DR. RAM MANOHAR LOHIYA NATIONAL LAW UNIVERSITY

ACADEMIC YEAR: 2019-2020

TERM PAPER ON:


IDENTITY THEFT AS A CRIME IN CYBERSPACE

PRESENTED TO: DR. AMANDEEP SINGH


ASSISTANT PROFESSOR (LAW)

PRESENTED BY: ADITYA PRATAP SINGH


ENROLL. NO: 160101009
SEMESTER: VII
Introduction

In view of the media coverage, results of recent surveys, as well as numerous legal and
technical publications in this field, it seems appropriate to speak about identity theft as a
mass phenomenon.

The term identity theft – that is neither consistently defined nor consistently used –
describes criminal acts where the perpetrator fraudulently obtains and uses another person’s
identity[1]. These acts can be carried out without the help of technical means as well as online
by using Internet technology. Internet-related identity theft cases in particular are to a large
extent based on highly sophisticated scams that demonstrate the capability of automated
attacks on the one hand and show the difficulties that law enforcement agencies are faced
with when investigating such offences on the other. These attacks generally aim for the
weakest point of the target.
Examples are:
• The perpetrator persuades the victim to disclose confidential information on a website and
uses it in criminal activities.
• The perpetrator obtains credit-card information from the victim to use it for the ordering of
goods and services.
• The perpetrator obtains the password of the victim’s email account and uses it to send out
emails with illegal content.

Current surveys show that identity theft is a serious challenge for societies as well as law
enforcement agencies not only in terms of the number of offences, but also in terms of the
losses.
With regard to the reliability of such data, one should keep in mind that most statistics focus
on single states and that it is uncertain if the results of the surveys are comparable to other
countries. Furthermore, it is uncertain to what extent users are reporting identity theft
related offences. Nevertheless, statistics indicate trends and the scope of the problem.
Recent surveys and analysis assume for example that:
• In the United Kingdom, the cost of identity theft to the British economy was calculated at
£1.3 billion every year.
• Estimates of losses caused by identity theft in Australia vary from less than US$1 billion
to more than US$3 billion per year.
• The 2006 Identity Fraud Survey estimates the losses in the US at US$56.6 billion in 2005.

[1] Peeters, Identity Theft Scandal in the U.S.: Opportunity to Improve Data Protection, MMR 2007, 415.

The crime of identity theft consists of two steps:[2]

• Wrongful collection of the personal identity of an individual
• Wrongful use of such information with an intention of causing legal harm to that person

Identity theft involves both theft and fraud; therefore the provisions with regard to
forgery under the Indian Penal Code, 1860 (IPC) are often invoked along with
the Information Technology Act, 2000. Some of the Sections of the IPC, such as forgery
(Section 464), making false documents (Section 465), forgery for purpose of cheating
(Section 468), forgery for purpose of harming reputation (Section 469), using as genuine
a forged document (Section 471) and possession of a document known to be forged and
intending to use it as genuine (Section 474), can be coupled with those in the IT Act.
The Information Technology Act, 2000 (IT Act) is the main legislation in India
governing cybercrimes. Some of the Sections dealing with cyber theft are:
• Section 43: If any person, without permission of the owner, damages a computer,
computer system, etc., he/she shall be liable to pay compensation to the person so
affected.
• Section 66: If any person, dishonestly or fraudulently, does any act referred to in
section 43, he shall be punishable with imprisonment for a term which may extend to
three years or with fine which may extend to five lakh rupees or with both.
• Section 66B: Punishment for dishonestly receiving a stolen computer resource or
communication device is imprisonment for a term which may extend to three years
or with fine which may extend to rupees one lakh or with both.
• Section 66C provides for punishment for identity theft as: Whoever, fraudulently or
dishonestly, makes use of the electronic signature, password or any other unique
identification feature of any other person, shall be punished with imprisonment of
either description for a term which may extend to three years and shall also be liable
to fine which may extend to rupees one lakh.
• Section 66D, on the other hand, was inserted to punish cheating by impersonation
using computer resources.

