 10, 14, 50, 52–53, 285, 295–96, 317, 320, 376, 401, 421, 425, 427 jurisdictions 8–9, 11, 13, 46, 49, 52, 55–56, 244, 250, 359, 547, 569–70, 670, 689, 691 civil law 39 common law 39 federal 253, 272, 297, 349 legal 6, 704 political 16 territorial 244, 689 justice 64, 255, 273, 275–80, 359–60, 414, 416, 531–32, 534, 551–52, 558, 565 obstruct 6, 282, 416, 680 k-anonymity 653–54 kba systems 644 knowledge 109, 111, 149, 193, 261–62, 271, 299, 365, 376–77, 437–39, 475, 496–97, 626–27, 649, 680 actual 313 defendant’s 292
personal 635 technological 85 victim’s 68, 91, 118 knowledge-based authentication (kba) 606, 643–44 landlords 79, 168, 171 larceny 10–11, 14, 49, 321, 350, 492, 675 larceny statutes 10, 257, 322 law enforcement authorities 177, 184, 212, 220, 533–34, 536, 545, 571, 574, 578, 580 Law Enforcement Effectiveness Law 570 lawful authority 3, 64, 261–63, 265, 271, 281–83, 290, 292, 296, 399–400, 423, 507, 519–21, 678, 680–81 laws 8–11, 16–19, 35–37, 113–15, 248–50, 252–55, 258–68, 316–18, 407–13, 437–39, 441–44, 446–51, 499–502, 537–40, 572–73, 576–77, 615–18, 674–76, 689–93, 703–7 civil 536 common 40, 253 domestic 681, 683, 685, 688, 690, 692, 695, 697 employment 14 immigration 314, 316, 534 international 10, 575, 595 local 261, 263, 271, 281–83, 296, 571 national 11, 18, 22–23, 240, 452, 541, 569, 609–10, 613, 674 regional 57 stolen property 56 legal identity 26–27, 35–37 legal systems 31, 34, 36, 38–39, 253, 569–70 legislation 18–19, 36–37, 237, 240, 287–88, 521, 523, 526, 544, 670–71, 684–85, 692, 694, 705, 708 federal 270 international 705 national 542, 705 lenders 120, 131, 133, 146, 149, 151–52, 173, 232, 289, 366 liabilities 31, 47, 50, 228, 230, 314, 322, 337, 440, 679, 684 civil 383 consumer’s 301 limiting 405 licenses 25, 64–65, 102, 105–6, 135, 138–41, 270, 294, 498, 502, 506, 579, 581
false driver 489 fishing 628 marriage 36–37, 106 mortgage broker’s 148 public 628 valid 14, 676 loan fraud 55, 65, 69, 116, 129–30, 231, 350–51, 361–62, 371–72, 384–85, 393 loans 97, 100, 116, 119, 129–30, 132, 146–48, 150–52, 214–15, 217, 229–31, 300, 332, 365–66, 482–83 government-insured 148 home 147 mortgage 148–49, 231, 274 losses 58, 68–69, 119–20, 188, 191–92, 196–97, 200–202, 206–7, 209, 212, 220–24, 229–31, 286–87, 374, 446–47, 458–59, 461–65, 511, 663–64, 668–69 accidental 527 annual 703 average 220 economic 381 non-financial 9, 196, 207 risk of 20, 458–59, 509, 511 social 201 mail redirecting 67, 73–74, 555, 591 registered 142 mailboxes 67, 183, 193, 566 mail receptacles 448, 465–66 mail theft 17, 70, 74, 84, 142, 183, 428, 572, 596 malware 17, 67, 80, 83–84, 89–92, 94, 190, 193, 703 markets 63, 71, 104, 107, 121, 129, 133, 425, 608, 613 expanding 104 worldwide 110 measures bioverification 581 legislative 699 organizational 527 media, major statewide 369 medical histories 166–67, 233, 564, 594, 664 medical identity crime 161–64, 167, 171, 233–34, 563–64, 594 medical records 162–64, 166, 233–34, 386, 481, 541, 629 Medicare services 137, 185
