
D5.2b: ID-related Crime: Towards a Common Ground for Interdisciplinary Research


 

ID fraud decomposed

The discussion of the European legal framework shows that no specific provisions on ID-related crime exist at this level. This has prompted us to study various jurisdictions with respect to ID-related crimes in more detail. This study is part of the ID law survey that is carried out in FIDIS workpackage five (WP5). At present only a limited number of countries have been studied, and even here the depth of the analysis is insufficient to claim a clear overview. What the analysis so far reveals, however, is that there are no specific ID theft provisions in, at least, Belgium, France, Greece, Italy, the Netherlands, Slovakia, Spain, and the UK. The US, as mentioned, has specific provisions, both at the federal level and in various states.

Specific provisions to address types of ID fraud and ID theft may not be necessary, as the actions involved may already constitute criminal acts under current legislation. And in fact, as sections and will illustrate, this may be sufficient to cope with the relatively new forms of ID fraud. The ID law survey tries to gain insight into the way the various jurisdictions handle ID-related crimes. The initial typology used in the survey showed the following distribution across the various jurisdictions.

Table . ID Law Survey summary (as of May 2005)

The taxonomy currently used for the survey is less fine grained than depicted in and consists of the following types:

  1. ID-specific crimes 

  2. Fraud 

  3. Forgery 

  4. Damage 

  5. Data Abuse 

  6. Imposture 

  7. Tort 

  8. Personality rights 

The detailed analysis of these types of crimes in various (European) jurisdictions goes well beyond the scope of this deliverable, but in order to give a flavour of what such a comparative study entails we will discuss some of these items in somewhat more detail, drawing from the WP5 ID law survey, Mitchison et al and other sources.

 

1 ID-specific crimes

This category includes specific criminalisation of ID theft, ID fraud, or ID document crimes (e.g., fraud, forgery, theft, damage, trade, receiving of official ID document or of unofficial ID document).

As discussed earlier, the ‘taking’ of a person’s identity may or may not comprise theft. In the Netherlands (and Belgium) at least, the crime of theft relates to tangible goods (‘things’), of which it can be said that the owner loses control over them when they are stolen. This includes electricity, as electricity can only be used once. Entities that may have multiple incarnations cannot be stolen. Information (such as a PIN code) and computer data, which can be copied without undermining the owner’s capabilities of use (multiple use), can therefore not be stolen. Unauthorised copying of computer software is an offence under copyright law, though.

In the UK, the story with respect to theft is different. The central provision here is the UK Theft Act 1968, which states (in 1-(1)) "A person is guilty of theft if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and ‘thief’ and ‘steal’ shall be construed accordingly". Property includes, according to 4-(1) of the same Act, ‘money and all other property, real or personal including things in action and other intangible property.’ This is much broader than property under the Dutch regime, as it includes intangible property without defining what this encompasses. But in a sense it is also stricter, as tangibles such as ‘wild mushrooms, fruits or foliage on wild plants’ are excluded, as is land (4-(2) and 4-(3)). What is stolen has to belong to another, meaning that the person (‘owner’) has possession or control of it, or has any proprietary right or interest. Appropriation, according to section 3 of the 1968 Act, means any assumption by a person of the rights of an owner. The thief has to have the intention of permanently depriving the other of it, which excludes lending as a criminal offence, unless the period and circumstances make it equivalent to an outright taking or disposal. According to the UK Crown Prosecution Service, tampering with electricity supply is not theft, since electricity is not property. This offence is addressed in section 13 of the 1968 Act.

Given the discussion on the Dutch and Belgian provisions, we are inclined, on the basis of looking only at the provision and not at relevant case law, to conclude that, as no deprivation occurs when ID data is copied, theft under section 1 of the UK Theft Act 1968 does not cover ID theft. Yet, mention is made of the possibility to prosecute ID theft under section 1 of the Act, but only when the perpetrator made a monetary gain. Case law should provide an answer to the question whether section 1 of the 1968 Act offers any recourse to fight Identity Crime. The UK Home Office Identity Fraud Steering Committee is in any case investigating whether specific provisions are required.

Depending on the purpose and the type of information acquired, other provisions in the 1968 Act may apply, as discussed under the next heading.

In other jurisdictions these distinctions with respect to what is, and what is not, subject to the action of theft may be absent.

2 Fraud

Mitchison et al (2004), when discussing fraud, write: “Fraud is the crime of intentional use of deceit, a trick or other dishonest means to deprive another of his money, property or a legal right. Inherent in fraud is an unjust advantage over another which injures that person or entity.

Information fraud – provided for as a specific crime in some legal systems - mainly consists in the illegal enrichment through the illegal use of an information system (such as the alteration of data or software) (Mitchison et al., 2004)."

Fraud generally is defined in a technology neutral form, and hence many countries have fraud provisions that can be used in the battle against ID Fraud. Finland, for instance, in chapter 36 of the penal code, section 1 (1), defines a fraudster as ‘a person who, in order to obtain unlawful financial benefit for himself/herself or another or in order to harm another, deceives another or takes advantage of an error of another so as to have this person do something or refrain from doing something and in this way causes economic loss to the deceived person…’. Similarly, the German Criminal Code in section 263 defines Fraud as ‘(1) Whoever, with the intent of obtaining for himself or a third person an unlawful material benefit, damages the assets of another, by provoking or affirming a mistake by pretending that false facts exist or by distorting or suppressing true facts,…’. Sweden

More detailed provisions are also available. The UK Theft Act 1968, as amended in 1996, in section 15a (1), Obtaining a money transfer by deception, declares ‘A person is guilty of an offence if by any deception he dishonestly obtains a money transfer for himself or another.’ In all cases the financial gain of the perpetrator is an essential element of the provision.

Yet, here also, we are subject to the intricacies of national jurisdictions. Drawing again on the Netherlands and Belgium, as these are the countries the authors are most familiar with, we see clear differences.

The Belgian Penal Code has two relevant provisions. The first is article 496, which covers virtually any form of fraud where a person attempts to entice others to hand over any form of property (vermogensvoordeel), through the use of false names or assumed functions, or other forms of deceit (e.g., by suggesting the existence of a fictitious enterprise). In 2000, section IIIbis was added, containing a separate article 504quater on IT fraud (informaticabedrog), defined as “the fraudulent acquisition of a property advantage for himself or for another, through the introduction, alteration, deletion or modification of the possible use of data which is stored, processed or transferred by means of an information system through any technological means”.

In the Netherlands, article 236 of the Dutch Penal Code contains a provision that clearly resembles the Belgian one. However, there is a subtle difference that makes the provision totally unsuitable to address acts such as phishing. The provision requires the object that is taken (defrauded) from its owner to represent a value in legitimate trade. As there is no legitimate market for credit card data, user names, passwords, etc., the act of phishing does not qualify as fraud under said provision.

 

3 Forgery

Forgery is "1) the crime of creating a false document, altering a document, or writing a false signature for the illegal benefit of the person making the forgery. This includes improperly filling in a blank document, like an automobile purchase contract, over a buyer’s signature, with the terms different from those agreed. It does not include such innocent representation as a staff member autographing photos of politicians or movie stars. While similar to forgery, counterfeiting refers to the creation of phoney money, stock certificates or bonds which are negotiable for cash. 2) a document or signature falsely created or altered."

With respect to forgery, documents and signatures traditionally play an important role. In the digital world this raises the question whether electronic documents and digital signatures are covered by the definitions in the provisions. The European electronic signature directive and its subsequent implementation in national legislation have harmonised traditional and electronic signatures, which should in principle pave the way and make forgery provisions applicable to forged electronic signatures as well. This may, however, not solve everything, as it may not be entirely clear whether PIN codes, usernames and passwords qualify as signatures. The harmonisation of documents and electronic documents is another topic that may present problems in forgery cases. Dutch public administrative law, for instance, until recently did not incorporate electronic documents in the definition of document (‘geschrift’ in Dutch).

In some jurisdictions a distinction is made between the various forms of forgery. The Belgian penal code, for instance, distinguishes between forgery in documents, in information technology and in telegrams.

5 Data Abuse

This category contains the kind of misuse of personal data as protected by the data protection directives, to the extent that harvesting and abusing the victim’s personal data constitutes illegal processing.

6 Imposture

Identity (or qualification) usurpation means the use of a name or a qualification that is not yours. This act may be treated as a crime in its own right when the false identity or qualification is used or declared in certain types of act or deed, or in a request addressed to the public authority, or when the false identity is declared to a public officer. This act can be also defined as “false declaration concerning identity (or concerning qualifications)” to public authorities.

Impersonation – treated as a specific crime in some legal systems - consists in misleading somebody, by assuming somebody else’s identity or using a false name, status, qualification, in order to gain an unlawful advantage or to provoke damage to another (Mitchison et al., 2004)."

 

8 Personality rights

This includes intellectual property regulations, to the extent that the name or trademark of an unrelated organisation is abused for criminal purposes. On a European scale these problems are governed by a number of regulations including the Berne Convention and the directive on Copyright in the information society, also including portrait rights.

 

The brief analysis of specific provisions relating to Identity Crimes shows that there is a patchwork of legal provisions that can be mapped on the stages in the ID sequence described in figure 1 (see table 2). The different European jurisdictions differ in the way they regulate the various kinds of crimes and misdemeanors related to identity and identity data.  

 

 

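|                    | fishing | misappropriation | misuse | criminal action | effects |
|--------------------|---------|------------------|--------|-----------------|---------|
| ID specific        | √       | √                | √      | √               |         |
| fraud              |         |                  | √      | √               |         |
| forgery            |         | √                |        |                 |         |
| damage             |         |                  | √      | √               | √       |
| data abuse         |         | √                | √      | √               |         |
| imposture          |         |                  | √      | √               |         |
| tort               |         |                  |        |                 | √       |
| personality rights |         | √                | √      |                 |         |
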

Table . Mapping ID crime provisions on the ID frauds sequence

 

ID fraud from a legal point of view  fidis-wp5-del5.2b.ID-related_crime_03.sxw  Some cases and legal responses
Denis Royer 11 / 44