By Nicole van der Meulen, Researcher, International Victimology Institute Tilburg, Tilburg University, the Netherlands
The May 2007 issue of the Police Chief provided a brief overview of attempts to address the problem of identity crime in the European Union (EU).1 More than a year later, progress remains slow. Although identity crime is gaining an ever more prominent place on the policy agenda of the EU in particular and the international community in general, most EU stakeholders appear to be caught in a web of insecurity. Discussions about the lack of a universally accepted definition and the need for accurate prevalence data overshadow the actual problem and prevention measures. Fortunately, however, some initiatives do offer a more promising outlook for the future. The following article highlights some of the recent developments introduced at the EU and, at times, the member state level.
Fraud Prevention Expert Group Activities
Within the EU, the Fraud Prevention Expert Group (FPEG) is equipped to address the challenges associated with identity crimes. As proposed in the European Commission’s action plan 2004–2007,2 the FPEG conducted and finalized a study on identity theft and identity fraud in October 2007. The final report sheds light on the scope of the problem, the identity chain in the financial area, preventive measures, and difficulties with prosecution.3
Unfortunately, however, the report fails to go beyond previous research. The FPEG highlights the same problems that others, from academics to policy makers, previously identified. The lack of clarity about the definition of the problem and how to measure it exemplifies the failure to move forward. Furthermore, the report reemphasizes the need for joint cooperation in an effort to prevent and counter the problem. In the report, the authors also acknowledge, “It appears that more public awareness and education on Internet issues in connection with financial services are needed. Current efforts to make sure that the chain of responsibility is made of high levels of security should be enhanced. The whole e-society should be secured, not only the banking industry.”4 In general, however, the study fails to generate innovative insights on how to take new steps in the fight against identity crime.
The most important recommendations the report makes for law enforcement officials are how “through the creation of dedicated specialised units with operational responsibilities” the capability of police forces can be improved because “[t]hese dedicated units, if created in all EU Member States, would provide a significant added value in the fight against identity theft/fraud.”5 Other benefits associated with dedicated specialized units include the ability to enhance cross-border policing and judicial cooperation by creating central points of contact. As the FPEG rightfully notes, “It is essential to be able to conduct rapid end-to-end investigations (thus covering the whole chain) in an international context. This is the only means to stop the criminal money flows.”6 To what extent these units exist or are currently being initiated within the member states is unclear.
In addition to the continuous, sometimes dead-end, discussions about identity-related crime, the EU is also trying to move forward, albeit with baby steps. One way to combat identity-related crimes would be to criminalize identity theft at the EU level. Criminalization has been mentioned as a potential countermeasure among EU officials. Although perspectives differ, a spokesperson for EU justice and home affairs commissioner Franco Frattini claimed, “Law enforcement cooperation would be better served were identity theft criminalised in all member states.”7 This sentiment is echoed within the communication from the commission to the European Parliament, the Council, and the Committee of the Regions titled “Towards a General Policy on the Fight against Cyber Crime.” It states, “It is often easier to prove the crime of identity theft than that of fraud.”8 This means that prosecutors would benefit from a separate criminal provision on identity theft. Currently, the status of any discussions about a potential EU criminal provision is unclear. The arguments set forth in favor of criminalization, however, have been proven correct in individual member states, namely the United Kingdom.
On January 15, 2007, a major instrument against identity-related crime in the United Kingdom, the Fraud Act of 2006, came into force. The Fraud Act “created a new offence of fraud that can be committed in three ways: by making a false representation (dishonestly, with intent to make a gain, cause loss or risk of loss to another), by failing to disclose information, and by abuse of position. Offences were also created of obtaining services dishonestly, possessing equipment to commit frauds, and making or supplying articles for use in frauds.”9 The Fraud Act criminalizes many aspects of identity crime, which could help in the prosecution of perpetrators of the crime. According to Kevin McNulty, head of the Identity Fraud Reduction Team at the Home Office, the new legislation has made it easy to prosecute.10 So far, approximately 525 people have been prosecuted under the new legislation. As Anne Savirimuthu and Joseph Savirimuthu state, “[T]he Fraud Act 2006 facilitates the prosecution of identity theft and therefore makes a valuable contribution to Internet governance.”11 The main benefit of the legislation is the change regarding fraud. Previously, fraud could not be conducted against a machine (such as a computer or an ATM). Now, as a result of the Fraud Act, deceiving a machine is a prosecutable offense. Savirimuthu and Savirimuthu provide concrete examples of how simply sending a phishing e-mail provides prosecutors with grounds for prosecution. As the authors state, “There is no requirement for the phisher to be shown to have used the information to access the funds in the victim’s account. The victim need not respond to the email or act on the request.”12
Whereas Savirimuthu and Savirimuthu welcome the Fraud Act and its changes to the landscape of criminal prosecution, others recognize the potential pitfalls of the act. Maureen Johnson and Kevin M. Rogers describe how the Fraud Act has made fraud into a crime of conduct rather than one of result. As the authors note, “The shift of the fraud offence into the realms of the conduct crime should not be underestimated. Conduct will now be caught and criminalised which would not even have sufficed for an attempted offence prior to the Act, and as a result fraud has become a very wide offence indeed.”13 Others agree and claim that the broadness of the provisions of the act is both a blessing and a curse.14
