Identity Theft in Cyberspace

Background

Historically, fraud was involved when the communication was face to face. Nowadays due to high use of technology traditional rules cannot be implemented into today’s world due to increasing of e-crime.

As we are well versed with a fact that cyberspace is considered to be a global matrix. This is a place where people are interconnected with network which takes place by using internet protocol to communicate each other.

The number of person engaging in transaction through the use of internet in India has been increasing at an alarming rate. The broadness of the computer crime or e-crime is through cyberspace, where cyberspace is a world within itself.

Cyber identity theft is an online misappropriation of identity token. Identity theft is not only with regard to the number of offences but also with regard to the losses where there is serious challenge on society and law enforcement agencies.

Identity theft has become one of the most widespread crimes which is related to the vulnerability of the identification, where perpetrators who have criminal minded person use this information to assume a person’s identity through impersonate another’s information but these vulnerabilities are not created by the perpetrators, they are the ones who exploited. In this perpetrator could make things much more difficult and complicated by using advanced technology and encrypting techniques for gathering information. For them it is easy to find data from bit of information. Henceforth government has implemented governing laws because perpetrators are attempting to bypass security system through human elements.

The laws have implemented according to act, 2000 it was amended because it was not defined a cybercrime where as in 2004 compensation was awarded where there was unauthorized access by illegal act but this clearly focuses that these are lacuna in the Indian law and in its implementation. Hence implementation lags behind the legislation due to which the true efficiency of the present laws is not achieved.

Introduction

 This is a technology-based form which is perpetrated where Internet act as intermediate. Nowadays, perpetrators need not to snatch wallets from victims to obtain their personal objects rather they prefer through cyberspace.

Identity fraud and character extortion are common terms used to analyze a wrong doing in which someone improperly acquires and utilizes personal information for financial gains.

The name identity theft is neither frequently defined nor frequently used as per acts, where the perpetrator fraudulently attains and uses another person’s identity without his knowledge. This latitude must be operated as apt mechanisms so that the rights and properties of people are secured. The perpetrator attack on the target with a malafide intention urges the victim to disclose confidential information like user-id and password and uses it.

Identity Theft: One Concept with multiple shades

 Identity theft is committed in different steps, for different reasoning, by different people. The first divergence in the US is to determine the nature of identity theft pledged. Therefore, financial institutions dislike the formation of existing account fraud into the prevalence of identity theft.

In the US, financial institutions assume liability for fraud over existing accounts were victims of true name fraud[1] is considered in identity theft for modern accounts.

 If reducing prevalence of identity theft then it will help to reduce broader threats to national security. As we are aware, that the perpetrator obtain information for their financial gains. Identity theft becomes an indirect means to an end itself, especially transnational organized crime or terrorism; hence it is a major concern for national security and law enforcement agencies across the globe. The intrusion of September 11, 2001 was an example how terrorists used false stolen personal information to carry out the intermission of their operations.

Indian Perspective: The IPC And the IT Act

Identity theft is a kind of theft of specific kind which is involved by user data; it is not governed by Sec. 378(theft) of the IPC, 1860. This is because it caters to only movable property or such property which is capable of being severed from the earth and is tangible in nature. Initially, electricity was included within the sphere of theft but as in Avtar Singh v. State of Punjab[2], the SC held that u/s 39 of the Electricity Act, 2003 there was no intention of widening the sphere of Sec. 378 of the IPC, 1860. This identity information is in the form of binary data and is governed by streams of electronic waves like electricity therefore Sec. 378 cannot be read with identity theft.

  1. Laws Governing

India does not have an independent legislation but the IT (Amendment) Act, 2008 along with the IPC, 1860 provisions are used to furnish this crime. As identity theft has elements of both so the basic provisions of fraud, forgery by impersonation are provided in the IPC, 1860 along with it the IT Act is implemented.

  1. Provision of the IPC, 1860 that can be implied for Identity Theft

There are assertive preparatory measures made in the IPC, 1860 which is identical to fabrication and misrepresentation to administer such wrongdoings. There are certain provisions in the IPC,1860 like forgery and fraud, prior was governed w.r.t  false documents, later  were amended by the IT Act, 2000 to include electronic record.

