You are here: Resources > FIDIS Deliverables > Forensic Implications > D5.3: A Multidisciplinary Article on Identity-related Crime > 
A categorisation of rearrangement of identity linkage  Title:
 A technical categorisation of identity-related crime: identification attacks


A conceptual categorisation of identity-related crime

‘Identity-related crime’ can be defined as all punishable activities that have identity as a target or a principal tool (Koops & Leenes 2006). It merits being treated as a distinct, novel category of crime, because combating these crimes requires special knowledge and understanding of identity-management systems and their vulnerabilities, because public awareness should be raised, and because victims suffer from these crimes in special ways, for instance, by being blacklisted.  

A categorisation of identity-related crime can be distilled from the categorisation of rearrangement of identity linkage, namely, by distinguishing in all categories a subcategory of unlawful activities.  

Identity collision has been defined as happening accidentally; the intentional colliding of identities falls within the category of identity change. Since crime usually involves intent, identity collision will be considered unlawful only in very rare cases. Unintentional acts are occasionally deemed unlawful, notably when a high risk is involved – e.g., accidentally cutting off the power of a hospital – or when someone is in a position, known in German legal doctrine as Garantenstellung, where she ought to be particularly careful; for example, a system administrator in a power plant is punishable if she accidentally uploads a program with a virus. Applying this to identity collision, someone might be considered to act unlawfully if she has the same name as a contentious public figure, such as Ayaan Hirsi Ali, and writes during the climax of cartoon-gate in a blog that she will visit Cairo next week, forgetting to mention that she is not the famous politician, and thus accidentally causes violent demonstrations in Cairo resulting in deaths of several by-standers. As she ought to have known that this was a possible result, she could be held liable through criminal law or tort. This admittedly is a far-fetched example, suggesting that the category of unlawful identity collision is small indeed and had presumably better be left out of the typology of identity-related crime.

Identity deletion is a more relevant category from a criminal perspective. When someone has (part of) her identity deleted by someone else or when identification is blocked, this can have severe consequences, for instance, when a hacker destroys patient records in a hospital computer system. For such an act to fall within the scope of ‘identity-related crime’, however, the destruction of the patient record should be done with the goal of destroying a patient’s identity. Otherwise, it simply is a matter of data interference that need not be labelled ‘identity-related crime’. Most instances of unlawful identity deletion will actually fall in traditional categories of crime (e.g., damage to property, data interference, slander). Nevertheless, it is useful for legislatures to analyse whether intentionally erasing someone else’s (partial) identity or intentionally blocking identification merits specific criminalisation, given that people can hardly function within (a sector of) society if their existence in (sectoral) files and computer systems is denied.

When someone destroys (part of) her own identity, this may well be considered unlawful; several countries, for instance, have criminalised destroying an official ID, and they consider it unacceptable when asylum seekers destroy their passport before arrival. However, as Rost, Meints, and Hansen rightly point out (Leenes 2006, p. 55), the latter could be seen as building up a new identity rather than merely destroying an old identity, and this could therefore be dealt with in the category of identity change. 

Identity restoration is usually perfectly acceptable, and will normally be done by the identity bearer herself. The prototypical example is Mark Twain, who, after having been proclaimed dead by a newspaper, told the world that reports of his death were grossly exaggerated. Unlawful identity restoration may, however, occur when someone reinstalls part of her identity without right, for example, when a physician with a disciplinary prohibition to work in the medical field reassumes the role of physician, thus misleading the public, or when an ex-Beatle announces a solo performance under the name of The Beatles. These examples suggest that unlawful identity restoration by the identity bearer usually involves roles rather than identifiers. When identity is restored by someone else without the consent or knowledge of the person whose identity is being restored, this may be unlawful as well. If an ex-mafia criminal, having served as a crown witness, has received a new identity in a witness protection program (which is lawful identity creation), it would be unlawful identity restoration to make public the link between the ‘new’ physical person and his old, ex-mafia, identity, thus putting his life at risk.

Altogether, the above categories can be thought of as overseeable and minor phenomena when compared to the category of identity change. It is enticing to equate unlawful identity change with ‘identity fraud’, because many uses of identity change indeed boil down to fraud. This risks neglecting the fact that unlawful identity change can also be driven by non-economic motives, and hence not all misuse amounts to fraud in the usual penal sense. One may, for instance want to use someone’s identity to harm his reputation, or to let someone else in for a crime, for example by giving, when drunk, another’s name to a police officer stopping your car; this, in the US, is usually called ‘criminal identity theft’ (PRC 2002). Nevertheless, the major part of unlawful identity change typically contains an element of fraud. We therefore call the category of unlawful identity change ‘identity fraud’, defined as fraud or another unlawful activity committed with identity as a target or principal tool (based on Koops & Leenes 2006). Each of the four subcategories of identity change has a substantial unlawful subcategory.

Unlawful identity delegation occurs, for example, when a director gives the password to her digital signature to her secretary to sign documents he is not authorised to sign, or when David Beckham authorises a look-alike to open a new supermarket and to share the considerable fee offered by the supermarket between them. Unlawful identity exchange can take the form of someone visiting his brother in prison and remaining behind while the convict walks out, or – depending on the terms and conditions – of customers swapping loyalty cards to thwart a supermarket’s profiling. Unlawful identity creation occurs when, for instance, someone uses a self-generated credit-card number that fulfils the characteristics of credit-card numbers.

Most importantly, unlawful identity takeover is when someone uses the identity of an existing person without that person’s consent, for some unlawful purpose. This is what is usually called ‘identity theft’: fraud or another unlawful activity where the identity of an existing person is used as a target or principal tool without that person’s consent. ‘Identity theft’ is a rather awkward term, since identity is not something that is typically stolen. A characteristic of theft, after all, is that the owner no longer possesses the stolen thing. With identity, this is usually not the case: the victim of identity takeover still retains her identity, or so we hope. We should therefore speak of ‘identity “theft”’ rather than of ‘identity theft’ (Koops & Leenes 2006).

On the basis of the distinctions we have made, the following – conceptual – categorisation is established of all forms of rearrangement of identity linkage and identity-related crime. 

Identity-related Crime 


Figure 2: Categorisation of rearrangement of identity linkage and identity-related crime 

This categorisation clarifies what constitutes identity-related crime, as a subcategory of rearrangement of identity linkage, at a conceptual level. This is a necessary first step in understanding identity-related crime, but it is only a beginning. In real life, after all, crimes are not committed through concepts, but through – often technical – tools and activities. If we are to combat identity-related crime, we therefore need to understand not only what type of crime is being committed, but also how it is committed. This calls for a categorisation of attacks on identification, which is technical in character.


A categorisation of rearrangement of identity linkage  fidis-wp5-del5.3-identity_related_crime_def_01.sxw  A technical categorisation of identity-related crime: identification attacks
7 / 12