COUNTERMEASURES

Criminal law

Belgium has in principle no specific legal provision which criminalizes identity fraud/theft as such, understood as ‘fraud or another unlawful activity committed with identity as a target or tool for illegal activities’. Article 231 of the Penal Code (see below), however, can be seen as an article which comes close to a provision criminalizing identity fraud, understood as ‘unlawful identity creation’ and, in some cases, ‘identity theft’ (both in the category of ‘unlawful identity change’). Furthermore, several other provisions in (mainly) the Penal Code punish activities related to identity theft/fraud. Legal provisions which criminalize activities related to identity fraud/theft are the following.

i) Adoption of a false name (‘valse naamdracht’ or ‘aanmatiging van naam’) (Article 231 Penal Code) 

In the Belgian Penal Code, article 231 penalizes ‘adopting in public a name which does not belong to oneself’ (‘valse naamdracht’ or ‘aanmatiging van naam’). The article was introduced with the adoption of the Penal Code by Act in 1867 and is part of Title III ‘Criminal offences against the Public Trust’ and in particular of a Chapter which penalizes the unlawful adoption of functions, titles, or names. The purpose of the legislator was to abolish uncertainty with regard to someone’s identity. The article is related to public order (‘openbare orde’). Three elements have to be combined: (1) the adoption of a name, (2) in public, and (3) the name should not belong to oneself. In addition, one shall do this ‘knowingly’ (‘wetens en willens’).

Some authors state that the first element, which requires the individual to ‘adopt a name’ (‘aanmatiging van een naam’), only refers to the family name, but this is unclear. The Supreme Court has stated that it is sufficient that someone uses a nickname which is not on his certificate of birth or that someone wants somebody else to believe that the false name is his own name. It is hence irrelevant for this criminal offence whether the name is the name of someone else or not, but rather essential that it is not the name as mentioned on the birth certificate.

There is also some confusion with regard to the second requirement of adopting a name ‘in public’. The use of a false name for registration in a hotel register has been considered to fall under this qualification, even though such hotel registers are in principle not public documents. Therefore, some hold that it is sufficient that there is a certain degree of publicity whereby the adoption of the name is visible.  

The third requirement is that the name should not belong to oneself. As stated before, it is not required that the name should belong to someone else. The use of a purely fictitious name is sufficient. It is not required that third persons are involved or incur negative consequences. It is not required for this offence that one has the intention to hide his identity; merely using a false name is sufficient.

Article 231 of the Penal Code covers in fact a rather broad area of use of a false name. The article refers to some extent to the category of acts of unlawful identity change as described and defined in the FIDIS typology. It is not exactly the same, because for the application of article 231, the mere change of identity in public is sufficient and does not require other crimes or unlawful activities committed with this new identity. The use by someone of a (family) name other than the one mentioned on the birth certificate in chat rooms on the Internet, for signing comments in an electronic visitor’s register of a website or even in an e-mail address, would in principle be sufficient for criminal liability. The principle that criminal provisions should not be interpreted in an analogous way does not seem to prevent the application of this article to cases in an online environment. Article 231 Penal Code seems to have been invoked in prosecutions 1400 times in 2000, increasing to 2100 cases in 2004.

ii) Theft (‘diefstal’) (Article 461 Penal Code) 

Article 461 of the Penal Code states that someone commits theft if ‘he takes away a thing which does not belong to him’. Such theft has to be done with malicious intent. The theft of someone else’s identity as such encounters problems under this article. First of all, theft is traditionally understood as the taking away of a material thing. Unless the identity papers also have been stolen, there is a problem with the theft of ‘identity’ in the sense of the identity of someone else as attributed in the certificate of birth, and further built up by that person over time by registration in the social security registers, other governmental agencies, banks, etc. Courts, however, have been creative in the interpretation of theft, and have for example in the case of hacking of a computer (before the Act of 28 November 2000) accepted the theft of electricity. Whether courts would have the same attitude towards the theft of identity, is uncertain.

