By Nicole van der Meulen, Researcher, International Victimology Institute Tilburg, the Netherlands
n recent years, the topic of identity theft and the novel challenges associated with the crime have gained significant attention and prominence. The United States has generally been considered the country most victimized by identity theft. However, the immediate association between identity theft and the United States is slowly fading, and individuals within other countries are becoming more aware of the potentially global impact of identity theft. Consequently, the common perception that identity theft is an exclusively American problem, held for the past few years, is fortunately beginning to decline. This development is partially a result of media headlines all over the world featuring the problems that the United Kingdom and Australia are experiencing with identity theft. As a result, policy makers within the European Union (EU)1 are gradually opening their eyes and beginning to analyze to what extent identity theft is a problem within their geographic territory.
The European Approach
Despite increasing attention devoted to the topic of identity theft within the European Union, authors and policy makers still identify a number of reasons why identity theft is not as significant a problem as it is in the United States. These reasons often relate to attitudes and actions set forth by governments, businesses, and citizens.
Simon Davies, director of Privacy International, notes that most citizens within the European Union are far less willing than Americans to provide their personal identifying information without having strong reasons for doing so. Their reluctance stems from an understanding of the potential consequences of providing someone with their personal information: once they give out that information, they can never “take it back.” Part of this reluctance stems from historical events such as World War II, where the gathering of personal information was used to identify Jewish citizens.
A similar concern is the role governments play in safeguarding personal identifying information through strict data protection laws. As Davies notes in his National Public Radio interview, “We would never have a ChoicePoint. We couldn’t have a ChoicePoint operating in Europe. It wouldn’t happen.”2 The idea is that since businesses are not allowed to collect as much data, less information can be stolen and subsequently abused.
Furthermore, social security or social insurance numbers are generally used only for their initial purpose: social security. This is in contrast to the United States, where social security numbers are widely used and can be easily obtained by perpetrators to take advantage of a victim’s identity.
Another difference is that EU citizens use fewer credit cards, and credit card applicants are subjected to higher standards of verification and approval than are Americans. Citizens within the European Union are less connected to their credit cards and still seem to prefer cash payments. Through the increasing presence of digital technology, however, this may change as individuals begin to use their credit cards more frequently to make purchases online.
Prevalence of Identity Theft in the European Union
Although most people assume that identity theft is not a problem in the European Union, some do recognize it as a problem and manage to provide some indication of the prevalence of the crime. Unlike the United States, the European Union lacks a central complaint database or center that collects data exclusively on identity theft. Individual countries or regions do, however, have some indicative statistics on the problem. The United Kingdom, for example, reported in 2006 that damages as a result of identity fraud totaled £1.7 billion per year.3 These damages proved a significant increase from previous years, especially in comparison with statistics provided in 2002, when the Cabinet Office reported a loss of £1.3 billion per year.4 The Cabinet Office furthermore claimed that the presented amount is far below the actual damage caused to the U.K. economy because the office relies only on available data, which represent but a part of the whole figure. Others disagree, however, and claim that identity fraud causes far less financial damage and is exaggerated to assist the government in gathering support for new legislative initiatives.
Within the European Union, officials make global statements usually without mentioning concrete figures. In 2002, Bernard Clements et al. concluded in their report “Security and Privacy for the Citizen in the Post-September 11 Digital Age: A Prospective Overview” that identity theft is comparatively less prevalent in the European Union as opposed to countries such as Canada and the United States. Clements et al. identified possible reasons for this, including the existence of “stronger authentication mechanisms in the physical world (in a number of EU countries ID cards are commonly used) and different purchasing patterns, which, in the EU, rely more on face-to-face contact than on distance purchasing.”5 Furthermore, the authors noted, just as Davies did, “that more effective privacy protection in Europe limits the ease of access to personal data needed by would-be identity thieves.”6 Even so, Clements et al. do recognize the potential threat that identity theft poses for the EU member states, especially as the information age progresses and e-commerce advances.
