CO-TEXTO ANTERIOR PALABRA CO-TEXTO POSTERIOR

In 1998, the United States introduced a specific criminalization of acts related to identity theft with 18 U.S.C. § 1028(a)(7).221 _{The provision covers a wide range of offences related} to identity theft. In 2004 penalties for aggravated identity theft was introduced. A draft Identity Theft Enforcement and Restitution Act that focuses on closing existing gaps in the legislation was presented in 2007 and was recently passed in the United States Senate, although it has not yet come into force:

216 _{Albania, Armenia, Austria, Azerbaijan, Belgium, Bosnia and Herzegovina, Bulgaria, Canada, Croatia, Cyprus, Czech}

Republic, Denmark, Estonia, Finland, the Former Yugoslav Republic of Macedonia, France, Georgia, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Montenegro, Netherlands, Norway, Poland, Portugal, Republic of Moldova, Romania, Serbia, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Ukraine, the United Kingdom, the United States.

217 _{Albania, Armenia, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Denmark, Estonia, Finland, the Former}

Yugoslav Republic of Macedonia, France, Hungary, Iceland, Italy, Latvia, Lithuania, Netherlands, Norway, Romania, Slovakia, Slovenia, Ukraine, the United States.

218 _{The need for a ratification is laid down in Article 36 of the Convention.}

219 _{Interpol highlighted the importance of the Convention on Cybercrime in the Resolution of the sixth International}

Conference on Cyber Crime, Cairo: “That the Convention on Cyber Crime of the Council of Europe shall be recom- mended as providing a minimal international legal and procedural standard for fighting cybercrime. Countries shall be encouraged to consider joining it. The Convention shall be distributed to all Interpol member countries in the four official languages.”, available at: http://www.interpol.com/Public/TechnologyCrime/Conferences/6thIntConf/Resolution. asp (last visited October 2008); The 2005 WSIS Tunis Agenda points out: “We call upon governments in cooperation with other stakeholders to develop necessary legislation for the investigation and prosecution of cybercrime, noting existing frameworks, for example, UNGA Resolutions 55/63 and 56/121 on “Combating the criminal misuse of infor- mation technologies” and regional initiatives including, but not limited to, the Council of Europe’s Convention on Cybercrime”, available at: http://ec.europa.eu/information_society/activities/internationalrel/docs/wsis/tunis_agenda.pdf (last visited October 2008).

220 _{Gercke, Internet-related Identity Theft, supra n. 165.}

221 _{Identity Theft and Assumption Deterrence Act 1998. For further information about the act, see Zaidi, Identity}

Theft and Consumer Protection: Finding Sensible Approaches to Safeguard Personal Data in the United States and Canada, Loyola Consumer Law Review, vol. 19, issue 2, page 99 et seq.; Finkelstein, Memorandum for Assistant Regional

Council on Identity Theft and Assumption Deterrence Act of 1998, 1999, available at: http://www.unclefed.com/ ForTaxProfs/irs-wd/1999/9911041.pdf; Gordon/Willox/Rebovich/Regan/Gordon, Identity Fraud: A Critical National and

1028. Fraud and related activity in connection with identification documents, authentication features, and information

(a) Whoever, in a circumstance described in subsection (c) of this section:

[…]

(7) Knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Fed- eral law, or that constitutes a felony under any applicable State or local law; or […]

shall be punished as provided in subsection (b) of this section. 1028A. Aggravated identity theft

(a) Offenses:

(1) In general. Whoever, during and in relation to any felony violation enu- merated in subsection (c), knowingly transfers, possesses, or uses, without law-

ful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.

As highlighted above, the provision is a broad approach to criminalize various forms of identity theft. By criminalizing the “transfer” of means of identification with the intent to commit an offence, the provision enables the prosecution of offences related to the above mentioned Phase 3 that is very often not covered by traditional approaches. Yet given that the provisions focus on the direct interaction with identity-related data, preparatory acts like sending out phishing mails and designing malicious software that can be used to obtain computer identity-related data from the victims are not covered by 18 U.S.C. § 1028(a)(7) and 18 U.S.C. 1028A(a)(1). The Identity Theft Enforcement and Restitution Act of 2007 is undertaking an approach to close those gaps, for example by criminalizing certain acts related to spyware and keyloggers.

Canada

In 2007 Canada introduced a draft law to create a specific identity theft related criminal offence.222 _{The draft law contains two relevant provisions: 402.1 defines the covered} identity-related information while 402.2 contains the criminalized acts.

402.1

For the purposes of sections 402.2 and 403, “identity information” means any information—including biological or physiological information—of a type that is

222 _{See: http://www.parl.gc.ca/LEGISINFO/index.asp?List=ls&Query=5333&Session=15&Language=e#idtheft (last}

visited October 2008). In October 2009, Bill S-4 was adopted as an amendment to the Canadian Criminal Code (identity theft and related misconduct).

commonly used alone or in combination with other information to identify or pur- port to identify an individual, such as a fingerprint, voice print, retina image, iris image, DNA profile, name, address, date of birth, written signature, electronic signature, digital signature, user name, credit card number, debit card number, financial institution account number, passport number, Social Insurance Number, health insurance number, driver’s license number or password.

