Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Community
Ask the community for help and clear up your study doubts
Discover the best universities in your country according to Docsity users
Free resources
Download our free guides on studying techniques, anxiety management strategies, and thesis advice from Docsity tutors
An in-depth analysis of identity theft in cyber space, its issues, challenges, and legal frameworks. It covers various aspects of identity theft, including its purposes, methods, and consequences. The document also discusses the legislative provisions in india and the us to combat identity theft and the confusion between identity theft and cheating by personation.
Typology: Essays (university)
1 / 24
This page cannot be seen from the preview
Don't miss anything!
The present project on the “ Identity theft in cyberspace : issues and challenges ” has been able to get its final shape with the support and help of people from various quarters. My sincere thanks go to all the members without whom the study could not have come to its present state. I am proud to acknowledge gratitude to the individuals during my study and without whom the study may not be completed. I have taken this opportunity to thank those who genuinely helped me.
With immense pleasure, I express my deepest sense of gratitude to Mr.Kumar Gaurav , Faculty for Cyber Laws, Chanakya National Law University for helping me in my project. I am also thankful to the whole Chanakya National Law University family that provided me all the material I required for the project. Not to forget thanking to my parents without the co-operation of which completion of this project would not had been possible.
I have made every effort to acknowledge credits, but I apologies in advance for any omission that may have inadvertently taken place.
Last but not least I would like to thank Almighty whose blessing helped me to complete the project.
The researcher has adopted a purely doctrinal method of research. The researcher has made extensive use of the library at the Chanakya National Law University and also the internet sources.
INTRODUCTION
The terms “identity theft” and “identity fraud” describe the theft for fraudulent purposes of personal information, such as account numbers, social security numbers (SSNs), and other personal identifiers such as mother’s maiden name. Victims of identity theft and phishing attacks primarily suffer financial losses. This imposes an additional societal cost—loss of consumer
confidence in conducting business online. 1 Whilst numerous variations of this crime exist, an identity thief can fraudulently use personal identifying information for any of the following purposes:
(a) Opening new credit card accounts;
(b) Taking over existing credit card accounts
(c) Applying for loans;
(d) Renting apartments;
(e) Contracting with utility companies;
(f) Issuing fraudulent checks using another person’s name and account number;
(g) Stealing and transferring money from existing bank accounts;
(h) instituting bankruptcy proceedings; and/or
(i) Obtaining employment using a victim’s name and details.
On such account, identity theft is a serious crime that merits due consideration and adequate prevention and combating.9 Identity theft may be committed in whole or in part by the use of information and communication technologies (ICTs), which dispenses with face-to-face physical contact and allows for distant encounters. Historically, fraud involved face-to-face communication since physical contact was primarily the norm. Even when remote communication—i.e., snail mail—could be used to set up a fraudulent transaction, it was often still necessary for the parties to meet and consummate the crime with a physical transfer of the tangible property obtained by deceit. Nevertheless, the proliferation of ICTs has exerted a profound impact upon the nature and form of crime, and has altered the mechanisms of crime commission. Nowadays, perpetrators can use fraudulent e-mails and fake websites to scam thousands of victims located around the globe, and may expend less effort in doing so than their predecessors.^2
1 Introduction of the “Anti-Phishing Act Of 2004”, 150 CONG. REC. S7897 (July 9, 2004) 2 S. BRENNER, Cybercrime Metrics: Old Wine, New Bottles (Virginia, Virginia Journal of Law and Technology), [2004], p. 6.
