Conclusion: addressing identity-related crime

It is not the aim of the article to analyse current initiatives to combat identity-related crime; we refer to other studies providing overviews (Gill et al. 2006; Van der Meulen 2006). Here, we restrict ourselves to noticing that the strategies – if existent at all – seem partial at best. Although the United States seems to be more developed than most European countries in initiatives to combat identity-related crime, both in criminalisation and public-awareness campaigns (cf., Van der Meulen 2006), the US approach is largely restricted to identity ‘theft’ and therefore tends to overlook other types, such as unlawful identity deletion and unlawful identity exchange or delegation. In the EU, some policy measures have been proposed, but these are quite limited and also largely restricted to financial identity ‘theft’ (European Commission 2004; Van der Meulen 2006, pp. 21-22). A striking reverse example is the Netherlands, where policy documents tend to focus on look-alike fraud with ID documents and giving false identification data in asylum procedures, but where – at least at the government level – financial identity ‘theft’ receives less attention. Our conceptual categorisation helps in showing the partial nature of these approaches and determining possible gaps in counter-strategies.  

This is particularly relevant since counter-strategies should integrate technical, organisational, and legal measures (Leenes 2006, pp. 116-118). It is not for nothing that we call identity-related crime a new type of crime that merits separate attention (supra, section 4): many types of identity-related crimes can be committed by similar modi operandi, and they may be facilitated by similar vulnerabilities in identity-management systems. An integrated approach is needed to determine the weakest links in identification management and to devise the most effective and efficient countermeasures. Here, the technical categorisation of identification attacks and the legal categorisation of identity-crime-related legal provisions can serve as tools to analyse these weaknesses and countermeasures.

To illustrate this, we briefly survey several countermeasures currently taken by governments or suggested in academic literature. The initial target of these often appears to be the perpetrator. In the United States, for example, the first policy initiative focused on criminalising identity ‘theft’. Over the years, however, many have argued for the ineffectiveness of fighting identity ‘theft’ simply through criminalisation. Pontell, for example, argued how ‘[t]rying to deal with identity fraud through criminalization alone, cannot serve as an effective means of control’ (Pontell 2002, p. 14). Solove provided a more extensive argument: ‘[u]nderstanding identity theft in this manner—as a form of criminal activity to be stamped out through criminal law—misconstrues the problem in a profound way. (…) Identity theft is a consequence of an architecture, one that creates a series of vulnerabilities. This architecture is not created by identity thieves; rather, it is exploited by them’ (Solove 2004, p. 4). Thus, the target of policy initiatives needs to shift from the perpetrators of the crime to the (in)direct enablers of the crime.  

Both policy makers and authors have recognised how increasing corporate liability and responsibility is another valid option in the fight against identity fraud. Bruce Schneier describes how ‘network security is a business problem. The only way to fix it is to concentrate on the business motivations. We need to change the economic costs and benefits of security. We need to make the organizations in the best position to fix the problem want to fix the problem’ (Schneier 2004, p. 4). Because security is often far from a business priority, several US states have introduced breach-notification laws, requiring organisations to notify individuals when their personal information has been compromised. Some argue, however, that such laws are unnecessary and may cause more harm by forcing consumers to be notified even when no potential damage is envisioned; consumers could thus become desensitised and, as a result, would not take any precautionary measures when there is a serious breach.

Another element in the technical-organisational sphere is introducing better methods of verification. Lopucki claims ‘that creditors and credit-reporting agencies often lack both the means and the incentives to correctly identify the persons who seek credit from them or whom they report’ (Lopucki 2001, p. 94), but this is only partially correct. Creditors and credit-reporting agencies, at least in the US, lack the incentive to correctly identify users, although the means certainly exist. From a cost-benefit perspective, however, it is currently more advantageous for creditors and credit-reporting agencies to continue existing practice, as their costs of identity ‘theft’ do not outweigh their costs of increased security. At the same time, from the consumers’ perspective, there is a trade-off between enhanced security and user-friendliness: using multi-barrier identification measures, i.e., two or more identification mechanisms rather than single ones, enhances security but is likely not to be adopted by users, unless strongly pressured by governments to adopt them (Mitchison et al. 2004, p. 29).  

Consumers, then, also need to be targeted by initiatives. Raising public awareness is an essential element of the overall fight against identity ‘theft’. As Johnson notes, however, ‘[i]t is important to recognize that public education efforts can only go so far with combating the growth of identity crime. Because social-security numbers (SSNs), in conjunction with other personal and financial identifiers, are used for such a wide variety of record keeping and credit related applications, even a consumer who takes appropriate precautions to safeguard such information is not immune from becoming a victim’ (Johnson 2004, p. 56).  

This brings us to a final remark illustrating the failure of current piecemeal approaches. The Dutch focus on identity fraud as look-alike fraud and asylum-seeker fraud implies that countermeasures are limited to ID documents. At the same time, the Dutch legislator introduced a unique citizen number, the ‘Citizen Service Number’, to be used broadly within government, rather mirroring the US social-security number, and thus severely enlarging the risk of financial identity fraud and identity ‘theft’. Since this type of identity-related crime was not prominent in the legislator’s mind, the risk was almost completely disregarded despite warnings by the Council of State and the Data Protection Authority (Van der Meulen, pp. 26-27).

Our brief scan of countermeasures suggests that there is yet much work to do in combating identity-related crime. The conceptual, technical, and legal categorisations outlined in this article can assist researchers and policy makers in this task, by providing a comprehensive framework that covers all relevant aspects to be taken into account. 

 