iii) Forgery of documents, informatics and telegrams and use thereof (‘Valsheid in geschriften, in informatica en in telegrammen’) (Article 193 et seq. Penal Code) 

Someone commits a crime if he changes with fraudulent intent or with the intent to harm the truth in documents specified in the Penal Code or if he makes use thereof (Article 193 through 212 Penal Code). These articles specify four categories of documents: (a) authentic and public documents, commercial or bank documents and private documents, (b) travel documents, permits to be armed, labour booklets, travel orders and certificates, (c) informatics systems, and (d) telegrams. The documents (or systems) which are protected are documents (or systems) which confirm a specific act or fact and which are relevant for the public trust. Forgery in informatics was added to this list (article 210bis Penal Code) by the Act of 28 November 2000 on computer crime. Article 210bis criminalizes fraud in legally relevant data stored in an informatics system by entering, changing, deleting or modifying by any other technological means the use of such data. Log books and data of e-mail messages could qualify as such legally relevant data.

iv) Abuse of confidence and misappropriation (‘Misbruik van vertrouwen en verduistering’) (Article 491 through 495bis Penal Code; Article 240 Penal Code)

The provisions of the Penal Code with regard to the misappropriation or embezzlement with fraudulent intent of handed over (for return) ‘goods, money, commercial goods, notes, receipts, writings of whatever kind, which contain or create an obligation’ with possible detrimental consequences may in specific circumstances also be relevant for identity fraud (see articles 491 through 495bis Penal Code). In addition, a similar crime of misappropriation exists for persons acting in a capacity as public official.

Because the misappropriation requires in principle a material good (and not immaterial goods such as ‘identity’), the application of these criminal provisions to identity fraud cases will be limited to those cases in which an identity document has been handed over (for example, the temporary handing over of an identity card as caution for the rental of a bike) and misappropriated (for example, when the identity document is not returned or photocopied). It might however also apply to cases in which for example the data of credit cards are misused when the card is temporarily handed over, for example, for payment in a restaurant. 

v) Fraud (‘Oplichting en bedriegerij’) (Article 496 through 504 Penal Code) 

Identity-related crimes involve the gathering of identity data of others or creating new identity data and, in a second stage, the using of these data in some unlawful way. If the intent is to obtain the handing over of money, goods, obligations, receipts or debt releases belonging to others, in a fraudulent way, including by the use of false names or functions, or by the use of deceitful tricks (‘listige kunstgrepen’), one commits fraud (‘oplichting en bedriegerij’). Phishing may fall under this article if the mails and other tricks are material for obtaining money or goods (e.g., the phishing of the username and password for obtaining access to an online banking account).

vi) Fraud in informatics (‘Informaticabedrog’) (Article 504quater Penal Code)

By Act of 28 November 2000, several computer crimes have been defined and introduced in the Penal Code. Article 504quater of the Penal Code criminalizes the act (and the attempt) of obtaining an illicit economic advantage for oneself or for a third party by inputting data in a computer system, changing such data, deleting or changing the normal use of such data by any other technological means with fraudulent intent.

Legal provisions relating to offences against the confidentiality, integrity and availability of computer data and systems 

vii) Computer hacking (‘Hacking’) (Article 550bis Penal Code) and sabotage of data and informatics (‘Data- en informatica sabotage’) (Article 550ter Penal Code)

If one accesses a computer system or part thereof without authorization, from the outside (external hacking, in which case it is sufficient to know that one accesses the system) or from the inside by someone who exceeds his authorization (internal hacking, in which case fraudulent intent or the intent to harm is required), he commits the crime of computer hacking (Article 550bis Penal Code). If one deletes or damages data in a computer system, with the intent to obtain illicit gain or with malicious intent, he is committing data sabotage (Article 550ter Penal Code). Producing, possessing, selling, obtaining, importing or distributing tools, including software tools, which facilitate such crimes is also punishable.  

