D5.2b: ID-related Crime: Towards a Common Ground for Interdisciplinary Research

Title: SOCIAL ASPECTS

The social impact of identity theft and fraud can be regarded as a general cultural impact (Levi 2004) as it can occur to anybody. Some cases of ID-related crimes are clearly the result of victims being careless with their personal data, for instance, one can prevent becoming a spoofing victim as banks don’t ask for the kind of data the spoofers asks his victims to disclose. Yet, even if the victim is extremely careful, identity theft can not be ruled out. Consider, for instance, cases such as the CardSystems case mentioned in section , where millions of credit card numbers where stolen from an organisation that should not have stored them in the first place. Not a single entity is to be blamed for ID-related crimes alone. Many entities, victims, payment merchants, internet providers, etc, all have responsibilities in preventing and fighting ID-related crimes. In cases of investigation, such responsibilities have to be identified.

In the online environment, the role of financial institutions in transactions has increased tremendously as many online payments consist of credit card transactions, which amount to changes in databases. This places new responsibilities on these financial institutions. Potter (2002) highlights the following new responsibilities:  

• Providing a secure (integrity and confidentiality) process wherein financial transactions are completed

• Ensuring the privacy of account holders  

• Ensuring the security of the accounts they own 

• Ensuring that any financial activities are completed in accordance with the Uniform Commercial Code and Federal Reserve Bank regulations.  

Also on the part of the (potential) victims, new responsibilities and liabilities emerge. The presumption of innocence makes way for a presumption of liability. In cases of criminal activity perpetrated with a stolen identity, victims have to prove their innocence (CIFAS

The increase in numbers of identity-related crimes has leads to distrust in authentication procedures, especially from the viewpoint of clients and customers. Main reasons for this distrust are the lack of understanding of, and lack of control on, the technical authentication measures used in online transactions and the shift in the burden of proof in cases of identity misuse. Clients have to accept risks which they can’t really calculate and influence.  

To improve the trust within online transactions, trusted third parties have entered the market. This has, so far, not had the desired effects as it does not address the uncertainty and opacity of the online transactions. One example of this uncertainty is the implementations of PKI (Public Key Infrastructure) that uses Certificate Authorities (CAs). The chain of trust that should certify that a particular (encryption) key or message stems from an organisation that can be trusted is not very clear (question of the root of trust) (Ellison and Schneier 2000). Also, CAs are not responsible for the economic and social consequences of failed ore manipulated authentication. So, from the perspective of a client there is no reason to trust the trusted third party.  

This negative cycle of distrust may get worse when new and stronger technical authentications are introduced and identity theft occurs again. Distrust in the system also increases as the result of the usage of personal identifiers as credentials or the usage in improper contexts. One example for this is the proof of age (are you over 18 years of age?) by requesting a credit card number. This leads to a proliferation of identity data in a context where these data are irrelevant. 

Even in the case of properly functioning strong authentication, this fact has an influence on society. The implementation of security mechanisms such as logging and profiling procedures have to be paid for. Obviously it is the client or customer who bears the financial burden for authentication and authorisation mechanisms that increase security. But also other costs, such as loss of convenience, liberty, liberality and freedom are carried by the customers.  

The financial loss and decrease in trust as a result of identity related crime on the one hand, and increasing costs for security, loss of convenience, liberty, liberality and freedom on the other hand, can be seen a societal balance that is controlled by authentication and authorisation. The balance increasingly seems to tilt in one direction. If the financial losses and corresponding decrease in trust reaches the point of social inacceptability, security is improved by means of tighter authentication, and a gradual loss of liberty, liberality and freedom is accepted. Reactions in the opposite direction, relaxing security measures in response to lower risks of identity-related crimes, can only be observed in rare cases. One example is the abdication of the use of ID cards for personal authentication in Great Britain after the Second World War. 

Not only tighter security measures have an impact on privacy, liberty, liberality and freedom. Identity crimes themselves, of course, also have a strong impact on these rights and freedoms. Identity theft is a serious threat against privacy as the culprit gains access to the private sphere of the victim by having access to her identity. The imposter is treated as if he were the victim and therefore can gain access to information that should only be available to the victim. Also other dimensions of privacy, such as dignity, autonomy, individuality and integrity are affected. When a victim’s identity is stolen, the consequences of the impostor’s actions may for instance deny a victim rights to funds, services, benefits, and even result in detention if the victim is wrongfully arrested. 

This seems to result in an interesting tension: the need to protect privacy by protecting against identity theft and the need to partially surrender privacy in order to tackle identity theft. “To combat identity theft, business needs to verify the identity of applicants. To verify the identity requires access to personally identifiable information, but consumer unwillingness to provide that data contributes to the perpetuation of the crime.” (Chapman 2004). Section on countermeasures suggests ways in which this contradiction may be resolved.

One significant impact that affects virtually all victims is time loss (ITRC 2003). On average, the total active time spent by the victim to resolve a case is 607 hours. ITRC has reported a range of 2-11518 hours with the time spent sometimes extending over several years. provides a breakdown of the loss of time for the types of identity thefts the US FTC defines.

Other intangible impacts include the emotional impact (e.g. a feeling of being defiled, stress, shame, helplessness, etc.) but also reputation damage (e.g. loss of creditworthiness). In extreme cases, the effects may include job loss, false allegations, criminal proceedings against the victim, public humiliation and a drawn-out procedure before the case can be resolved.