Methods alternative anonymity 660 computerized 255 data collection 631 risk-free 204 Mexico 103, 106, 112, 179, 181, 254, 289 misconduct 5, 47, 405, 413, 423, 440 mobile phones 87, 493, 632–33, 659 model current anonymity 660 economic 201 impact minimization 20 threat analysis 189 vector-space 642 money drug 181 easy 164 extort 178 launder 103, 174 loan 131 lost 132 obtaining 12, 309, 355, 398, 425, 457 refund 157 MoneyGram 131–32, 144 money-laundering 175, 238, 242, 569 mortgage companies 64 payments 149 National Document Verification Service 452, 541 National Identity Register 499, 502, 507–9, 542 National Identity Security System 452, 541 nationality 7, 237, 293, 348, 479, 601, 689, 691 nations foreign 537 island 88 largest 57 naturalization 315–16 network 22, 96–98, 123, 175, 622–23, 626, 647, 651, 697–98 personal 31 public communications 685 social 17, 97, 110, 632, 658–60, 704 telecommunications 467 wireless 96, 124 neutralization theory 198–99, 204, 567 New South Wales Crimes Act 451, 490
New York statutes 374, 380 noncompliance 179, 361, 436 oecd (Organization for Economic Cooperation and Development) 612 offenders 66, 71–75, 79–87, 89, 92–96, 128–30, 137–38, 150–52, 191–96, 199, 201, 217, 222–23, 386, 396–97, 417, 425–26, 468, 503–4, 565–68 actual 220 convicted 202 malware 87 prosecuting 570 online fraud 549, 556 identity theft 9, 86, 88, 110, 248 transactions 158, 550, 638 organizations 30–31, 36–37, 67–68, 77, 187–90, 211–12, 391–92, 436–42, 546–47, 551–55, 559–60, 577–78, 587, 602, 605–8, 610–12, 620–21, 662, 664–70, 703–6 charitable 144, 174 financial 106, 220 for-profit 14, 545, 708 governmental 7 international 10, 18, 236, 249, 435, 704 large 94 legitimate 159 loan 231 nonprofit 21, 616 telecommunication 431 terrorist 8, 174, 176, 287, 340 third-party 75 trusted 133 underground 97 ownership 149–50, 425, 453, 455–56, 486, 491, 586, 600 Palermo Convention 575, 598 passports 36–37, 97, 105–7, 134, 138–39, 274, 276, 291, 409, 414, 418–19, 475–77, 502, 519, 579 authenticate 548 bio-metric 102 foreign 378, 474–75 forged 410, 414, 418 legitimate 104 unique 180 Passports Act 451
password fatigue 644 passwords 77, 80–83, 87, 93, 303–4, 395, 397, 431, 548–50, 580, 588, 590, 637–41, 643, 645 alphanumerical 639 reset 643 Patriot Act 340, 348, 539 Payment avoiding 155 initial 335 late 217 missed 335 overdue 483 received 289 refund 157 payment methods 428–29, 441–42, 677 payroll companies 559 PbD. See Privacy by Design Penal Law 322, 371–72, 374–79 penalties civil 383 effective 247 enhanced 290, 536, 571 legal 55 misdemeanor 374 potential 537 permission 44, 72, 151, 351, 380, 394, 649, 653, 666 personal information 47–48, 50, 66–68, 70–71, 75–77, 79–83, 89–93, 95–98, 121–23, 130, 132–34, 405–6, 433–39, 442–44, 481–84, 559–61, 577–78, 602–3, 616–18, 656–57 Personal Information Protection Act 397 phishing 17, 67–68, 71, 81, 83, 85–86, 88–89, 91–93, 112, 121–22, 130 crimes 143 scams 81–83, 85, 89, 159, 216 systems 86 photographs 37, 104, 139, 144, 275, 279, 303, 315, 334, 418, 443 pii (Personally Identifiable Information) 16, 602–4, 609, 614, 623–25, 632, 634, 645, 661, 664, 667–69 pin (Personal Identification Number) 77–80, 112, 120, 352, 356, 363, 367, 395, 398, 549, 580, 638, 641 pipeda (Personal Information Protection and Electronic Documents Act) 436–37, 616–17
