Conclusion

In the United States, the debate about identity theft took on such proportions in the past decade that it came close to a hype. Although there was, and is, sufficient empirical evidence that financial identity theft in particular is indeed a problem in the US, media reports and movies, as well as many research reports and articles, outdid each other in calling it the fastest growing crime or the biggest crime of the information age. Such epithets were, and are still, hard to underpin with data about real-life occurrences of identity crime, not least because of conflicting assessments of available data. Slowly but surely, and true to the nature of a hype cycle, the US debate seems to get back to more realistic proportions.

In the wake of US reports, hyperboles for identity theft like ‘the fastest growing crime’ also start showing up in Europe, and reports and articles about identity crimes are mushrooming. The debate is not at a ‘peak of inflated fears’, to paraphrase the hype cycle: with relatively low-key attention in the general mass media or in discussions in the pub, it is not a big hype in Europe – yet. Nevertheless, the attention to identity theft is growing fast. Is this warranted by reality, and is it becoming a true problem in Europe as well as in the United States?  

This report has tried to sketch a picture of the actual European prevalence of identity crimes, in order to help put our concerns over identity-related crime, in particular identity theft, in perspective. The result is, unfortunately, only a piecemeal picture: studies appear scarce, and most authors of the country chapters point out how the lack of a separate criminal provision makes it more complicated to gather information on the problem, since crimes are not being specifically reported or registered as identity-related crime.  

Alongside the lack of specific provisions in criminal law, terminology and concepts are far from clear in most countries. The terms ‘identity theft’ and ‘identity fraud’ are often used, but with potentially differing interpretations. The FIDIS network has tried to develop a clear and consistent typology and terminology of identity-related crime, but this is one of many definitional studies that have not yet yielded an authoritative, generally accepted definition. In fact, uncertainty and lack of clarity are dominating themes in many discussions with regard to identity theft. The lack of clarity about definitions and about the actual prevalence of identity theft prevents many officials within both the public and the private sector, or so they claim, from taking action.

Nevertheless, the contours of our picture of the European prevalence of identity-related crime shimmer through the available data and reports. Document fraud is an on-going concern, with tens of thousands of cases yearly in countries like Belgium and France. The traditional forms of document forgery have, perhaps because of better security features in documents, been supplemented more recently with look-alike fraud, which is a major concern in several countries.

However, in the past few years, a shift is occurring – at least in policy debates if not also in practice – from document and look-alike fraud to online forms of fraud, in particular financial identity fraud or identity theft. In Belgium, for example, Nigerian scams and phishing, although still limited in number, are mushrooming, and Germany appears to be the major host in Europe of phishing websites. Moreover, phishing – which traditionally relies on luring ICT users by deceptive email messages to false websites – seems to be increasingly replaced by covert forms of fraud, in particular by botnets that assemble identity and personal data from infected computers. In Germany, Trojan-infected computers already seem to account for 90% of phishing attacks.

Altogether, identity-related crimes, particularly document forgery and look-alike fraud as well as computer-related financial identity theft, are significant forms of crime that, particularly for the latter, are on the rise. There is insufficient empirical evidence to call it a big problem yet, but the upward trend that is perceptible warrants taking expeditious measures to prevent it becoming a big problem in the first place.

Like the US, European countries are indeed taking countermeasures to combat identity-related crimes. This part of the picture is fairly clear, and it is largely similar for the European countries studied in this report.  

Rather surprisingly in view of regulatory traditions, in Europe, legal measures are much less prominent than in the United States. Criminal law has not been adapted to accommodate identity crimes specifically; existing provisions – both traditional ones like theft, fraud, and forgery, and newer ones relating to cybercrimes – are considered an adequate basis to prosecute identity-related crimes. Only in very few cases, when no fraud or damage has occurred, does an identity-related crime not seem to be punishable. The main exception is the United Kingdom, which introduced its notable Fraud Act of 2006. The Act does not literally mention or introduce identity theft or identity fraud as a separate crime category, but it does introduce provisions which are extremely applicable to incidents of identity-related crime. Furthermore, at the European level, the European Commission has been discussing the potential for an overarching criminal provision identifying identity theft as a separate crime for quite some time. Whether such a provision will actually be introduced at the European level remains unclear and rather speculative.  

Apart from criminal law, other areas of law may also serve to prevent or address identity crimes, such as data-protection law where data controllers can sometimes be held liable for data breaches, and tort on the basis of abusing someone’s name. The European Union is perhaps also following the American lead with regard to this type of countermeasure. On a more national level, the United Kingdom is certainly considering similar provisions as a result of several data losses within both the public and the private sector.