Hence, the ambit of such crimes was expanded to encompass computer data related crimes like forgery.

Furthermore, Sec. 419 can be initiated where the accused has used the personal identity information of the victim and impersonates to commit fraud or cheating. Sec. 420 is generated if anything is capable of being converted into a valuable security.

The Expert Committee upon amendments to the IT Act, 2000 had also recommended assertive amendments in the IPC,1860 section 417A and 419A but still they are not incorporated yet.

  1. Provisions in the information technology act, 2000

The main legislation in India governing cybercrimes is the IT Act, 2000.An intention was to recognize e-commerce but the word cybercrimes is not defined till date. Before its amendment in 2008, Sec.43 of the Act was used to impose civil liability and compensation was rewarded up to 1 Cr. for unauthorized access to a computer network and for providing assistance to facilitate such illegal act.

Sec. 66 , 66 B,66 D which was identical to the Sec. 419 (A) and several provisions were inserted including punishment for violation of privacy and for cyber terrorism. The ambit of sensitive personal data is defined by the IT Rules like password. There are exceptional cases where such data can be revealed only by the State or Central govt authorizes for surveillance, monitoring u/s 69 of the IT Act.

1.4. Punishment:

As per Sec. 66C of the IT Act, 2000 clearly states whoever fraudulently or dishonestly makes use of the electronic signature or any other identification feature of any other person will be[3] punished with imprisonment up to 3 yrs and a fine extended to Rs. 1 Lakh. Therefore, laws are applied depending upon the crime committed.

1.5. The loss caused to the victims

The victim gets aware about the identity theft when he scrutinizes the credit history. The real trauma begins after the identity theft has been perpetrated not due to authentic crime it is due to perpetrator’s act. The perpetrator’s act cause economic loss to the victim such as creating fake social media figure. As we know, there is a quantitative monetary damage but in both the scenario, there is an implicit and immense loss caused to the reputation.

With respect to Indian lexicon, CIBIL was the first credit bureau in India and other bureaus were Equifax and Experian. These organizations keep a check of the credit value of borrower. When a lender claims a false report to the bureau or defaults in payment is made then the genuine identity holder is denied. Horizontally, when a victim wins his case and proves that he is a victim of identity theft, he himself has to reach to the credit bureau to get the records updated. Therefore, no compensation is paid to the victim for such loss by the credit bureau. In India, there is no law making where credit bureau are liable or accountable for the mistake or negligence in the credit report of an individual.

1.6. Cases

In the landmark case of NASSCOM v. Ajay Sood and Ors[4], declared identity fraud on the cyberspace as an illegal act where damages could be claimed. This case was decided in the year 2005 when there were no specific laws implemented for punishing identity fraud. These days we often use online sources to interact but overusing is harmful as it might lead to identity theft. In another case, ex-employee cheated US customers of Citibank with enduring Rs.1.5Cr by sustaining unauthorized access to the personal information in the Electronic Account Space of the customers was used to perpetrate fraud. Under the IT Act, 2000 use of electronic documents is considered to be a crime when there is breach of trust, cheating etc. Hence it is an offense u/s 66 and 43 of the IT Act, 2000 and liable for imprisonment along with a fine to pay damages to the victims.[5]

In this case[6] a complaint was filed against NRI. The payment was through a credit card after the completion of all the procedures and the product was cancelled hence the transaction was named unauthorized. The company filed a complaint u/s 418, 419 and 420 of the IPC where the misuse of credit card was done by the perpetrator. It is India’s first cybercrime doctrine in 2013 and CBI recovered the products and the accused admitted his guilt. The Court accused perpetrator and it showed doctrine of leniency as it was first-time convict by releasing him on probation for 1 yr.

International Regulatory Framework: The US and The UK

It is necessary to distinguish the sociological and philosophical name ‘identity’ –that is used to describe the sum of elements that are creating an identity of a person and the target. As the defines ‘identifying information’ in 15 U.S.C. 1681 a(q)(3), states it is not fundamental that the identity must be abused by the perpetrator. Some digital data are not considered as elements of a person’s legal identity, but such data can be identified.

