A PROJECT

ON

IDENTITY THEFT IN THE INTERNET

SUBJECT: COMPUTER - II
(Submitted as a partial fulfilment of the requirements for B.A. LL. B (Hons.) 5 Year Course)

SESSION 2022-23

SUBMTTED ON: 25TH JANUARY, 2023

SUBMITTED BY: SUBMITTED To:

Keshav Narayan Harsh Mrs. Jyotsna Jain

Roll No. : 64 (Faculty, Computer - II)

Semester II A

UNIVERSITY FIVE YEAR LAW COLLEGE

UNIVERSITY OF RAJASTHAN

JAIPUR
 Declaration

I, Keshav Narayan Harsh, hereby declare that this project title “Identity Theft In The
Internet” is based on the original research work carried out by me under the guidance and
supervision of Mrs. Jyotsna Jain.

The interpretations put forth are based on my reading and understanding of the original
texts. The books, articles and websites etc. which have been relied upon by me have been
duly acknowledged at the respective places in the text.

For the present project which I am submitting to the university, no degree or diploma has been
conferred on me before, either in this or in any other university.

KESHAV NARAYAN HARSH Date: 15th May, 2023

Roll No. 64
Semester II-A
 TABLE OF CONTENTS
DECLARATION...................................................................................................................................................

CERTIFICATE......................................................................................................................................................

ACKNOWLEDGEMENT.....................................................................................................................................

CHAPTER I

INTRODUCTION

What has changed in the classic equation about anonymity and personal marketing?..............

CHAPTER II

IDENTITY THEFT AND LIABILITY

The Classical Approach.............................................................................................................

The Need Of Legislative Action.................................................................................................

The creation of new offence to protect the e-identity..........................................................

CHAPTER III

IDENTITY THEFT AND PROBLEM OF EVIDENCE

The certification of identity on internet.....................................................................

Computer crimes and the presumption of identity................................................
 CERTIFICATE

Mrs. Jyotsna Jain Date: 15 MAY 2023

Assistant Professor
University five year law college
University of Rajasthan, Jaipur

This is to certify that Keshav Narayan Harsh student of semester I Section A of

University Five Year Law College, University of Rajasthan has carried out project title
“Identity Theft In the Internet” under my supervision. It is an investigation of a minor
research project. The student has completed research work in stipulated time and
according to norms prescribed for the purpose.

Supervisor

Mrs. Jyotsna Jain

 ACKNOWLEDGMENTS

I have written this project, “Identity Theft In The Internet” under the supervision of
Mrs. Jyotsna Jain Faculty, University Five Year Law College, University of Rajasthan,
Jaipur. Her valuable suggestions herein have not only helped me immensely in making
this work but also in developing an analytical approach this work.

I found no words to express my sense of gratitude for Director Dr. Akhil Kumar Chauhan
constant encouragement at every step.

I am extremely grateful to librarian and library staff of the college for the support and
cooperation extended by them from time to time.

Keshav Narayan Harsh

Abstract:
The captivating issue of false identity on internet is already an old phenomenon, but until
now no uniform legal response really exists. For some, anonymity is deemed to be a right, but
for others, using a false identity will be a tort. Thus, the protection of the identity takes
various forms, both in civil action and in criminal procedure. However, the question involves
a second aspect, not only in substantial law, but also in the field of law of evidence: how does
one prove the real identity of the author of a computer related crime? The difficulty to
connect the use of an IP address, or even of an electronic certificate, to a real person leads
automatically to other legal responses which aim more directly to condemn identity theft and
unauthorised access to information systems! The objective of this paper is to discuss the need
of a reformulation of the concept of identity theft in order to correspond to the evolution of
the behaviour and frauds. On the internet, identity theft is not the same as in the real world –
a means of the commission of other offences, but is rather an autonomous crime.

Keywords:
 Identity theft;
 Liability;
 Privacy;
 Breach of confidence;
 Personal data protection;
 Identity fraud;
 Usurpation;
 Offence;
 Torts.
 INTRODUCTION

What has changed in the classic equation about anonymity and personal marketing?