Index policies common criminal 22, 250, 673 effective risk management 555 international 609 procurement 559 public 205 reasonable 330 powers defendant’s 374 procedural law 22 President’s Identity Theft Task Force 119, 162, 548, 563, 570, 574, 579, 584 prevention approaches 14, 213, 545, 708 principles legalistic 617 policy 248 privacy 15–16, 21, 213–14, 339, 346, 404–5, 481, 601–11, 613, 617–29, 631–35, 641, 649–53, 657–63, 665–69, 706 appropriate 574 concepts 618, 634 defining 622 increasing 605 medical 163 personal 214, 345, 582, 602 protecting 39, 603, 607, 615, 651, 653, 662, 669 risks to 627, 641, 645 significant 641, 659 violations of 608 Privacy Act 212, 221, 342–43, 405, 433–37, 481–82, 484, 610 Privacy by Design (PbD) 601, 603, 607, 615, 634, 666–69 Privacy Enhancing Technologies (pet) 652, 654, 662 privacy laws 164, 405, 455, 540, 559, 592, 610, 617, 629, 662 privacy policies 606–7, 615–16, 621 privacy protection 15, 344, 610, 616, 639, 653 privacy rights 650 individual 598 privacy technologies 601, 605, 668–69 private sectors 244, 247–48, 559, 563, 574–75, 577–79, 583–84, 597, 599, 608, 610, 614–15, 617 problems global 10 large 244
761 legal 171 tenant-related 171 procedures judicial 344 on-line searching 349 stringent 150 trading 129 proceedings, civil 371 process binary 665 credentialing 168 data mining 631 electronic 672 evaluation 587 lifecycle 666 passive 194 psychological 198 social 203 terminal 78 two-part 548 processing analytic 631 automatic 81 unlawful 527, 602 productivity, lost 209, 221 programs anti-money laundering 177 international 574 national 538 property 28, 34–35, 146–49, 151, 172–73, 232, 267–68, 285–86, 308–9, 321–22, 379–80, 416, 418, 425–26, 432–33, 454, 456–58, 491–92, 513–14, 682 appraised 274 foreclosed 147 intellectual 93 renting 219 vacant 147 prosecuting 14, 22, 158, 218, 223, 226, 244, 406, 533, 543, 545 protection comprehensive 57 consistent 618 criminal law 240 foreign 530 substantive 618 virus 99 pseudonymity 652, 662–63 punishment 58, 196, 201, 203, 280–81, 283–84, 295–96, 313–14, 317–18, 414–17,
762 Index punishment (cont.) 420–25, 427–29, 431–32, 462–65, 474, 504, 506–8, 515–16, 681–82 actual 568 basic 281 fitting 285 light 565 minimal 568 minimum 283 perceived 568 potential 429 Queensland Criminal Code Act 451, 488 ransom 113, 144 rationalizations for crime 18, 198–99, 203–4 refunds 103, 157, 159–60, 172, 289, 309, 312 lost 135 unwarranted 101 regulations 37, 329–30, 333, 336, 343, 347, 434–35, 437–38, 467, 586, 661–62 government compliance 664 regulatory authorities 629 relationship 27, 34, 38, 41, 44, 238, 242, 634–35, 652, 657, 695, 699 close 551 effective 657 mathematical 659 mediating 635 one-to-one 636, 646 significant 202 social 12, 25, 33, 35–36 reproduction 379 unauthorized 278 research marketing 1 medical 532, 650, 655 off-line 644 resources collective 584 digital 41 financial 163, 193, 286, 386, 395, 683 human 31 limited 136, 574 network’s 647 world’s 13, 707 rights expanded 563 fundamental 685