[2] https://www.mondaq.com/india/x/785836/White+Collar+Crime+Fraud/Cyber+Theft+A+Serious+Concern+In+India

With the increase in the number of frauds and cyber related crime, the government is
coming up with refined regulations to protect the interest of the people and safeguard
against any mishap on the internet. Further, stronger laws have been formulated with
respect to protection of "sensitive personal data" in the hands of the intermediaries and
service providers (body corporate) thereby ensuring data protection and privacy.

Difficulties in the fight against identity theft


The fact that identity theft has become one of the most widespread cybercrimes is related to
the vulnerability of the identification architecture. These vulnerabilities are not created by
the perpetrators that commit the crime but exploited by them.[3] Criticism regarding this
vulnerability particularly concerns single identification data that are not protected by
sufficiently secure systems. One example is the Social Security Number (SSN) in the
United States. The SSN was created to keep an accurate record of earnings.[4] Due to this
aim, no security regime was developed to ensure that the use of the SSN in identification
processes would not involve security risks. Contrary to its original intentions, the SSN is
today widely used for identification purposes.[5] And as it is insufficiently protected,
perpetrators are able to cause great harm (e.g. by gaining access to a person’s existing
accounts, applying for credit in the victim’s name and obtaining even more information
about the victim for further use) solely based on the SSN.

Two developments are responsible for the increasing amount of publicly available identity
related information. Currently a number of highly successful Internet services like
“Facebook”, “MySpace” and “Second Life” are based on the principle of developing a
culture of digital identities. Users assigned to such services transfer a part of their social
activities to the Internet. This process often involves the disclosure of private information
which can be abused by perpetrators. Due to the fact that the majority of Internet users use a
limited number of very popular services, as well as the availability of search engines that
are specialized in the detection of private information about a person, it is rather easy for a
perpetrator to collect that information and use it for criminal purposes.

The second development is closely related to the transfer process. As highlighted
previously, the information that is often made publicly available cannot in general be used
on its own, but only in combination with other data in order to take over the identity of
another person. The perpetrators are therefore highly interested in linking different identity-related
information. In this they are – indirectly – supported by the current global trend
in e-business to link digital identities. Data mining systems are used for example
to analyse the behaviour of customers; they even try to predict their future behaviour based
on an analysis of consumer-related data collected in various databases. A recently published
study highlights the threats of this process for society as well as for the individual. If the
perpetrators manage to improve their skills in linking digital identities, they can commit
offences by using the identity of another person without resorting to illegal means while
obtaining the identity-related information.

[3] Solove, The legal construction of Identity Theft, page 4, Symposium: Digital Cops in a virtual environment, Yale Law School (March 26-28, 2004).
[4] Sobel, The Demeaning of Identity and personhood in National Identification Systems, Harvard Journal of Law & Technology, Vol. 15, Nr. 2, 2002, page 350.
[5] Garfinkel, Database nation: The Death of privacy in the 21st Century, 2000, page 33-34.

The popularity of digital identities and the related process of transferring parts of one’s
social life to the Internet are combined with the problem that the instruments that were
developed to identify and prevent perpetrators from abusing other people’s identity do not
in general apply in the digital world. Many of these instruments are based on the personal
contact of the people acting. Checking tangible identifying documents or physical
recognitions (especially between individuals who previously established a relationship) is
easy in the real world but difficult in the digital world. The development of effective
identification instruments that can be used on the Internet has just started.

When investigating internet-related identity theft, law enforcement agencies are faced with
a number of challenges comparable to those regarding other cybercrimes, but not
necessarily comparable to more traditional investigations. Some of the most important
challenges are:

• Potential number of victims


There seem to be more than 1 billion Internet users worldwide. This number is expected to
increase continuously in the coming years. With this the number of potential victims of
identity theft increases.

