
Challenges of Identity theft in the information society¹

Hamid Jahankhani
Middlesex University, London, UK
h.jahankhani@mdx.ac.uk

Carlisle George
Middlesex University, London, UK
c.george@mdx.ac.uk

Abstract
Identity theft is a growing criminal phenomenon which presents a major threat to
individuals, businesses, governments and society in general. It can greatly affect the
privacy, security and financial wellbeing of its victims. The growth of this criminal
activity has been easily facilitated by the increasing reliance on technology and a global
information and communications infrastructure. Consequently it is a prevalent form of
cybercrime and causes concerns for the continued use of the internet for electronic
commerce and social networking. This paper discusses identity theft with a view to
assessing its impact, legislative responses to it and challenges that it brings. The paper
argues that greater understanding and awareness of identity theft needs to be created, and
that Internet usage requires laws and regulatory authorities, which should span across
national boundaries and legal systems. Effecting such laws will require international
treaties and conventions between nation states, and the active participation of the
international digital community to safeguard the Internetworked information society.

Keywords: Identity theft, cybercrime, privacy, information security

1. Introduction
The increasing importance of technology in our daily lives (especially the use of
computers and the internet) continually brings challenges related to legal, security and
privacy concerns to all stakeholders in the information society. One of these challenges
is the growing rise of identity theft (and subsequent fraud).
Identity theft constitutes the (illegal) use of the identity (e.g. name, address) of an
individual or organisation without the knowledge or consent of the holder of that
identity. Personal identity theft refers to the theft (and fraudulent use) of an individual’s
identity whereas corporate identity theft refers to the theft (and fraudulent use) of the
identity of a business (e.g. business address, credit cards). The appropriation and illegal
use of an identity can occur both offline and online. Online identity theft (e.g. gaining
information to access and use email or bank accounts) is one of the fastest growing
areas of cybercrime and represents a major challenge to the continued use of the internet
for commercial and social activities (BTplc, 2006). Further, since online identity theft
can be easily perpetrated across geographical boundaries it represents a greater threat
compared to offline identity theft.

¹ Jahankhani, H & George, C (2008). Challenges of identity theft in the information society. In
Sylvia M Kierkegaard (Ed), Synergies and conflicts in Cyberlaw, The 3rd International
Conference on Legal, Security and Privacy Issues in IT (LSPI), Prague, Czech Republic,
September 3-5, 2008.

This paper discusses the growing phenomenon of identity theft and examines the
impact that it has on the economy as well as other micro and macro implications.
The paper then discusses mechanisms for facilitating the theft of an identity, some
legislative responses to identity theft and some challenges that identity theft brings. The
paper then makes suggestions for the way ahead.

2. Impact of Identity theft


The theft of an individual’s identity is not a new phenomenon; however, the
number of incidences has increased over the years. In 2002, in the United Kingdom
(UK) approximately 75,000 cases were identified and the cost to the UK economy was
estimated at £1.3bn per annum (Cabinet Office, 2002). By 2005, 137,000 cases were
identified (BTplc, 2006). This problem is not confined to the UK. In the United States of
America (‘USA’) the Federal Trade Commission (‘FTC’) estimated that in the year
ending April 2003, $47.6 billion was lost as a result of identity theft (Federal Trade
Commission, 2003). This represented an increase of 59% on the 2001 figure (Massey,
2004). It must be noted that a 2006 survey estimated the loss to be $15.6 billion, but
concluded that a different methodology was used to arrive at this figure compared to the
2003 estimate, and that it was not possible to conclude whether there was a significant
decline between 2003 and 2006 (Federal Trade Commission, 2006). The increase in
cases of identity theft (at least as seen in the UK) is due in part to new and more
imaginative methods being used to take control of a person’s or a business’s identity for
criminal purposes. This has become commonplace to the point where some believe that
it is both inevitable and unstoppable.
In the UK, there is mounting evidence to suggest that the financial impact of
identity theft is far greater than had previously been appreciated. A 2006 UK
Government Department study estimated that the losses sustained by the UK economy
stood at approximately £1.7bn per annum or £35 per adult per year (Home Office, 2006),
compared with £1.3bn in 2002. As is often the case with crime figures, it is difficult to
accurately assess the extent of losses sustained as assessment can only be made on the
basis of crimes that are reported and recorded. It is also dependent upon the Government
having a proper understanding of this particular species of fraud, in its various
manifestations, and the importance of official recording of this crime.
Estimates of the losses sustained as a result of corporate identity theft vary. One
source puts the current losses at just under £100m with an indication that they are likely
to increase to £700m by 2020, (Royal and Sun Alliance, 2006).
Corporate identity theft is having a profound effect upon business relationships
and perhaps more so than ever before commercial interactions are dependent upon trust
between the parties. This trust relates not only to the relationship between the parties but
it often extends to the systems and processes established by them; often by the dominant
party. When, for whatever reason, these systems and processes have been found wanting
there has been a detrimental effect upon the trust that has existed or would have existed
between the parties. This was exemplified in recent reports of data theft that took place
over an eighteen month period from the UK retailer TK Maxx (Green, 2007). The theft
resulted in sales dropping dramatically over an extended period. Whilst it was not the
company’s identity that was stolen nevertheless this serves to illustrate the speed of
impact and how widely confidence in an organisation can be damaged. In this case, TK
Maxx, through its market position and financial resources, was able to show that the
‘breach’ in its processes related only to one category of customer, namely credit card
users, and that the information itself was somewhat dated. That said there will be some
who will not be sufficiently convinced as to patronise the company in future. A much
smaller company would be unable to mount such an effective damage limitation
exercise; still less if it had had its identity improperly utilised.
The above example and others show that when an incidence of identity theft
occurs there can be both micro and macro implications such as the following:-

