Hamid Jahankhani
Middlesex University, London, UK
h.jahankhani@mdx.ac.uk
Carlisle George
Middlesex University, London, UK
c.george@mdx.ac.uk
Abstract
Identity theft is a growing criminal phenomenon which presents a major threat to
individuals, businesses, governments and society in general. It can greatly affect the
privacy, security and financial wellbeing of its victims. The growth of this criminal
activity has been easily facilitated by the increasing reliance on technology and a global
information and communications infrastructure. Consequently it is a prevalent form of
cybercrime and causes concerns for the continued use of the internet for electronic
commerce and social networking. This paper discusses identity theft with a view to
assessing its impact, legislative responses to it and challenges that it brings. The paper
argues that greater understanding and awareness of identity theft needs to be created, and
that Internet usage requires laws and regulatory authorities, which should span across
national boundaries and legal systems. Effecting such laws will require international
treaties and conventions between nation states, and the active participation of the
international digital community to safeguard the Internetworked information society.
1. Introduction
The increasing importance of technology in our daily lives (especially the use of
computers and the internet) continually brings challenges related to legal, security and
privacy concerns to all stakeholders in the information society. One of these challenges
is the growing rise of identity theft (and subsequent fraud).
Identity theft constitutes the (illegal) use of the identity (e.g. name, address) of an
individual or organisation without the knowledge or consent of the holder of that
identity. Personal identity theft refers to the theft (and fraudulent use) of an individual’s
identity whereas corporate identity theft refers to the theft (and fraudulent use) of the
identity of a business (e.g. business address, credit cards). The appropriation and illegal
use of an identity can occur both offline and online. Online identity theft (e.g. gaining
information to access and use email or bank accounts) is one of the fastest growing
areas of cybercrime and represents a major challenge to the continued use of the internet
for commercial and social activities (BTplc, 2006). Further, since online identity theft
can be easily perpetrated across geographical boundaries it represents a greater threat
compared to offline identity theft.

Jahankhani, H & George, C (2008). Challenges of identity theft in the information society. In
Sylvia M Kierkegaard (Ed), Synergies and conflicts in Cyberlaw, The 3rd International
Conference on Legal, Security and Privacy Issues in IT (LSPI), Prague, Czech Republic,
September 3-5, 2008.

This paper discusses the growing phenomenon of identity theft and examines the
impact that it has on the economy as well as other micro and macro implications.
The paper then discusses mechanisms for facilitating the theft of an identity, some
legislative responses to identity theft and some challenges that identity theft brings. The
paper then makes suggestions for the way ahead.
• Micro Implications
    o Loss of brand/business confidence.
    o Damage to reputation.
    o Credit rating damaged.
    o Possible breach of legal obligation.
• Macro Implications
    o Loss of confidence in a particular sector/industry.
    o Loss of confidence in a particular way of doing business e.g. fewer people using the internet.
    o Insurance claims resulting in increased premiums for all.
    o Losses recouped by increasing prices for goods and services.
3. Facilitation Mechanisms
3.1 Bin Raiding
This method of obtaining information applies equally to individuals and
organisations. As the name suggests, a criminal can rout through dustbins to obtain
valuable information about an organisation. This includes obtaining bank account and
credit card details, computer passwords, letterheads, signatures and other information
which either on their own or added to other information allow a criminal to gain access
to an organisation’s accounts or those of its clients, trading partners, or suppliers. In a
survey commissioned by the security company, Fellowes, it was estimated that 97% of
households, approximately 21 million homes, disposed of information that could be
exploited by identity thieves by throwing it in their household refuse (Leyden, 2006).
3.2 Phishing
One definition of phishing (pronounced fishing), is “technological subterfuge to
steal consumers’ personal identification data and financial account credentials” (Anti
Phishing Working Group, 2005) and is an effective means of gathering valuable personal
and organisation information. Phishing is one end of a two-ended criminal enterprise in
that it is the gathering of the information and the second part is the utilisation of that
information for criminal purposes.
Phishing is mainly now conducted through the medium of email given the ease of
use and the relative anonymity of email use. Criminals are able to ‘mass email’ potential
victims masquerading as their bank or other party who might have a legitimate interest in
contacting them about financial matters. The emails are crafted in such a way as to
appear as though the request for the information e.g. names, dates of birth, mother’s
maiden name, account details etc. is being legitimately made. In reality it is not and
many willingly provide this information only later to discover that they have unwittingly
passed it to an identity thief. Once in possession of this information the thief can use
it to steal an individual’s or organisation’s identity and divert money away from them.
A new development in phishing scams is the targeting of academics via email
asking them for research papers. Emails claiming to be from the publishing company
Elsevier have been sent to academics promising to publish their work in journals and
also disseminate their research in seminars around the world. The fake emails are used to
gain personal information and also to extort money for publishing by requesting
handling fees (Stothart, 2008).
A forerunner to email phishing was identity theft by cold calling where much of
the same information was requested. With the advent of Voice over Internet
Protocol (‘VoIP’), where anonymous calls can be made from the other side of the world,
this is still an effective method of illegitimate data collection from both individuals and
organisations.
3.3 Skimming
This method involves the cloning of payment (credit/debit) cards using
information gathered by individuals who can gain access to payment card information,
or using devices which copy information when using a payment card.
4. Legal Issues
4.1 Legislative measures in the UK/EU
One of the ways of indirectly combating identity theft in the UK and European
Union (EU) is through the protection (including maintaining privacy and security) of
personal data. The EU Directive 95/46/EC of the European Parliament and of the
Council of 24 October 1995 (thereafter referred to as the Directive) sets out the
legislative framework (variously implemented in the national legislation of EU member
states e.g. the UK Data Protection Act 1998) for the protection of individuals with regard
to the processing of personal data and on the free movement of such data. Amongst other
things, the Directive sets out: data protection principles to be followed by organisations
that collect personal data; rights for data subjects; and offences (e.g. relating to the
unauthorised access and disclosure of personal data).