Data Breach Notification
Besides criminalization, the EU is also advancing other efforts similar to those in the United States. Proposed amendments to the directive on privacy and electronic communications introduce a data breach notification requirement. The European Data Protection Supervisor (EDPS) particularly welcomes this amendment. The strong support for a breach notification provision is quite similar to the arguments offered by advocates in the United States. Within its formal opinion,
“the EDPS particularly welcomes the adoption of a mandatory security breach notification system (Amendment to Article 4 of the ePrivacy Directive, adding paragraphs 3 and 4). When data breaches occur, notification has clear benefits, it reinforces the accountability of organizations, is a factor that drives companies to implement stringent security measures, and it permits the identification of the most reliable technologies towards protecting information. Furthermore, it allows the affected individuals the opportunity to take steps to protect themselves from identity theft or other misuse of their personal information.”15
Peter Hustinx, European data protection supervisor, wants such legislation to go beyond telecoms and Internet service providers to include “providers of public electronic communication services in public networks but also to other actors, especially to providers of information society services which process sensitive personal data (e.g., online banks and insurers, online providers of health services, etc.).”16 Whether the legislation will actually work like this in practice remains a question that only time can answer. Individuals, however, both at the national and at the EU level seem to believe, based on experiences in the United States, that this is a valuable measure to fight identity crime.17
Wrong Type of Progress
Unfortunately, as EU policy makers discuss and attempt to battle identity crime, perpetrators continue their practices in increasingly innovative and lethal ways, targeting even the most sophisticated systems. A prime example is the current online banking system present in many EU member states. These systems are based frequently on a two-factor authentication mechanism. This mechanism implies that the client logging on needs both a piece of information (generally a username and a password) and an identification calculator (a little machine that generates random authentication codes that the user must then enter on the screen). This system appeared to be particularly strong and managed to protect itself from early phishing attacks, which simply asked users to verify their information. Without a doubt, most people in the Netherlands and other countries within the EU who use two-factor authentication for online banking never imagined perpetrators would find a way to crack the security system. However, these perpetrators proved to be persistent and developed a method that combines phishing e-mail and the use of spyware (usually Trojan horses) to redirect the traffic of the clients’ computers and subsequently drain clients’ accounts.
This news shocked many information security specialists and is slowly reaching the general public. To commit this type of fraud, identity criminals send a rather sophisticated phishing e-mail message that appears to come from a financial institution and requires users to download or install some sort of program. When users comply, they generally install some form of software that allows a perpetrator to become a “man in the middle,” directing victims to his own version of the bank’s Web site. Perpetrators can use their victims’ personal information to log onto the authentic bank Web site without an identification calculator. These attacks have proven successful in the Netherlands, Belgium, Switzerland, and Sweden. The level of sophistication is frightening, and many people are still unaware of the existence of these types of attacks. Even worse, perpetrators can now take their attacks one step further through drive-by infections. Drive-by infections occur when victims visit a particular Web site that automatically installs spyware on their computers. This allows perpetrators to take control of all Internet traffic to and from infected computers.
Within the Netherlands, the High Tech Crime Center was able to fully investigate one man-in-the-middle attack that successfully victimized 200 clients of a Dutch bank. This full investigation was made possible as a result of the willingness of the bank in question to hand over all relevant information about the incident. Although the full information disclosure certainly helped, the High Tech Crime Center still encounters many challenges related not only to the inherent difficulty of working with and collecting digital evidence but also to major language barriers. For instance, Russian-speaking identity criminals were found to communicate via instant-messaging programs using slang words, forcing law enforcement officials to rely heavily on translators to interpret exchanges among the different perpetrators within the network.
During a presentation at the Sixth International GOVCERT Symposium in October 2007, the High Tech Crime Center identified ways to intervene at other stages of an identity crime.18 Perpetrators, for example, rely on “mules” to transfer money from a victim’s account and into an account where the money is accessible yet untraceable. Money mules, according to officials from the High Tech Crime Center, are the bottleneck of the operation; if these individuals were wiped out, perpetrators would find themselves in a difficult position. Blacklisting clients who have served as money mules could serve as a deterrent for others considering committing identity crimes.
The progress of EU policy makers is slower than many had hoped for. Furthermore, perpetrators continue to surprise everyone through their innovative capacity to commit acts of identity theft. The recent successful attacks mentioned earlier have made even the most skeptical Europeans realize the seriousness of the situation. The response of the High Tech Crime Center in the Netherlands has been a textbook example of the importance of having a specialized and dedicated unit to combat identity crime—a recommendation that the FPEG set forth in its study of last year and one that will hopefully receive the necessary attention in all member states.