legal 532 subscriber 341 risk greatest 604 high-impact/high-probability 189 low 71 minimal financial 121 risk categories 553, 589 Risk Impact/Probability Chart 189 risk managers 556, 591 scams 81, 83, 85, 88, 106, 123, 127, 129–30, 143–44, 147–50, 159, 171–72, 176, 178, 231–32 astrological 145 financial 141 home improvement 146 prevalent 184 student loan 129 telemarketing 127 schools 12, 108, 131, 272, 277, 347, 417 government-sponsored 277 security 80, 84–85, 213, 339, 420–21, 424–26, 469, 474–75, 480–81, 553–55, 564, 573, 589–91, 597, 637–38, 640–43, 662–63, 669, 674–75, 695–96 actual 320 criminalize 249 extreme 141 global 583 high levels of 606, 649 increased 213 optimal 645 security measures 68, 79–80, 207, 439, 529–30, 559, 583, 643, 664, 667, 669 sentences appropriate 295 base 281 enhanced 285, 288, 536 fixed 517 guideline 284 service providers 332, 645–46, 685–86, 688–89, 696 financial 122 mobile 346 services communication 686 delivery 144 financial 54, 178
Index forwarding 360 healthcare 532 household 208 mail-forwarding 656 medical 17, 394, 704 military 123, 327 public utility 360, 404 social 40, 166, 196 support 317 telephone 217 sex trafficking 317 sites money-laundering 111 popular Internet shopping 110 social network 634, 660 skills, technological 98, 193 smishing 17, 87, 703 smuggling 139, 181, 212, 222, 444 Social Insurance Number 73, 413, 415, 677 Social Security Act 137, 276, 290, 293, 534 social security numbers 38–39, 100–101, 109–12, 123, 130–38, 150, 156–57, 160, 171–72, 179–80, 273–76, 283–84, 288–90, 309–10, 376–77, 547–48, 556–58, 560–63, 597, 663–65 society costs to 212 general 218 modern 28, 220, 657 software 4, 92, 96, 555, 561, 591, 593, 623, 626–27, 632–33, 647–49 malicious 91–93, 99, 123, 134, 248, 649, 664 South Australia 5, 19, 114, 253, 454, 456, 484 spyware 17, 71, 80, 90–91, 93, 95, 122, 133, 572, 596, 703 stability 425–26 emotional 32 financial 247 stakeholders, internal 554, 591 standards 11, 22, 41, 50, 345, 539, 543, 553, 610, 613, 617 statistics 11, 18, 54, 56, 68, 199, 223, 249, 256–57, 287, 405–6 statutes 4–5, 18–20, 239–40, 252–77, 280–81, 295–98, 300–319, 321–23, 350–51, 353–55, 373–76, 378–80, 397–98, 407–14, 440–43, 446–51, 490–92, 494–502, 519–20, 531–38
civil 322, 363, 534 critiqued 705 identity-crime-related 257, 296, 354, 390, 399, 407–8, 418, 499 non-criminal 252, 540 wiretap 346 strategies comprehensive 23, 542 international 585 prevention/minimization 546, 587 surveillance 174, 183, 205, 238, 619–20, 634, 685 systems 7, 91, 93–95, 536, 542, 547–48, 555, 585–86, 603, 607–8, 611–12, 627, 636–38, 641, 645, 647–49, 652, 662–63, 667–68, 687–88 automated 43, 549 bank card 111 bankruptcy 172 biometric 636, 640–41 client-server 644 constitutional 699 cultural 199 digital 67 e-commerce 647 electronic 337, 348 expensive 637 higher education 168 large 94 password-based 640 protected 646 two-factor authentication 548, 638 Tasmania Criminal Code Act 451, 494–95 taxes 17, 65, 103, 142, 145, 155–57, 160–61, 177, 179, 232, 435 tax refunds 145, 156, 160–61, 673 large federal 157 techniques 66, 68, 80–81, 85–87, 89, 543, 545, 559–60, 583, 586–87, 632, 634, 651, 659, 662 data theft 17, 80, 703 identity fraud prevention 574, 576 identity management 706 technologies commercial 244 computer chip 102 cyber 67 data mining 629
