D5.2b: ID-related Crime: Towards a Common Ground for Interdisciplinary Research

Title: ID-RELATED CRIME: A PRELIMINARY DEFINITION

ID theft has entered the mainstream media judging from the fact that major newspapers have had specials on ID theft and regularly report about major incidences of large scale ID misappropriation. Also, magazines, such as Newsweek have featured cover stories on ID theft. 

Generally these reports describe some of the horror stories resulting from, for instance, the fact that a victim has lost identifying data (e.g. credit card) as a result of some internet scam. The culprit typically uses the data (name, credit card number and expiry date of the card) to buy goods thereby rapidly depleting the victim’s credit limit. The stories then continue to depict the obstacles the victim has to take in order to remediate the wrongs inflicted by the culprit. Finally words of caution and tips on ID fraud prevention are given. 

Often, these accounts lack a clear definition of ID theft and ID fraud. Although crimes relating to Identity and ID papers are not new – even before medieval times people impersonated others by taking on false identities – defining ID-related crimes in the online world is not completely without problems.

In this section we discuss some of the difficulties in delineating ID theft and ID fraud.  

Terms such as ID fraud, ID theft, and ID-related crime are used interchangeably, and are often taken to be synonyms. There are, subtle, differences and one of the objectives of the current chapter is to clarify the confusion with respect to the various terms. 

A common term for ID-related crime in the EU is ID fraud. In a study by the UK Cabinet Office (2002, p. 9), this is described as:  

‘ID fraud arises when someone takes over a totally fictitious name or adopts the name of another person with or without their consent.’  

Jan Grijpink in the Netherlands uses a slightly broader definition. Identity fraud means 

‘that someone with malicious intent consciously creates the semblance of an identity that does not belong to him, using the identity of someone else or of a non-existing person’ (Grijpink, 2003).  

In comparison to the former definition, not only the name, but also other identity tokens, such as facial resemblance, fingerprints, or other data can be used to put the recipient on the wrong foot. The notion of identity is not further specified in this definition, nor in many of the other ones. Elaborating on the nature of identity is necessary as will be discussed in chapter 4. An act that many would include in the list of ID fraud is pretending to be a representative of an organisation, such as the Social Security department, or the electricity board, in order to persuade people to pay for some kind of service. Hence, not only taking someone’s civil identity comprises ID fraud, but also the illegitimate assumption of an organisational role. Also note that Grijpink does not address consent, or the lack thereof, of the ‘victim’. Lacking in both definitions so far is the notion of context. Is someone who wears a (rented) police uniform during carnival committing ID fraud? Probably we would not go this far. However, if the same person on his way home confiscates someone’s car, it would be a case of ID fraud. In Grijpink’s definition the latter would comprise malicious intent, whereas this is absent in the former case. 

Apart from these general definitions, there are also domain-specific definitions. For instance, the Dutch Ministry of Justice uses the following definition:  

‘Identity fraud concerns forms of misuse or fraud with respect to identity and identity data, with which a person or a group of persons intends to unlawfully claim government services [Dutch: overheidsprestaties], or to otherwise unlawfully benefit himself’.

Another common term for identity related misuses is ID theft. Mitchison et al. in their JRC discussion paper on Identity Theft state:  

‘Identity theft, in what in this paper is called its ‘paradigm’ form, occurs when one person – in this study a “rogue” – obtains data or documents belonging to another - the victim - and then passes himself off as the victim (Mitchison, et al., 2004).’

In the same line, we find specialised forms of ID theft, such as the one described by Michael Perl:  

‘Criminal record identity theft occurs when the identity thief obtains a victim’s personal information and then commits crimes, traffic violations, or other illegal activities while acting as the victim. Instead of providing law enforcement with her own personal information, the identity thief provides the victim’s personal information in order for the identity thief to avoid criminal convictions and legal sanctions in her own name.’ (Perl, 2003) 

The US Identity Theft and Assumption Deterrence Act, one of the few statutes that contain provisions directly sanctioning identity theft, defines ID theft inter alia, as

‘the knowing transfer or use, without lawful authority, of a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.’ 

The ID theft and ID fraud definitions may seem to overlap sufficiently to warrant using them as synonyms at first sight. The also seem to be universally applicable. From a legal perspective this is not the case. The principle of legality which underlies most penal law systems requires crimes and misdemeanors to be formulated precisely to warrant legal certainty. Hence, the definition (or conditions for applicability) of ID-related misuse matters.  

