Part 1: Mitigating the Risks from Identification-based Crime
‘Identity theft’ draws much public attention in government and business circles. This predominantly North America term addresses a range of self-revealing consumer-centered crimes committed against personal financial accounts and credit. Self-revealing crimes are those that, by their nature, come to the attention of the victims.
Risk managers are aware of a much broader range of identification-based crimes that do not easily reveal themselves. Identification-based are those where genuine or forged/counterfeited documents are used as instruments to commit the crime. Identification-based crimes include personation for concealment, transnational trafficking in human beings, drug trafficking, money laundering, stock market manipulation and attacks against public and private automated payment systems, among others. Some types of identification-based crimes are self-revealing, others are not. For example, attacks on automated health and insurance payment systems can go on for months or years.
For the purposes of this article, the term ‘identification document’ is limited to documents issued by governments affirming status by right to citizenship or permanent residency, and status by law or privilege to temporary immigration status. Every other type of legitimate, lawful means of identification (MOI) is built on a foundation record.
This article will use the term identification token to describe a wide variety of commonly accepted government access to privileges, benefits and services ID cards. Examples include driver’s licenses, Medicaid cards, Social Security Numbers, employer ID, etc. Collectively, identification documents and tokens are MOI.
Anyone wanting to conceal themselves from authorities for lengthy periods will build an identity around foundation records. Less sophisticated criminals carry stolen ID gained from crimes of opportunity, or forged/counterfeited MOI, in order to avoid detection.
The term ‘identity theft’ gained prominence in North America with the US Identity Theft Assumption and Deterrence Act (ITADA) of 1998. The Bill emerged from intense lobby by consumers to the Federal Trade Commission. In the words of Senator John Kyle, the ITADA was “a victory for consumers.” The Bill recognises a consumer’s right, as a victim, for protection against crimes outside their control. The Bill requires damage caused to their financial accounts and credit-ratings to be addressed expeditiously. The Act made ‘aggravated identity theft’ a federal crime under the US Code, Title 18, Part I, Chapter 47, s. 1028a.
Consumer-centered crimes target personal checking and savings accounts and consumer credit-worthiness to commit fraud against lenders, vendors and services providers. One of the hallmarks of credit-dependent crime is the need for criminals to seek out Social Security/Insurance Numbers and other supporting personal information consistent with the header information on credit reports maintained by credit-rating services.
Hundreds of North American web sites, publications and the wider media have turned identity theft into its own form of pop culture. The recommended interventions focus on personal guardianship – what the consumer can do to prevent becoming a victim. This falls well short of a true understanding of the underpinnings of the much broader range of all identification-based crime.
Risk managers ought to ensure that the high profile afforded conventional rhetoric on consumer-centered identity theft does not take their eye off the ball. Experienced investigators intuitively understand the role that misappropriated MOI play in a wide variety of crimes. They recognize that identity theft, as a crime type nomenclature, is an oxymoron. Means of identification are physical property that can be stolen. A human identity cannot.
Why is identity theft [fraud] “the fastest growing crime in America?” The answer is not all that complex. It is very easy to do. More importantly, if it is happening to consumers, where else is our weakness in identifying people being exploited? If the average person can figure out how to dupe lenders, vendors and service providers for a few hundred dollars at a time, how do we think transnational organised crime, with their financial resources and legally trained assets, will fare against lending institutions, the stock market, and private and public payment systems among others?
What is more complex are the strategies required to reduce the opportunities for identification-based crime. Attacking the root causes of this problem goes well beyond conventional literature and wisdom on increasing the capacity of consumers to prevent identity theft. This mislabeling of a crime as a genre, given the technical capacities to forge high quality MOI, the exposure of personal identifiers linked to Social Security Numbers and other government information at levels heretofore unimaginable, creates a challenge for policy makers, crime analysts and risk managers alike.
As most Europeans would tell you, the terminology ‘identity theft’ is not consistent with the type of crime. It potentially misdirects public perception of the scope and nature of the problem. In most cases, identification fraud involves some form of forgery combined with the human art of creating a deceit or falsehood that does not arouse suspicion. In fact, the term ‘aggravated identity theft’ resides under Title 18, Part I, Chapter 47 of the US Code that addresses “Fraud and False Statements.” Its companion, section 1028, is titled: “Fraud and related activity in connection with identification documents, authentication features and information.”
In consequence, the remainder of this article shifts away from conversation about ‘identity theft’ to the broader topic of identification-based crime, limiting ‘identity theft’ to a term describing the sub-set of consumer-centered crimes.
Coining of the term ‘identification-based’, or some other that reflects the qualities of a human identity, is important to analysts and strategists. Australian Roger Clarke summed it up best in his 1994 publication on information technology and people:
“Human identity is a delicate notion that requires consideration at the levels of philosophy and psychology. Human identification, on the other hand, is a practical matter.”
Although some measures may be undertaken to prevent personal identifiers from getting into the wrong hands, it is highly unlikely with the vast amounts of personal information stored in public and private databases that the bleeding can be stopped for the foreseeable future. This is the issue of agency guardianship – what those in possession of vast electronic warehouses of personal information do to protect it against unlawful use, and what measures they undertake to ensure that people are who they say they are.
The ability to reduce the risk depends on an understanding of elements that combine to form a human identity. A July 2002 paper “Identity Fraud: A Study,” prepared for the UK Cabinet Office creatively defines three components. Building upon their work, I think the following version makes most sense here:
Contextually, there may be a different way to frame it – an individual holding, or getting back as the circumstances dictate, exclusive rights to their own legally-attributed personal identifiers. Governments seem to have this figured out with copyright – the rights of songwriters to their music. Yet our law doesn’t appear to afford the same weight to property-right over one’s legally-attributed personal identifiers. Personal identifiers are bought and sold in the interest of commerce.
Read part two of this article on gtnews next week.