D5.2b: ID-related Crime: Towards a Common Ground for Interdisciplinary Research

Title: ECOMMERCE RELATED ID CRIME: WHEN BUSINESS OPPORTUNITIES GO AWRY

eCommerce related ID crime: when business opportunities go awry

Given the reasons for assuming other people’s identity, it should not come as a surprise that in the online world Electronic Commerce (eCommerce from now on), and up to now to a lesser extent eGovernment, are obvious areas where ID-related crimes flourish. eCommerce is a phenomenon that is almost as difficult to describe as ID crime itself. Defined at its broadest (any form of business activity that is completed partially or in whole using telecommunications), it is as old as the notion of telecommunications itself. In a more strict sense, the notion refers solely to business transactions that have been concluded through the Internet or a similar network. It is in this sense that the expression is most commonly used nowadays, and this is also the interpretation of the notion that we use in this chapter.

The rising prevalence of ID crime is inextricably linked to the increase acceptance of eCommerce by everyday consumers. Indeed, the main selling point of eCommerce is and always has been the possibility of new business opportunities. eCommerce achieved its major breakthrough in the late nineties, when all involved parties began to realise this potential. For businesses, it was obvious that eCommerce offered the potential of reaching new markets, thus increasing user bases, revenue and (hopefully) profit. For consumers, the potential lay in the expected increase in competition, which could lower prices, improve service and offer more choices. However, as with any other form of social interaction, eCommerce also offered the possibility of abuse. The availability of personal information led to an increase in ID-related crimes, as privacy sensitive information suddenly became more vulnerable and more valuable than ever before.

A woman in Liège, Belgium discovered the truth of this assessment in February 2000, when her phone and e-mail were all of a sudden overrun with rather explicit romantic proposals from complete strangers. A brief investigation revealed that her vindictive ex-boyfriend decided after their painful break-up to assume her identity and express an interest in amorous adventures on an on-line dating forum, using a message that included her number and e-mail address. Suffice it to say that the culprit was quickly arrested, and soon thereafter convicted for forgery and stalking. Although the facts themselves are trivial enough, this decision is still interesting from a legal perspective, as the penalisation of neither crime (forgery or stalking) was specifically drafted with the internet or ID crimes in mind. In fact, the Belgian Penal code specifically requires the use of a writing (nl: geschrift; fr: écriture) in order for a given set of facts to qualify as a forgery. Nonetheless, the judge in this case decided to interpret this requirement in a flexible manner, and decided that assuming another one’s identity in an on-line forum without their consent could constitute forgery. Thus, existing general legislation was considered to be sufficient as a framework for sanctioning this instance of ID theft.

Of course, this particular case was fairly trivial, having neither large financial consequences for its victim, nor any real benefit for the perpetrator (other than, perhaps, a fleeting sense of satisfaction). However, the ease with which an alternate identity could be assumed in a social context is already indicative for the potential damage that ID crime can have. Besides its obvious boons, eCommerce offers the possibility of a fairly low risk crime, where low investments can potentially yield larger gains than more traditional forms of fraud. We shall take a closer look at these more serious crimes and their financial impact below.

That the prevalence of ID crimes is increasing is a fairly generally accepted fact, as indicated above. However, the size of this increase (or indeed, the prevalence and magnitude of the crimes themselves) are to a very large extent unknown. The two most major problems in accurately assessing the size of the problem lies both in the definition of ID-related crime and in the large dark number. The result is that statistics underestimate the prevalence and can not be compared on an international level.

As a quick indication, the US Federal Trade Commission claimed in February 2005 that ID fraud now affects 10 million Americans each year, and had a dollar volume of 52,6 billion dollars in 2004 (roughly 40,3 billion €). The exact meaning of both numbers is not explained. By way of comparison, a recent Gartner US survey stated that more than 1.4 million people have been victims of identity fraud, costing banks and credit card issuers $1.2 billion in 2003 in new account, checking account and credit-card fraud (Litan, 2004). Even keeping into account the difference in terminology, the discrepancy between both figures adequately demonstrates the lack of reliable metrics in this field.

As mentioned above, this increase in ID crime is a natural consequence of the increasing cash flow in eCommerce. This, in turn, is a consequence of consumers’ growing confidence in electronic payment transactions. To a large extent, this newfound confidence is not purely the result of natural market trends (i.e. consumers slowly becoming aware of the potential advantages of on-line transactions), but also of deliberate attempts to stimulate this new form of business. On a European scale, this becomes evident with only a passing glance at the eCommerce legal framework. As early as 1997, the European Commission declared the promotion of a favourable (e)Business environment to be a top priority, stating that the creation of consumer awareness and confidence was an essential part of such an environment. Additionally, a series of directives was passed that were intended specifically to achieve this goal of consumer confidence, by granting consumers an unprecedented level of protection in on-line transactions. One can only conclude that encouraging on-line transactions has (rightly) received a great deal of European attention. However, it appears that the same attention has not been given to protection against on-line ID crime.

This is unfortunate, as this means that consumers are less likely to be informed of on-line risks than of on-line benefits (the second condition mentioned in the introduction), possibly resulting in a false sense of security. As consumers become increasingly aware of the relative safety of electronic payments (both in an on-line and off-line context) criminal opportunities are augmented, and successful fraud schemes become largely a matter of acquiring and efficiently manipulating personal data.

One of the sectors that has been forced to become aware of this problem quite rapidly is eBanking. The reasons for this are apparent: users of eBanking are, by definition, at ease with sending important personal information over a network; and their data potentially allows access to larger sums of money, since damages in the case of eBanking ID theft are not necessarily limited to a single transaction. As such, eBanking is a model target for ID criminals, offering large rewards for a relatively small effort.