• Availability of instructions on how to carry out an offence


It is not just identity-related information that perpetrators can find on the Internet. Reports
highlight the risks that go along with the legal use of search engines for illegal purposes. A
perpetrator who plans an attack can find detailed information on the Internet that explains
how to build a bomb by using chemicals that are available in regular supermarkets. With
regard to identity theft, instructions, including information on how to obtain and create an
identity, are available on various websites.

• International dimension
Similarly to other cybercrimes, identity theft offences often have an international
dimension. If the perpetrator and the victim are not based in the same country, then the
investigation requires the co-operation of law enforcement agencies in all countries that are
involved. The principle of national sovereignty does not in general allow one country to
carry out investigations within the territory of another country without permission from the
local authorities. The related formal requirements and especially the average time that is
necessary to respond to requests from foreign law enforcement agencies often hinder the
investigations.

• Automation
One of the greatest advantages of information technologies is the possibility to automate
certain processes, and perpetrators make use of this potential. One of the most notorious
examples is spam. The abuse of email services to send out unsolicited bulk messages is
based on the automation of the sending process. Without that it would not be possible to
deliver millions of emails within a rather short period of time. The same technology is used
in email-based “phishing” scams.

The Facebook-Cambridge Analytica Data Scandal

Political data firm Cambridge Analytica obtained the data of 50 million Facebook users,
constructed 30 million personality profiles, and sold the data to US politicians seeking
election to influence voters, without the users’ consent. Although this was revealed in 2015,
in March 2018 a former employee of the firm came forward with more details, placing
Facebook's practices under intense scrutiny, and raising questions as to the responsibility of
the Internet industry. The facts, wide-reaching implications, and open questions are
explained below.

How was the data obtained?

In 2014, a researcher from Cambridge University, Alexandr Kogan, developed an app called
‘thisismydigitallife’. The app paid users ($1‒$2) to take a personality quiz,[6] but to take the
quiz, users had to consent to give the app access to their Facebook profiles and those of
their friends. The paid task was advertised to remote freelance workers on Mechanical Turk,
a crowdsourcing online marketplace controlled by Amazon.

Over 270,000 users took the quiz; however, the app was able to access the full profile of
over 50 million friends’ accounts – which, at the time, Facebook’s API (application program
interface, i.e., the platform for building applications) allowed by default. To harvest such
data through Facebook’s API, the researcher obtained a license from Facebook, ‘for
research purposes only’.

[6] https://theintercept.com/2017/03/30/facebook-failed-to-protect-30-million-users-from-having-their-data-harvested-by-trump-campaign-affiliate/

How was the data used?

Kogan violated his agreement by giving the data to political data firm Cambridge Analytica,
which was co-founded by Republican donor Robert Mercer. The firm reportedly funded $7
million for Kogan’s exercise.[7]

Once in Cambridge Analytica’s hands, the data of 30 million users (out of the original 50
million) was matched with other records to construct personality profiles on millions of
American voters. Cambridge Analytica classified voters using five personality traits known
as OCEAN – Openness, Conscientiousness, Extraversion, Agreeableness, and Neuroticism.
The aim was to identify the personalities of American voters and influence their behavior,
using psychographic modelling techniques.

In December 2015, The Guardian revealed that Cambridge Analytica was selling
psychological data to Ted Cruz’s presidential campaign. Although the New York Times
reported that Facebook did not verify how the information was being used, Facebook said it
had removed the app in 2015 after learning of the subsequent violation of platform policies.
Kogan, Cambridge Analytica, and another former employee Christopher Wylie certified to
Facebook that they had deleted the data.

Once Donald Trump became the presumptive nominee, Cambridge Analytica contacted, and
was later engaged by, his campaign team. The first payment of $100,000 was made in July
2016. The relationship is now under scrutiny by the Special Counsel investigating the
alleged Russian interference in the US election. There may also be ties with the UK’s
Leave.EU campaign, the group which campaigned for Brexit in 2016.