It is the social network, of course. Nowadays, it has become a common practice for users to
use their true identity. At the same time, even pseudonym starts to take tangibility, from the
moment that is linked with very personal data about the everyday life of the pseudonym
owner. Just remember this huge scandal, recently, when a lesbian activist blogger from Syria
disappeared. This led to political ramifications until one middle aged guy from USA finally
confessed that he was the true author of the blog.

Identity theft is not a new phenomenon, even if the term itself could be described as relatively
new. It has been used and continues to be used in the frame of social security fraud, bank loan
fraud, assurance fraud, to evade criminal prosecution, etc… But in this project, we will focus
on a very specific aspect of the identity theft, which is new: the virtual identity theft, or the
theft of element of the identity in the internet.

I could define it for the purposes of this project as the appropriation of a person’s name,
image, e-mail or other notorious personal data in order to use as its own. Some elements of
the e-identity refer obviously to the real identity, while some others, like the e-mail, a
pseudonym, a blogger’s page, are specific in the internet sphere. The use of a false identity
can be very innocent, for example when we fill up a form with false name and birth date just
to be able to subscribe in a forum of discussion or to register in order to use software.

But we should also ‘consider not only the liar’s perspective but also the perspective of the
deceived. Should the person learn that she has been deceived, she is likely to feel betrayed,
resentful, manipulated, suspicious of others who would deal with her in future, and
mistrustful of the environment in which the deception occurred’. In a legal setting, using a
false identity can have consequences in terms of breach of the contract which binds the user
with the company, but the roughest problems lie elsewhere. When the user does not protect
himself behind the anonymity of a pseudonym, but chooses to borrow the identity of a true
person, false identity then becomes identity theft.

First of all, identity theft is deemed to create a liability and we will examine in the first part of
this paper the classic legal mechanisms but also the new legislative solutions adopted on this
point. But also, on internet a person is defined by his IP address, and a connection’s hack is
always possible. Therefore, in addition to the very direct identity theft, we also have to deal
with the indirect identity theft, thus the theft realised through the misuse of an internet access.
 IDENTITY THEFT AND LIBILITY

Identity theft is committed by phishing, by using an e-mail without the authorisation of his
owner and by using the name of others in a social network, etc. The various forms of identity
theft lead to different legal responses, according to the legal system of the country which is
competent to regulate the issue and to the nature of the acts. Traditionally and most of the
time, these legal responses will be in the form of a civil action. We will highlight their
inadequacy to the new behaviours on the Web 2.0 and we will analyse the initiative of
creation of a specific penal legal response.

2.1 The classic approach

2.1.1 In common law

In the common law system, torts actions provide various legal means to repress the conduct
of false identity or identity theft, according to the situation. It is noteworthy that even the tort
of trespass could be sometimes used. In the US case Food Lion Co v Capital Cities/ABC Inc.,
two journalists from ABC had provided false information and history in order to be employed
and to have access to a specific zone. They have been accused of fraud, trespass and breach
of the employee’s duty of loyalty. Similarly, in the US case Shiffmann vs Empire Blue cross
and Blue shield, the use of a false identity by the journalists to gather information about a
doctor was found to have negated the plaintiff’s consent to enter his premises.

The tort of defamation intervenes where the act of appropriating the identity of another
person is followed by declarations which harm the reputation of this person. Thus,
defamation can cover every situation where the rogue aims to ruin the reputation of the
victim by the way of the identity theft, but does not cover the act of usurpation of identity
itself.
 Privacy constitutes also a powerful legal tool in order to avoid identity theft and more
generally to condemn each non-authorised appropriation of the image and the name or other
characteristic used to define the identity of a person. Thus, in the opinion of the European
Court of Human Rights the concept of identity is protected under the stipulation of the article
8 of the Convention about protection of privacy. This idea is adopted in some common law
countries in the more specific form of a tort, the tort of appropriation. In the US case of the
Ninth District New combe v Adolf Coors Co, the plaintiff demonstrated that the use of the
image of a baseball player on an advertisement can fall in the scope of the legal framework of
protection of privacy if the identity of the player can be easily guessed.

In the UK, the protection of privacy will pass through the frame of the specific tort of breach
of confidence, as explained in the famous case Douglas v Hello!. 6 But this tort was primarily
conceived to protect the privacy of celebrities.