In UK, it is coined as identity fraud and in US it is coined as identity theft. The different ways in which term is explained :

The report ‘Combating Identity Theft –A Strategic Plan’ is published by the US President’s  on Identity Theft Task Force in criminalizing. The report acknowledges in 18 U.S.C. § 1030(a)(5) where acts are aiming at the integrity and availability of data and criminalizes them.

2.1. Existing Legislation

As we know, only assertive states have implied criminal law provisions which explicitly aim at a criminalization of identity theft as stated in definition. The approaches of defining identity theft are.

  • As per 18 U.S.C. § 1028(a)(7)[7], that defines identity theft as:

This provision clearly states for identification, whereas the term identity theft is used in the Consumer Fraud and Identity Theft Complaint Data survey, which especially states as not mandatory with regard to §1028(a)(7) that the act is related to fraud[8].

  • By the US FTC, the provision 15 U.S.C. 1681a (q)(3)[9] specifies the term identity theft.

The major difference obtained by 18 U.S.C. § 1028(a)(7) is that 15 U.S.C. 1681a(q)(3) affix the name identity theft to fraud. This limits the provision where the perpetrator is using the information for other offences but the provision covers only the use of the information and not the act of obtaining it whereas 15 U.S.C. 1681 a(q)(3), covers the act of using the information.

2.2. The Fight against Identity Theft

2.2.1. The US

2.2.1.1. Prevalence in the US

The magnitude of victims and financial costs keeps on progressing and the damage remains ambiguous. The statistics originate from the Identity Theft Data Clearinghouse, a complaint database which is maintained by the FTC were reports were 6, 85,000 consumer complaints in 2005. In total, 37% of these complaints are related to identity theft whereas 63% involved general fraud.

Types of Identity TheftReported to FTC
Credit card fraud26%
Phone fraud18%
 Bank fraud17%
Employment fraud 12%
Government fraud9%
Loan fraud5%

The percentages are at descent whereas the actual no. of complaints is ascending. The declining percentages of identity theft complaints are from 40%-37% in 2003-2005. As per the survey it was stated as the suspicions of identity theft are briskly developing complications are distorted. This trend could potentially be explained through different methods of perpetrators are:

i)  Criminalization

In 1996, the State of Arizona became the first government to inaugurated legislative action against identity theft through passing a law which made identity theft a felony and punishable imprisonment up to 1.5 years and a fine of up to 1.1 Cr. Then the US government introduced, in 1998 Federal Identity Theft and Assumption Deterrence Act, identity theft as a federal crime. In an enlargement, the Identity Theft Data Clearinghouse was created harmonious and began its operations in November 1999. The Clearinghouse provides valuable information to victims in an attempt to mitigate their losses and to grove identity theft complaints.

In 2004, the US expanded the potential punishments for convicted perpetrators. The Identity Theft Penalty Enhancement Act, states 2 years imprisonment to any individual and also forthright the US Sentencing Commission to have a glance over enhancing the penalties for employees who illegally obtain personal database.

Therefore, if identity theft is committed as an independent crime then penalties are equivalent.  This Act applies to U.S. Postal Service and interstate acts of identity theft. The Acts of intrastate identity theft, still these acts don’t consider it as a felony and the perpetrator is given a doctrine of leniency.

ii) Increasing Organizational Responsibility

In 2003, California became the first state to pass two significant data security breach laws.

  • The California Security Breach Information Act requires any company which stores customer data electronically to notify its California customers about security has unencrypted information.
  • The California Financial Information Privacy Act, establishes advanced ceiling on the financial institutions to non-public personal information about their customers with affiliates and third parties.

 In 2003, FACTA was implemented which increases organizational responsibility.

iii)Use of SSN

The legislation tried to curb the use of SSNs, which is a vulnerable aspect of the American identification structure. An SSN is the main identifier for both citizens and permanent residents.

