D5.2b: ID-related Crime: Towards a Common Ground for Interdisciplinary Research

Title: SOME CASES AND LEGAL RESPONSES

Some cases and legal responses

After this brief overview regulations pertaining to forms of ID-related crimes, we can now look at a couple of typical European eCommerce ID crime cases, and take a closer look at how the cases were actually handled by the legal systems. This could potentially allow the identification of certain trends in ID crime regulations, which will form the basis for our conclusion below. Our two cases involve one hacking in an eBanking context, and a series of fraudulent e-mails in which the author assumed the identities of several heads of a gambling corporation.

The first case took place in Belgium in 2002. A Dutch eBanking user who had been living in Belgium for quite some time noticed that his bank’s eBanking site suffered from some serious security issues. Due to his professional background as a system administrator, he was able to use this flaw to alter another user’s account preferences. He altered the identification data of the user’s frequently used accounts, so that every further money transfer by that user to these accounts would by default be directed to one of the hacker’s colleague’s account. During this hacking, he left a so-called “calling card”, stating that the account had been hacked, and that the bank was aware of the problem.

Two weeks later, noticing that the flaw had not been fixed, he reported the problem to his local banking agency. Unfortunately, the local branch had no technical know-how, and referred the well-intending hacker to the national IT department. After contacting them, the flaw was fixed, and the hacker received a friendly note, thanking him for his help. Several weeks after that, he received a slightly less welcome note: criminal charges had been pressed, and the bank was suing him for damages.

The Dutch hacker was only sued for violation of article 550bis of the Belgian criminal code, which sanctions hacking. Unfortunately for him, this specific article does not require malicious intentions, and the hacker was convicted. However, keeping the good intentions into account, the judge decided to grant suspension of the verdict. This type of hacking, where the hacker enters a system with the intention of finding security flaws and alerting the system administrator to them, is often referred to as a “white hat hacking”.

From an ID fraud perspective, it is interesting to note that the alteration of identification data was only indirectly mentioned in the lawsuit, as an aggravating element of the hacking. In this case, ID fraud was classified simply as “the use of a hacked system (altering the identification data)”. No specific attention was given to privacy regulations, or the possibility of classifying the facts as ICT forgery or ICT fraud. Part of the reason was undoubtedly that, according to Belgian penal law, only the strictest punishment is applied in case of multiple infractions, which would have rendered the additional (no more strict) qualifications pointless. Additionally, the novelty of the hacking crime in Belgian law was likely a factor. Anti-hacking legislation clearly applied, and considering the relatively limited seriousness of the offence, additional qualifications were likely considered inappropriate.

Regardless of the actual reasons, the only real conclusion can be that, in this specific instance, ID crime was adequately fought using generic ICT crime legislation.

In a more straightforward example of eCommerce related ID theft, the French gambling organization Groupement d’Intérêt Economique du Pari Mutuel Urbain (GIE PMU) was confronted in September 2001 with a series of e-mails claiming to contain enough information to hack into GIE PMU’s systems and transfer large sums of money. Part of the information appeared to have been captured during an earlier hacking in November 2000. The mails contained extensive documentation describing the technical details of the company’s computer systems, as well as a large series of usernames and passwords of (ex-)employees of GIE PMU. A brief check of this documentation showed that the information was largely accurate, if somewhat dated.

The mails were sent out to GIE PMU’s employees, and its contents were published on a website in December 2001. Despite the attention given to this turn of events in the national press, no hacking attempts followed. A second series of e-mails was sent out in March 2002, again containing the sensitive information. The perpetrator(s) who were responsible for the hacking and/or the e-mails and website were never identified.

The sender of both batches of e-mails had spoofed the from-addresses of the e-mails, to resemble the addresses of certain employees of GIE PMU. This is a common ID theft technique in fraudulent e-mails (also used in the phishing example above), through which the ID criminal hopes to inspire a certain trust in the receiver based on the false assumption that the mail originated from a trusted source. Whether or not the forging of the from-addresses had any measurable impact in achieving the sender’s goals (including damaging the reputation of GIE PMU) is debatable.

An interesting question is whether the assumption of another person’s identity to inspire a false sense of trust can be considered an ICT offence. As we will discuss below, this is not completely certain.

Obviously, this specific case could not yield a clear ruling on the exact applicability of French law, as there was no identified suspect, and the court had to limit its role to suspending of the proceedings until such a time as the perpetrator(s) could be identified. However, the judge’s ruling does specify the exact allegations: the unidentified intruder was accused mainly of illegitimately accessing and maintaining himself in another person’s computer system (i.e. hacking), obstructing the proper functioning of the system and violation of trade secrets.

Again, it is remarkable that the prosecution of a case that clearly encompasses ID crime aspects tends to focus on other elements, in this case most notably hacking. In part, this is likely related to the fact that hacking is the most well known form of ICT crime, whereas ID crimes occupy a fringe position. Quite possibly this will change over time, as the prevalence of ID crime increases and European prosecutors and judges alike become more aware of its significance.

The examples show that that prosecution of the imposters did not take place on the ground of ID fraud of theft, but instead on either entering a system that contains ID data (hacking) and on crimes related to the consequences of this entering (obstruction, violating trade secrets). In the light of the sequence of ID-related crime as presented in figure 1, this primarily concerns phases one and four (criminal action). Whether this is due to the fact that specific provisions with respect to ID fraud do not exist, or due to procedural matters (for instance, the chance of success in getting a conviction), or priorities of the courts involved, remains to be seen.

In any case, the cases above give the impression that the ID-threatening aspects were considered to be symptomatic of other crimes, sometimes as aggravating factors, but rarely worthy of prosecution in its own right. Perhaps this is due to the specific subject matter: as this section of the paper only examines eCommerce related cases, it stands to reason that the parties involved would be more likely to resort to the most obvious solution. Typically, this implies a classification that is immediately and obviously applicable, such as hacking, rather than a more complicated classification as a violation of privacy.