The crime of hacking will occur in many cases of online identity-related crime. In a criminal case before a Belgian court, where someone (with the intention to show a bank the weak or absent security measures of its Internet banking system) had hacked the beneficiaries’ list of an internet banking user and changed one beneficiary on this list (with the message ‘Hacked Bacob is aware of the problem’), article 550bis Penal Code was applied.

Legal provisions relating to the secrecy of communications  

viii) Wiretapping of private communications (Article 259bis and 314bis Penal Code)  

By Act of 30 June 1994 penalizing wiretapping, penalties are provided for the crime of interception of a private communication between other parties during the transfer thereof and the use of such interception, by public officials or civil servants in the execution of their functions, in cases not foreseen by law (Article 259bis Penal Code). A similar provision sanctions interception and use thereof by other persons (Article 314bis Penal Code).

The interception of communication over the Internet (such as the communication with a web server) for purposes of identity-related crimes, such as obtaining usernames and passwords, and the use of the information obtained in such way, is hence penalized.  

ix) Secrecy of the existence and details of a communication (Article 124 Electronic Communications Act) 

The existence of an electronic communication amongst third persons, including the identification of the persons involved and other related data, shall remain secret, and the taking knowledge thereof or the intentional use or revealing of such information is a crime (Article 124 Electronic Communications Act).  

This article (in its previous version of article 109terD) has been applied by the courts in the case ReDaTtack where someone had, through the use of an e-mail account of someone else, downloaded details of payment transactions of clients of Internet banking services of a large bank and had sent this information to the press. Usernames, passwords and pin codes which were obtained by the hacker, were in the decision qualified as ‘data relating to the communication’.  

Conclusion

‘Nullum crimen sine lege’ (‘No crime without legal provision’) is one of the basic principles of penal law. This principle could be invoked by criminals because there is in Belgium no specific legal provision which criminalizes identity theft/fraud as such. However, perpetrators of identity-related crime will in many cases be punishable under one of the legal provisions discussed above. Authors who have analysed identity-related crimes under the aforementioned articles have concluded that, despite the lack of a specific legal provision which criminalizes identity theft as such, identity-related crimes can be tackled. We concur only partly with this finding: each relevant article of the Penal Code has specific requirements which may not always be fulfilled. ‘Theft’ in article 461 of the Penal Code, for example, requires the taking away of an object. Interpretation by analogy is not accepted. In addition, not all aspects of an identity-related crime may always be covered. If for example article 231 of the Penal Code is applied, the aspect of ‘theft’ will not be taken into account. The aforementioned provisions of the Penal Code therefore have their limitations if used to prosecute identity theft/fraud cases.

In addition, victims need to be recognized and their position improved by for example having the possibility to file a complaint, which might be more difficult if there is no evidently appropriate article for the identity-related crime committed in the Penal Code. Nevertheless, the establishment of a central complaint database (which later became the ECops site in 2007) has been a start for this purpose.  

 

Data Protection Law

Other legal countermeasures can be found in the Law of 8 December 1992 on the protection of private life and the processing of personal data (hereinafter the ‘Data Protection Act’) which imposes specific obligations upon the controller and the processor of personal data. Under this Act, they should take appropriate technical and organizational measures for the protection of the personal data, in particular against accidental or illicit deletion, accidental loss, modification, access to and any other unauthorized processing of the data (Article 16 §4). Controllers are also obliged to restrict access to the personal data. Personnel which need personal data for the execution of their tasks shall only be authorized to access data which are needed for their tasks or which are needed for the necessities of the department (Article 16 §2 2°). The controller shall also inform its personnel about the relevant provisions of the Data Protection Act. If the controller engages a processor of the personal data, the liability of the processor shall be agreed in writing (Article 16 §1 3°). 