Could the online identity of daily users be protected by the tort of breach of confidence?

In a recent case in the UK, someone had created a false account on face book with
information about the sexual, political and religious orientations of the persons concerned by
the account. The judge logically assimilated this information with private information whose
disclosure gave rise to a cause of action for misuse of private information. More surprisingly
as it has been noticed, he did not consider as private information the various comments made
on the facebook page about the activity and the geographical position of the victim of identity
theft. To apply the tort of breach of confidence, the judges in UK demand that the person has
reasonable expectation of privacy in relation with his information. This position does not
favour automatically the e-identity, which is of hybrid nature: it serves both to differentiate
the person from the rest of the society and also to communicate with others. Nevertheless,
since it is an element of the personality of the internet user, it is not meant to stay into his
sphere of privacy.

Finally, one should consider the possibility of the liability not only of the rogue but also of
the company which detains the account which has been stolen, each time that the identity
theft has been accomplished through negligence in establishing sufficient computer security
measure.9 For example, if my account on facebook has been hacked and used because of an
insufficient protection of the code, could I accuse facebook for negligence? This new kind of
liability will surely extend and take shape in the EU with the application of the new Directive
of 200910 which obliges the ISP to declare every breach of personal data that they are aware
of.
2.1.2 In civil law
In the continental legal system, the question could be analysed at first on the aspect of the
fault, in the scope of the civil liability. By definition, to endorse a false identity is linked to an
unfair conduct. But in most civil legal systems, privacy has become an autonomous notion,
derived from the rights of personality. The same way as common law countries, in
continental law countries identity theft on internet is therefore mostly handled under the
prism of the right of privacy. For example, someone created a Facebook page in France,
where he pretended to be a famous artist (Omar). The real artist asked for reparation under
the stipulations of the right of privacy and obtained reparation.

Civil action seems to be the most natural legal response offered classically to combat the
usurpation of identity, but also some other domains of the law can apply. False identity
should also be analysed in the scope of the legal protection of the consumer. When some
societies, for example trip advisor, are paid to write some comments in a social network
comments which pretend to be written by final users expressing their real experience (and
even reproducing some spelling mistake), there is a kind of theft of identity which is
significant of a lack of good faith and of misrepresentation.

One form of identity theft on internet is related to the acquisition of some sensitive
information of the victim using some artifices in order to ensure the victim’s consent. This
activity, named phishing, often leads to the creation of false website, with a similar domain
name to the true one and an identical graphical chart. In these cases, another legal response
emerges in the form of counterfeiting. For example, in France, someone has been convicted
for the trademark counterfeiting and the counterfeiting of a website since he created a copy of
the register page of Microsoft Messenger.13 Copyright law thus could be of some use in this
matter. Also, it has been invoked to protect the virtual identity on some occasions and when
the legislation of the country permits it. For example, in Japan, it has been defended that the
avatar of the player of an online multiplayer game should receive copyright protection.

Finally, identity, even in its numeric form, constitutes personal data. Therefore, the legal
mechanism of protection of personal data, for example in Europe the Directive 95/46,15
prohibits the use of e-identity without the consent of the owner. However, the strict legal
framework of the personal data protection leads the judge to a narrow interpretation of the
notion of ‘identification’ and paradoxically, not all elements of the e-identity will fall into the
definition of a personal data.
2.2 The need of a legislative action

2.2.1 The internet’s specificity

Identity theft possesses this original characteristic that often the victim does not learn
immediately about the theft. In civil action, the question is resolved by the mechanism of
appreciation of the damages, but in the penal field a legislative action which statutes that the
prosecution is tolled until the victim takes notice of the crime is surely useful to discard any
ambiguity.16 We can cite for example the Californian legislative Act (chapter 73).

However, new elements appeared that lead to the consideration that civil action is not
enough to fight the phenomenon of identity theft. First of all, phishing, in these various
forms, is growing exponentially and has become a real problem of society. Then, in the case
of identity theft, the victims are often not aware of the prejudice. Moreover, the traditional
legal tools used to protect identity in its classic form or even sometimes only statute on the
illegal consequences of the identity theft and ignore the act itself. The question of whether to
extend it or not to virtual elements, like the e-mail, is left to the interpretation of the judges.18
Finally, identity theft does not harm only the true owner of the identity but also the rogue
propagates false information, sometimes false transaction by the mean of the theft. At the
end, all the users are victim of the usurpation.