In March 2018, the former Cambridge Analytica employee, Christopher Wylie, provided
documents and first-person testimony to The Times and the Observer which confirmed the
details. He also confirmed that a large amount of the data was still on the company’s
servers. How much the data actually contributed to influencing voters is still being debated
and is unclear.

[7] https://www.vox.com/policy-and-politics/2018/3/21/17141428/cambridge-analytica-trump-russia-mueller

Implications for digital policy

The revelations have placed the practices – and responsibilities – of Facebook and other
companies under intense scrutiny.

Convergence

Once considered as separate industries, the media and the Internet industry have now
converged around the data model. In this model, users provide their own data in exchange
for using the service. Data in large quantities is then used for advertising and marketing
purposes. For example, in 2017, Facebook’s advertising revenues were close to $40 billion;
that same year Google’s revenues from advertising reached over $27 billion. Harvested data
has many more uses. Amazon is using customer data to target deals. Uber is using customer
data to develop autonomous vehicles. Hardware companies are also collecting data: Recent
Wikileaks revelations show that a smart TV manufacturer was allegedly collecting data on
users’ viewing habits. This ‘gold rush’ for data means that any issues, challenges, or risks
associated with the industry’s data model are increasing exponentially.

Intermediaries

One of the main questions relates to the liability of intermediaries regarding the data they
collect, and the users’ rights over their personal data.

The data trail in the Cambridge Analytica case shows that two main actors were involved:
the network (Facebook), and third parties (the researcher, Cambridge Analytica, and the
political campaigns). It also raises several questions: Why did Facebook’s API allow the
automatic gathering of friends’ data, and how will potential breaches of data (which was
collected back then) be dealt with? If the terms between Facebook and third parties were
breached, who is responsible? Data breaches, misuse of data, and breaches of users’ rights
are inherently connected.

Content Policies

Facebook and other companies collect a large amount of data.[8] The company not only
records the ‘likes’ but also geographical information based on GPS or Wi-Fi signal,
information from websites and apps which the user logs onto via their Facebook login
credentials, and any contact information the user allows Facebook to access. Facebook even
creates ‘shadow profiles’ of nonusers, inferred from other data. One of the main criticisms
levelled against both Internet companies and authorities relates to the large amounts of data
points the companies are allowed to harvest. Once harvested, legal and ethical questions also
arise, related to how the data and data analyses will be used.

[8] http://www.facebook.com/full_data_use_policy

Privacy and data protection

While users did consent to giving Facebook their data, the network did not specifically
inform them that their data had been passed on to the Cambridge Analytica researcher.
Although the transfer of data may be legal due to blanket provisions in the company’s data
policy, the lack of disclosure in this case could violate laws in Britain and in many
American states. Cambridge Analytica’s connection to the US elections may also be illegal.
Regulators in the USA and the UK are investigating.

Tougher rules in Europe will come into effect on 25 May 2018. The EU’s General Data
Protection Regulation (GDPR) obliges companies handling the personal data of EU citizens,
regardless of where the company is located, to obtain clear and unequivocal consent for the
processing of data. It also includes hefty fines for non-observance.

Economic

The practice of collecting data from users in exchange for services or content has also raised
questions related to compensating users for their data. Users give away significant amounts
of data without financial compensation. The data has contributed significantly to the
revenues of the Internet industry. Two trends have emerged with the aim of compensating
users or giving some of the value back to society.

The first relates to governments’ push for taxing the industry. Several countries in the EU
have proposed new concepts for taxing Internet companies’ revenue, in lieu of the standards
provided in the traditional tax system, which are not proving adequate. In March
2018, the European Commission proposed short-term and long-term plans that better reflect
the online nature of digital businesses. In parallel, the Organization for Economic
Co-operation and Development (OECD) has issued its interim report, which highlights the main
challenges of taxing the digital economy and the need for a global approach to tax rules.

The second relates to calls for users to be compensated more directly. One emerging idea is
that of a data fund: just as Alaskan citizens receive annual dividends from the Alaska
Permanent Fund, a constitutionally established fund funded by oil revenues, digital
companies would be required to pay a percentage of their data revenue into a sovereign
wealth fund, and pay out an annual dividend to users.

