Title: BACKGROUND

Background

Identity

Before we proceed to analyse identity-related crimes, we need to briefly look at identity itself. Identity is a complex concept with, at least, philosophical, cultural, and psychological connotations. A basic distinction relevant here is the one between idem identity, i.e., sameness of things or persons, and ipse identity, i.e., personal identity in the meaning of an individual’s sense of self. In this article, we focus on idem identity, the match between an identifier and a natural person (see Hildebrandt, 2007). Idem identity needs to be further refined, though. The UK Cabinet Office (Cabinet Office, 2002) distinguishes three elements of identity that can be used to identify an individual:

1. attributed identity: attributes that are given to a person, usually at birth, such as name, date and place of birth;

2. biometric identity: attributes that are more or less unique to a person, such as iris, fingerprint, retina, DNA profile, gait, dynamic signature, keystroke behaviour;

3. biographical identity: attributes that build up over time, consisting of life events and how a person interacts with structured society, including registration of birth, details of education and qualifications, employment history, registration of marriage, mortgage account, and property ownership.

This distinction is not always sharp; identifiers such as credit-card numbers, for instance, are not obtained at birth, but fall somewhere between attributed and biographical identity. In this article, we will use attributed identity to denote the set of all attributes that are given to a person by the state, therefore including identifiers such as national ID numbers and social-security numbers, or by enterprises, such as credit-card numbers or bank account numbers provided by banks.  

In addition to the Cabinet Office’s aspects, at least one other element of identity should be taken into account:

1. chosen identity: attributes that are chosen by a person (author pseudonym, nickname, username, password, avatar, etc.).

The four elements of idem identity can be classified in various ways, which may help in illuminating strengths and weaknesses of identification processes. For example:

For the purposes of this article, it is useful to see how the elements of idem identity relate to crime. Attributed identity data are a prime area for identity-related crime because they generally provide access to services and are also relatively easy to obtain, e.g., by fabricating or stealing documents. Biographical identity relates to ‘softer’ attributes built up over time, such as employment history. These data are less likely to provide access to valuable services, although they can also be used to lure people into false beliefs that may subsequently facilitate fraud. For instance, a person could fabricate a curriculum vitae showing she is a very successful stockbroker, in order to persuade people to let her handle their investment. The third kind of identity data are biometric attributes. The Cabinet’s Office report states that these can not be assumed by someone else, but this is incorrect. Some biometrics can be mimicked by others, gait for instance, even though this may be difficult in practice. Other biometrics, such as fingerprints, can be forged and used for fraudulent purposes without knowledge or co-operation of the person the biometric features physically belong to. The fourth kind, chosen identity, contains data that are equally sensitive to identity-related crime as attributed identity, notably user names and passwords; other types of data, such as nicknames or avatars, are not directly prone to facilitate identity-related crime, although theoretically, they might facilitate more exotic forms of crime, such as posting a weblog comment under a renowned pseudonym that belongs to someone else.

Communication steps

Identity-related crime always takes place in a social context: if a (digital) identity is not used in social interactions, then obviously misuse is not an issue. Hence, we start our discussion from the perspective of social systems. In a communicational context, at least three aspects can be important:

1. the identity of the participants in the communication (who);

2. the social system (where):

   1. organisational, where participants take roles such as members or clients of organisations (e.g., enterprises or governmental agencies); 

   2. interactional, where participants take informal roles that show a certain variety, such as friends, neighbours, etc.; 

3. the role participants are taking in this specific communicational context (how), for example, the role of employee, customer, or teacher.

Usually, to set up a communication, people go through the following steps. 

1. Addressing: participants in a communication address each other, for example, with a salutation (‘Hello Mike!’ or ‘Mr. President’) or other identifiers such as bit strings in the digital world (e.g., e-mail addresses). In some cases, the chosen form also allows to determine which role in which social system the participants are going to take in the communication.

2. Authentication: participants check whether the identifier, the social system, and the claimed role properly link to a specific physical person. In the physical world, this is done for example by inspection (looking into each other’s eyes or at uniforms, badges, clothing), listening to the tone of voices, interpreting gestures, etc. In the digital world, formalised authentication procedures are used for this.

3. Authorisation: participants decide which claims for commitment are connected to the specific communicational context. A close friend, for example, can expect a high level of commitment, while a vendor will not expect this from an unknown customer. The role of a communication partner is important for defining her rights and duties: the same question may have quite different implications when asked by a police officer in function or when asked by her off the record during a game of golf among friends. In the digital world, authorisation is typically implemented based on technically defined roles, for example, in Identity Management Systems (IMS).

Step 1, addressing, is preparatory to identity management, which typically involves authentication and/or authorisation. Errors made in the addressing stage of step 1, also in the punishable sphere, need not be considered as identity-related crimes. For example, when a customer is addressed as ‘You filthy Jew, what do you want?’ or when a police officer is addressed as ‘Hey, motherf***ing scumbag’, this does not fit our notions of rearrangement of identity linkage or identity-related crime (see below) and idem identity, but rather falls into the category of hate speech and ipse identity. Nevertheless, some errors in step 1 may be considered as an identity-related crime, for instance when an e-mail address in a message in transport is changed by a hacker, thereby preventing the message from being delivered (see below on identity blocking).

Steps 2 and 3 lie at the heart of IMS as they are being developed today. They are often taken consecutively in communication processes. Step 2, authentication, establishes familiarity with the identity of the communication partner, and step 3, authorisation, creates familiarity with the role of the communication partner. Step 2 in practice is often skipped when for the purposes of the communication, only the role and not the identity is relevant (‘Doctor, I have a headache’). In these cases, problems may arise because of the assumption that the role is actually taken by a person authorised to play the role. For instance, the assumed doctor can be a quack or a con-artist who nevertheless does charge for a consultation concerning the headache.