Title: EXECUTIVE SUMMARY

Executive Summary

Identity fraud appears to be on the rise. The phenomenon is spreading from the USA, where ID theft already is one of the most frequent crimes, to Europe. ID theft seems to have a relatively clear meaning. However, when one scratches a little below the surface, the concept is less clear. The current deliverable provides an overview of some of the difficulties surrounding the area of Identity-Related Crimes. This work is based on three papers prepared for the FIDIS WP5 ID Fraud workshop, which was held on the 18th of May 2005 in Tilburg, the Netherlands. The three papers discussed identity-related crimes from three distinct perspectives: a legal, socio-economic, and technical one. The current document provides a consolidation of the three papers.  

The workshop and this document show that our understanding of ID theft and ID fraud is still limited. For instance, in everyday language we speak about ID theft. In many jurisdictions this term is imprecise from a legal perspective as the identity of the victim is not stolen – like one can steal a car –, but copied. The original identity bearer does not lose her identity by the act of ‘ID theft’. This may seem trivial, but in criminal law, the phrasing of criminal provisions is essential. This example suggests that we need to refine our concepts and define a proper ontology of the relevant phenomena. This document aims to be a starting point for this work. It elicits relevant distinctions in the field and provides for a common ground on which follow-up research can be founded.  

Chapter two delineates the field by defining a working definition that highlights essential features: 

‘ID fraud is when someone with malicious intent consciously creates the semblance of an identity that does not belong to him, using the identity of someone else or of a non-existing person.’ (Grijpink, 2003) 

This chapter furthermore shows that identity crime usually consists of a sequence of steps, starting with fishing for the identity data, the misappropriation, misuse of the data and finally, a criminal act. Part of the sequence, the fishing and misappropriation stages, are illustrated by means of two common techniques, phishing and sniffing.  

Chapter three discusses the legal aspects of identity crimes. It shows that, with the exception of the USA, identity theft and identity fraud as such are not criminal offences in most jurisdictions. Instead there is a patchwork of legal provisions, both on the European level as well as on the national level within the EU member states that cover some of the specific forms of identity crimes. These can be related to the sequence discussed in chapter two. The criminal action, for instance covers crimes such as the acquisition of financial benefits without right. The discussion on the types of identity-related crimes shows that there are differences between the EU jurisdictions that warrant further research in order to provide advice on harmonisation. 

Chapter four provides an analysis of the types of identity mix-up. This results in four basic categories: 

1. identity collision 

2. identity change 

3. identity deletion 

4. identity restoration 

Identity change can be further decomposed into four sub-types: 

a) identity takeover 

b) identity exchange 

c) identity delegation 

d) identity creation 

The four types of identity change introduced can all be legal or illegal. The illegal subset of identity change is generally called "identity fraud", but a better term would be "criminally motivated identity change".  

Chapter four also discusses some of the statistics on Identity crimes. This shows that reliable statistics are lacking and that there is a potentially large dark number. This is partly due to the fact that identity crimes (ID theft, for instance) are breeder offences which usually lead to other criminal activity. Hence, it is difficult to demarcate the costs and incidence. The impact of identity crime on individuals and companies is discussed. Furthermore the reasons why identity crimes are difficult to tackle are touched and potential measures and incentives for businesses to improve security are discussed. 

Chapter five approaches identity crimes from a technical perspective by analyzing the entities, both human and machines, involved. It discusses some examples of techniques that can be deployed by perpetrators, for instance, attacks on authentication in a (shopping mall) surveillance scenario, to show that also traditional settings enhanced by technology are prone to identity misuse. The final section of this chapter addresses ways to misuse biometrics, which shows that this relatively new technology on which high hopes are vested can also be misused. 

Chapter six presents a number of socio-cultural and technical countermeasures against identity crime. In the former category we find measures such as increasing risk awareness and reconsidering authentication needs. The technical guidelines focus on ways to improve authentication and digital identities. It also discusses the role of biometrics to improve authentication. Finally, the trusted computer platform is discussed as a means to enhance security in IDM systems.  

Chapter seven draws some conclusions and provides an agenda for further research.