(b) Secondly, allowing identity thieves to work anonymously or after assuming the identity of an innocent victim, and access information anywhere in the world. Cyber-Trespass or Hacking: Cyber-Trespass is becoming more common to commit identity theft. It can include many different ways of using a computer and network to steal information, money, or other valuables. Cyber-trespass offences include: embezzlement,^3 unlawful appropriation,^4 corporate / espionage, 5 plagiarism,^6 and DNS cache poisoning.^7 According to Webester dictionary, Hacking means unauthorized attempts to bypass the security mechanisms of an information system or network. Phoney or Sham Websites: Phishing and Pharming: Identity thieves can also set up and use sham or phoney websites to commit their crimes. Phishing is a clear variation and manifestation of phoney communications and websites.^8 It is the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise
3 This involves misappropriating money or property for the criminal’s own use that has been entrusted to him by someone else. 4 This crime differs from embezzlement in that the criminal was never entrusted with the valuables but gains access from outside the organization and transfers funds, modifies documents giving him title to property he doesn’t own, or the like 5 In which persons outside/inside the company use the network to steal trade secrets, financial data, confidential data.. etc 6 This is the theft of someone else’s intellectual work with the intent of passing it off as one’s own. 7 It is a form of unauthorized interception in which intruders manipulate the contents of a computer’s DNS cache to redirect network transmissions to their won servers. 8 The word phishing comes from the analogy that Internet scammers are using e-mail lures to fish for passwords and financial data from the sea of Internet users. The term was coined in 1996 by hackers who were stealing AOL Internet accounts by scamming passwords from unsuspecting AOL users. Since hackers have a tendency to replacing “f” with “ph” the term phishing was derived. Available at <http:// www.webopedia.com/DidYouKnow/Internet/2005/phishing.asp> (last accessed 14/11/2014)
in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information. Thus, phishing is essentially a method of committing credit card fraud, identity theft and/or generic theft. Phishing attacks use ‘spoofed’ e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc.
Spoofing:
A closely interconnected and often confused term with phishing and pharming is spoofing. A “spoofer”, in Internet terms, is defined generally as the “cracker” who alters, or “forges,” an e- mail address, pretending to originate a message from a different source address than that which he or she truly has.96 There are many ways an attacker may do this, and there are many types of attacks. The attacker may do this to gain access to a secured site that would accept the “hijacked” address as one of few permissible addresses, or more maliciously, the reason may be to hide the source of any type of attack.“Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).
Spyware:
Spyware is computer software that can be used to gather and remove confidential information from any computer without the knowledge of the owner. Everything the surfer does online, including his passwords, may be vulnerable to spyware. Spyware can put anyone in great danger of becoming a victim of identity theft. Moreover, some forms of spyware can be installed on the computer from a remote location without the identity thief ever having physical access to the victim’s computer.
Electronic Bulletin Boards:
Chat rooms and electronic bulletin boards have become breeding grounds for identity theft. When criminals have obtained personal identifying information such as credit
Nigerian 419 Scam:
This is the most prevalent method still conning many persons around the globe wherein the fraudster sends the email to target persons in guise of some rich family member of a dead African Millionaire who is in distress due to political turbulence in his country. The fraudster seeks your help to get the large some of money in your account with a commission of huge money to you for your services of offering your account to receive the money. This scam is called as Nigerian 419 fraud(for the relevant section of the Nigerian Criminal Code). There is another category of Nigerian fraud of similar nature where the victim receives unsolicited email declaring that he has won the lottery after his email being selected from thousand of other emails. These scams qualify as identity crimes because they involve collecting personal and bank information from unsuspecting Internet users who are gullible enough to respond to these solicitations.
Shoulder Surfing:
The fraudster can also obtain your personal data without breaking into your homes. In public places, some people loiter around ATM & Telephone Booths who watch your enter your secret PIN Number or simply looking over your shoulder on a public telephone or just by eavesdropping if you are giving your credit card information over the phone. 11
IDENTITY THEFT IN INDIAN LAW
Data theft, i.e. identity theft and cheating by personation. It is a traditionally old crime which can be done without the use of internet or cyber technology, for example by dumpster diving where a search of garbage of a house can give access to thrown expired driving licenses, or credit cards, or bank documents of the residents of the house, by which information about them can be known.^12 Identity theft as a crime has existed independent of internet and computers, but with the advent of technology, computers, mobile phones, internet, etc. have eased the possibility of identity theft to a great extent.
11 Identity theft or identity fraud< http://www.neerajaarora.com/identity-theft-or-identity-fraud/ > last accessed 14/11/ 12 Stuart F.H. Allison, et al., Exploring the crime of identity theft: Prevalence, clearance rates, and victim/ offender
characteristics, 33 JOURNAL OF CRIMINAL JUSTICE 19 (2005).
