Resources
Identity Use Cases & Scenarios.- FIDIS Deliverables.
- Identity of Identity.
- Interoperability.
- Profiling.
- Forensic Implications.
- HighTechID.
- D3.1: Overview on IMS.
- D3.2: A study on PKI and biometrics.
- D3.3: Study on Mobile Identity Management.
- D3.5: Workshop on ID-Documents.
- D3.6: Study on ID Documents.
- D3.7: A Structured Collection on RFID Literature.
- D3.8: Study on protocols with respect to identity and identification – an insight on network protocols and privacy-aware communication.
- D3.9: Study on the Impact of Trusted Computing on Identity and Identity Management.
- D3.10: Biometrics in identity management.
- D3.11: Report on the Maintenance of the IMS Database.
- D3.15: Report on the Maintenance of the ISM Database.
- D3.17: Identity Management Systems – recent developments.
- D12.1: Integrated Workshop on Emerging AmI Technologies.
- D12.2: Study on Emerging AmI Technologies.
- D12.3: A Holistic Privacy Framework for RFID Applications.
- D12.4: Integrated Workshop on Emerging AmI.
- D12.5: Use cases and scenarios of emerging technologies.
- D12.6: A Study on ICT Implants.
- D12.7: Identity-related Crime in Europe – Big Problem or Big Hype?.
- D12.10: Normality Mining: Results from a Tracking Study.
- Privacy and legal-social content.
- Mobility and Identity.
- Other.
- IDIS Journal.
- FIDIS Interactive.
- Press & Events.
- In-House Journal.
- Booklets
- Identity in a Networked World.
- Identity R/Evolution.
 |
Title: COUNTERMEASURES |
 |
Countermeasures
Legal countermeasures
Identity fraud is protected in several ways under French law but not as a specific offence. First of all, identity theft will qualify as an offence in circumstances that lead or could have led to the initiation of a criminal prosecution against such a person (Article 434-23 of the Penal Code). To qualify as a conduct of identity theft under this provision, the thief also has to “assume the name of another person”. As of today, no judgement has been rendered in the sense that the concept of “name” could be understood to include IP addresses, email addresses or pseudonyms.
In most cases, identity theft is only a means to perpetrate other crimes. For this reason, article 434-23 of the Penal Code states that the conviction of identity theft is cumulative with other sanctions. This article is however hardly used in legal actions against online identity fraud. Other crimes provide better grounds for prosecution.
Indeed, in many cases, the sole act of assuming the name of another person will qualify as an offence. For example, offences such as fraud (article 313-1 Penal Code), forgery (article 441-1 Penal Code) or public defamation (Article 29 of the Press Act of 29 July 1881) could be mentioned. In a 2004 judgment, the First Instance Tribunal of Paris sanctioned a perpetrator of a phishing attack on the basis of fraudulent representation. The convict had mirrored a bank website and managed to order transfers of funds from his victims’ bank account.Other crimes prove useful for sanctioning identity-related crimes. Such is the case for unauthorised access to automated data processing systems (Article 323-1 Penal Code), mainly used as a legal basis in IP spoofing or in sniffing; brand counterfeit (Article L713-1 of Intellectual Property Code), phishing being here an example of a conduct that could be punished under this article; or fraudulent breach of trust (Article 314-1 Penal Code). In that sense, in the aforementioned judgment, the offender was also convicted for attempted fraud and fraudulent access to an automated data processing system; he received a suspended prison sentence of one year and a fine of 8,500 euros.
It is worth mentioning that, lately, some jurisprudence has also sanctioned phishing on the basis of brand counterfeit. In a judgment of 21 September 2005, the First Instance Tribunal of Paris convicted an offender who had created a mirror website of the registering page of MSN Hotmail with the aim to collect login and passwords of users to their email accounts on the basis of brand counterfeit. The court considered that this mirror website illegally owned the brand of Microsoft and reproduced and distributed it without prior authorisation. The sanction, however, remains low (500 euros of fine in suspended sentence and 700 euros of damages to be paid to the Company) because of the young age of the offender and the fact that no personal data had been gathered.
The victim of the theft could also hold the fraudster liable in civil proceedings on the basis of the general rules of civil liability. For instance, if the perpetrator of the crime were to reveal part of the private life of the victim using his/her name, he/she could be found liable under article 9 (which acknowledges the right to privacy) and 1382 (general rules of civil liability) of the Civil Code. The most notable example lies in a judgment of the First Instance Tribunal of Carcassonne of 16 June 2006. In this case, a woman used different pseudonyms in a dating service website and described herself as an “easy woman willing to have sexual relations”. She provided her colleague’s contact details who started receiving numerous messages from individuals eager to meet her. This led her to fall into a depression and to ask for a sickness leave. The woman was deemed liable for voluntary duress (“violences volontaires”) with premeditation and had to compensate both her victim and the Public Health Insurance.
Finally, according to part of the doctrine, civil liability could even exist without any misconduct. The mere use of the name of third parties without their prior consent could be the basis for a tort action. This doctrine is based on an old judgement of 1965 which states that identity theft victims should be protected from any theft of their name even if the victim is not ‘damaged’ in any sort of way. However, as of today, no jurisprudence in that sense has been pronounced.
Finally, it is worth mentioning a Bill presented in July 2005. This proposal tried to introduce a new crime (and thus the identity theft terminology) into the Penal Code entitled “digital identity theft on electronic communications networks”. This Bill would have made punishable everyone assuming the identity of another person, company or public authority, in an electronic communication network, with a prison term of up to one year and a fine of up to 15.000 euros. On the basis that “identity is what forms the legal existence of a person”, the proposal intended to address identity theft in the “virtual world”. Its author argued that in the “real world” identity mainly consisted out of the information written in the Civil Registry and is protected as such by French law. However, in the “virtual world”, identity is a broader concept with undefined borders. Identity could be materialised by “identifiers”, e.g., a login and a password, elements not acknowledged by French law as part of the legal identity of a person. This law proposal would actually be useful in cases where the identity fraud were not intended for fraudulent representation or without any fraudulent access to an automated data processing system. As mentioned above, the other cases are actually covered by the provisions of the Penal Code.
The Bill was rejected, however, because the government in place at the time considered identity theft sufficiently covered under existing French law. Nevertheless, in a recent discourse about the next measures the government will take to fight cybercrime, the Ministry of Defence has mentioned the introduction of a new offence punishing on-line ID theft with a prison term of one year and a fine of up to 15.000 euros.
| |
   |
|
| 13 / 34 |