In its European Union Organised Crime Report 2003, Europol (the EU law enforcement organization charged with sharing criminal intelligence and assisting member states in fighting organized crime) acknowledged that the incidence of identity theft and credit card fraud continued to increase within the European Union.7 A year later, however, the European Commission held a forum on identity theft and concluded, “Identity theft is growing fast outside the EU (US, Canada, Australia) and is very relevant in the UK. For now, it does not seem to be equally prominent in the other Member States.”8
It should be noted that the comparatively low prevalence of identity theft in the European Union results to a certain extent from the classification of individual crimes. An example is a case in the Netherlands in September 2006, where suspects had retrieved bank statements from numerous individual mailboxes and subsequently managed to set up online banking identities, through which they were able to drain numerous accounts. The police arrested them and charged them with bank fraud, which is not regarded as a type of identity theft. However, the charge against them could have easily been account takeover instead, which is classified as a form of identity theft. In this manner, the classification of various crimes influences the statistics that can be gathered about the problem and therefore public perception of its significance—which leads into the next issue: legislation, or the lack thereof.
According to a questionnaire distributed and analyzed by Fabio Marini, an attendee of the previously mentioned forum on identity theft, eight member states have specific legislation on identity theft. Yet he also notes that legislation differs significantly among these member states, and during the forum Marini expressed the need for common guidelines and training programs to streamline investigative countermeasures in the European Union.9 Harmonized EU rules with regard to identity theft could, according to the forum participants, simplify the investigation and prosecution of offenders. Researchers Katy Owen, Gemma Keats, and Martin Gill noted, “In 2004 the FIDIS Consortium in conjunction with Tilburg University surveyed a variety of countries including a number of EU members on identity theft legislation. The survey revealed that there are very few specific provisions in criminal law in the EU member states about identity theft or identity fraud.”10 A further analysis of these results is unfortunately not possible due to a lack of more specific information provided in the minutes of the forum. The only additional important remark made in the forum minutes is that “most countries (11) said they consider ID theft as a part of conspiracy to commit another crime, an aggravating circumstances [sic] in other crimes or it is included in other forms of crime such as fraud, forgery, computer crimes, counterfeiting etc.”11 As a result, one can safely conclude that there is no specific legislation with regard to identity theft, as other surveys indicated, but that “in most EU member states, the actions involved in identity theft will generally be sanctioned under other provisions, such [as] those concerning fraud, information fraud, identity usurpation, impersonation, or illegal use or processing of personal data.”12
Despite lacking a clear indication of the actual prevalence of identity theft within the European Union, policy makers do devote attention to the problem. In 2004, the European Commission developed its new Action Plan for 2004–2007 to prevent fraud on noncash means of payment. In the Action Plan, the commission recognizes that fraud is evolving and that “criminal actions such as data hacking or identity theft are growing at a worrying pace and new scams are emerging.”13 As a result, the commission identifies the need for specific initiatives to prevent identity theft in the European Union as an objective within the Action Plan. The commission explains that “identity theft is a cross-sector problem affecting governments, businesses and citizens, which is growing rapidly in some sectors or countries and is often linked to organised crime.”14 To address issues related to identity theft, the commission outlined a number of action points:
- “The Commission will promote the creation of a database of original and counterfeit identity documents accessible to both the public authorities and the private sector.”
- “The Commission will assess the merits of establishing an EU single contact point for citizens and businesses on identity theft, which could include a register of bodies engaged [in] the prevention of identity theft.”
- “The Commission will continue to discuss the implementation of a single phone number in the EU for notification of lost or stolen cards.”15
Furthermore, the commission strengthened the role and reorganized the functioning of the EU Fraud Prevention Expert Group (FPEG) as part of the Action Plan. The FPEG identifies all major stakeholders in payment fraud prevention in the European Union, including representatives of national and EU banks, ministries, law enforcement agencies, retailers, consumer groups, and network operators. The FPEG “provides an added value as a platform where stakeholders could effectively exchange information and best practice to prevent fraud.”16 As part of the Action Plan, the commission identified the need for the FPEG to meet at least twice a year.