• Micro Implications
  o Loss of brand/business confidence.
  o Damage to reputation.
  o Credit rating damaged.
  o Possible breach of legal obligation.

• Macro Implications
  o Loss of confidence in a particular sector/industry.
  o Loss of confidence in a particular way of doing business e.g. fewer people using the internet.
  o Insurance claims resulting in increased premiums for all.
  o Losses recouped by increasing prices for goods and services.

Whilst it is important to make a distinction between individual and organisation
identity theft it would be a mistake to think of them as always being separate from each
other in all cases.

3. Facilitation Mechanisms
3.1 Bin Raiding
This method of obtaining information applies equally to individuals and
organisations. As the name suggests, a criminal can root through dustbins to obtain
valuable information about an organisation. This includes obtaining bank account and
credit card details, computer passwords, letterheads, signatures and other information
which either on their own or added to other information allow a criminal to gain access
to an organisation’s accounts or those of its clients, trading partners, or suppliers. In a
survey commissioned by the security company, Fellowes, it was estimated that 97% of
households, approximately 21 million homes, disposed of information that could be
exploited by identity thieves by throwing it in their household refuse (Leyden, 2006).

3.2 Phishing
One definition of phishing (pronounced fishing), is “technological subterfuge to
steal consumers’ personal identification data and financial account credentials” (Anti
Phishing Working Group, 2005) and is an effective means of gathering valuable personal
and organisation information. Phishing is one end of a two-ended criminal enterprise in
that it is the gathering of the information and the second part is the utilisation of that
information for criminal purposes.
Phishing is mainly now conducted through the medium of email given the ease of
use and the relative anonymity of email use. Criminals are able to ‘mass email’ potential
victims masquerading as their bank or other party who might have a legitimate interest in
contacting them about financial matters. The emails are crafted in such a way as to
appear as though the request for the information e.g. names, dates of birth, mother’s
maiden name, account details etc. is being legitimately made. In reality it is not and
many willingly provide this information only later to discover that they have unwittingly
passed them to an identity thief. Once in possession of this information the thief can use
it to steal an individual’s or organisation’s identity and divert money away from them.
A new development in phishing scams is the targeting of academics via email
asking them for research papers. Emails claiming to be from the publishing company
Elsevier have been sent to academics promising to publish their work in journals and
also disseminate their research in seminars around the world. The fake emails are used to
gain personal information and also to extort money for publishing by requesting
handling fees (Stothart, 2008).
A forerunner to email phishing was identity theft by cold calling where much of
the same information was requested. With the advent of Voice Over the Internet
Protocol (‘VOIP’), where anonymous calls can be made from the other side of the world,
this is still an effective method of illegitimate data collection from both individuals and
organisations.

3.3 Skimming
This method involves the cloning of payment (credit/debit) cards using
information gathered by individuals who can gain access to payment card information,
or using devices which copy information when using a payment card.