The importance of the law leads GAO to propose and recommend developing a unified approach to protect SSNs at all levels of government.

iv) Law Enforcement Initiatives

In May 2006, COPS developed a national strategy to combat identity theft. COPS provided 5 recommendations. They are:

  1.  To promote collaboration, cooperation and intelligence synthesis among different agencies.
  2.  Improving assistance through developing standard operating procedures.
  3.  Public awareness through a national campaign must be boosted.
  4. Establishing a database which encloses all legislative action at both levels so that there is efficiency in the development.
  5.  Adequate training and information protection to prevent identity theft.

2.2.1.2. Victims of Identity Theft and the Judicial System

In addition to legislative action and trying to receive aid from law enforcement agencies, victims of identity theft also try to access the facilities of judicial system. In U.S, there are about 114 Cr. residents whose identities are fraudulently used and total loss is 38,000 Cr. In 2001, the US SC ruled against Adelaide Andrews for claiming the statute of limitations which was expired. The decision made in Adelaide’s case with regard to the statute of limitations provides a peculiarly negative inclination for future victim to identity theft and it was discovered after the statute has expired. As in another case Huggins v. Citibank, N.A., et al[10]  the plaintiff, pressed charges against 3 banks claiming the banks were liable for negligent entitlement of imposter fraud. The South Carolina SC dismissed the plaintiff’s claim because did not consider a duty of care to exist from the defendant and there must be a legal relationship between them, which was not there. The New York appellate court decision, have decline to recognize of a legal duty of care between credit card issuers and individual. The relationship between them is far too constricting to surge to the level of a duty among them[11].In the U.S, the Fair Credit Reporting Act provides for strict penalties for faulty reporting or non-maintenance of the standards, to protect the interests of the victim and grant speedy redressal.

2.2.1.3. Recent Efforts

In May 2006, the US government launches the Identity Theft Task Force. The task force is assigned to promote a strategic plan to enhance the effectiveness and efficiency of government endeavor to deter, prevent, detect, investigate, and prosecute identity theft. The FTC launched a public awareness campaign and the national education program as ‘Avoid ID Theft: 3D’s- Deter, Detect, Defend’. These were the most recent endeavor that helped the U.S to fight against identity theft.

As we know, Arizona in 1996 was the first identity theft law and California in 2003 was the first state to demand companies to notify consumers when a data security breach occurs. However, what must be taken into consideration is that at the both the levels there must be competing interests.

2.2.2. The UK

2.2.2.1. Prevalence in the UK

 In February 2006, the UK economy suffers a financial loss of Rs.1295 Cr. per yr in identity fraud. The rate of victims is rapidly expanding. Therefore, the UK lacks a law which specifically defines identity theft as a crime.

2.2.2.2. Developments

In 2002, the UK government took action to develop means to prevent and detect identity fraud. The IFSC and IFF members have implemented various steps to reduce the occurrence of identity fraud. These are:

(a) Identify advanced opportunities for data-sharing across sectors.

(b) Establish the huge amount by the fraudsters.

(d) Research the impact on victims and tracking those cases.

 (e) Improve both the public awareness and render training facilities in financial sector for checking customer’s identity.

Important measures by the Government was aligning with penalties, defining a new criminal offenses. The Government decided to the render max. punishment for fraudulently obtaining a driver’s license of fine 2.37 Lakh and 2 yr imprisonment. Furthermore, in 2003 under the new criminal offense, any individual who commits any violation of the law will be subjected to criminal sanctions. The motive behind new criminal offense is the nexus between use of false identity documents and organized crime which will help to disorder the activities of organized criminals at initial stages.

Loopholes in the Information Technology Act, 2000

There are assertive modification required in the legislation and laws on identity theft

1) Sec. 66 C of the amended Act protects ‘unique identification feature’, the meaning has not been specified anywhere in the Act as in The IT Rules, 2011 has defined ‘sensitive personal information’ which is to be protected by the intermediaries.

2) There is a jurisdictional issue which cannot be reconciled because there are no uniformity laws associated to identity theft within India hence arrest of such cannot be undertaken.

3) The compensation awarded to the victim as per the Act is inadequate as victim faces mental trauma to regain its reputation.

Sec. 43  of the IT Act1 Cr.
Body Corporate5 Cr.