The members of the FPEG represent seven subgroups. The primary objective of one subgroup is to provide recommendations and propose countermeasures to effectively prevent, detect, and react to attempts of identity theft and phishing. The group focused its previous work primarily on the prevention and detection of identity theft, and a new group is now established to specifically address phishing.17
Another subgroup focuses specifically on developments and ways to advance law enforcement within the European Union. With the assistance of Europol and the European Banking Federation, this subgroup conducted a survey to gather information on the possibility of establishing a central law enforcement unit to fight noncash payment fraud, including identity theft. According to the law enforcement subgroup, “The survey shows that there are big differences between the countries with regard to the structure and organization of law enforcement concerning the prevention and fight against non-cash payment fraud, though the investigation of non-cash payment fraud committed in the on-line environment might be dealt with by or with assistance of specialised computer crime or high tech crime units.”18 Furthermore, the survey demonstrated that “it appears that currently these kind of central units specialising in non-cash payment fraud exist in only two Member States. . . . In many Member States, combating non-cash payment fraud is not a priority, or only if linked to associated organised crime.”19 In the EU Organised Crime Threat Assessment of 2006, Europol focused on the fact that identity theft can assist the commission of other forms of organized crime, such as money laundering. Measures against identity theft at the EU level can therefore potentially disrupt organized criminal activity early on, during the stage where criminals gain unlawful access to personal information.20
Conflicts and Concerns within Public Policy
In general, the European Union emphasizes the need for coordination and cooperation among the various levels of authority and the different agencies. Furthermore, individuals have stressed the importance of harmonizing both the legal definition of identity theft and the initiatives of the member states in response to this problem. Although the European Union recognizes identity theft as a potential major security issue, actual implementation of countermeasures appears slow. As Owens, Keats, and Gill note, “[T]here is little evidence to suggest much progress has been made.”21 Whether measures against identity theft at the level of the European Union will actually gain the necessary momentum is questionable. For now, the United Kingdom appears to be the primary prominent site of identity theft and, more generally, identity fraud. Judging from interviews conducted by Owens, Keats, and Gill, officials in France, Germany, and the Netherlands also appear concerned about identity theft. Perhaps a difference in priorities among the various member states will decide just how much attention and resources are ultimately devoted to fighting this problem.
Challenges of European Law Enforcement
Several years ago, Amanda Hoey and Ivan Topping stated, “At the European level, we have witnessed the development of a ‘borderless Europe,’ in which it is asserted that crime will know no boundaries and national police forces will lack the necessary control to maintain law and order.”22 To a certain extent, the development of “borderless” regions is a global trend, especially with regard to transnational organized crime, the investigation of which requires the involvement of law enforcement officials in different parts of the world. Within the European Union, however, the challenge of maintaining law and order requires significant involvement of the member states. In light of this, policy makers and academics often point to the need for effective coordination and cooperation.
Through the years, the European Union has taken many crucial steps toward the improvement of cooperation and coordination. A major example is the creation of Europol. The primary goal of Europol is to provide a system of information exchange designed to combat and prevent organized crime in Europe. In the new Europe, where the exchange of security-related information plays a crucial role in law enforcement cooperation, Europol can play an important role.23 Criminology professor Ian Loader comments, “In undertaking this role, Europol maintains a database of ‘intelligence’ on transnational crime which it deploys to provide national forces with crime analysis and ‘technical expertise.’”24
Even with the creation of Europol, however, significant challenges remain. Identity theft cases are generally rather difficult to solve—especially when they involve digital identity theft—because of the anonymity and the cross-jurisdictional nature of the crime. Through the use of digital technology, perpetrators are hardly ever bound to a geographic area, which means they can commit crimes from a location quite distant from their victims. Solving such cases clearly requires the involvement of multiple law enforcement agencies. Although Europol can provide crucial assistance with regard to technical expertise and information exchange between agencies, member states rarely take advantage of this agency, which may reflect, as Loader labels it, a “Euro-police sceptical” view of law enforcement agents.
Other obstacles to optimal cooperation include language difficulties, a lack of common working procedures, and the absence of a common European criminal law. Due to a lack of legislation targeting identity thieves, law enforcement within the European Union may be viewed by victims as highly inadequate, because they are often not recognized or treated as victims. This can complicate their attempts to restore their credit and reputation. One solution could be to include certain kinds of identity crime in the category of fraud, allowing for identity theft offenses to be investigated as part of other crimes.
The global incidence of identity theft is not expected to subside in the foreseeable future, particularly due to its profitability and apparently low rate of conviction. Compared with the United States, the European Union experiences fewer incidents, but EU citizens are certainly confronted ever more often with phishing e-mail and spyware, increasing the potential threat of identity theft. Overall, EU policy makers and law enforcement officials could benefit from the experience of their counterparts in the United States by recognizing the relative strengths and weaknesses of U.S. counterefforts.
