Title: INTRODUCTION

Introduction

Identity theft, or rather identity ‘theft’ since identity is not usually taken away from the owner but rather copied, is generally perceived as a growing problem. Although it existed well before the Internet, its growth has accelerated enormously in the Internet era. Especially in the US, a large number of incidents involving identity data, such as social-security numbers and credit-card numbers, have been reported in recent years. The annual losses due to ID ‘theft’ in the US since 2003 are estimated at $50 billion. Also in Europe, identity ‘theft’ or, as it is also referred to in Europe, identity-fraud appears in the news on a regular basis and seems to be growing. The UK government repeatedly produced numbers proclaiming annual losses of at least £1.3 billion per year due to ID ‘theft’ (cf., critically, LSE 2005, pp. 103-109). Media coverage especially relates to phishing scams, ‘theft’ of identity data such as credit-card numbers from enterprises, etc.

The seemingly growing number of identity ‘theft’ or fraud should not come as a surprise in the information society. Face-to-face transactions are replaced by ICT-mediated ones, where one’s identity is represented by bits and bytes that are relatively easily obtainable by others. Identifiers – the keys to our digital identities, often numbers or usernames – together with a secret (PINs, passwords etc.) unlock access to financial services (e.g., credit-card transactions) or allow services to be obtained (e.g., social-welfare benefits) and so forth. Given the fact that some of these identifiers can be used for multiple purposes, e.g. systems applying single-sign-on, the attractiveness of appropriating them is obvious. What completes the intuitive explanation of the growth of identity ‘theft’ or fraud is the opacity of what happens with personal data online and the relative inexperience of both users and online service providers in preventing and handling (new) kinds of attacks on personal data.  

The importance of identity in the online world is clear and so is the fact that digital identities give rise to identity-related crime. Far less clear is the wide range of crimes that can be committed in relation to identity – identity ‘theft’ or fraud is actually only one instance of the multi-faceted category of identity-related crime (Koops & Leenes 2006). Moreover, it is also not at all clear what exactly constitutes ‘identity ‘theft’’ or ‘identity fraud’ and how these can be combated (LSE 2005, p. 98; Leenes 2005, pp. 113-117). This lack of precision becomes especially apparent when comparing the various official and media reports on these topics. Hardly ever are definitions provided, even though the statistics play a role in politically motivated discussions and policy decisions. Also, commonly accepted definitions are lacking in the literature. This means that we are at the stage where comparisons of apples and oranges abound and where it is virtually impossible to determine the real incidence of identity-related crimes.

Thus, in order to assess the nature and magnitude of identity-related crimes, and to be able to discuss how they can be combated, we first need to understand the various phenomena captured under the umbrella term ‘identity-related crime’. First key steps to this understanding are clear definitions and a typology of identity-related crime. Building on earlier work concerning definitions (Koops & Leenes 2006), the main aim of this article is to provide a typology of identity-related crime. With ‘typology’, we mean a classification based on types or categories. We will distinguish three kinds of relevant categories: conceptual, technical, and legal. These categorisations together make up a typology of identity-related crime, which is needed to provide a comprehensive framework for research, countermeasures, and policies related to identity-related crime. To our knowledge, the development of a comprehensive typology has rarely been undertaken in current literature; the best attempt to date (Sproule & Archer 2006) provides useful classifications, but is in our opinion too narrow because it pays less or no attention to types like identity deletion and consensual forms of identity fraud, which fall within our definition of identity-related crime (see section 4).

The article is organised as follows. In the following section, we briefly look at identity and communication processes to provide a background for our discussion of identity-related crime. In section 3, we sketch a categorisation of rearrangement of the linkage between persons and identifiers – formulated more easily: ‘things you can do to thwart identification’ – as the conceptual framework of which identity-related crime is a part. In sections 4 through 6, we describe the conceptual, technical, and legal categorisations of identity-related crime, followed in section 7 by a discussion of the complex relationship between these categorisations. By way of conclusion, we sketch some current initiatives taken to combat identity-related crime, and illustrate how our typology may help in exposing gaps in current approaches.