In Indian law, identity theft as a crime was never addressed separately. It could be read in various offences described in the IPC such as cheating under Section 415, IPC, cheating by personation under Section 416 IPC, breach of trust under Section 403, IPC, etc. but not as „theft 2 01 Funder Section 378 of the IPC. Even the offence of identity theft specifically by way of use of a computer resource, was never addressed by any law before the 2008 amendment to the IT Act. It used to be covered under the unamended Section 66 of the IT Act which provided: “(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.” Thus, prior to the amendment act, the crime of identity theft was forcibly brought under S. within the ambit of, hacking 2 01 F, which presupposes that there was an infiltration of a computer resource involving, alteration, deletion or destruction 2 01 Fof the information residing therein, facilitating the crime of identity theft.” the crime of identity theft broadly involves two steps Firstly , the wrongful obtainment of personal identification information and the fraudulent use of the identity so stolen. Computers and internet can be used for the first step of wrongfully obtaining another person 2 01 Fs identity. Hacking as covered by the old Section 66 is not the only way in which information can be wrongfully obtained from another person. Hacking as covered by the old Section 66 involves acts where data or information is stolen from another computer by technologically advanced means where the fact of theft of information might not even be known to the victim. However, in many other ways such as phishing, internet is used to get the information from the victim, where the victim himself/herself provides the information to the fraudster under a false belief. These are instances of fraud or cheating or misrepresentation by way of internet which were not specifically covered by any law. Meanwhile, with the advent of technology, there were newer ways in which the internet, computers and mobile phones were being used for identity theft which would result in negligible legal action. For example, in 2005, a financial institute complained that they were receiving misleading emails ostensibly emanating from ICICI Bank 2 01 Fs email ID. 13 The place of offence, Vijaywada was searched for the evidence and it was found that one laptop and mobile phone
13
have used electronic signature, password or unique identity feature must have done so fraudulently or dishonestly. 16 It means that unless it is proved that the accused has the required mens rea, he will not be liable. Any person who is found guilty of fraudulently or dishonestly using other 2 01 Fs electronic signature or password or identity feature shall be punished with imprisonment of either description for a term which may extend to three years and shall be liable to fine which may extend to rupees one lakh. 17 Moreover, this section covers use of electronic signatures, passwords, or any other unique identification feature. The scope of „unique identification feature 2 01 Fis unclear though. It is doubtful if a profile in a social networking website or a matrimonial website could be considered unique identification information, and if it cannot be considered so, then using a person^ 2 01 Fs such profile by another person will not be identity theft. For instance, during the recent violence in north-eastern India, multiple twitter accounts of the PMO (Prime Minister 2 01 Fs Office were being operated by different people, sending wrong messages as the official response. 18 Such an act would not be considered identity theft of the PMO but will be covered under Section 66D.
Section 66D (as quoted above) prescribes punishment for whoever „cheats by personation 2 01 F, without defining it. In such a situation, it can be assumed that cheating by personation would carry the same meaning as it does in Section 416 of the Indian Penal Code, 1860.63 According to section 416 of the IPC: A person is said to “cheat by personation” if he cheats by pretending to be some other person, or by knowingly substituting one person for another, or representing that he or any other person is a person other than he or such other person really is.A person is said to „cheat 2 01 Fwhen he or she:by deceiving any person, fraudulently or dishonestly induces the person so deceived to deliver any property to any person, or to consent that any person shall retain any property, or intentionally induces the person so deceived to do or omit to do anything which he would not do
16 Section 66C, Information Technology Act, 2000. 17 DR. FAROOQ AHMED, CYBER LAW IN INDIA, 334 (4th ed., 2011). 18 Twitter accounts, posing as Prime Minister’s Office, blocked, NDTV, August 21, 2012, available at http://www.ndtv.com/article/india/twitter-accounts-posing-as-prime-minister-s-office-blocked- (last visited, 6-11-2012).
or omit if he were not so deceived, and which act or omission causes or is likely to cause damage or harm to that person in body, mind, reputation or property, is said to “cheat”.
The essence of cheating therefore is inducement which would cause a change of action of another person only because of such deception. Therefore, in a situation where person X has sufficient funds and credibility to make certain purchases but does not want to spend his own money, and therefore, by way of identity theft, makes certain purchases as person Y, amassing credit in the name of Y, cannot be said to have committed „cheating 2 01 Fas but for identity theft of Y, person X could still have made the same purchases. Therefore, identity theft cannot be covered entirely by the provisions on „cheating 2 01 F.