4) The Act doesn’t states the bar of fine or the manner in which it should be calculated and the discretion is of the judge.

5) Laws are meant to serve a dual purpose of prevention of a crime and deterrence. Henceforth, this can be initiated by imposing stricter punishment and fines.

Prevention

For Individuals & Organizations:

1) Personal information should not be disclosed. 

2) Undergo periodical credit check reports in financial institutions and report any irregularities to the bureaus.

3)  Don’t permit others to swipe credit cards and pin must be memorized.

4) Document shredding must be done before discarding in trash bins.

5) All mail should be removed simultaneously from mailbox.

6) Reputed business never request for account information therefore, these e-mail should be rejected.

7)  Security software must be updated.

8)  Don’t share personal e-mails with anyone.

9) Use secured websites before giving personal information.

10) Use strong passwords.

11) Victims must file a complaint in the nearest police station so that compensation can be availed.

12) Access an effective secured system by detecting red flags rule.  .

13) They must conduct an e-business risk assessment to identify red flags.

14) They must recognize fake applications of employees.

15) To adopt manageable solutions for employees and manage the organization network by documenting all activities like troubleshooting, installing, testing, and restoring.

16) To protect all data backup in organization.

By The Government to Investigate the Perpetrators

1) Digital Police are controlled by the Ministry of Home Affairs, Government of India.

2) The portal gives access to authorities by the state to use the National Database of Crime Records for the purpose of the case-investigation, policy making, data analysis, research.

3) There is an establishment of the C&IS which deals with the matters related to Cyberspace Policy & Guidelines and implementation of NISPG and NATGRID. In 2009, this department was created under C&IS to create a nationwide networking infrastructure for criminal tracking and crime detection system.

4) The police must use different fake social media accounts which will help their surveillance and investigations.

5) The IFSC launched a website (www.identity-theft.org.uk) to raise awareness and advices on how to prevent identity theft and to identify them.

Conclusion and Recommendations

In modern era, cyberspace identity theft is gaining its attention in public as well as in governments. There are 3,682 complaints registered out of which 1,600 have been arrested and only 7 of them have been convicted as per 2013 statistics. This happens due to improper implementation of the existing rules and infrastructure. Identity theft is dominant crime and developing across the globe as a threat to an individuals and organizations. Therefore it is anticipated that perpetrators use numerous techniques to obtain victim’s personal information especially in online environment. Whereas in U.S, judicial pronouncements have enforced the power to the police to ask the perpetrators to decode the digital evidence in return imprisonment concessions.

The recommendations are:

  • Need amendment in existing laws for imposing stricter punishment.
  • Police departments have their peculiar cyber-crime units where they can be trained to find the perpetrators.
  • Different countries should co-operate through multilateral treaties so that uniformity are maintained in sharing cybercrime information.
  • Awareness must be created.

Author: Supreet Sharma, Amity University, Noida.


[1] Heather M.Howard defines ‘true name fraud’ –takes a greater toll on its victims than does account theft: their financial losses are more substantial, more difficult to discover, and take considerably longer to resolve.

[2]  AIR 1965 SC 666

[3] <https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/india> accessed 16 February 2020

[4] 119(2005) Dlt 596

[5] Pune Citibank MphasiS Call Centre Fraud

[6] Sony Sambandh Case,2002

[7] 18 U.S.C. § 1028(a)(7) means that- ‘knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.’

[8] < https://www.scribd.com/document/73606731/Internet-Related-Identity-Theft-Marco-Gercke> accessed 23 February 2020

[9] 15 U.S.C. 1681 a(q)(3) means that:

(a) The term ‘identity theft’ means a fraud committed or attempted using the identifying information of another person without lawful authority.

(b) The term ‘identifying information’ means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any

(1) Name, Social Security number, date of birth, official state-or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number.

(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation.

(3) Unique electronic identification number, address, or routing code.

(4) Telecommunication identifying information or access device.

[10] Huggins v. Citibank, N.A., 355 SC 329 (2003)

[11]  Polzer v.TRW, Inc., 256 A.D 2d 248 (1998)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s