A 2006 EU survey found that there were very few laws in EU member states to
directly address identity theft and fraud (Owen et al, 2006). In many instances these
offences were addressed by general criminal law (e.g. fraud offences), or data protection
offences. The absence of such specific laws was in part due to the perception that
compared to the US, identity theft was not a significant problem in the EU (van der
Meulen, 2007). This perception stemmed from factors in the EU such as less multiple
usage of identification numbers (e.g. social security numbers), fewer credit cards, and
stronger data protection legislation. This however may be changing due to the increasing
use of the Internet and digital information.
Recently, the UK government took major steps to directly address identity theft
and fraud, by enacting the Identity Cards Act 2006 and the Fraud Act 2006.
The Identity Cards Act 2006 was enacted to develop a national identity register
and a UK national identification cards scheme (OPSI_a, 2006). The Act also created
various offences related to identity theft and fraud. Under Section 25 of the Act,
possessing or controlling an identity document (including an identity card, passport,
immigration document, driving licence - Section 26) to which one is not entitled is an
offence. Section 25 also makes it an offence to possess or control any apparatus or
materials to create false identities.
The Fraud Act 2006 created various fraud offences including fraud by false
representation (Section 2), fraud by failing to disclose information (Section 3) and fraud
by abuse of position (Section 4) (OPSI_b, 2006). For these offences to be established a
person’s conduct must be dishonest, and there must be an intention to gain something or
cause loss or risk of loss to another person/business. The Act also created other offences
such as possession of articles for use in frauds (Section 6) and making or supplying
articles for use in frauds (Section 7).
6. Conclusions
It is clear that identity theft is a growing problem, which presents a threat to
economies and society. It is also a major threat to the privacy of individuals and
businesses especially in the Internetworked information society. Government and non-
government bodies and organizations can only contribute in laying the foundations,
developing the strategies and overseeing the developments in terms of compatibility with
general policies and national and international legal frameworks. It is a challenge for the
rapidly increasing global digital community, to specify, modify, dictate, evaluate and
safeguard sound legislation that would allow for efficient and socially responsible use of
the Internetworked world.
Organizations are highly exposed to the vulnerabilities inherent in Internet
connectivity, and the exposure increases every day as viruses become more virulent and
users neglect to exercise ever-greater caution. Moving away from the Internet is not an
option for most organizations. Competitiveness demands an ever-increasing presence,
and therefore reliance, on all things electronic. But many organizations have grown
much larger by using their reliance on the Internet, as the face of business transactions
has changed dramatically over the last generation.
References
1. Anti Phishing Working Group (2005). Phishing Activity Trends Report. June
2005, Retrieved July, 28, 2008 from
http://www.antiphishing.org/reports/APWG_Phishing_Activity_Report_Jun_05.pdf
3. Cabinet Office (2002). Identity Fraud: A Study July 2002: The Stationery
Office. Retrieved July, 25, 2008 from
http://www.identitycards.gov.uk/downloads/id_fraud-report.pdf.
6. Green, C. (2007) TK Maxx data theft may have hit 94 million cards. ITPRO
website. Retrieved July, 25, 2008 from
http://www.itpro.co.uk/133187/tk-maxx-data-theft-may-have-hit-94-million-cards
9. Home Office (2006). Home Office Identity Fraud Steering Committee 2006
Updated Estimate of the Cost of Identity Fraud to the UK Economy. 2006: The
Stationery Office.
11. Leyden, J. (2006). Brits in their Identity as ID thieves prosper. The Register
Magazine. Retrieved July, 25, 2008 from
http://www.theregister.co.uk/2006/10/16/id_fraud_prevention_week/
12. Massey, R. (2004). The growing concern of e-identity theft. Electronic Business
Law 2003 5 EBL 9, p.3. Retrieved May, 15, 2008 from
http://global.lexisnexis.com/uk.
14. OPSI_a (2006). The Identity Cards Act 2006. Retrieved July, 25, 2008 from
http://www.opsi.gov.uk/acts/acts2006/ukpga_20060015_en_1
15. OPSI_b (2006). The Fraud Act 2006. Retrieved July, 25, 2008 from
http://www.opsi.gov.uk/Acts/acts2006/ukpga_20060035_en_1
16. Owen, K, Keats, G and Gill, M (2006). The Fight against Identity Fraud: A
Brief Study of the EU, the UK, France, Germany, and the Netherlands
(Leicester, United Kingdom: Perpetuity Research & Consultancy International,
2006). Retrieved June, 28, 2008 from
http://www.perpetuityresearch.com/publications.html#idfraudstudy
17. Royal and Sun Alliance (2006). RSA UK Press Releases, 18.09. 2006:
Corporate Identify Theft to cost businesses £700 million a year. Retrieved July,
28, 2008 from
http://www.rsagroup.com/rsa/pages/media/ukpressreleases?type=press&ref=352&view=true
18. Stothart, C (2008). E-mail fraudsters target academics, THES, 24th July 2008.
Retrieved July, 25, 2008 from
http://www.timeshighereducation.co.uk/story.asp?sectioncode=26&storycode=402936&c=2
19. Van der Meulen (2007), The Spread of Identity Theft: Developments and
Initiatives within the European Union, The Police Chief, vol. 74, no. 5, May
2007. Retrieved July, 25, 2008 from
http://policechiefmagazine.org/magazine/index.cfm?fuseaction=display_arch&article_id=1190&issue_id=52007