Identity Theft Issue in Great Britain Term Paper

Introduction

Although not a clearly defined legal term, the concept of identity theft has been absorbed into the consciousness of the British public with some ease. The terms identity theft and identity fraud are used interchangeably by government agencies, the media, and marketing personnel, and most of us have a broad understanding of what they are talking about. For many people, identity theft invokes ideas of credit card fraud and benefit cheats; for others, it is more associated with illegal immigration and organized crime. However, although a broad understanding may be sufficient to raise public consciousness of the risks associated with identity theft, the lack of conceptual certainty has proved to be more problematic for those involved in policy and prevention.

Indeed, when we begin to unravel the different methods of identity theft and explore the motivations of its perpetrators, it becomes apparent that it is a complex, multidimensional concept. From the outset, it is important to differentiate identity thefts from other data crimes (Collins, 78-84). There are essentially two defining features of identity theft. First, there must be an appropriation of another individual’s personal data and, second, an act of impersonation in which the perpetrator masquerades as that individual to commit another crime. We must, therefore, discount cases of fraudulent misrepresentation in which dishonest individuals lie about some of their circumstances (for example, by giving a fake address to commit a benefit fraud). Before we move on to examine the different methods of, and motivations behind, identity theft in more detail, it is necessary to first consider the nature of personal data and to understand how it is used in the process of identification. Only then can we truly appreciate the skills and knowledge required to commit these offenses?

Personal Data

The term personal data is commonly defined as data relating to an identifiable individual or an identified (Sherri, 124-127). It does not necessarily have to identify the individual, but in cases of identity theft, it is identifying data that is targeted by the criminal. Three types of personal data may be used for identification purposes: attributed identifiers, biographical identifiers, and biometric identifiers (Collins, 78-84). Attributed data are the components of an individual’s identity, which are established or assigned at birth. These include name, date, and place of birth, and parent’s names, and are permanently associated with the individual. Biographical identifiers are the elements of identity that are accumulated after birth, as the individual progresses through life. They include educational achievements and qualifications, financial records, property ownership, marriage, and employment history, thus representing an individual’s interactions with public and private institutions. Biometric identifiers are biological characteristics that relate to an individual’s physical makeup. These may then relate to the physical appearance (e.g., fingerprints or facial structure) or the biomolecular profile (e.g., DNA) of an individual. Some will be permanent characteristics, and some will change as individual ages.

A portfolio of information, then, is collected throughout an individual’s life, and different pieces of personal data serve different functions. As a result, personal data can have intrinsic value or instrumental value, and that value can be attached to information by ourselves and by other people. For the criminal, it is the instrumental or commercial value of personal data that is attractive. Most personal information has business value in the sense that it can be a substitute (Frances, 99-102). It may be exchanged for goods and services or more information; thus it is described by Sherri, (2005) as persuasive data. In practice, different pieces of information have different levels of exchange value. A passport, for example, will open the doors to more facilities than a membership card for the local video store. Personal data is the key to the identification process.

Identification Process

Clarke’s (1994) theory of identification firmly establishes human identification as a process of association of data with a particular human being. (Doug, 157) More particularly, the identifier is trying to establish that a person who is the issue of one surveillance is also the subject of the previous scrutiny. (Frances, 99-102) Thus, identification is a layered process that always must refer back to a base layer in which the identifying characteristics were originally recorded as belonging to a specific individual. Accordingly, to commit an act of identity theft, the criminal must either intercept the relevant identifying characteristics present in the base layer or establish a new base layer.

The purpose and nature of the identification process reflect the needs of the identifier. When an individual interacts with a state agency or public institution, for example, the purpose of the identification process is to enable the state to monitor and control entitlement to public services and contribution to societal structures. Identification, then, is necessary when a person wishes to enter or leave the country (for the time being or permanently), access state reimbursement, use healthcare services, and enter the service system. This is most likely to require an individual to provide knowledge and evidence of attributed information. In contrast, for private sector institutions, the process of identification is less about control of citizens and more about protecting the interests of the business or service provider. Put simply, private sector institutions need to ensure the identity of an individual before entering into a contract or financial relationship to reduce the risk of nonpayment or fulfillment of some other contractual obligation. Thus, an individual probably will need to produce evidence of biographical information, in addition to attributed information.

Evidence of identity may take one of three forms: token-based identification (where documents or other tokens are used to prove identity), knowledge-based identification (information only the individual would know), and biometric identification (where physical characteristics are used to identify an individual). (Collins, 78-84) For an identifier to be effective, it must fulfill several different requirements. These include universality of coverage (all individuals must possess the identifier), uniqueness, permanence, precision, and acceptability (socially and ethically). The problem is that no single identifier can be said to satisfy all requirements. Although physiological identifiers are universal and usually indispensable, they are not necessarily unique or permanent. Yet, nonphysiological identifiers are equally problematic, because they are unlikely to be unique, permanent, or universal.

