ARCHIVE - Report on identity theft
Archived Content
Information identified as archived is provided for reference, research or record-keeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
A Report to the Minister of Public Safety Canada and the Attorney General of the United States
Bi-national Working Group on Cross-Border Mass Marketing Fraud
October 2004
- Executive summary
- Introduction
- Identity theft - the threat
- What is identity theft?
- Why is it committed?
- The scope of identity theft
- Who are the victims? Who are the perpetrators?
- How is identity theft committed?
- The impact of identity theft?
- Efforts to combat identity theft
- The way forward: Challenges and recommendations
Executive summary
Identity theft refers to all types of crime in which someone wrongfully obtains and uses another person's identifying information for the purpose of fraud or other criminal activity, typically for economic gain. The perpetrators of identity theft include members of organized criminal groups or networks, terrorists and individual criminals. Identity theft is usually done for economic gain but has also been used by terrorists to obtain cover employment, finance their activities and avoid detection when carrying out their attacks. Criminals also use identity theft to divert law enforcement focus away from the true perpetrators of crimes.
There are indications identity theft is growing rapidly, due in part to the Internet and modern technology. During a one-year period in 2002-2003, total losses to individuals and businesses related to identity theft in the United States were estimated at approximately US$53 billion. In Canada the losses for 2002 were estimated at approximately CAN$2.5 billion.
Identity theft is committed in every place associated with daily life. Methods include mail theft, stealing from residences and personal spaces, misuse of personal data in business transactions, phishing, and theft from company or government databases.
The victims of identity theft come from every age group and all segments of society; however, the majority of victims appear in segments of the population with good or potentially good credit ratings. Victims of identity theft often suffer financial loss, damage to their credit rating and reputation as well as emotional distress. Many are also left with the complicated and sometimes arduous task of clearing their name and credit rating. A 2003 U.S. Federal Trade Commission identity theft survey report found victims had spent a total of 300 million hours in the preceding year to resolve problems created by the theft of their identity.
Identity theft is not confined by borders. Joint efforts to address this problem are coordinated through the Bi-national Working Group on Mass Marketing Fraud (a Cross-Border Crime Forum sub-group), consisting of government and law enforcement officials from Canada and the United States. Governments and the private sector in both countries have pursued a variety of initiatives and legislative reforms to combat identity theft.
On the basis of available data, it appears that identity theft is likely to continue to grow substantially over the next decade and become increasingly important in cross-border criminality. It is expected to pose a threat to tens of millions of people and businesses in Canada and the United States unless law enforcement authorities and private-sector entities mount a vigorous and coordinated response to the problem.
There are a number of areas in which law enforcement, government and the private sector in both countries can strengthen efforts to combat identity theft. They include:
- Comprehensive and coordinated public education and awareness initiatives to reduce victimization;
- Better coordination of law enforcement efforts at national and bi-national levels in analyzing and using identity theft complaints and better informing the public about the existence of national points of contact to report identity theft;
- Discussions between the private sector and law enforcement to enhance identity theft reporting to law enforcement;
- Review of the legislative framework applicable to identity theft, to ensure it keeps pace with the constantly evolving nature of identity theft;
- Efforts to work towards greater consistency and security in identity document issuance and verification processes, to protect the integrity of foundation documents; and
- Review and revision, where appropriate, by private sector entities - especially those that use and retain large volumes of personal identifying data or personal financial data - of their internal procedures and policies affecting the security of those data.
Introduction
In 2003, the Canada-United States Cross-Border Crime Forum determined that it would be appropriate to conduct a threat assessment of identity theft and its impact on cross-border criminality. It directed the Canada-United States Working Group on Cross-Border Mass-Marketing Fraud, which reports to the Forum annually, to prepare such an assessment. This assessment is the product of many agency and individual participants in the Working Group from the United States and Canada. It was prepared jointly by the United States Department of Justice (DOJ) and Public Safety Canada (PS).
The objective of this threat assessment is to define the nature, scope and impact of identity theft. It includes trends, statistics and an examination of the factors surrounding identity theft to increase understanding of the nature of the crime as well as current and potential responses to the problem.
This report, which is being presented at the time of the October 2004 Cross-Border Crime Forum, will provide information and recommendations for policy makers, law enforcement, consumers and the private sector.
While there is a growing volume of data on the incidence of identity theft, statistical and analytical studies on the patterns of and participants in this criminal behaviour are still limited. Both countries are developing initiatives to respond to these challenges. These initiatives will be described later in the assessment.
This report is intended to provide Canada, the United States and other countries with essential information and to promote increased coordination on improving oversight and management of the risks of identity theft and developing comprehensive responses. As discussed below, this assessment recommends a coordinated response embracing public education and awareness campaigns, legislative measures and enforcement actions.