The main difference between the provision dealing with cheating by personation (Section 66D) and identity theft (Section 66C) is that the communication device or computer resource is the necessary instrument of crime of cheating by personation. In the latter case, electronic signature or password may be stolen and then used for impersonation. In the former case, computer resource or computer device is being used for misrepresentation of one 2 01 Fs identity. The offence of cheating by personation is committed whether the individual personated is a real or imaginary person. 19 Therefore, importance is not on causing harm to the person impersonated, but to the public at large which is being deceived. Cheating by personation can be a means of obtainingpersonal identification information such as by way of phishing, as well as the fraudulent use of such identification information. The younger generations, which use the internet and other online technologies extensively for staying connected for all day to day work and entertainment, including information, e-mails, social Networking, e-banking, e-shopping, web-TV, news, education, home-work research, online gaming, downloading music, videos, movies and other contents etc, are more vulnerable to targeted cyber-crime. Therefore, to clear doubts, the government of India issued an “Advisory on Preventing and Combating Cyber Crime against Children.”65 Accordingly, Section 66C along with Sections 66A and 66E of IT Act, and Sections 506, and 509 of IPC cover offences of cyber bullying and cyber stalking as well, while
19 Explanation, Section 416, IPC.
single window format. There also needs to be a law in order to deal with the alternatives which are coming out with regard to the paper based storage and communication of information.^22 The European Union The European Union has two main legislations for cyber crimes and protection of data which are relevant to identity theft. The European Union Data Protection Directive was passed by the EU in 1998^23 designed to restrict data collection, processing,69 dissemination, and storage in Europe. The directive is not self-executing; it requires states to create implementing legislation on their own. Therefore, the laws are different from country to country within Europe, depending on the legislation each adopts. 24 The directive includes some procedures designed to promote uniformity in the laws in Europe and in the treatment of non-member states that process European data. Therefore, the attempt is to bring in uniformity in domestic laws than to impose transnational laws and regulations. Similar point can be taken out from the Council of Europe Convention on Cybercrime.^25
US Law on Identity Theft
22 Shobhalata V Udapudi & Barnik Ghosh, The Information Technology Act of India: A Critique, 2(5) ZENITH INTERNATIONAL JOURNAL OF BUSINESS ECONOMICS & MANAGEMENT RESEARCH (2012), at http://zenithresearch.org.in/ (last visited, 16-11-2014) 23 Council Directive 95/46/EC, 1995 O.J. (L 281) 31, available at http://www.privacy.org/pi/intlorgs/ec/ final EU Data Protection.html (last visited, 1-11-2012). 24 Michael Edmund O'Neill, Old Crimes in New Bottles: Sanctioning Cybercrime, 9 GEO. MASON. L. REV. 237, 253 (2000)
25 Council of Europe Committee of Experts on Crime in Cyber-Space, Convention on Cybercrime, opened for signature Nov. 23, 2001, available at http://conventions.coe.int/treaty/en/Treaties/Html/I85.htm (last visited, 4-11-2012).
In the United States, the growing problem of identity theft was addressed by the US legislature by way of a dedicated legislation for identity theft.The Identity Theft and Assumption Deterrence Act of 1998 which became effective October 30, 1998, makes identity theft a Federal crime with penalties up to 15 years imprisonment and a maximum fine of $250,000. It establishes that the person whose identity was stolen is a true victim. Previously, only the credit grantors who suffered monetary losses were considered victims.^26 This legislation enables the Secret Service, the Federal Bureau of Investigation, and other law enforcement agencies to combat this crime. It allows for the identity theft victim to seek restitution if there is a conviction. It also establishes the Federal Trade Commission as a central agency to act as a clearinghouse for complaints, (against credit reporting agencies and credit grantors) referrals, and resources for assistance for victims of identity theft.^27
Some features of this Act require attention. It considers cheating by personation, possession of identification information of another person with the knowledge of it being so, as well as the transfer of identification information of another person to a different person, as an offence of identity theft.^28 Moreover, the punishment under this act ranges from a maximum imprisonment of 1 year to a maximum imprisonment of 25 years with or without fine depending on the use made of stolen identity. In cases of drug trafficking crime or violence crimes, it can be up to 20 years, while in international terrorism it can be up to 25 years.79 Moreover, the Identity Theft Penalty Enhancement Act 29 was recently passed by the US Legislature. It established penalties for aggravated identity theft, in which a convicted perpetrator could receive additional penalties (two to five years 2 01 Fimprisonment) for identity theft committed in relation to other federal crimes. Examples of such federal crimes include theft of public property, theft by a bank officer
26 Martha A. Sabol, The Identity Theft and Assumption Deterrence Act of 1998 – Do Individual Victims Finally Get their Day in Court?, 11 LOY. CONSUMER L. REV. 165 (1998-1999). 27 Identity Theft and Assumption Deterrence Act of 1998, NATIONAL CHECK FRAUD CENTRE, available at http://www.ckfraud.org/title_18.html (last visited, 16-11-2014). 28 Id; Holly K. Towle, Identity Theft: Myths, Methods, and New Law, 30 RUTGERS COMPUTER & TECH. L.J. 237, 266, (2004). 29 18 U.S.C. § 1028A
