A legal categorisation of identity-related crime

The categorisations of concepts and attacks provide a good basis for analysing and combating identity-related crime. Still, we feel a need to add one more categorisation, namely of legal provisions. This is required to analyse one of the most obvious countermeasures, namely criminalisation. The problem is that, like criminals, criminal law tends not to abide by neat, conceptual distinctions, and unlike criminals, it often disregards modi operandi and defines crimes regardless of the way they are committed. Besides criminal law, civil law (tort) and administrative law (data-protection infringements, for example, or giving a false identity in a naturalisation request) are also legal countermeasures to be considered. Neither the concepts nor the attacks map neatly one-to-one onto unlawful activities as defined in law (for brevity’s sake, we will refer to unlawful activities hereafter as crimes). If we want to know the occurrence of identity-related crime in real life, we need to know which criminal and other legal provisions are used for which types, since available statistics are usually based on the crime for which people are convicted, not on the attacks they used or on the conceptual category of the concrete crime.

Not all the attacks will be punishable (criminal law) or otherwise unlawful (tort, administrative law) in practice. This depends, after all, on the existing legal context. Moreover, not all types in our conceptual categorisation need necessarily be criminalised; what is considered undesirable or criminal behaviour still depends to a considerable extent on social, cultural, and legal norms that vary from country to country. For example, the United States and European countries to date have varying approaches with respect to identity-related crime.  

In the United States, the Identity Theft and Assumption Deterrence Act specifically covers identity-related crime, albeit largely restricted to identity ‘theft’. This penalises anyone who ‘knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.’

In European countries, there is – to our knowledge – no specific criminal provision targeting identity ‘theft’ or identity fraud as such (cf., Koops 2005), nor do the Council of Europe’s Convention on Cybercrime or the EU Framework Decision on attacks against information systems contain identity-specific crimes. Some countries do have special provisions targeting specific subcategories of identity-related crime, such as deletion or forgery of official identity documents, but a general criminalisation of identity ‘theft’, identity fraud, or other types of identity-related crime is absent. Instead, countries largely rely on non-identity-specific, and often traditional, criminal provisions, such as fraud, forgery, data damage, illegal access to data, or imposture.

A major distinction in a legal categorisation of identity-related crime, then, is identity-specific versus identity-neutral crimes. Within identity-neutral crimes, major subdivisions can be made between criminal, civil, and administrative law, and between specific provisions, like fraud, and general provisions, such as aiding and abetting. This leads us to the following overview. [See Figure 4 in Appendix]

This is a tentative, non-exhaustive categorisation – it is not easy to create a definitive categorisation for legal provisions, since there is no international standard or relevant treaty and since provisions differ from country to country. Nevertheless, the basic distinctions in this categorisation are relevant for all countries, and many of the identity-neutral types will feature in most countries’ legislation. As such, the categorisation can be used by countries to detect potential gaps in their legislation with respect to identity-related crime.