If the identity-related crime is due to breach of one of these provisions, victims may invoke the Data Protection Act. 

For breach of most of the obligations imposed on the controller and processor by the Data Protection Act, criminal sanctions apply (Chapter 8). Victims can also claim damages from the controller (Article 15bis). The Data Protection Act states that the controller is liable for the damages which are caused by breach of any of the provisions of the Data Protection Act, unless the controller is able to prove that he is not responsible for the fact(s) which caused the damages (Article 15bis paras. 2 and 3).

The Data Protection Act, and in particular the provisions briefly mentioned above, may prove to be an efficient countermeasure against identity-related crime in particular circumstances. For example, if a controller does not apply adequate security measures upon the transfer of personal data to a third party, online or offline, and the personal data are lost or illegally acquired by others, the controller may be (criminally and civilly) liable under the Data Protection Act. Controllers should be made better aware of the responsibility and liability they have for the processing of personal data, and the possible consequences, including identity-related crime which may result from neglecting state-of-the-art security measures. In particular circumstances, the legal provisions may not have the envisaged effect. Controllers often do take adequate and state-of-the-art security measures, but hackers typically try to break state-of-the-art security measures, for example, of an online bank. In other cases, the users may also be negligent, by using copied or not up-to-date software (where detected ‘holes’ are not sufficiently remedied) or by posting their username and password in places where these can be read.

Reference measures for the Protection of each Processing of Personal Data  

The so-called Reference measures for the Protection of each Processing of Personal Data (‘Referentiemaatregelen voor de beveiliging van elke verwerking van persoonsgegevens’) are also important in the fight against identity-related crime. These Reference measures deserve to be briefly mentioned although they are not specifically issued for identity fraud, because they provide generally applicable guidelines for the protection of the processing of personal data. The measures were issued by the Belgian Data Processing Authority (Commissie voor de Bescherming van de Persoonlijke Levenssfeer) some years ago in order to clarify and specify the measures which could or should be taken in furtherance of article 16§4 Data Protection Act. The measures give ten action domains in which controllers and processors of personal data shall take specific action in order to secure the personal data.

Technical countermeasures 

The Belgian eID card 

The government has decided to introduce the eID card for all Belgian citizens aged twelve years and older. The government advocates the use of the Belgian eID card as a tool for a safer Internet use. The eID card should enable the government, citizens and companies to exchange information over the Internet in a secured way. Many companies are in the process of developing software applications for the use of the card. The Minister for Computerization, Mr. Vanvelthoven, has announced that all sites which will use the eID card for authentication purposes will focus on fraud control. The Minister intends to prevent phishing attempts in which criminals want to obtain personal (and credit) data from persons. Without such extra control, ‘all developments relating to e-government become endangered’. The development and the introduction of the eID card for all Belgian citizens and the control over its use are therefore very important in the context of identity-related crime.

The introduction of biometric passports and travel documents 

Belgium will introduce biometric passports in furtherance of European Regulation 2252/2004. This Regulation explicitly states that specific biometric identifiers shall be used to verify whether the holder of the passport is the owner of the travel document. The biometrics are introduced as a technical means to counter lookalike fraud.

Organizational countermeasures 

    Application of ISO standards

The government states that the security of its IT infrastructure is one of its key objectives. All government projects which imply the use of IT infrastructures need to comply with the ISO 17799 standard relating to security. The security measures need to prevent inter alia ‘hacking’ and ‘fraud with personal identity information’.

    The Consultation Platform for Information Security

In order to cope with IT security in general, such as spam, spyware, viruses, botnets and theft of personal data, the federal government […] (‘Overlegplatform voor Informatieveiligheid’) (hereinafter the ‘Platform’, also named by some the ‘Belgian Network for Information Security (BeNIS)’). Many government institutions which have an important expertise with regard to a particular aspect of IT security participate in the Platform. They meet regularly and the Platform coordinates actions by the various institutions.