3.4 Public Records Access


In the UK it has long been the case that certain personal and business records are
freely accessible to the public. Personal details may be obtained by the payment of a
small fee to the General Register Office for documents such as certificates of birth,
death, marriages and civil partnerships and there is no scrutiny of the identity of the
applicant. Business details and records are obtained in a similar way from Companies
House. These resources represent a rich source of information for identity thieves who
are then able to utilise them for the purposes of duplicating an identity. Information
from the latter source has been used in order to take over a company’s identity entirely
by altering the details to the thieves’ advantage.

3.5 Old Addresses


In some cases where a person has moved house, a mail carrier (e.g. Post Office)
may continue to deliver mail at an old address if the mail is not redirected or where a
redirection mandate expires. The identity of the person who has moved can therefore be
easily adopted and used by another person to gain services.

4. Legal Issues
4.1 Legislative measures in the UK/EU
One of the ways of indirectly combating identity theft in the UK and European
Union (EU) is through the protection (including maintaining privacy and security) of
personal data. The EU Directive 95/46/EC of the European Parliament and of the
Council of 24 October 1995 (thereafter referred to as the Directive) sets out the
legislative framework (variously implemented in the national legislation of EU member
states e.g. the UK Data Protection Act 1998) for the protection of individuals with regard
to the processing of personal data and on the free movement of such data. Amongst other
things, the Directive sets out: data protection principles to be followed by organisations
that collect personal data; rights for data subjects; and offences (e.g. relating to the
unauthorised access and disclosure of personal data).
A 2006 EU survey found that there were very few laws in EU member states to
directly address identity theft and fraud (Owen et al, 2006). In many instances these
offences were addressed by general criminal law (e.g. fraud offences), or data protection
offences. The absence of such specific laws was in part due to the perception that
compared to the US, identity theft was not a significant problem in the EU (van der
Meulen, 2007). This perception stemmed from factors in the EU such as less multiple
usage of identification numbers (e.g. social security numbers), fewer credit cards, and
stronger data protection legislation. This however may be changing due to the increasing
use of the Internet and digital information.
Recently, the UK government took major steps to directly address identity theft
and fraud, by enacting The Identity Cards Act 2006 and The Fraud Act 2006.
The Identity Cards Act 2006 was enacted to develop a national identity register
and a UK national identification cards scheme (OPSI_a, 2006). The Act also created
various offences related to identity theft and fraud. Under Section 25 of the Act,
possessing or controlling an identity document (including an identity card, passport,
immigration document, driving licence - Section 26) to which one is not entitled is an
offence. Section 25 also makes it an offence to possess or control any apparatus or
materials to create false identities.
The Fraud Act 2006 created various fraud offences including fraud by false
representation (Section 2), fraud by failing to disclose information (Section 3) and fraud
by abuse of position (Section 4), (OPSI_b, 2006). For these offences to be established a
person’s conduct must be dishonest, and there must be an intention to gain something or
cause loss or risk of loss to another person/business. The Act also created other offences
such as possession of articles for use in frauds (Section 6) and making or supplying
articles for use in frauds (Section 7).

4.2 Legislative measures in the US


In the United States (US), The Identity Theft And Assumption Deterrence Act
1998 created the Federal crime of Identity Theft. Under the Act it is a criminal offence to
knowingly and without authority produce, possess with intent to defraud the US
government or transfer (amongst other activities) an identification document or false
identification document. Since 1998, many US states have strengthened their laws in
order to protect consumers from identity theft (NCSL, 2008). Such legislation has
included identity theft legislation (e.g. The Financial Identity Fraud and Identity Theft
Protection Act of North Carolina) as well as legislation addressing issues such as:
possession and use of credit card skimming devices (e.g. California Penal Code §502.6);
limiting/freezing a consumer report agency from releasing credit reports unless they
obtain consumer authorisation (New York General Business Law §380-a et seq.);
requiring that companies and state agencies disclose to consumers any security breaches
regarding personal information (e.g. Florida Statutes § 817.5681).