Through small steps within the European Union, there is light at the end of the tunnel. Academic research, especially research that combines the expertise of individuals in different member states, can help to clarify various aspects of identity crime.19 Besides research, tactics of individual member states, namely the United Kingdom, serve as a useful guide to policy makers at the EU level. The success of the Fraud Act especially indicates how criminalization might be a crucial step both to deterring identity crime and to improving the prosecution of cases. For now, discussions and actions with regard to criminalization and data breach notification are welcome. They draw attention to the issue and serve as a means to combat crime in an effective way in all member states. Even though the introduction of data breach notification “reduces the likelihood of individuals becoming victims of identity theft and also may help victims to take the actions necessary to resolve problems,”20 this development should not overshadow the need for other measures to combat the problem. ■
1. Nicole van der Meulen, “The Spread of Identity Theft: Developments and Initiatives within the European Union,” The Police Chief 74, no. 5 (May 2007): 59–61.
2. European Commission, A New EU Action Plan 2004–2007 to Prevent Fraud on Non-cash Means of Payment (COM 679 final), October 20, 2004, http://eur-lex.europa.eu/LexUriServ/site/en/com/2004/com2004_0679en01.pdf (accessed June 27, 2007).
3. The identity chain is the process of identifying, authenticating, and authorizing clients.
4. Fraud Prevention Expert Group, Report on Identity Theft/Fraud, October 22, 2007, http://ec.europa.eu/internal_market/fpeg/docs/id-theft-report_en.pdf (accessed June 27, 2007), 34.
5. Ibid., 35, 36.
7. Quoted in “Europe Takes on Cyber-Criminals,” Onestopclick, May 25, 2007, http://www.onestopclick.com/news/Europe-takes-on-cyber-criminals_18160741.html (accessed June 27, 2008).
8. Commission of the European Communities, “Towards a General Policy on the Fight against Cyber Crime” (COM 267 final), communication to the European Parliament, May 5, 2007, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52007DC0267:EN:NOT (accessed June 30, 2008).
9. U.K. Home Office Identity Fraud Steering Committee, “Identity Theft: What Is Being Done?” http://www.identity-theft.org.uk/what-is-being-done.html (accessed June 27, 2008).
10. Interview with Kevin McNulty, U.K. Home Office, London, April 22, 2008.
11. Anne Savirimuthu and Joseph Savirimuthu, “Identity Theft and Systems Theory: The Fraud Act 2006 in Perspective,” SCRIPTed 4, no. 4 (September 2007), http://www.law.ed.ac.uk/ahrc/script-ed/vol4-4/savirimuthu.asp (accessed June 27, 2008).
13. Maureen Johnson and Kevin M. Rogers, “The Fraud Act 2006: The E-Crime Prosecutor’s Champion or the Creator of a New Inchoate Offence?” paper presented at the annual British and Irish Law, Education, and Technology Association conference, April 16–17, 2007, Hertfordshire, United Kingdom, http://www.bileta.ac.uk/Document%20Library/1/The%20Fraud%20Act%202006%20-%20The%20E-Crime%20Prosecutor’s%20Champion%20or%20the%20creator%20of%20a%20new%20inchoate%20offence.pdf (accessed June 27, 2008), 4.
14. G. R. Sullivan, “Fraud—the Latest Law Commission Proposals,” Journal of Criminal Law 67, no. 2 (2003): 139–148.
15. Peter Hustinx, “Opinion of the European Data Protection Supervisor,” April 10, 2008, http://www.edps.europa.eu/EDPSWEB/webdav/shared/Documents/Consultation/Opinions/2008/08-04-10_e-privacy_EN.pdf (accessed June 27, 2008), 3.
16. “EDPS Endorses Data Breach Notification Provision in ePrivacy Directive,” EDRI-gram 6.8, April 23, 2008, http://www.edri.org/edrigram/number6.8/edps-data-breach-notification (accessed June 30, 2008).
17. Within the United Kingdom and Germany, discussions are ongoing about the possibility of introducing data breach notification legislation.
18. GOVCERT (www.govcert.nl) is the Computer Emergency Response Team for the Dutch government.
19. In an effort to gain more insight into the size of the problem and the developments within the several member states, the Future of Identity in the Information Society (FIDIS) research community recently published a study that provides an overview of the situations in the United Kingdom, Belgium, Germany, and France. See Nicole van der Meulen and Bert-Jaap Koops, eds., D12.7: Identity-Related Crime in Europe—Big Problem or Big Hype? June 9, 2008, http://www.fidis.net/uploads/media/fidis-wp12-del12.7_identity_crime_in_Europe.pdf (accessed July 1, 2008).
20. Hustinx, “Opinion of the European Data Protection Supervisor,” 8.
From The Police Chief, vol. LXXV, no. 8, August 2008. Copyright held by the International Association of Chiefs of Police, 515 North Washington Street, Alexandria, VA 22314 USA.