But the principal change in this field of law from the classic approach of identity theft lies on
the fact that the e-identity by definition is related to an act of communication to the public.
The identity is clearly a component of the personality of an individual and its protection
could be achieved by the right of privacy. At the opposite, the e-identity is first of all a
creation for a very specific purpose: the expression of thoughts or feeling on internet.
Nonetheless, legal doctrine has already analysed the issue of the multiple nature of the
concept of identity. Most of the time, virtual identity is integrated in the legal protection of
the identity: however, privacy cannot cover every misuse of a virtual identity and it will end
with an amount of legal uncertainty. Therefore, independently of the various civil responses
that we have already analysed, a penal response should be established to apprehend the
reality of the identity theft on internet.
2.2.2 The Draft EU Directive on attacks against information

To facilitate cross-borders investigation and prosecution, a harmonised answer to the

phenomenon of identity theft should be found in an EU level. It would be a mistake to believe
that the EU organisations stand inactive on this question, as we conclude from the recent
proposal of a European Directive on this issue. The Draft Directive creates certain new
offences: the illegal access to information systems, the illegal system interference, the illegal
data interference, the illegal interception, and offences related to tools used for committing
offences. Identity theft is also present on the article 10 par. 3 of the Draft Directive but only
as an aggravating circumstance. When these offences are committed by “concealing the real
identity of the perpetrator and causing prejudice to the rightful identity owner” the maximum
term of imprisonment should pass, according with the proposal, from two or three years to
five years.

We can conclude from this draft directive that the classical approach which apprehends the
identity theft as an aggravating circumstance has been chosen for now by the European
legislator. This does not reflect the fact that nowadays the identity on internet has become one
of the most valuable assets of the companies and the central element of the reputation of the
individuals and thus it needs to be protected through an autonomous offence.
2.3 The creation of new offence to protect the e-identity

Various legislative actions have emerged in response to the need of protection of the e-
identity. We will continue for the scope of this paper to use the term ‘identity theft’ even if in
most criminal law systems the term ‘identity fraud’ is preferred. Now also the term of
‘usurpation of identity’ has made its appearance. It has been proposed to talk in general about
‘online identity crime’.

As an example, we will use the initiative of the French, since they have created a new
offence23 which added in the French penal code an article 226-4-1 stipulating that:

“The act of usurpation of the identity of a third person or of using one or more data which
identify him in order to disturb his or others tranquillity, to detract his honour or reputation, is
punished by one year of imprisonment and a fine of 15 000 Euros. This offense is
characterized also when it is committed in an online network of communication.”

We must underline the fact that the offence does not require the perpetuation of another
crime. It is the simple act of usurpation that defines the offence. This constitutes the real
change, because most of the time identity theft is apprehended in relation with other
connected offences. In consequences, the e-identity or cyber-identity becomes protected as an
element of the personality of a person.25 In order to limit an offence which otherwise would
be too large, the French legislator demands a special mens rea: the will to trouble the inner
space of the person. However, this method possesses some defaults linked to the proof of the
intention. Finally, the law does not define the notion or identity or usurpation. The
legislator’s purpose was to extend the legal protection of identity to new elements but the
clear delimitation of the offence will wait for a judiciary’s analysis.
 IDENTITY THEFT AND THE PROBLEM OF
EVIDENCE

At times, the internet is presented as a cyberspace with his own customs, territories and, to
say it, law. We have just seen how on the internet the very classic notion of identity finds a
way to redefine itself. At the same time, we should not forget that all these virtual worlds are
just built on a very real network of computers, servers, wires, cables and transmitters. The
concept of identity theft is often analysed in its virtual aspect but it takes also another form,
more material, related to the misuse of materials which provide access to internet. How can
one be concretely sure of who is behind the computer? There is clearly an assimilation of the
user to its computer (computer or assimilated, there is no interest in a legal approach to
distinguish between PC, modern game consoles or smart phones). This very basic question
leads to two problematic issues which are a little bit more complex: how to prove that we are
who we pretend we are, and, how to prove that we are not the one who used the computer to
commit a crime?

