Identity theft has evolved globally into a major issue, transcending national borders and winding through multistate proxy networks and diverse rings of conspirators. With the advent of the internet, crime in cyberspace has also increased. Technically, identity theft occurs whenever a person steals another person’s personal information and uses it to commit fraud or any other crime. The internet has always played a major role in disseminating information about identity theft, both about its risks and about how individuals may avoid victimization. The internet has also been recognized as a major contributor to identity theft, because it gives offenders an environment of anonymity and the opportunity to obtain the basic components of other people’s identities.
What exactly is identity theft, and how does it lead to other crimes?
Specifically, this kind of “theft” is linked with the notion of the person. The meaning of identity can be derived from ancient Roman law, where the concept was expressed by the term “persona”, which comes from the Latin words “per” and “sono”, meaning “sound through”, i.e. someone whose voice sounds through the mask. Persona expressed the external side of the individual. Earlier, the concept of personal information was simple, but now it is a more complex system. In modern times, we can conclude that the object of “identity theft” is exactly this part: someone’s social mask. Today it is much easier to obtain someone else’s identity because of this complexity. “Identity” as a concept now includes more personal information, such as gender, first and last names, date and place of birth, father’s and mother’s names, address, etc. Individuals can also be identified by various other information, such as a computer username and password, a blog, a web page, an Internet Protocol (IP) address, bank account details, a PIN code, etc. The more global the world becomes, the harder it is to protect these data, which means that the hazard of personal information being misused for illegal aims is greater.
Until the federal Identity Theft and Assumption Deterrence Act of 1998, there was no accepted definition of identity theft. This statute defined identity theft very broadly and made it easier for prosecutors to conduct their cases. The majority of states have now passed legislation, and the generic crime of identity theft has become a major issue of concern.
Now, there are various definitions of identity theft accepted globally:
- According to the UK Home Office Identity Fraud Steering Committee, “Identity fraud is also known as impersonation fraud. It is the misappropriation of identity (e.g., name, date of birth, current and previous address) of another person without their knowledge or consent.”
- According to 18 U.S.C. § 1028(a)(7), identity theft is committed by whoever “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable state or local law.”
These widely accepted definitions clearly point to the threat to a person’s identity, and these crimes can lead to greater crimes. Conceptually, identity theft can be separated into three distinct phases:
- Obtaining of personal information, for example, through physical theft, through search engines, insider attacks, or phishing and other social engineering techniques,
- Possession and disposal of identity information, including the sale of such information, which plays an important role in the e-underground economy, where credit card information, bank account details and passwords are among the most offered goods,
- Use of that identity information to commit fraud and other such crimes, for example impersonating someone to exploit bank accounts and credit cards, take out loans and credit, order goods and services, or disseminate malware.
HISTORICAL BACKGROUND OF IDENTITY THEFT
Some commentators have recognized cyberspace identity theft as a disaster that will grow day by day. They see it as something that continually grows and becomes more devastating. While not the same thing as an earthquake, tsunami or hurricane, it is a phenomenon that can cause the same magnitude of damage to individuals, businesses and governments (Schreft, 2007). This kind of theft has evolved over the last 35 years to become an identity of its own. According to reports, identity theft in cyberspace is on the rise, since criminals have found how easy it is to transact fraudulent business with the help of the new technologies that are introduced every day (Newman, 2005). Thieves turned to modern and sophisticated techniques, which allowed them to operate anywhere in the world and to swindle thousands of people without being detected. There are significant differences between identity theft in cyberspace and in the real world. One major difference is technique: in cyberspace, the techniques are constantly evolving. Furthermore, cyberspace identity theft can inflict greater economic harm.
For hundreds of years, identity theft has been a gruesome crime, as criminals steal the identity of another person to escape punishment. This generally happens in cases of murder, where criminals steal the name, address, family background, career and even life story of another person. Some moralistic criminals also use the identity of a dead person for their benefit. This tactic is referred to as “ghosting”. By the 1960s, identity theft by phone had become a threat. Many scams have been observed across the world in which criminals call a person and claim that the person has won a lottery, but that to release the winnings they need that person’s bank information. These were a few of the scams referred to when the term “identity theft” was first coined in 1964, according to the Oxford Dictionary. The 1990s introduced home-based internet access. Within 10 years, above 62% of the cases of identity theft recorded by the FTC took place over the internet. These crimes have decreased the physical and emotional involvement of criminals, which made them more appealing. By 2011, hacking using viruses, malware and other methods of unauthorized computer access made up a majority of identity theft.
BACKGROUND OF INTERNATIONAL LAW IN RELATION TO IDENTITY THEFT
Crimes relating to identity theft were increasing year by year until governments stepped in. These types of crime are difficult to trace because, unlike other crimes, they can be perpetrated without face-to-face interaction. There is no specific international organization to deal with cases of identity theft, but international organizations have introduced certain legislation to deal with these types of offences. For instance, the Council of Europe’s Convention on Cybercrime is the first treaty aimed at computer and internet crimes through regional laws, improved investigation techniques and enhanced cooperation among European nations.
- The Council of Europe’s Convention on Cybercrime
The Convention on Cybercrime of the Council of Europe (CETS No. 185), also known as the Budapest Convention, is the only binding international treaty in this field. It was elaborated by the Council of Europe with the participation of four other states, Canada, Japan, South Africa and the USA, and opened for signature in Budapest in November 2001. It came into force in July 2004 and has become a treaty with a global scope: it serves countries worldwide as a guideline for the development of national laws against cybercrime, with an increasing number of countries moving towards accession, and it serves parties to the convention as a framework for international cooperation. The Budapest Convention requires countries to criminalize certain acts, such as illegal access to a computer system (hacking, circumventing password protection, key-logging, exploiting software loopholes, etc.), illegal interception (violating the privacy of data communication), data interference (malicious code, viruses, trojan horses, etc.), system interference (such as denial-of-service attacks through botnets and other means of hindering the lawful use of computer systems), the misuse of devices (including the development of tools and resources to commit cyber-related offences), computer-related forgery (such as phishing attacks), computer-related fraud, child pornography, the infringement of copyright and other related rights, and, in a separate protocol, hate speech, xenophobia and racism. The convention is supplemented by a protocol on xenophobia and racism committed through computer systems.
“The convention drafters’ principal concerns were twofold. First, they wanted to ensure that definitions need to be flexible enough to adapt to new crimes and methods of committing existing crimes as they evolve. Second, the drafters wanted this convention to remain sensitive to the legal regimes of nation-states” (Jain, 2005). The convention requires countries to introduce a range of procedural laws to give law enforcement and the rest of the criminal justice system the means to investigate, prosecute and adjudicate cybercrimes more effectively. Inter alia, this should allow for the possibility of taking immediate action to preserve electronic records, to search and seize computer data, or to intercept communications.
- United Nations
The United Nations has also recognized the extent and seriousness of identity-related crimes and has taken counter-steps as part of its crime prevention agenda. The Bangkok Declaration on Synergies and Responses: Strategic Alliances in Crime Prevention and Criminal Justice, endorsed by a United Nations General Assembly resolution, reaffirmed the responsibilities vested in the United Nations Crime Prevention and Criminal Justice Programme and suggested working together in this field with member states and regional and international organizations. The major concerns highlighted in this declaration are drug trafficking, money laundering and the smuggling of migrants.
In line with Economic and Social Council (ECOSOC) Resolution 2004/26, the United Nations Office on Drugs and Crime (UNODC) commissioned a study on fraud and the criminal misuse and falsification of identity (UNODC, 2014). The study had a wider scope than that of the OECD. Firstly, the general term for identity-related crime was broadened to include any illicit conduct involving cyberspace identity theft. Secondly, it widened the scope of criminal activities, whether online or offline, and included transnational organized crime and other criminal activities in its ambit. Lastly, identity-related crime was constituted as a part of fraud (Handbook on Identity Related Crime, 2014). There are other UN resolutions which also note the challenges related to identity theft in cyberspace. Based on ECOSOC resolutions 2004/26 and 2007/20, UNODC has established a group of experts to discuss and suggest the best course of action in this field.
INTERPOL, established in 1923, is an international criminal police organization that facilitates cross-border police cooperation. It also works where no diplomatic relations exist between countries. INTERPOL’s involvement in countering cybercrime at the international level began very early. In June 2020, the INTERPOL Cybercrime Directorate’s Global Malicious Domain Taskforce identified and analyzed about 200,000 malicious domains affecting more than 80 countries. These domains were used for a wide variety of malicious activities exploiting the public’s thirst for information during the pandemic. INTERPOL also identified a spike in online scams, phishing, ransomware, data harvesting, malware and misinformation related to COVID-19 (INTERPOL, COVID-19 specialized crime report on cybercrime). To counter these cyber-related crimes, INTERPOL helps member countries by collaborating with private cybersecurity partners who share complete data on threats, risks, etc. It uses these data to generate cyber intelligence to assist countries.
BACKGROUND OF REGIONAL LAWS RELATING TO IDENTITY THEFT
Apart from these international treaties and conventions, the EU and the OECD have adopted similar initiatives to prevent crime in the cyber field.
- Europol (European Union)
Europol established the European Cybercrime Centre (EC3) in 2013 to strengthen the law enforcement response to cybercrime in the European Union. Its purpose is to help protect European citizens, businesses and governments from online crime. Each year, EC3 publishes the Internet Organized Crime Threat Assessment (IOCTA), its flagship strategic report on emerging threats and developments in cybercrime. EC3 takes a three-pronged approach to the fight against cybercrime: forensics, strategy and operations. This regional organization protects the countries of Europe, mainly the member countries of the European Union, from cyber threats.
The 1999 OECD Guidelines for Consumer Protection in the Context of Electronic Commerce (“the 1999 guidelines”) and the 2003 OECD Guidelines for Protecting Consumers from Fraudulent and Deceptive Commercial Practices Across Borders (“the 2003 guidelines”) aim at strengthening member countries’ legal frameworks to fight cyber fraud. The principles in the 1999 and 2003 guidelines serve as a solid basis for establishing a framework against online identity theft. OECD countries such as the United States, Australia, Canada and the United Kingdom have taken certain initiatives to fight cyber threats. In May 2006, the US Federal Trade Commission launched a nationwide education campaign titled “Deter, Detect, Defend”. The campaign aimed at helping consumers take steps to reduce the risk of identity theft, monitor their personal information, and react immediately when identity theft is suspected. The US also launched a website providing details of the task force, the report and victims’ rights. The Australian government distributes an information kit as part of its educational initiatives. In 2007, it released a brochure, ID Theft: Dealing with identity theft, as part of the Australian consumer taskforce’s Identity Theft Week. The government also distributes a booklet, E-crime – A Crime Prevention Kit for Small Business, which helps small business owners identify what they have to do to avoid becoming victims of cyber fraud. Like the Australian government, the Consumer Measures Committee (“CMC”) of Canada developed an information kit to help consumers avoid identity theft. The CMC, an organization representing the federal, provincial and territorial ministries responsible for consumer affairs, carried out various other initiatives to inform consumers about identity theft.
RELEVANT NATIONAL LAWS RELATING TO IDENTITY THEFT
As we have seen, identity theft has been recognized as a crime all around the world, and India also considers it a crime. There is no single statute in India that deals with this kind of crime; instead, it is covered under various acts such as the Indian Penal Code, 1860 and the Information Technology (Amendment) Act, 2008. Though these acts widely cover the crime and punishment of identity theft, there are certain lacunae.
- Identity theft under Indian Penal Code
In layman’s terms, we can define identity theft as the theft of the identity and the personal and private information of a person. Despite being so delicate in nature, it has not been incorporated under section 378 of the Indian Penal Code, which deals with the provisions on theft. However, amendments to the Indian Penal Code regarding the offences of forgery, fraud and tampering with electronic records were brought in with the promulgation of the Information Technology Act, 2000. In addition, the code also makes a person liable for the forgery of websites that trap victims into sharing their confidential information. On the recommendation of an expert committee instituted by Parliament, section 417-A was incorporated in the IPC, which punishes any individual who has cheated a person by using the data and private information of another person. Further, it states that any form of cheating through a computer network is punishable with imprisonment of up to five years.
- Identity Theft under Information Technology Act
The Information Technology Act, 2000 is the foremost law in India governing cybercrimes. Originally, it did not outline cybercrimes per se, as its goal was to recognize e-commerce in India. Prior to the amendment in 2008, section 43 of the Act dealt with cases where any individual accessed someone else’s computer without consent. The liability in this case was civil in nature: the offender had to pay compensation, which could extend to one crore. Further, section 66 dealt with cases of cybercrime, but under that definition cybercrime could only come into play when there was an alteration, deletion or reduction in computer output. Identity theft had no remedy. When the Act was amended in 2008, the concept of identity theft was introduced. In this amendment, section 66 introduced criminal liability whenever an individual has accessed someone else’s computer or abetted the same. Stringent laws have been introduced for the protection of “sensitive personal data”. In the case of Puttaswamy vs. Union of India, the court officially recognized privacy as a fundamental right, with data protection also considered within its ambit. Further, section 69 states that the central government or a state government can use data for monitoring and surveillance. Though the Act of 2000 has gone through several considerable amendments to protect personal and private data from being misused, it is still not as comprehensive as one would desire. The Act still fails to define what would constitute an identification feature, which is the essence of identity theft. Another major pitfall of this Act is that it makes no provision for extra-territorial jurisdiction. The IPC provides extra-territorial jurisdiction under section 4, whereas this Act is only applicable in India.
KINDS OF IDENTITY THEFT
Every time we hear of identity theft, or of people stealing private and personal information to commit fraud, we may think of financial theft, such as the stealing of bank information or credit card details. But there are other types of identity theft beyond that. These other types are:
- MEDICAL IDENTITY THEFT
This kind of identity theft occurs when the criminal uses the information of another person to obtain medical services or to claim insurance benefits. In this case, the criminal’s medical records are added to the victim’s records. Thus, it can have serious consequences for the victim’s records. Where it specifically concerns insurance-related matters, it is known as insurance identity theft. The Federal Trade Commission recorded 87,765 cases of medical and insurance-related identity theft in 2018. Sterling Price, health-care analyst at ValuePenguin, a financial website, said, “Medical identity theft can be even more damaging than standard identity theft”.
- CRIMINAL IDENTITY THEFT
This kind generally happens when someone presents themselves as another person when they are arrested for a crime. Criminals steal a photo ID, social security number and other information associated with the victim. Consequently, if the criminal succeeds, they walk away with a clean record while the offence is listed on the victim’s record. This type of identity theft is rare, but it does happen. The Identity Theft Resource Center (ITRC) says that in some situations, the identity thief commits criminal identity theft by using someone else’s information when cited for a traffic or misdemeanor violation. If the imposter avoids a requirement to appear in court, authorities may issue an arrest warrant against him. There is a process in California to help victims clear their names. If victimized, you may be able to clear your name by giving information on your identity theft to the law enforcement agency that requested the issuance of the arrest warrant.
- TAX IDENTITY THEFT
This type happens when someone uses your social security number (SSN) to file a phony tax return and collect your refund. You won’t be able to identify this type of theft until you try to file your real tax return and the IRS rejects it as a duplicate filing. There are also IRS imposters, scammers who claim that you owe taxes which you have to pay right now. This kind of theft has, however, reported a major decline in cases. In 2017, the IRS received 242,000 identity theft reports, whereas in 2016 there were 401,000 cases. There is a fall of nearly 65% in victims of identity theft.
- CHILD IDENTITY THEFT
In this situation, thieves may use a child’s information to open bank accounts or file taxes. Children are ideal targets, as people rarely monitor their credit reports. A study found that as many as 10.2% of 40,000 children surveyed were victims of identity theft (Richard, 2013). The analysis also shows that it is quite difficult to detect some kinds of identity theft, especially synthetic identity theft and identity cloning and concealment. In the former, for example, the crime does not appear directly on existing victims’ records, such as credit reports, but in new files, or as auxiliaries to those credit reports. This makes it difficult for law enforcement to detect the crimes.
Hence, it should be noted that identity theft in cyberspace is not a standalone crime; rather, it is an initial stage of other crimes.
TECHNIQUES OF MODERN IDENTITY THEFT
An appreciation of the techniques used in the commission of identity theft in cyberspace is vital to our understanding of the crime and of possible modes of prevention (OECD, 2008). The most widely used techniques for committing identity theft are phishing, pharming, vishing, hacking, abuse of privileged access, etc.
In phishing, criminals impersonate legitimate organizations and send out fake text messages, emails (spoofing) or phone calls in the names of those organizations, with the intention of luring victims into disclosing personal information (Jakobson, 2013). The most common type of phishing scam is deceptive phishing. In this type, fraudsters generally impersonate a legitimate company to obtain a person’s personal information by threatening them or by creating a sense of urgency. Other common types of phishing are email phishing, spear phishing, whaling, etc. Whaling is generally done by tricking victims with fake links or malicious URLs. The consequences of these techniques are the same.
- PHARMING, SMISHING, VISHING
Pharming, or domain spoofing, takes its name from the word phishing and involves the use of a spoofed website to lure unwitting individuals into giving up their personal information. It can be done in two ways. In the first, the computer’s hosts file is compromised with entries that send legitimate domain names to illegitimate IP addresses. In the second, weaknesses in DNS software are exploited to gain control over the domain name of an existing website and change its numeric address. This technique is known as Domain Name System (DNS) poisoning. Consequently, when internet users enter the affected website address, they are automatically directed to the spoofed website, even though their browser’s address bar retains the original, correct address, and they are thus deceived into believing that the site is legitimate. (CIPPIC, 2007)
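The first pharming variant described above, a tampered hosts file, can be checked for on the machine itself. The following Python code is an added example, not part of the original article: it parses a hosts file and reports entries that override a watch list of sensitive domains. The sample file, the watch list and the approved-override list are constructed for illustration, and the check does not cover DNS poisoning, which happens on the resolver rather than on the local machine.

```python
import ipaddress

# Constructed sample hosts file; names and addresses are illustrative only.
# 203.0.113.0/24, 192.0.2.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_HOSTS = """\
# Local hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.tracker.example      # ad blocking, not a redirect
203.0.113.66    www.bank.example bank.example   # injected entry
2001:db8::66    LOGIN.Bank.Example.
192.0.2.10      intranet.corp.example
10.0.0.5        pay.shop.example         # pinned by the administrator
not-an-ip       www.bank.example
"""

# Hypothetical watch list: domains that should never be overridden locally.
WATCHED_DOMAINS = {"bank.example", "shop.example"}

# Hypothetical allow list of (hostname, address) overrides added on purpose.
APPROVED = {("pay.shop.example", "10.0.0.5")}


def parse_hosts(text):
    """Yield (line_number, address_string, [hostnames]) for each entry line."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line, comment-only line, or address with no name
        # Hostnames are case-insensitive and may carry a trailing root dot.
        yield number, fields[0], [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(hostname, watched):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED_DOMAINS, approved=APPROVED):
    """Return (line, kind, address, hostname) for each overridden watched name."""
    findings = []
    for number, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None  # not a valid IPv4/IPv6 literal
        for name in names:
            if not is_watched(name, watched):
                continue
            if ip is None:
                kind = "malformed"
            elif (name, str(ip)) in approved:
                continue
            elif ip.is_loopback or ip.is_unspecified:
                kind = "blocked"   # name is sinkholed, not sent elsewhere
            else:
                kind = "redirect"  # name is sent to an address of someone's choosing
            findings.append((number, kind, addr, name))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

To audit a real machine, pass the contents of its hosts file (for example `/etc/hosts` on Unix-like systems) to `audit_hosts` together with the organization's own watch list.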
Under smishing, cell phone users receive a text message from a company confirming that they have signed up for its dating services, for which they will be charged a certain amount per day unless the order is cancelled at the company’s website. Such a website is in fact compromised and used to steal personal information. (Stroup, 2014)
In vishing, a classic spoofed e-mail, appearing to come from a legitimate business or institution, invites recipients to call a telephone number, where they are asked for personal data such as an account number or password, apparently for security verification purposes. Victims usually feel this is safe, as they are not required to go to a website to transmit that information. (Stroup, 2013)
Identity thieves may also break into computer systems, networks and databases in order to extract large amounts of personal information (Ealy, 2013). Hacking involves unlawful access to a computer system (Australian Institute of Criminology, 2005) and is among the oldest computer-related crimes, one that has become a serious and widespread phenomenon. Apart from famous, fixed targets like NASA, Google, the Pentagon, Yahoo, etc., criminals have started hacking regular users to obtain identity-related information.
CASES AND STATISTICS
The FTC takes in reports from consumers about problems they experience in the marketplace. All the reports are stored in the Consumer Sentinel Network, a secure database available only to law enforcement. Since 1997, Sentinel has received around tens of millions of reports related to fraud, identity theft and other consumer protection topics. According to the 2019 reports, the top three types of identity theft cases were credit card fraud, loan or lease fraud, and phone or utilities fraud, with 271,823 cases of credit card fraud, 104,699 cases of loan or lease fraud, and 83,535 cases of phone or utilities fraud recorded. The reports also showed the highest rise in federal student loan cases, where the difference between the cases of 2018 and 2019 is 188%.
According to the 2019 Identity Fraud Study from Javelin Strategy & Research, identity fraud victims in 2018 bore a heavier financial burden: 3.3 million people were responsible for some of the liability of fraud committed against them, nearly three times as many as in 2016. In 2019, ransomware attacks (a type of malware that denies access to an organization’s system) more than doubled from 2018. In 2019, the ITRC reported that hacking was the most used method of breaching data, with 577 data breaches resulting in 15.3 million records exposed. In the first half of 2020, the ITRC tracked 540 breaches that impacted 164 million people.
As one of the fastest growing social issues, identity fraud is drawing the attention of the public, the media and governments. With the advent of the internet, identity theft and other fraud have become a major threat. The glaring issue in identity theft is the absence of a prescribed definition, which makes it very difficult to formulate laws to tackle the crime. Identity theft has evolved globally into a major issue, transcending national borders and winding through multistate proxy networks and diverse rings of conspirators. As it is hard to arrive at a generally accepted definition, we can infer from the various studies that it is the crime of obtaining the personal information of another person and using it for one’s own good without that person’s consent. There exist numerous types of identity fraud, such as medical identity theft, synthetic identity theft, financial identity theft and criminal identity theft. Identity thieves take advantage of different methods such as phishing, smishing, vishing, preying on social networking sites, hacking, etc. Other uses of cyberspace identity theft include terrorism and unauthorized immigration. However, cyberspace identity theft is not always used for criminal purposes. Sometimes, it may be motivated simply by the quest for fun or fame. (Ramage, 2005)
B. Koops et al, (2009). A typology of identity related crime: Conceptual, technical, and legal issues, 12 (1) Information, Communication & Society, p 3.
R. Garner, (2000). An overview of computer related crime, 7 (1) Telemasp Bulletin, p 1. http://www.lemitonline.org/publications/telemasp/Pdf/volume%207/vol7no1.pdf (7 Apr 2013).
United Nations, (2011). Handbook on Identity Related Crime, New York, United Nations Publication, p 2.
G. R. Newman, (2005). Identity Theft Literature Review. http://www.consumer.gov/sentinel/pubs/Top10Fraud2003.pdf (27 January 2005).
Convention on Cybercrimes, Budapest, 23 November 2001.
J. Stroup, (2020). A Brief History of Identity Theft. http://www.thebalance.com/a-brief-history-of-identity-theft-1947514.
Hoar, (2001). Identity theft: The crime of the new millennium, 80 (1), Oregon Law Review, P 14-21.