developing 21 eavesdropping 346 electronic screening 555, 591 emerging 642 modern 569 outdated authentication 644 privacy enhancement (PET) 606 retinal scan 581 tracking 659 wireless 95 Telecommunications Act 341, 467 terrorism 9, 61, 66, 173–76, 181, 190, 197, 238, 242, 287, 290 international 139, 177, 282, 314 national 282 Terrorist Financial Review Group 176 terrorists 8, 102, 139, 173–76, 189–90, 195, 197, 202, 287–88, 502 international 175 Texas court 365, 370 Texas penal law 363 theft 4–6, 10–11, 16–17, 46, 48–51, 66–68, 76–77, 187, 211–12, 230, 280–81, 293–94, 320–22, 355–56, 370, 401–6, 408–9, 426–27, 455–56, 513–15 bike 187 debit card 124 federal 322 non-identity-related 321 petty 355 Theft Act 500–501, 510, 513–15 theft statutes 18, 20, 426, 456, 705–6 federal 321 theory 32, 35, 200, 203–5, 567 threat agent assessment 23, 190, 543, 587 threat agents 187–93, 195, 197, 199, 201, 203, 205, 207, 209, 211, 213, 215, 233–35, 545–46, 586–600 addressing 187 criminal 189 examined Identity crime 205 identity-crime 669 incentivize 704 particular 189, 547 threats 10, 13, 176, 178, 187–90, 192, 197, 200, 211–12, 214, 303, 474, 479–80, 546–47, 707 anticipated 339 common malicious 22
cyber security 614 determination of 189, 546 external 664 growing 86, 708 major 158, 242, 632, 661 potential 213, 587, 610, 632 privacy-related 623 trafficking 19, 60–61, 113, 262–64, 298–99, 303–4, 411, 413, 415–16, 418, 440, 461, 480, 495, 512–13, 515 training 245, 247, 249, 577, 584–85, 599–600, 614 additional 227 security awareness 585 transactions 29, 31, 78, 120–21, 151–52, 228, 230, 296, 300–301, 326–28, 336–37, 394–95, 554–56, 590–91, 635–36 blocked 329 commercial 43, 647 daily 43 e-commerce 553 faceless 606 face-to-face 6, 80, 236 financial 80, 168, 177, 433 high-risk 549 legitimate 78 repeated 324 societal 666 transfer automatic 331 forced 196 order balance 551 unauthorized 283–84, 337, 493 transnationality 242, 245, 585 travel, international 238 United Nations Manual 549, 572 United States Code 51–52, 125, 137, 143, 269, 293, 319, 322, 534 United States Federal Bureau of Investigation 146 United States Federal Trade Commission 116 unlinkability, absolute 652 usernames 27, 87, 134, 306, 395, 489, 638, 641, 645–46 users ATM 78, 193 authenticating 639
everyday 94 monitoring 580 smartphone 641 verified 636 value economic 379 equal 668 false appraisal 146 market 12 negative 29 retail 294 significant 80 street 106 verification 23, 74, 544, 547–48, 557, 599, 602–3, 606, 609, 634–37, 642 fake security 87 independent 667 knowledge-based 606 victims 65–71, 77–80, 82–83, 89–93, 115–19, 125–27, 130–32, 142–46, 160–64, 170–73, 195–99, 206–9, 214–19, 224–28, 230, 286–88, 358–61, 364–66, 380–81, 400–402 alleged 371, 402 direct 81 identity-fraud 47, 50, 679 multiple 206, 216, 256 violation federal 140
firearms 256, 534 immigration 180 technical 617 traffic 363 vulnerabilities cross-site scripting 89 exploiting security 92 SQL injection 89 wardriving 17, 95–96, 704 weaknesses systemic 73 system’s 232 wire fraud 127, 156, 268, 293, 297, 309–12 wire fraud statutes 252, 309 wire transfers 144, 179 unauthorized 126, 178 workers 190, 233, 386, 554, 561, 590, 655 illegal 135 low-wage 135, 232 medical 163 social 137 temporary 290 world digital 41–42, 44 financial 246 global 168, 665 modern 39, 655, 670 physical 23, 28, 43 virtual 13, 23, 675