D5.2b: ID-related Crime: Towards a Common Ground for Interdisciplinary Research

Title: ID FRAUD FROM A LEGAL POINT OF VIEW

ID fraud from a legal point of view

In the previous chapter we have provided a brief analysis of ID-related misuse and we have looked at two areas in which these misuses come to light. In this section we explore the legal side of ID misuse in the on-line world.

As we have seen in figure 1, the process associated with ID-related crime can be broken down into four steps: fishing for data, misappropriation, misuse, and criminal action. Each of these steps can be covered by legal provisions. So, the phishing for data, its appropriation, misuse as well as the crimes committed with the acquired identity could all be subject to their own provisions in legislation. For instance, under the US Anti-phishing act 2005, which was introduced by Senator Patrick Leahy on 28 February 2005, phishing would become a crime under Chapter 63 of title 18, United States Code:

Sec. 1351. Internet fraud

(a) Website- Whoever knowingly, with the intent to carry on any activity which would be a Federal or State crime of fraud or identity theft—

(1)

(2)

The broadest provision, and in fact the only one (or one of the only ones) that covers stages one to three, is the already mentioned US Identity Theft and Assumption Deterrence Act. It addresses ID theft, as the knowing transfer or use, without lawful authority, of a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.

From the ID law survey that is being compiled as part of FIDIS work package 5, we may conclude that this in fact is the only provision in the countries studied so far that covers ID fraud as such. As we have seen in the preceding sections, also the entry of computer systems that contain personal data (hacking) and the consequential modification of these systems for criminal purposes are used as criminal offences related to ID fraud. Another focus appears to be stage four: the crimes that can be committed using the false identity, such as tax evasion, or credit card fraud. Also from the side of the victim there are relevant legal provisions, as storing and using the victim’s identity can be a breach of the victim’s privacy. Hence, data protection legislation may be relevant.

We will start our exploration with the European legal provisions relevant to our area of study.

The European legal framework

As EU Directives, as well as the Council of Europe Convention on Cybercrime play an important part in European jurisdictions, it is useful to take a closer look at the Directives relating to ID-related crime, as well as the Cybercrime treaty.

Unlike the US provision on ID theft, neither EU Directives, nor the Cybercrime treaty explicitly contain ID theft or ID fraud provisions. Rather, most relevant regulation is either focused on privacy protection in general, or on ICT crime in general. Identity theft and identity fraud, being at the crossroads of these two subject matters, will usually be covered by both, as the examples below will show.

The Privacy Directives

Where electronic transactions are concerned, the core of the European privacy protection framework consists of two directives:

• Directive 95/46/EC of the European Parliament of and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (commonly referred to as the “Privacy directive”).

• Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the “Directive on privacy and electronic communications”).

Examining these directives in any detail would take us too far (especially considering their relative complexity). Suffice to say at this point is that they both concern the protection of personal data (defined as any information relating to an identified or identifiable natural person), and seek to protect the privacy of European citizens by determining the circumstances under which such data may be lawfully collected and processed. While the first directive treats this subject in the most general sense, the second directive focuses on privacy protection in the field of electronic communication (e.g. the protection of traffic data).

To show the relevance of these Directives and their transposition into national legislation, we can point at the provisions that regulate processing of personal data, which includes Identity data. In general data may be processed only under the following circumstances (Directive 95/46/EC, art. 7):

• when the data subject has given his consent; 

• when the processing is necessary for the performance of or the entering into a contract; 

• when processing is necessary for compliance with a legal obligation; 

• when processing is necessary in order to protect the vital interests of the data subject; 

• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; 

• processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject. 

The particular relevance of these directives lies in the fact that fraudulent collection and use of personal data (e.g. by intercepting personal communications and subsequently using another person’s captured login data) will typically be a violation of these directives and their transpositions, as the data subject (the victim) will generally not have given her consent, not will any of the other requirements have been met. An interesting issue is whether a victim of phishing can be said to have consented to the acquisition of their personal data.

But even if the subject can be said to have consented tot the acquisition of the personal data, then still the processing of these data will generally not be in accordance with the directive, as article 6b states that personal data can only be processed for specified, explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. We can be fairly certain that the phisher will not reveal the purpose of the phishing expedition, and hence the consent would not include agreement to the phisher’s hidden motives. Possibly also the purposes will be illegal, which would inhibit the legitimacy of the data collection even further.

As the Member States are required to impose sanctions on this sort of conduct in their national data protection legislation, some forms of identity fraud will, at a minimum, be punishable as a violation of the privacy directives.

The Council of Europe’s Cybercrime Treaty

The Cybercrime Treaty is presently the most influential European text regarding cybercrime. Since its adoption on 23 November 2001, it has been signed by 32 nations, including a number of non-European states such as Japan, Canada and the USA. Its most significant contribution is the introduction of a number of harmonizing provisions, both in substantial and procedural criminal law. Although the Treaty only entered into force as recently as 1 July 2004, Member States have been aligning their legislations to its provisions since its inception, so that its provisions can be considered indicative for general European cyber crime legislation.

As with the Privacy directives, the provisions of the Cybercrime Treaty do not specifically address identity crime as such. They do, however, define a number of crimes that are typically committed in conjunction with identity crimes, such as:

• article 2 - illegal access: intentionally accessing a computer system without right, e.g. by hacking into a computer system with the intention of stealing personal data from it

• article 3 - illegal interception: intentionally intercepting without right, made by technical means, of non-public computer transmissions of computer data. E.g. monitoring internet traffic in the hopes of capturing login names or passwords.

• article 7 - computer-related forgery: intentionally introducing, altering or deleting data in a computer system without right and with the intent that is be considered or acted upon for legal purposes as if it were authentic, e.g. by introducing a false password into an eBanking system and transferring the victim’s funds to another account

• article 8 - computer-related fraud: intentionally and without right, causing of a loss of property to another person by;

  • any input, alteration, deletion or suppression of computer data,

  • any interference with the functioning of a computer system, with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.

These provisions may apply to stages two to four of the sequence outlined previously, even though they were not specifically drafted for this purpose. As the treaty is not binding to citizens and states have to transpose these provisions in national law, the scope of the resulting provisions can either include or exclude ID-related crimes.

It is worth noting that a similar, more limited instrument has been taken in the European Union. The Council Framework Decision of 24 February 2005 on attacks against information systems has a similar objective as the Cybercrime Treaty, although its scope is more limited by targeting a number of crimes against computer systems (“information systems”), such as illegal access and illegal interference, which could also be used to combat identity crime.