Resources
Identity Use Cases & Scenarios.- FIDIS Deliverables.
- Identity of Identity.
- Interoperability.
- Profiling.
- Forensic Implications.
- HighTechID.
- D3.1: Overview on IMS.
- D3.2: A study on PKI and biometrics.
- D3.3: Study on Mobile Identity Management.
- D3.5: Workshop on ID-Documents.
- D3.6: Study on ID Documents.
- D3.7: A Structured Collection on RFID Literature.
- D3.8: Study on protocols with respect to identity and identification – an insight on network protocols and privacy-aware communication.
- D3.9: Study on the Impact of Trusted Computing on Identity and Identity Management.
- D3.10: Biometrics in identity management.
- D3.11: Report on the Maintenance of the IMS Database.
- D3.15: Report on the Maintenance of the ISM Database.
- D3.17: Identity Management Systems – recent developments.
- D12.1: Integrated Workshop on Emerging AmI Technologies.
- D12.2: Study on Emerging AmI Technologies.
- D12.3: A Holistic Privacy Framework for RFID Applications.
- D12.4: Integrated Workshop on Emerging AmI.
- D12.5: Use cases and scenarios of emerging technologies.
- D12.6: A Study on ICT Implants.
- D12.7: Identity-related Crime in Europe – Big Problem or Big Hype?.
- D12.10: Normality Mining: Results from a Tracking Study.
- Privacy and legal-social content.
- Mobility and Identity.
- Other.
- IDIS Journal.
- FIDIS Interactive.
- Press & Events.
- In-House Journal.
- Booklets
- Identity in a Networked World.
- Identity R/Evolution.
 |
Title: EXECUTIVE SUMMARY |
 |
Executive Summary
Identity-related crime can be defined as all punishable activities that have identity as a target or a principal tool. In the FIDIS typology, identity-related crime is a container concept for different forms of crime, including identity fraud and, the most conspicuous, identity theft: using the identity of another existing person, without her consent, for a fraudulent purpose.
In the United States, identity theft has become a household word, and media continue to tell fear-igniting stories of stolen identities. The actual size of the problem, however, is contested, so that identity theft might be a hype rather than a big problem in real life in the US. In recent years, the problem – or the hype – and the subsequent need for policies and countermeasures have spread from the US to other areas, including Europe. The real extent of the problem in Europe is unknown. Rather than relying on (contested) US data and concerns – which may or may not be quite specific for the US situation – a description of actual European prevalence of identity crimes will help put our concerns about identity theft in perspective.
This report tries to help provide such a picture by shedding light on the situation in Belgium, France, Germany, and the United Kingdom; these countries have been chosen as EU Member States that have a policy debate about identity-related crime, so that a certain amount of reports and data are available. In each country chapter, a picture of the prevalence of identity theft and other forms of identity-related crime is sketched, as well as information on vulnerabilities and countermeasures. Altogether, this report provides a first indication of the prevalence of identity theft in Europe, on which subsequent studies can build.
The resulting picture is, unfortunately, only a piecemeal one: studies appear scarce, and most authors point out how the lack of a separate criminal provision makes it more complicated to gather information on the problem, since crimes are not being specifically reported or registered as identity-related crime. Moreover, uncertainty and unclarity about definitions are dominating themes in many discussions with regard to identity theft. The unclarity about definitions and about the actual prevalence of identity theft prevent policy makers, or so they claim, to take action.
Nevertheless, the contours of our picture of the European prevalence of identity-related crime shimmer through the available data and reports. Document fraud is an on-going concern, with tens of thousands of cases yearly in countries like Belgium and France. The traditional forms of document forgery have been supplemented more recently with look-alike fraud, which is a major concern in several countries.
However, in the past few years, a shift is occurring from document and look-alike fraud to online forms of fraud, in particular financial identity fraud or identity theft. Phishing – which traditionally relies on luring ICT users by deceptive email messages to false websites – seems to be increasingly replaced by covert forms of fraud, in particular by botnets that assemble identity and personal data from infected computers.
Altogether, identity-related crime, particularly document forgery, look-alike fraud, and computer-related financial identity theft, are significant forms of crime that are on the rise. There is insufficient empirical evidence to call it a big problem yet, but the upward trend warrant taking expeditious measures to prevent it becoming a big problem in the first place.
Like the US, European countries are indeed taking countermeasures to combat identity-related crimes. This part of the picture is fairly clear and largely similar for the European countries studied. Rather surprisingly in view of regulatory traditions, in Europe, legal measures are much less prominent than in the United States. Criminal law has not been adapted to accommodate identity crimes specifically; to a very large extent, existing provisions are an adequate basis for prosecuting identity-related crime. Apart from criminal law, other legal areas, like data-protection law and tort law, can also be used.
Other legislative measures taken in the US, like free credit reports, seem rather specific for the US situation. Some measures, for example mandatory truncation of credit card numbers on receipts, may nevertheless be valuable in Europe as well. Particularly laws requiring security breach notification have recently also become an issue in Europe. Such a system requires organizations to provide their customers with notification whenever they have lost personal information. This is a promising measure, although the danger of individuals becoming immune to frequent notifications must be taken into account.
Measures like those imposed in the US by legislation are often taken by the financial sector itself, or by public-private partnerships, in Europe. Financial institutions are acutely aware of the threat of identity theft, and they take the lead in enhanced technical and organizational security measures. Unlike in the US, these do not necessarily have to be backed up by legislation. A wide panorama of measures is visible, consisting of awareness raising campaigns, complaint centers, and innovative technical measures like virtual dynamic cards or enhanced transaction authentication numbers. Some potential solutions, however, are opposed by merchants and banks for economic reasons, suggesting that market failure – one of the reasons for the US to impose legal obligations – may not altogether be absent in Europe.
Welcome as all these countermeasures are, there is a snag. One countermeasure consistently showing up is to introduce general-purpose electronic identity cards and numbers, often backed up by biometrics, aimed at preventing document or look-alike fraud. The downside of such measures is that they introduce considerable vulnerabilities: as the resulting identification infrastructure comes to rely heavily on the unique eID method, the risk of identity theft actually rises, and the burden of proving being a victim of identity theft becomes heavier as the system is supposedly more secure. Thus, general-purpose eID cards and numbers to curb document fraud are a two-edged sword, and governments need to carefully consider and monitor emerging side-effects.
Perhaps the most important lesson of this report’s survey is that countermeasures to combat identity-related crime are not always targeted at relevant vulnerabilities in the identification infrastructures. Europe has wisely chosen not to follow the United States too closely in choosing countermeasures, since identity theft in the US most likely stems from US-specific vulnerabilities in the financial system and market orientation, with its epidemic data brokers and lack of private-sector verification. However, a closer look is needed at vulnerabilities in the European situation itself. The current policy debate sometimes focuses still too much on document fraud and too little on online financial identity theft, and a comprehensive plan of attack to combat phishing by botnets rather than by fake websites has yet to be developed.
Therefore, rather than continue to harp on about generally accepted definitions, lack of data, and whether or not to start registering identity-related crime before countermeasures can be taken, a better approach to address the threat of identity-related crime may well be to start conducting more in-depth studies of the strengths and weaknesses of European financial and identification infrastructures in the information society. Now that identity theft is past the stage of big hype in the US, there is yet time to prevent it becoming a big problem in Europe.
| |
   |
|
| 2 / 34 |