Security

Data breaches are on the rise, and typically, users learn about a data breach only after it has
been revealed by the companies. In some cases, notifications of a breach come long after it
happens:

In 2016, news of a breach that affected the data of 57 million Uber drivers was disclosed by
the company a year after the breach took place. At this time, it also emerged that after the
company’s servers had been breached in 2016, Uber paid $100,000 to the intruders to delete
the data and keep silent.

In the Cambridge Analytica case, a Facebook executive said: ‘This was unequivocally not a
data breach… No systems were infiltrated, no passwords or information were stolen or
hacked.’ The executive said that the violation had been committed only by Cambridge
Analytica, whose app ‘did not follow the data agreements’. At the time, however, the
researcher was able to exploit a loophole in Facebook’s API[9] which allowed the developer
to gather information not only on the users of the app, but all the users’ Facebook
friends. This highlights a larger debate as to what extent Facebook is able to remove
potentially dangerous loopholes and secure its systems and the users’ data as it changes
hands.

Labour

The original source of data used by Cambridge Analytica was collected from remote
freelance workers who were paid small amounts of money in exchange for their data.
Although the case did not directly raise any issues with regard to the remote workers, it does
bring to the fore the social dimension related to workers in the gig economy.

[9] http://www.vox.com/policy-and-politics/2018/3/23/17151916/facebook-cambridge-analytica-trump-diagram

Relevant provisions and Status quo in India

At 462.12 million, India has the second highest number of internet users in the world after
China but lacks the legal framework to ensure data protection and privacy with current laws
inadequate for the rapidly evolving sector, say cyber security experts.

Data theft is turning out to be an all-consuming monster in India and there seems to be no
mechanism to halt it in its tracks. According to a report by the Internet and Mobile
Association of India (IAMAI), the number of internet users in the country is expected to
reach 500 million by June 2018. The government of India, under its flagship scheme "Digital
India", which aims to transform the country into a digitally empowered society and
knowledge economy, has moved the delivery of public services to online platform(s),
resulting in increased access to the internet. Consequently, the digital footprint of Indians is
set to increase with a colossal amount of data being generated - voluntarily or involuntarily
- by users.

However, the framework under which data is collected, processed and stored is nearly
non-existent in India. Most Indians using the internet have little or no idea about data privacy, and
this blissful ignorance leaves them exposed and vulnerable to threats such as illegal data
harvesting, ID theft, profiling without their consent, etc. The data generated by our activities
online can be analysed in ways we might not even know about. A case in point is the
recent controversy surrounding Cambridge Analytica, where mass harvesting of data of
Facebook users took place without their knowledge or consent and the results were
subsequently used to influence the voters in India.

At present, Section 72A of the Indian Information Technology Act, 2000, provides for data
protection, by making it a punishable offence to disclose information, knowingly and
intentionally, without the consent of the person concerned and in breach of the lawful
contract. However, its enforcement remains under question as the people tasked with
enforcement lack subject knowledge and technical know-how, leaving users exposed,
vulnerable and without any real protection against their data being misused.

The Supreme Court, while declaring the "Right to Privacy" a fundamental right, also held
that the same extends to both physical as well as virtual world. Justice Sanjay K Kaul in his
judgment had observed that privacy in the digital age includes the "right to be forgotten"
and hence empowers individuals with control of the information they put out enabling them
to seek removal of data concerning them.

The right is not absolute in nature and is subject to reasonable restrictions, such as
information which may have a social ramification or is necessary for compliance with legal
obligations. This "Right to be Forgotten" has to be made an integral part of the existing
data protection regime in India. Reference in this regard can profitably be made to
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on
the free movement of such data.

