Title:    “D 5.1: A survey on legislation on ID theft in the EU and a number of other countries”

Author:    WP5

Editors:    Bert-Jaap Koops

Reviewers:    Mireille Hildebrandt (VUB),

Sarah Thatcher (LSE) 

Identifier:    D 5.1

Type:    [Deliverable]

Version:    1.0

Date:    9 May 2005

Status:    [draft]

Class:    [Public]

File:    

Copyright Notice: 

This document may not be copied, reproduced, or modified in whole or in part for any purpose without written permission from the FIDIS Consortium. In addition to such written permission to copy, reproduce, or modify this document in whole or part, an acknowledgement of the authors of the document and all applicable portions of the copyright notice must be clearly referenced. 

The circulation of this document is restricted to the staff of the FIDIS partner organisations and the European Commission. All information contained in this document is strictly confidential and may not be divulged to third parties without the express permission of the partners. 

All rights reserved. 

This document may change without notice. 

Table of Contents 

The activity in Work Package 5, ID Theft, Privacy and Security, focuses on surveying technologies and legislation (and, if relevant, case law) on ID theft in the EU and the United States. Part of this activity concerns a survey of ID theft in the various national legislations, in particular a survey of specific provisions in criminal law on ID theft or ID fraud.  

FIDIS Background

FIDIS objectives are shaping the requirements for the future management of identity in the European Information Society and contributing to the technologies and infrastructures needed. FIDIS work is structured into 7 research activities: 

• “Identity of Identity” 

• Profiling 

• Interoperability of IDs and ID management systems 

• Forensic Implications 

• De-Identification 

• HighTechID 

• Mobility and Identity 

As a multidisciplinary and multinational NoE FIDIS, appropriately, comprises different country research experiences with heterogeneous focuses, and integrates European expertise around a common set of activities. Additionally, all relevant stakeholders are addressed to ensure that the requirements are considered from different levels. FIDIS overcomes the extreme fragmentation of research into the future of identity by consolidating and fostering joint research in this area. Research results will be made accessible to European citizens, researchers and in particular to SMEs. 

ID Theft and ID fraud

Identity theft is a growing concern in the information society. One definition of this is as follows: 

• ‘Identity theft, in what in this paper is called its ‘paradigm’ form, occurs when one person – in this study a “rogue” – obtains data or documents belonging to another - the victim - and then passes himself off as the victim.’ (N. Mitchison, M. Wilikens, L. Breitenbach, R. Urry, S. Portesi (IPSC), Identity Theft. A Discussion Paper, March 2004, p. 5)

In fact, ID theft is a somewhat misleading term, since the identity is copied but not taken away from the original ‘owner’. Particularly from a legal point of view, an identity cannot be ‘stolen’, since the person whose identity has been taken, will still retain his or her identity. Here, ordinary language may diverge from the legal classification. A relevant comparison may be made with the theft of electricity versus the ‘theft’ of computer data. The first can be stolen, since electricity is unique and can only be used once; the second, however, are not unique but multiple, and can therefore be at the disposal of more people at the same time. This is why legislation will usually have different provisions dealing with physical property or goods,  and intellectual property or data.

A better and more general term, therefore, will be ID fraud, which can be described as follows: 

• Identity fraud means “that someone with malicious intent consciously creates the semblance of an identity that does not belong to him, using the identity of someone else or of a non-existent person” (Grijpink, ‘Identiteitsfraude als uitdaging voor de rechtstaat’ [Identity Fraud as a Challenge to the Rule of Law], Privacy & Informatie August 2003, p. 148ff) [translation BJK].

• ‘Identity fraud concerns forms of misuse or fraud with respect to identity and identity data, with which a person or a group of persons intends unlawfully to claim government services [overheidsprestaties], or otherwise to derive a benefit unlawfully’ (Dutch Ministry of Justice, ‘Hoofdlijnen kabinetsbeleid fraudebestrijding 2003-2007, 24 June 2003) [translation BJK]. 

Two major forms of ID fraud which emerge from these descriptions are creating a false identity which does not otherwise exist, and taking the identity of an existing person. In the second category, there may also be a qualitative difference between identity fraud with intent to derive a benefit, and identity fraud with intent to cause harm to the person whose identity is assumed.  

There are more distinctions relevant to ID fraud, which seems an umbrella term for a wide variety of activities. What distinctions are relevant within ID fraud may also vary from the perspective taken: in terms of technology, one might categorise ID fraud in different ways than from a legal perspective. The above definition of ID theft, for instance, seems more a functional-descriptive definition that focuses on how the actual act is performed, whereas the definitions mentioned of ID fraud are worded more in legal terms, focusing on the fraudulent intent of the perpetrator. 

The conceptualisation of ID fraud, with its various forms and perspectives, and the relationship between ID theft and ID fraud, are not the subject of this deliverable, but of another one, D5.2, with various papers being written for the WP5 workshop to be held on 18 May 2005 in Tilburg, precisely to get a grasp on this concept of ID fraud. 