Belgium also participates in the European Network and Information Security Agency (ENISA) where it obtains expert advice on matters of network and information infrastructure security.

    ECops: A Central Complaint Database

In order to give the Federal Police an overview of all types of identity-related crime and to allow appropriate action, citizens are encouraged to report computer-related crimes. At the initiative of the Minister for Economy, the Federal Department for Economy and the Federal Computer Crime Unit of the federal police have worked together in order to establish a unique central website for the filing of complaints relating to fraudulent activities on the Internet. The website is named eCops (‘Electronic Complaints Processing System’) and has been operational since 2007. ECops is available at http://www.ecops.be/. The goal is to facilitate the filing of complaints by citizens who encounter problems when surfing on the Internet, receiving mails or doing e-commerce transactions and do not know where to report the problem. The claims are automatically transferred by eCops to the competent authority for further investigation. In particular, if the claim relates to an unfair trade practice on the Internet, such as incorrect price announcements or the sending of unsolicited advertisement, the claim will automatically be forwarded to the Federal Department of Economy; if the claim relates to illegal content, a criminal offence or computer crime, the claim will be forwarded to the Federal Computer Crime Unit of the Federal Police. One of the objectives of eCops for the government and the Federal Police is to identify at an early stage new illicit practices on the Internet in order to combat them. This should in turn result in an increased confidence of citizens in the Internet.

    Other central processing of complaints

The Federal Department of Economy also sends claims relating to phishing, which it receives from citizens, to a central database, Consumer Sentinel, which collects complaints relating to transnational consumer problems from over 17 countries.

    Press coverage

At regular intervals, the theme of bank card fraud and Internet fraud in general, sometimes with mention of particular trends such as phishing, is covered in the Belgian press. Such coverage often takes the form of a warning from a governmental body, such as the Cell Consumer fraud of the Federal Department of Economy, or of a report on a particular fraud case.

    Public awareness campaigns

The federal government informs the public at regular times on its federal web portal .be Belgium about the risks of the Internet.

    Unisys awareness study 2007

The awareness of consumers in Belgium about identity fraud has been measured by industry, in particular Unisys, a leading worldwide supplier of information (security) services. Unisys regularly publishes its ‘Unisys Security Index’ which reveals consumer perceptions about financial and personal security. The index is based upon surveys of over 13,000 people in 14 countries, including Belgium (where 1,022 persons were questioned). In October 2007, the Belgian Unisys Security Index stands at 131/300 (where 300 is the highest level of perceived anxiety). Belgium seems to be at an average level for Europeans. From the survey, it appears that especially online security and fraud is a source of concern. 34% of Belgians are ‘extremely concerned’ and 24% ‘very concerned’ about credit/debit card fraud. Furthermore, a majority of Belgians are seriously concerned about unauthorized access to or misuse of personal information (identity theft): 29% are ‘extremely concerned’ and 28% of Belgians are ‘very concerned’. 31% are somewhat concerned, so that altogether 88% of Belgians are concerned about fraud with financial and personal information.

Credit reporting

By Act of 10 August 2001, the central database kept by the National Bank of Belgium with the registration of defaults under credit agreements with consumers and mortgage loans has been reorganized in the Central Database for the registration of Credit agreements to Individuals (‘Centrale voor Kredieten aan Particulieren’) and regulated by law. In the database, the credit agreements concluded by individuals are registered, including any defaults of payment. The database shall be consulted by credit institutions before granting a new credit agreement.

The individuals are registered through a unique National Register number, their name, gender, date of birth as mentioned in their identity document and domicile or place of stay. This should prevent persons from being incorrectly listed (e.g., because of similar names). The credit information shall only be communicated to the persons identified in article 8 of the Act and shall only be used for the conclusion and the management of credit agreements. Although access to the central database is limited, the Privacy Commission stated in its opinion relating to the draft law that the conditions for communicating the information are very general and that abuse remains possible.

 