In the Netherlands, for instance, theft relates to tangible ‘goods’ according to article 310 of the Dutch Penal Code. The Dutch High Court has ruled that an essential characteristic of ‘goods’ is that the possessor necessarily loses possession of the good as a result of the theft. Information, or data in general, can not be stolen by the act of copying: the owner still has his/her copy of the data. This implies that one’s (digital) identity can not be stolen. Identity papers can be stolen, but using someone else’s username and password, or using credit card data is not theft. And hence ‘ID theft’ is in effect an improper term for this kind of misconduct. The term ID fraud does not suffer from this problem, and would therefore in the Netherlands be the preferred term.

Theft also suffers from another problem. Since theft is a term from the penal domain, it hides the fact that ID fraud also, or maybe more so, belongs in the civil law domain. Using someone’s identity may result in Tort as the victim is likely to suffer damages as a result of the use of her identity without this person’s consent. This is another reason to use the term ID fraud (or ‘Identity crime’) instead of ID theft. 

We will return to this issue in chapter seven which summarises the analysis of ID-related crime from the different perspectives and presents plans for further research. 

For now, we will use Grijpink’s definition as it highlights a number of features that we deem essential for the phenomenon we are interested in: 

ID fraud is when someone with malicious intent consciously creates the semblance of an identity that does not belong to him, using the identity of someone else or of a non-existing person. 

The features of interest are: 

• malicious intent: this means the rogue has to act with the intent of committing criminal actions (after taking on the identity of the victim); 

• consciously: the rogue has to intentionally (knowingly) take on the ‘false’ identity; 

• create a semblance: any form that tricks a third party in believing that the rogue is indeed the victim is included; 

• another one’s identity: the use of one’s own identity is not ID fraud; 

• using: only actual use, not merely possession, of the acquired identity is what constitutes fraud. 

• existing or non-existing: identities of both living and dead, existing or fictitious identities can be used.

This definition also shows that ID fraud in itself usually is not the aim of the action. The perpetrator takes, or creates another one’s identity with the aim of using this identity for other, illegal or otherwise malicious, actions. So irrespective, whether ID fraud in itself is a criminal offence, which as we will see later is not the case in many jurisdictions, this definition emphasises a chain of events associated with typical ID fraud. Such a chain of events typically looks like figure 1 (Mitchinson et al, 2004).

Fishing for data is the step in which the perpetrator is looking for data to be used for the false identity. In the online world this may include actions such as phishing (see section )

Figure . ID fraud sequence, taken from Mitchison (2004, p. 21 )

Misappropriation concerns getting hold of the actual identification data, be it a document or just information (such as a social security number (SSN)). This stage corresponds to what the UK Home Office calls Identity Theft: when sufficient information about an identity is obtained to facilitate Identity Fraud.

By misuse the Mitchinson et al means that the false identity is established, but has not been used for any illegal action.

And finally, the criminal action is the stage in which the false identity is used for some illegal action, such as credit card fraud, or benefit or tax fraud. This stage corresponds to the UK Home Office’s definition of Identity Fraud: ‘when a False Identity or someone else’s identity details are used to support unlawful activity, or when someone avoids obligation/liability by falsely claiming that he/she was the victim of Identity Fraud’.

The sequence makes clear that the misappropriation, the act that best resembles the concept of ‘stealing’ the identity, is not the end, nor the beginning.  

Taking the other stages into account and also looking at the various reasons for acquiring another person’s identity is necessary to understand the nature of ID-related crimes, from a legal perspective, both also from the other perspectives adopted in this report.  

Reasons for appropriating another person’s identity, the reason for misuse in other words, can be found in three areas according to the UK Cabinet Office’s ID fraud study (2002, p.9): 

• To avoid being identified in the original identity (concealment); 

This includes illegal immigrants, people with poor credit histories trying to obtain financial services, but also people working under cover, including law enforcement officers.  

• To make financial profit from some form of fraud; 

In the private sector this reason includes credit card misuse while typical uses in the public sector include obtaining welfare benefits. 

• To avoid financial liability. 

Here a range of activities such as Tax avoidance, reneging outstanding debts and avoiding paying child benefit are prime examples. 

We should now have sufficient background to look at ID-related crimes in somewhat more detail.