5. Challenges of Identity theft


A proper understanding of identity theft is essential as the opportunities for
criminals to steal the identities of individuals and businesses have increased and become
easier especially due to the pace at which organisations need to interact with each other
and due to e-commerce/internet usage. This represents a major threat to the privacy of
personal and business information. In order to raise awareness of this danger trade
organisations, law enforcement agencies and Government have sought to educate those
who would be most affected. This has been effective in that some businesses have
become more aware of the dangers posed by this form of criminal activity. However,
the speed and ever changing methods of this type of theft makes it difficult for
individuals and businesses to be successful in combating this criminal activity. An
example of changing methods is that once upon a time ‘bin-raiding’ was sufficient to
yield all the necessary details to effect an identity theft. However, as individuals and
businesses become more vigilant in the security/disposal of such information thieves use
more sophisticated and anonymous methods to obtain that information (James, 2006).
In addition to greater vigilance by some, in the last three to four years there has
been an increasing awareness of the existence, mechanics and possible consequences of
individual identity theft. The awareness that has taken place has been achieved by a
combination of news reporting, advertising, information from banks and credit card
companies, police and Government campaigns and the like. The awareness has been
such that the issue of individual protection and individual identity theft resulted in a UK
Parliamentary Committee being established to consider the matter (House of Lords
Science and Technology Committee, 2007). Also, the Home Office Identity Fraud
Steering Committee, a collaborative venture consisting of fourteen members (financial
bodies, government agencies and the Police) was established to tackle identity
theft/fraud. This Committee maintains a website to provide information and help (to UK
citizens) on issues regarding identity theft (Home Office, 2008). The rise in the number
of incidences of identity theft in the UK, however, implies that there is still work to be
done to increase awareness and tackle identity theft.
Currently, within the EU there is no central location where users can report
instances of cybercrime. Without such a facility, many victims will simply fail to report
the incidence. In many cases, users will fall victim to multiple cyber crimes, each event
eroding their trust in commercial or Government based Internet services.
In the US, the IC3 initiative, a partnership between the FBI and National White
Collar Crime Centre (NW3C) has proven to be a successful strategy as a portal for
victims of certain types of cybercrime (principally fraud). The IC3 allows victims to
report crime and provides statistical summaries of related crimes that can be categorised
by geographical locations within the US. The IC3 data, though biased towards fraud, is
quite comprehensive and has aided legal authorities on numerous occasions.
The borderless nature of the internet resulting in transnational criminal activity
poses a major challenge for law enforcement regarding identity theft (van der
Meulen, 2007). The creation of Europol (European Law Enforcement Organisation) in
1992 was a positive step to improving cooperation and coordination between European
states, however, challenges still remain. In particular, the theft of identities online poses
many difficulties, such as the anonymity of criminals, difficulty in gathering/obtaining
evidence, differences in languages and procedures in different states and cross-
jurisdictional issues. The 2001 Council of Europe Cybercrime Convention was another
positive attempt to address cooperation between law enforcement agencies across many
countries. Amongst other provisions, the Convention mandates signatories to provide:
International cooperation in law enforcement - with obligations on signatory countries to
cooperate to the widest possible extent and minimise impediments to the rapid flow of
information & data; and Extradition and a mutual legal assistance network – with
obligations on signatory countries to maintain a 24/7 national contact point to give
technical or legal advice, preserve data, collect evidence, and locate suspects. Although
forty-five countries have signed the Convention, to date, only twenty-three have ratified
it (to make it a part of their national laws). Non-ratification of the Convention presents a
major barrier to the effective policing of cyber criminal activity such as online identity
theft.
Despite a plethora of Internet related legislation, cybercrime is still a growing
stigma for the e-society. It is evident that Internet usage requires laws and regulatory
authorities, which should span across national boundaries and legal systems. This will
require treaties and conventions between nation states, however, the experience of the
non-ratification of the 2001 Cybercrime convention by twenty-two out of forty-five
signatories, gives little hope for the future. Internet laws/regulations should be designed
to reflect national values for national issues and international values for international
issues. Suitable organizations should be set up to ensure that online organizations
adhere to all legislations covering their operations where possible. Responsibility for
developing, evaluating, enhancing and safeguarding the Internet and its related activities
should lie with the International digital community. It should also be the e-community’s
responsibility to dictate the need for and to specify the extent of required legislation,
since they will be the ones directly affected by such legislation. Necessary evaluation
frameworks should be developed to assess the suitability and applicability of new laws,
acts and directives issued.

6. Conclusions
It is clear that identity theft is a growing problem, which presents a threat to
economies and society. It is also a major threat to the privacy of individuals and
businesses especially in the Internetworked information society. Government and non-
government bodies and organizations can only contribute in laying the foundations,
developing the strategies and overseeing the developments in terms of compatibility with
general policies and national and international legal frameworks. It is a challenge for the
rapidly increasing global digital community, to specify, modify, dictate, evaluate and
safeguard sound legislation that would allow for efficient and socially responsible use of
the Internetworked world.

