D5.2b: ID-related Crime: Towards a Common Ground for Interdisciplinary Research

Title: LEGAL ASPECTS

In this chapter, we provide a first analysis of the legal framework with respect to ID misuse, or ID-related crime in the online world. We will focus on the EU framework, as provided by the various E-society directives, as well as look closer to national legislation in some of the EU member states. We will draw examples of ID misuse from commercial transactions. The potential value of successfully offering e-services and selling goods online is huge and the market grows as it partially replaces the offline market. The value of identification data in online interactions is increasing rapidly, as is the potential to do damage when this data is abused. 

The potential for damage is further increased by the fact that generally electronic identification techniques are not secure, so that identity fraud is technically not too challenging for potential criminals; and a basic understanding of security techniques by average users is lacking, so that they are unaware of security risks and potential pitfalls. For example, the relative insecurity of e-mail (which has no reliable authentication mechanism integrated in its core functionality) means that an e-mail recipient can never be certain that an e-mail actually originated from the indicated sender. This basic requirement can only be met by using additional techniques, like digital signing, which also increases the complexity of e-mail communication somewhat. The lack of general public acceptance of these security techniques means that the average person still uses unauthenticated e-mail, which is a great facilitator to identity fraud in e-mail traffic. 

Another factor is the lack of user awareness of the risks of on-line transactions. For example, many eBanking clients promptly provide their login and password whenever requested to do so in a mail message appearing to stem from the bank. Such a message should trigger caution, as there is no reason for their bank to ask for their user data as this data originates from the bank and is therefore already stored in their databases. Only when users subsequently find their accounts severely depleted several days later do they raise an eyebrow. 

Also the legal framework leaves things to be desired. For instance, the phishing for data as described in the previous chapter is not a crime in many jurisdictions. It may be punishable under all sorts of legal provisions, but there is a relatively large amount of uncertainty if the behaviour is indeed punishable, and if so under which provisions.  

The conditions outlined are, to a large extent, factors of time: eventually, more secure techniques will find their way to the general public, and more users will know better than to send important data to strangers and lacunae in legislation will be fixed. But in the mean time, it is interesting to see what practical problems exist, and what effect the actions of our legislators (both on a European and on a national level) are having. This is the question that this chapter tries to resolve: are current identity crime policies effective, and could the actual situation be improved by modifying the legal framework?