What is more, the US have taken other legislative measures, including the Gramm-Leach-Bliley Act that imposes security measures, laws such as FACTA, which increase organizational responsibility, and security breach notification laws. These seem rather specific for the US situation. Security measures for personal data, since the Data Protection Directive of 1995, have been imposed in Europe generally, unrelated to identity crimes, on data processors. The FACTA type of measures, like free credit reports, seem particularly relevant in the US context, where credit cards are very easy to get and where credit reports are vital for people’s long-term financial abilities; in the European market, such measures may not be necessary. However, the mandatory truncation of credit card numbers on receipts, included in FACTA, has also been recommended in France and may be a valuable measure in Europe as well.  

Compulsory security breach notification has only very recently become an issue in Europe. Such a system requires organizations to provide their customers with notification whenever they have lost personal information. In Germany, a Bill to that effect has been proposed in parliament, although it is unlikely to be adopted. In a thorough information security study from economic and empirical perspectives, ‘a comprehensive security-breach notification law’ was recommended for Europe. Peter Hustinx, European Data Protection Supervisor, wants such legislation to go beyond telecoms and ISPs. As he states, “providers of public electronic communication services in public networks but also to other actors, especially to providers of information society services which process sensitive personal data (e.g. online banks and insurers, on-line providers on health services, etc.).” The strong support for breach notification rests on arguments quite similar to those offered by advocates in the US. Breach notification provisions, according to the advocates, hold organizations accountable and also ‘force’ them to implement better security standards, which subsequently will provide better protection for personal information and will also prevent breaches from occurring. Whether the legislation will actually work like this in practice remains a question which only time can answer. A danger, however, remains that individuals become immune to the notifications and as such do not place any value on the incident itself, which means the need for organizations to alter their ways becomes less apparent.

Despite the US-specificity of the legal measures discussed, the picture emerging from our survey suggests that measures like those imposed in the US by legislation, are often taken by the financial sector itself, or by public-private partnerships, in Europe; a notable exception is the United Kingdom, even though the private sector is rather active in that territory as well. Financial institutions are acutely aware of the threat of identity theft, also in view of the reliability of the entire financial system, and hence they take the lead in enhanced technical and organizational security measures. Unlike in the US, these do not necessarily have to be backed up by legislation. A wide panorama of measures is visible, consisting of awareness raising campaigns and organizational measures like consultation platforms and complaint centers, as well as technical measures such as enhanced information security standards and innovative techniques like virtual dynamic cards (in France), homebanking computer interface (HBCI) and its follower FinTS, and enhanced transaction authentication numbers, eTAN and TANplus (in Germany). Some potential solutions, however, like the 3D secure system, are opposed in France by merchants and banks for economic reasons, suggesting that market failure – one of the reasons for the US to impose legal obligations – may not altogether be absent in Europe. 

Welcome as all these countermeasures are, there is a snag. One countermeasure consistently showing up is to introduce general-purpose electronic identity cards and numbers, often backed up by biometrics, aimed at preventing document or look-alike fraud. The downside of such measures is that they introduce considerable vulnerabilities: as the resulting identification infrastructure comes to rely heavily on the unique eID method, the risk of identity theft actually rises. If someone is able to appropriate someone’s eID, the damage for the victim is all the larger as the system is used for ever more government services, and perhaps for commercial purposes as well, since the private sector is ready to embrace secured government-introduced identification mechanisms. Moreover, the burden of proving that one is a victim of identity theft becomes heavier as the system is supposed to be more secure. The incidence of identity theft in countries with all-purpose identification infrastructures may be limited, but the potential damage for victims is huge. Thus, large-scale secured eID cards and similar measures to curb document fraud are a two-edged sword, and governments need to carefully consider and monitor emerging side-effects. Sectoral identification infrastructures with sector-border control might turn out to be a more prudent balance between preventing document fraud and preventing identity theft.

Perhaps the most important lesson of this report’s survey is that, although it seems evident that countermeasures to combat identity-related crime should be targeted at relevant vulnerabilities in the identification infrastructures, this is not always the case. Europe has wisely chosen not to follow the United States too closely in choosing countermeasures, since the prevalence of identity theft in the US most likely stems from vulnerabilities in the US financial system and market orientation that are specific to the US situation, with its epidemic data brokers and lack of verification in the private sector. However, a closer look is needed at vulnerabilities in the European situation itself. The current policy debate sometimes, for example in France, focuses perhaps still too much on document fraud and too little on online financial identity theft, and a comprehensive plan of attack to combat phishing by botnets rather than by fake websites has yet to be developed.  

Therefore, rather than continue to harp on about generally accepted definitions, the lack of data, and whether or not to start registering identity-related crime incidence before countermeasures can be taken, a better approach to address the threat of identity-related crime may well be to start conducting more in-depth studies of the strengths and weaknesses of European financial and identification infrastructures in the information society. Now that identity theft is past the stage of big hype in the US, there is yet time to prevent it becoming a big problem in Europe.  

 

 