Organizations are highly exposed to the vulnerabilities inherent in Internet
connectivity, and the exposure increases every day as viruses become more virulent and
users neglect to exercise ever-greater caution. Moving away from the Internet is not an
option for most organizations. Competitiveness demands an ever-increasing presence,
and therefore reliance, on all things electronic. But many organizations have grown
much larger by using their reliance on the Internet, as the face of business transactions
has changed dramatically over the last generation.

References
1. Anti Phishing Working Group (2005). Phishing Activity Trends Report. June
2005, Retrieved July, 28, 2008 from
http://www.antiphishing.org/reports/APWG_Phishing_Activity_Report_Jun_05.pdf

2. BTplc (2006), Security Report on Identity Theft, February, 2006. Retrieved
July, 25, 2008 from http://www.btplc.com/onlineidtheft/onlineidtheft.pdf

3. Cabinet Office (2002). Identity Fraud: A Study July 2002: The Stationery
Office. Retrieved July, 25, 2008 from
http://www.identitycards.gov.uk/downloads/id_fraud-report.pdf.

4. Federal Trade Commission (2003). Identity Theft Survey Report. September
2003. US Federal Trade Commission.

5. Federal Trade Commission (2006). 2006 Identity Theft Survey Report.
Retrieved July, 28, 2008 from
http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf

6. Green, C. (2007) TK Maxx data theft may have hit 94 million cards. ITPRO
website. Retrieved July, 25, 2008 from
http://www.itpro.co.uk/133187/tk-maxx-data-theft-may-have-hit-94-million-cards

7. House of Lords. Science and Technology Committee (2007). Personal Internet
Security, 5th Report of Session 2006-07. London. The Stationery Office. (HL
Paper 165-I).

8. Home Office (2008). http://www.identity-theft.org.uk/

9. Home Office (2006). Home Office Identity Fraud Steering Committee 2006
Updated Estimate of the Cost of Identity Fraud to the UK Economy. 2006: The
Stationery Office.

10. James, M. (2006). Aping to defraud – corporate identities at stake. Infosecurity
Magazine.

11. Leyden, J. (2006). Brits in their Identity as ID thieves prosper. The Register
Magazine. Retrieved July, 25, 2008 from
http://www.theregister.co.uk/2006/10/16/id_fraud_prevention_week/

12. Massey, R. (2004). The growing concern of e-identity theft. Electronic Business
Law 2003 5 EBL 9, p.3. Retrieved May, 15, 2008 from
http://global.lexisnexis.com/uk.

13. NCSL (2008). Identity Theft. Retrieved July, 25, 2008 from
http://www.ncsl.org/programs/lis/privacy/idt-legis.htm

14. OPSI_a (2006). The Identity Cards Act 2006. Retrieved July, 25, 2008 from
http://www.opsi.gov.uk/acts/acts2006/ukpga_20060015_en_1

15. OPSI_b (2006). The Fraud Act 2006. Retrieved July, 25, 2008 from
http://www.opsi.gov.uk/Acts/acts2006/ukpga_20060035_en_1

16. Owen, K, Keats, G and Gill, M (2006). The Fight against Identity Fraud: A
Brief Study of the EU, the UK, France, Germany, and the Netherlands
(Leicester, United Kingdom: Perpetuity Research & Consultancy International,
2006). Retrieved June, 28, 2008 from
http://www.perpetuityresearch.com/publications.html#idfraudstudy

17. Royal and Sun Alliance (2006). RSA UK Press Releases, 18.09.2006:
Corporate Identity Theft to cost businesses £700 million a year. Retrieved July,
28, 2008 from
http://www.rsagroup.com/rsa/pages/media/ukpressreleases?type=press&ref=352&view=true

18. Stothart, C (2008). E-mail fraudsters target academics, THES, 24th July 2008.
Retrieved July, 25, 2008 from
http://www.timeshighereducation.co.uk/story.asp?sectioncode=26&storycode=402936&c=2

19. Van der Meulen (2007), The Spread of Identity Theft: Developments and
Initiatives within the European Union, The Police Chief, vol. 74, no. 5, May
2007. Retrieved July, 25, 2008 from
http://policechiefmagazine.org/magazine/index.cfm?fuseaction=display_arch&article_id=1190&issue_id=52007