Some progress in this regard was made in 2017 when BJD MP Baijayant Panda moved a
private member's Bill in Parliament by the name of Data (Privacy and Protection) Bill,
2017, which envisaged a right to "informed consent", wherein, only upon giving an express
and affirmative consent can a person's data be collected, used or sold. The Bill, in principle,
proposed to give every citizen a right over data produced by him/her. "Express consent" of
the individual was required before the data in question could be collected, used or sold.

Under the provisions of the proposed legislation, a quasi-judicial body would have allowed
juristic persons to file grievances against private as well as government bodies against any
breach of privacy. This was a great leap forward as this would have created a specialised
body with experts at the helm, who would be best equipped to handle the situation wherein
the individual whose privacy had been compromised would have approached and could
have had his breach of privacy addressed in a fast, reliable and time-bound manner.

The government constituted the 10-member committee headed by Justice Srikrishna in
August 2017. The committee is likely to submit the draft for a new law regarding data
privacy and protection by May 2018. The white paper released by the committee suggests
that it is in favour of a new law which would be applicable to both government and
non-government sectors, to collect and process data after consent. It also proposes to fix
accountability on the data controller for any data processing; establishment of a high-powered
statutory authority for enforcement, supported by a decentralised enforcement mechanism;
and penalties for wrongful data processing to ensure deterrence.

The current provisions of law, of which the masses are nearly oblivious, face a problem
in implementation and are mostly inept in delivering their aim. The Bill moved by Panda,
which called for an independent data protection authority, can be used as a guide in order to
come up with a strong data privacy law. The government, in light of recent incidents like
Cambridge Analytica and the growing importance of effective data protection, should take
notice, step in and fill the gap which exists in the current law and policy regime. The government’s
push towards delivery of services through the internet needs to be backed by a full-bodied and
dynamic framework to ensure that the data being generated by users is not used without
their consent and also to give them the right to decide how this data may be used. It will
also bring accountability to data handlers, both government and non-government actors.

Conclusions[10]

[10] UNODC response to identity-related crime. http://www.unodc.org/unodc/en/organized-crime/identity-related-crime.html (11 September 2014).

Recent technological advances have boosted the crime of cyberspace identity theft.
Although this crime is not new, the Internet has expanded its scope and created innovative
ways of committing it, leading to a new variant called cyberspace identity theft. Identity
thieves no longer need to search waste bins or come into personal contact with victims in
order to steal their personal information for fraudulent uses. In spite of these changes, there
is still no widely accepted definition for cyberspace identity theft. Without doubt, a clear
and acceptable definition is crucial to combating cyberspace identity theft in terms of
criminalising, investigating, prosecuting, and punishing it, as well as differentiating it from
other crimes. However, most of the existing definitions suffer from ambiguity or lack of
completeness. There are also stark differences in definition among countries, with some
viewing cyberspace identity theft as a crime and others, as a civil wrong. Moreover, the
definitions focus unduly on the act of obtaining information, further restricting the scope of
many penal provisions to data collection. In this recognition, attempts have been made at
the national, regional and international levels to grapple with the problem. At the national
level, efforts have been made by countries such as the United Kingdom, Malaysia and Iran
through the enactment of new pieces of legislation and the revision of old ones. At the
regional level, the EU and the OECD have adopted similar initiatives. Notable at the
international level are the efforts of the Council of Europe through the Convention on
Cybercrime, the UN, as well as Interpol. An additional difficulty is the confusion between
‘identity theft’ and ‘identity fraud’, with the UN Intergovernmental Expert Group
suggesting that the term ‘identity crime’ be used instead to cover both. As indicated earlier,
such a suggestion is equally problematic because cyberspace identity theft is not yet
perceived as a crime in some countries. These variations in perspectives have led to
correspondingly contrasting policies and laws. The differences in definition highlight the
difficulty faced in trying to reach an agreement on what cyberspace identity theft really is.
The resulting variations in legal perspectives, in turn, present obstacles to collective
attempts to combat the problem. Therefore, a clear and widely accepted definition of
cyberspace identity theft is needed in order to enact equally unequivocal laws.