3.1 The certification of identity on internet

In common law countries, we usually distinguish between real evidence-, where the
computer has created the evidence through pure calculation or analysis, hearsay evidence,
where the digitalised data is the result of human activity, and derived evidence, which is
basically a mix of real and hearsay evidences. The traditional rule against hearsay prohibits
this kind of evidence as unfair for the other litigant but it will not be necessary here to
analysis the various exceptions of this principle in case of electronic evidence since the
evidence of the identity of the person who uses the computer seems to depend on the
automatic logs of the internet provider. Therefore, it should be managed as real evidence.

In EU law, the principle of the technological neutrality of the law of evidence prevails.27
This principle is for instance expressed through the Directive on electronic signatures.28 In
conclusion, identity theft or e-identity theft on this point follows the traditional mechanisms
of the law of evidence: each part is free to contest the legitimacy of the signature of the other,
if he can prove that there is a falsification somewhere. When the theft of identity on internet
is proven, it is governed by the general solutions of the law of contract (the theory of mistake
of identity). At this point, the law is dependent of the technology and of the politician’s will:
the generalisation of smart cards, which use strong enough cryptographic algorithms and
universal modules of connection, in order to create a certified e-identity would surely help to
secure the online transactions.
3.2 Computer crimes and the presumption of identity

The recent development of WIFI networks responds to a demand of mobility. People desire
wireless connection to internet everywhere and that comes with some legal issues. It is
common nowadays to be able to connect to three, four different networks at home and if the
neighbours do not secure properly their network, one could easily steal their connection. In
internet, each device is identified by an IP address. When a crime is committed online (for
example, counterfeiting or defamation), the IP address leads to the device and the device to
its legal owner.

This trust chain from the IP address delivered by the internet provider to the end user creates
a lot of legal issues. For example, we are facing a growing phenomenon of so called zombi
computers, which are used as means to commit crime in the total ignorance of their owner,
because of the exploitation of a breach in their security.

The importance given to the IP address means that a presumption is created, a presumption of
the true identity of the end user. Thus, the IP address becomes an identification number and
forms therefore the core of the e-identity. At the same time, it must be reminded that the
identification by IP address is indirect, since it needs both a special technical analysis and a
judiciary authorisation. The legal nature of the IP address is then very blurred: it plays a
central role in the struggle against cyber-crimes and illegal downloading and (or perhaps
because of that) its qualification as personal data still continues to be a polemic question. To
incorporate the IP address into the strict regime of personal data protection would have
extreme consequences on the daily function of service providers and in this context courts in
France31 and Germany had the opportunity to deny the quality of personal data to the IP
address. We arrive at this strange conclusion that IP address is deemed to be a mean of
identification for the law of evidence, but at the same time cannot be recognised as personal
data in regards of substantial law. Perhaps, and it is at the end the purpose of this paper, this
paradox could be resolved by reference to the notion of virtual identity.

Additionally, what about the roaming WIFI networks in public places, where it is practically
impossible to identify the person who is actually connected? The presumption of true identity
cannot apply there but the impunity of the end user is counterbalanced by the liability of the
server manager who leaves its network unsecured. If we push this idea to this logical end, we
conclude on this polemic position that there exists somehow an obligation of identification on
internet. The same reasoning applies for the public proxy servers, which offer to the user the
possibility to pass through a second server and thus to hide their true identity.
 CONCLUSION

The aim of this paper was to call for a redefinition of the notion of identity theft, from an
aggravated circumstance, a means to commit other crimes and to an autonomous notion
which should include elements of the virtual identity of the user. However, if we accept that
the IP address is a part of this identity, the problematic question of the IP’s theft refers more
to the classic approach than to the new one. This means that this new approach must be seen
as a second level of protection of the user, which does not replace the classical approach but
it strengthens it. At this moment when many are wondering if the cyberspace will become a
battlefield,34 it is important to remember that the identity and its protection constitute the
core of every civilised society.