Identity theft is the blanket term for any type of crime wherein the offender uses another individual’s legitimate personal information to commit acts of fraud or deception, typically (though not exclusively) for illicit financial gain. The criminal activity extends beyond mere credit card fraud, for example, since offenders assume the victim’s identity, often using the assumed name to purchase cars and houses, rent apartments, take out loans, book travel reservations. The assumed identity may also be employed for outright criminal activity and furnished to authorities when the offender is arrested, posts bond, and so forth. If unchecked, the impact on a victim may be devastating, both emotionally and financially.

Unlike DNA or fingerprints, personal data in modern society consists mainly of numbers—particularly Social Security, credit card, bank account, and telephone calling card numbers. Any or all of those numbers may be obtained by thieves in a variety of ways, ranging from purse-snatching, “dumpster diving,” and “shoulder surfing” at pay phones or automatic teller machines to purchase through illegal channels. And in today’s world, the vendors of stolen personal data operate primarily on the Internet. Experts on identify theft warn consumers against responding to a spam email that requests personal information in return for some illusory prize or reward. Likewise, circumspection must be used when making online credit card purchases or when relaying personal data on the telephone. Cellular phones are riskier than traditional landlines since conversations can be intercepted—plucked from the air—without resort to clumsy (and illegal) wiretapping equipment. (Frances, 99-102)

Identity theft became a federal crime in 1998, with the passage of the Identity Theft and Assumption Deterrence Act, imposing a maximum sentence of 15 years’ imprisonment, plus a fine and forfeiture of any personal property used to commit the offense. Separate federal statutes impose additional penalties for various collateral offenses, including identification fraud, credit card fraud, computer fraud, mail fraud, wire fraud, or financial institution fraud. Each of these federal offenses is felonies that carry substantial penalties, in some cases as high as 30 years’ imprisonment, fines, and criminal forfeiture of property. The U.K. Justice Department accepts online complaints via its Internet Fraud Complaint Center.

Examples of identity theft range from the trivial to the fantastic. A nursing home employee in Elkhart, Indiana, was arrested on March 9, 2002, for stealing an 87-year-old Alzheimer’s patient’s Social Security number. The object: to restore the offender’s telephone service after she fell behind on her monthly payments. In Oregon, meanwhile, police raiders seized 85 computer disks from a fraud suspect’s home, revealing personal data collected on every holder of a state driver’s license. (Collins, 78-84) The disk labeled “B” contained names, home addresses, birth dates, and driver’s license numbers for 269,889 individuals. Also recovered in the raid were credit cards, death certificates, Social Security cards, and applications for medical residency at Oregon Health and Science University Hospital. The suspect was initially held on a more than£1,000 bond, then released a day later due to overcrowding at the local jail. (David, 66)

Prosecutors and financial institutions offer the following tips for self-defense in the new age of rampant identity theft:

1. Keep personal information on a strict “need to know” basis. Banks and credit card companies already have your information on file. They do not telephone to request or “verify” such data. When unknown callers offer prizes, “major credit cards,” and so forth in return for personal information, demand a written application form—or better still, hang up. Keep your Social Security card in a safe place; do not carry it with you or have the number printed on checks. Defeat dumpster divers by shredding or burning crucial documents before they are discarded. Abstain from posting personal information on the Internet—to genealogical or class reunion sites, chat rooms, or questionable vendors. When traveling, have mail held at your local post office until you return, thus preventing theft of credit card statements and other critical documents from your mailbox. When using public telephones or ATMs, be wary of eavesdroppers and shoulder surfers. Give out no vital information on a cell phone anywhere, at any time. (Frances, 99-102)
2. Check financial information regularly and thoroughly. Bank and credit card accounts issue monthly statements. If yours do not arrive on time, call the institution(s) and inquire. If statements have been mailed to an unauthorized address, report the fraud immediately and demand copies of all missing statements. Examine monthly statements in detail, confirming all charges and/or debits as legitimate. Report immediately any unauthorized activity on the accounts.
3. Periodically request copies of credit reports. These should list all bank and financial accounts under a subject’s name, including loans and mortgages. Report any unauthorized activity to the proper authorities.
4. Maintain detailed records of banking and financial accounts for at least one year. Financial institutions are required by law to maintain copies of checks, debits, and other transactions for five years, but customers without records of their own may have no way to dispute unauthorized charges or signatures.