„theft 2 01 Fand the wrongful use of such a stolen identity is merely an expression of the mens-rea or intention to dishonestly obtain information in order to use it.There can be other ways of proving the dishonest or fraudulent intention such as extortion of money from the victim by way of threat issued to the victim by the fraudster to use the stolen identity.Therefore, a fraudulent use of the stolen identity is not an essential ingredient for the offence of theft of identity. However, fraudulent obtainment of personal identification information is inherently wrong at three levels. One, the personal identification information even if not fraudulently used, can always be a tool to blackmail the victim. An instance mentioned earlier supports this conjecture. Before identity theft was criminalized in the US, a man after having stolen another 2 01 Fs identity and fraudulently used it to generate a huge debt in the other 2 01 Fs name, used to often taunt him on the phone, as it was not an offence punishable by law. Similarly, if a person fraudulently steals another person^ 2 01 Fs identification information, effectively his identity, and without using it, threatens him that hemight use it, he can extort money or favours from the other or even cause a lot of mental agony and pressure. However, if at this point of time, the victim wants to take legal actions against the other person for identity theft, it will not be covered by the Section 66C or Section 66D.
Second, the personal identification information which is obtained fraudulently or dishonestly can be sold instead of being directly used by the fraudster. This could lead to allowing an identity trade racket, where only those who make the end use of the stolen identity will be punishable by law, and not the ones running such a racket. With virtually non-existent boundaries between nations on the internet, India could be a favorable location of running such a racket, to supply identities even to people in other nations. The act of wrongfully obtaining personal identification information by any means needs to be made punishable by law and not merely the use of it.
Third, if another person is in possession of one 2 01 Fs identity, then this very fact is a serious invasion in the right to privacy of the victim, even if it is not being fraudulently used. The limited scope of Section 66C to only unique identification information leaves out some loopholes in the law. The ambiguous and vague nature of „unique identification feature 2 01 Fhas already been considered above, besides that, certain other identification information that is not unique can also cause the same effect as that of identity theft. Unauthorized use of a person 2 01 Fs mobile phone number or another person 2 01 Fs IP address, for instance can shift attribution of a
liability or crime on another person. A threat message sent by a terrorist outfit claiming responsibility for a terror attack from a mobile phone number which is registered on someone else 2 01 Fs name, or using another person 2 01 Fs IP address by way of a proxy website to commit a cyber crime, the IP address will trace another person other than the victim.
The distinction between identity theft and cheating by personation is negligible. Personation is the core of identity theft as it has the same functional nature of being representational as identity. An inherent characteristic of identity is in it being unique. If a person misrepresents himself or herself on the internet using computer resource, then that person is using the identity of a person who might even be real. Thus, intentionally or unintentionally, a person might end up donning the identity of another actual person, which will be akin to introducing a clone of that person in virtual world, diminishing or threatening his control his identity.This point can be well explained by two contrasting examples. One is that of multiple PMO twitter accounts discussed above where the intention was to fraudulently spread misleading information. The other example could be a case where say a fake profile is created in a social networking website such as facebook, only to conceal the real identity of the person operating it, but in the process, it becomes the fake profile of another actual person. Here there was no intention to defraud or in any way affect the personated person, but it would still effectively be a clone profile with the same representational effect as that of the actual person 2 01 Fs profile. In both the above examples, pure cases of cheating by personation have also resulted in the same effect as that of identity theft.
Therefore, there exists only an academic difference between identity theft and cheating by personation which is not even made out by the wordings of Sections 66C and 66D. Existence of these two separate sections can therefore create confusion, especially if an interpretation of either of the two sections is attempted, and the question of legislative intent arises in making the two offences as separate sections. The instances of cheating by personation even by use of a computer or communication device which do not amount to identity theft can anyway be covered by Sections 415 and 416, IPC. But when such cheating by personation leads to identity theft, then it needs to be called identity theft and be treated as identity theft. Therefore, Sections 66C and 66D should be merged into one section. This leads to the final point about treatment of the offence of identity theft by the State.^32
32 VAKUL SHARMA, INFORMATION TECHNOLOGY – LAW AND PRACTICE 186 (3d ed., 2011).