The present deliverable, in contrast, is concerned with a relatively simple issue: are ID theft and ID fraud used in law as specific categories of crime? That is, are there specific criminal provisions penalising ID theft and ID fraud as such? 

Description of activity

The survey of ID theft legislation started in December 2004, co-ordinated by Tilburg University with the help of the FIDIS network members. Since then, a network of country correspondents has been set up of legal experts who provide information about the legal situation in their country. This network is still evolving, since only a minority of the 25 EU member states are represented in FIDIS. We have so far restricted ourselves to finding contacts in the countries with FIDIS members, and will extend the network with correspondents of the other EU countries in the second Workplan period. 

The activities of the country correspondents, like the basic literature search undertaken by Tilburg University, initially focused on ID theft and ID fraud legislation. Towards the end of the first Workplan period, it gradually became clear that there are few if any specific provisions in criminal law in the EU member states about ID theft or ID fraud. Therefore, it was decided to extend the scope of the survey with a search for traditional criminal-law provisions that may cover various forms of ID fraud. This is an on-going process, since these provisions differ in character and kind from country to country and are spread across the entire field of criminal law. Hence, this deliverable can present only the first, preliminary results of the survey, focusing on ID theft and ID fraud. The work on the survey on criminal provisions that cover ID fraud will continue well into the second Workplan, and an updated version of this deliverable will be presented towards the end of the second Workplan.  

All results of this survey are incorporated in the ID Law Survey that is part of WP8, a prototype of which is available at <http://rechten.uvt.nl/idls/>. We refrain from listing all findings in this document, since it can be better presented in a more structured way in the online website. In the Annex, the current entries on ID theft and ID fraud are listed. In addition, on the website, the first results have already been incorporated of the survey of specific criminal provisions.

Country Correspondents

• Belgium, Hans Graux, KU Leuven

• Czech Republic, Vaclav Matyas, Masaryk University, Brno

• Denmark, Henrik Udsen, University of Copenhagen

• Finland, Tuomas Pöysti, Ministry of Finance and University of Helsinki

• France, Cyril Murie, Eric Freyssinet, Forensic Research Institute of the Gendarmerie Nationale, Engineering & digital technologies division (IRCGN/DCIN)

• Germany, Henry Kraseman, Independent Center for Privacy Protection, Schleswig-Holstein

• Greece, Vagelis Papakonstantinou, Drakopoulos Law Firm

• Hungary, Gábor Hontert, ISRI

• Netherlands, Mark Dekker, Tilburg University

• Slovakia, Jozef Vyskoc, VAF

• Sweden, Helena Andersson, Stockholm University

• United Kingdom, Peter Sommer, LSE

Findings

The United States passed the Identity Theft and Assumption Deterrence Act of 1998 (Identity Theft Act) in 1998. This Act amended 18 U.S.C. § 1028 to make it a federal crime when anyone ‘knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law’ (18 U.S.C. § 1028(a)(7)). Apart from this federal legislation, most US states have enacted specific ID theft legislation. It is interesting to note that this criminalisation of ‘ID theft’ focuses not on the identity of someone else, but on the ‘means of identification’ (a document, card, password, etc.)  that may be used or transferred. It thus seems somewhat narrower than the definition of ID theft mentioned above in section 1.2, which includes all kinds of documents and data that may be used to pass off as someone else, not only ‘identification’ data. Nevertheless, it is a general criminalisation. And despite the title of the Act, it penalises ID fraud rather than ID ‘theft’.

Contrary to the US, however, so far, no specific provisions about ID theft or ID fraud have been found in European Union member states. Perhaps, the reason for this is the lack of usefulness of the term ID theft, as well as the multifacetedness of the term ID fraud, which, as explained in section 1.2, can cover various forms and be perpetrated with varying intentions and goals. 

Specific forms of ID fraud, therefore, may be penalised in specific, detailed criminal provisions, such as the forgery of official ID documents or impersonation, but the usurpation of someone else’s identity to commit fraud or to enhance any other unlawful activity is as such not generally criminalised. This is not to say that usurpation of a false identity is always lawful – in certain circumstances, it might, for instance, be criminalised as an attempt to defraud or attempted theft. Moreover, the subsequent use of a false identity will usually be criminalised by traditional offences like fraud, theft, or forgery. These traditional criminal provisions, however, were not the subject of the initial scope of the survey.

This leads to the conclusion that the survey must be broadened with a search for traditional criminal-law provisions that may cover the various forms of ID fraud. Therefore, the survey of ID fraud legislation will continue into the second Workplan period. Intermediate results will be published directly in the ID Law Survey, and a revised version of this deliverable will be presented at the end of the second Workplan period.  

ANNEX: Preliminary findings on ID theft and ID fraud

taken from http://rechten.uvt.nl/idls/, where an up-to-date overview can be found