402.2

1) Everyone commits an offence who knowingly obtains or possesses another per- son’s identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.

2) Everyone commits an offence who transmits, makes available, distributes, sells or offers for sale another person’s identity information, or has it in their possession for any of those purposes, knowing or believing that or being reckless as to whether the information will be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.

3) For the purposes of subsections (1) and (2), an indictable offence referred to in either of those subsections includes an offence under any of the following sections:

(a) section 57 (forgery of or uttering forged passport); (b) section 58 (fraudulent use of certificate of citizenship); (c) section 130 (personating peace officer);

(d) section 131 (perjury);

(e) section 342 (theft, forgery, etc., of credit card); (f) section 362 (false pretence or false statement); (g) section 366 (forgery);

(h) section 368 (uttering, trafficking or possessing with intent forged document); (i) section 380 (fraud); and

(j) section 403 (identity fraud).

The draft legislation contains a number of interesting approaches. It first of all provides examples for the identity information which is covered by the provision, without narrow- ing the application of the provision.223 _{In addition it provides a set of indictable offences.} While this, on the one hand, narrows the applicability, it is, on the other, a very precise approach. Finally, it covers a wide range of offences. Similarly to the United States approach, the Canadian draft law does not cover preparatory acts as sending out phishing e-mails or designing malicious software.224

223 _{The term “such as” used in the 402.1 leaves space for an open interpretation if necessary, for example due to}

technical developments.

9. Essential elements of a legal approach

Developing a legal response to identity theft that goes beyond the adjustment of traditional instruments by creating specific provision requires a number of decisions and adjustments. An overview about those essential elements is provided below.

Identity

It is necessary to define the protected identity-related information. If an offender illegally enters a computer to obtain business secrets, this offence targets digital information but due to the missing link to identity-related information it would not be considered an identity-related offence. Within the definition there are several aspects that need to be taken into consideration:

Scope of definition

It is necessary to decide if a broad or a more precise definition of the identity-related information should be implemented.225 _{The answer to the question depends on the} underlying legal system as well as the legal tradition, in addition to the regional importance of certain identity-related data.226 _{While a closed enumeration is in gen-} eral more precise, it carries the risks of difficulties in the application after fundamental technical changes.

Some digital data, such as passwords, account names and login information, may not be considered elements of a person’s legal identity. But taking into account the use of data to log on to digital services,227 _{it is necessary to decide if that information needs} to be included in the definition.228

Synthetic identities

In addition, it is necessary to decide if only acts related to real identities should be covered, or if even the use of fictitious identity-related information should be crimi- nalized.229 _{As pointed out above, the criminalization of the use of fictitious identities} does not, at first sight, seem to be relevant, as in those cases where there is no impact for a legitimate user of an identity. Still, the absence of a natural person who is affected by the offence does not mean that such acts do not cause damage. By using synthetic identities offenders can mislead investigations and make his identification more dif- ficult.230 _{A major part of fraud-related cases are not based on true-name identities but}

225 _{In favour of a broad approach: Discussion Paper Identity Crime, Model Criminal Law Officers’ Committee supra}

n. 31, page 25.

226 _{One example is the Social Security Number, which is of great relevance in the United States but not, for example,}

in Europe. Regarding the SSN, see Sobel, The Demeaning of Identity and Personhood in National Identification Systems, Harvard Journal of Law & Technology, vol. 15, No. 2, 2002, page 350.

227 _{See supra, chapter 3.2.4.}

228 _{Paget, Identity Theft, McAfee White Paper, page 4, 2007, available at: http://www.mcafee.com/us/threat_center/}

white_paper.html (last visited October 2008).

229 _{For an overview of the arguments in favour of including synthetic Identities, see Discussion Paper Identity Crime,}

Model Criminal Law Officers’ Committee, supra n. 31, page 25.

230 _{Regarding synthetic identities related identity theft scams, see Schneier, Synthetic Identity Theft, 05.11.2007, avail-}

able at: http://www.schneier.com/blog/archives/2007/11/synthetic_ident.html (last visited October 2008); McFadden,

Detecting Synthetic Identity Fraud, available at: http://www.bankrate.com/brm/news/pf/identity_theft_20070516_a1.asp (last visited October 2008).

synthetic identities.231 _{Based on the results of a study by ID Analytics, less than} 15 per cent of all cases involved true-name identities.232 _{Synthetic identities can} either be based solely on generated data or combine generated and real identity- related data.233 _{Within the drafting process it is therefore necessary to decide if} an interference with an existing identity is a necessary requirement for the criminalization.