To be sure, there are significant differences between the two geographic regions. Several authors and policy makers have claimed that due to stronger privacy and data protection laws, the European Union may continue to encounter less of a problem than the United States does. Consequently, the United States could perhaps learn from the European Union’s approach, as has been suggested by some authors.25
Although law enforcement situations differ geographically, officers everywhere encounter similar challenges and difficulties when faced with the anonymous and borderless nature of identity theft. As a result, the challenge for law enforcement remains and will only grow, as perpetrators continue to develop new methods of collecting and abusing the personal information of others. The proper response requires a less traditional mindset that incorporates the same innovative ideas and instruments that perpetrators currently use to their advantage.■
1The European Union (EU) is an intergovernmental union of 27 nation-states, established in 1993 by the Treaty on European Union. This union constitutes a single market with a common trade policy. It introduced a single currency, the euro, that to date has been adopted by 13 member states.
2Simon Davies, “Identity Theft in the International Arena,” interview by Eric Weiner, Day to Day, National Public Radio, March 14, 2005, www.npr.org/templates/story/story. php?storyId=4534021, April 9, 2007. As used in this reference, ChoicePoint refers to the U.S. company that has developed a computerized method of reviewing millions of public records by drilling deep into layers of infrastructure data using analysis software and data access technologies.
3U.K. Home Office, “Updated Estimate of the Cost of Identity Fraud to the UK Economy,” 2006, www.identity-theft.org.uk/ID%20fraud%20table.pdf. Within the United Kingdom, the term identity fraud is more frequently used and also includes data on identity-related crimes involving the use of false or nonexistent identities.
4U.K. Cabinet Office, Identity Fraud: A Study (London: U.K. Cabinet Office Publications, 2002), www.identitycards.gov.uk/downloads/id_fraud-report.pdf, April 12, 2007.
5Bernard Clements et al., “Security and Privacy for the Citizen in the Post-September 11 Digital Age: A Prospective Overview,” Report to the European Parliament Committee on Citizens’ Freedoms and Rights, Justice and Home Affairs (LIBE) (Seville, Spain: IPTS-JRC, 2003), 32.
7Europol, EU Organized Crime Threat Assessment 2003 (Luxembourg: Office for Official Publication of the European Communities, 2003).
8European Commission, Minutes of the Forum on Identity Theft (n.p., 2004), 2.
10Katy Owen, Gemma Keats, and Martin Gill, The Fight against Identity Fraud: A Brief Study of the EU, the UK, France, Germany, and the Netherlands (Leicester, United Kingdom: Perpetuity Research & Consultancy International, 2006), 8. FIDIS is the Future of Identity in the Information Society, supported by the European Union under the 6th Framework Programme for Research and Technological Development within the Information Society Technologies priority; for more information, see www.fidis.net.
11European Commission, Minutes of the Forum on Identity Theft (n.p., 2004), 6.
12Neil Mitchison et al., Identity Theft: A Discussion Paper (n.p.: European Commission Joint Research Center, 2004), 24.
13European Commission, A New EU Action Plan 2004–2007 to Prevent Fraud on Non-cash Means of Payment (COM 679 final), Brussels, October 20, 2004, 3, eur-lex.europa.eu/LexUriServ/site/en/com/2004/com2004_0679en01.pdf, April 13, 2007.
17Fraud Prevention Expert Group (FPEG), Draft Minutes of the 10th Meeting of the Fraud Prevention Expert Group, Brussels, May 22, 2006, 6.
18Fraud Prevention Expert Group (FPEG), “The FPEG and the Prevention of Payment Fraud in Europe,” FPEG News, March 2006, 3.
20Europol, EU Organised Crime Threat Assessment 2006 (n.p., 2006).
21Owens, Keats, and Gill, The Fight against Identity Fraud, 12.
22Amanda Hoey and Ivan Topping, “Policing the New Europe—the Information Deficit,” International Review of Law, Computers & Technology 12, no. 3 (1998): 504.
24Ian Loader, “Policing, Securitization and Democratization in Europe,” Criminology and Criminal Justice 2, no. 2 (2002): 125–153.
25See, for example, Nicole M. Buba, “Waging War against Identity Theft: Should the United States Borrow from the European Union’s Battalion?” Suffolk Transnational Law Review 23 (2000): 633–665.