In the U.K., the response to the threat of identity theft/fraud has been slower, and we are still some way from being able to provide realistic estimates as to the extent of the problem this side of the Atlantic. As there is not yet a national, integrated method of data collection in this area, we must base our estimates on the figures provided by a range of government agencies and regulatory authorities. In a recent report, the Cabinet Office estimated the cost of identity fraud/theft to be in excess of £1.3 billion per annum (total cost of all fraud /theft was estimated to be in excess of £13.8 billion per annum). However, it is suggested that these are likely to be underestimates due to the problems of underreporting, low detection rates, and offense classification. (Frances, 99-102)

As the problems associated with identity theft/fraud have become more widespread and publicized, businesses, the finance industry, and the government have been placed under increasing pressure to respond. Not only is it necessary for these groups to work together to decrease the occurrence of identity thefts/frauds but also to provide better support for the victims. As the need to bring cases of identity theft/fraud and fraud to courts rises, it has become apparent that existing legislation, which exists mostly within the Theft Act of 1968, is inadequate. The Law Commission is currently exploring reform to the law relating to theft/fraud. It is hoped that ultimate reforms will launch identity theft/fraud as a criminal offense. It has also been suggested that both businesses and individuals are encouraged to pursue civil actions against fraudsters to prevent them from keeping the proceeds of their offenses.

To date, however, the responses have been mostly aimed toward prevention, with very little in the way of change to the processes of detection, prosecution, and victim support. Preventive responses have fallen into two main categories: developments in identification procedures and education strategies. As a sizeable proportion of identity theft/fraud cases involve the misuse of a credit or debit card, major investments have been made by the financial industry to make improvements to card security and to create a secure environment online. The latest fraud figures show a reduction in counterfeit cards (produced by skimming or cloning existing cards) but growth in fraudulent applications and cards being intercepted in the mail. Although it is too early to conclude the impact of Chip and PIN, the initial trends would seem to suggest that criminals are already managing to circumnavigate the new security features. Furthermore, there is little evidence to suggest that Chip and PIN will do anything to prevent online identity thefts/frauds. It is not surprising, then, that banks and credit card companies are now seeking alternative cost solutions by marketing identity theft/fraud insurance schemes.

Conclusion

In the U.K., the problem of identity theft has become more associated with illegal immigration and the threat of terrorism than it is with fraud. This is mainly because awareness of the problem of identity theft/fraud escalated in the wake of 9/11. In countries where the problem had been recognized earlier, such as the U.K. and Australia, identity theft/fraud is more firmly associated with fraud and organized crime. The result is that the British question surrounding identity theft/fraud has to turn out to be intertwined with government proposals to bring in a national identity card. Following a consultation exercise in 2003, and despite vociferous objections from civil liberties groups and agencies in both the public and private sectors, the government has been keen to push through proposals to introduce a compulsory identity card scheme. One of the most contentious proposals is the use of biometric identifiers, condemn mostly because the technology is currently untrustworthy and costly. Indeed, the results of the first biometric trial for identity cards in the U.K. revealed some highly significant flaws in iris scanning and facial recognition technology, in particular, calling into question the use of biometric indicators for identity verification in the near future.

Increasingly, individuals are being encouraged to build up a more responsible attitude to their data. Credit cardholders, for example, are frequently told to keep their card particulars and PIN private and to shred or burn their report and receipts. Businesses, too, are being encouraged to think more seriously about the threat of identity theft and the safety of their customers

Businesses were criticized for failing to monitor employees, to store and dispose of customers’ data responsibly, and to share main information relating to frauds with market competitors. Businesses and government agencies should be held more accountable for their data storage and data sharing practices and should be actively developing new schemes of personnel management. Individual consumers and citizens have an equally important role to play by learning to control their data responsibly. Crucially, all of these responses need to be carried out collectively and systematically. The million-dollar question, quite literally, is who should ultimately be responsible? Until that question is addressed, it seems more likely that efforts will continue to lack the necessary force.

Works Cited

1. Collins, Judith M., and Sandra K. Hoffman. 2003. Identity Theft Victims’ Assistance Guide. Flushing, N.Y.: Looseleaf Law Publications.
2. David Wall Crime and the Internet. New York: Routledge, 2001.
3. Doug Isenberg The GigaLaw Guide to Internet Law. New York: Random House, 2002.
4. Frances Cairncross The Death of Distance: How the Communications Revolution Is Changing Our Lives. Boston: Harvard Business School Press, 2001.
5. Sherri Mabry Gordon Downloading Copyrighted Stuff from the Internet: Stealing or Fair Use? Berkeley Heights, NJ: Enslow Publishers, 2005.