Identity theft - the threat
Unlike certain crimes that are specific to particular types of property and locations - for example, car theft and burglary - identity theft is committed in every place associated with daily life. Identity thieves target residences, workplaces and even places of recreation. Moreover, the growing ubiquity of digital data, and of computers and devices that transmit or store such data, means that identity thieves can ply their trade without ever coming into physical proximity with the individuals whose data they are stealing.
Simply by doing things that are part of everyday routines - for example, charging dinner at a restaurant, using payment cards to purchase gasoline or rent a car, or submitting personal information to employers and various levels of government - individuals may be leaving or exposing their personal data where identity thieves can access and use it without the victim's knowledge or permission. The victim may not discover the effects of the fraud until weeks, months or even years later.
What is identity theft?
In broad terms, identity theft refers to all types of crime in which someone wrongfully obtains and uses another person's identifying information for the purpose of fraud or other criminal activity, typically for economic gain. Such data may include name and date of birth and a range of closely related information such as social insurance numbers in Canada and Social Security numbers in the United States, as well as passport, driver's license and credit card numbers. Once stolen, the personal information can be used to take over or create financial accounts, transfer bank balances, apply for loans and credit or purchase goods and services. 1
Identity thieves may also present or create documents such as birth certificates or immigration documents to obtain benefits such as health care, education, social assistance and public pensions.
Why is it committed?
Canadian and United States law enforcement agencies are seeing a growing trend in both countries towards greater use of identity theft as a means of furthering or facilitating other types of crime. 2 In the overwhelming majority of identity theft cases, the objective is financial.
Some criminals engage in identity theft to obtain funds under their victim's name, mislead law enforcement as to the real perpetrator of the crime, or hide from law enforcement. Others obtain publicly-funded benefits or services to which they would not otherwise be entitled. Some use others' identifying data as means to larger ends, ranging from fraud to human trafficking and terrorism.
The scope of identity theft
There are substantial indications that identity theft has become a significant problem for consumers and businesses in Canada and the United States. One indication is the increase in the number of identity theft complaints filed in both countries.3
In the United States, identity theft-related complaints reported to the Federal Trade Commission (FTC) increased from 86,212 in 2001, to 161,836 in 2002, to 214,905 in 2003 - an increase of nearly 250 percent. 4 In the first two quarters of 2004, the FTC received an additional 130,217 identity theft complaints. This means that the average number of complaints that the FTC received per week has consistently increased: more than 1600 per week in 2001, more than 3,100 per week in 2002, more than 4,100 per week in 2003 and more than 5,000 per week in the first half of 2004.
In Canada, the Canadian Anti-Fraud Centre received 7,629 identity theft complaints in 2002 from Canadians reporting total losses of more than CAN$8.5 million. In 2003, Canadian Anti-Fraud Centre received 14 526 identity theft-related complaints from Canadians, reflecting reported losses of more than CAN$21.8 million. 5
Statistics gathered by Canadian Anti-Fraud Centre in 2003 and the first half of 2004 indicate the largest number of complaints surrounding identity theft relate to credit cards or false application for a credit card (32 percent) and cell phones or false application for a cell phone (10-12 percent). Similarly, the FTC reports that in 2003, 33 percent of identity theft victims reported that their identifying information was used for credit card fraud and 16 percent of victims reported that their identifying information was used for fraud in ordering phone service. Cell phones accounted for 10.4 percent of this total while landline phones accounted for 5.6 percent 6. Due to challenges categorizing the statistical information, law enforcement in both countries has reason to believe that actual instances, particularly of credit card "takeover", may actually be much higher.7
In addition, a September 2003 survey 8 for the U.S. Federal Trade Commission found that within a one-year period nearly 10 million persons in the United States - 4.6 percent of the adult U.S. population - discovered that they were victims of some form of identity theft. Of those 10 million persons, 3.2 million persons discovered that an identity thief opened new accounts in their name and 6.6 million consumers learned that an identity thief was misusing existing accounts. The survey also found that businesses suffered nearly US$48 billion in identity theft-related losses, individual victims suffered nearly US$5 billion in losses and victims spent nearly 300 million hours trying to resolve the problem.
In addition, two major Canadian credit bureaus, Equifax and Trans Union, indicate that they receive approximately 1400 to 1800 Canadian identity theft complaints per month, the majority of which are from the province of Ontario. The Canadian Council of Better Business Bureaus estimates consumers, banks, credit card firms, stores and other businesses lost CAN$2.5 billion to the perpetrators of identity theft in 2002 9.
On the basis of available data, it appears that identity theft is likely to continue to grow substantially over the next decade and become increasingly important in cross-border criminality. It is expected to pose a threat to tens of millions of people and businesses in Canada and the United States unless law enforcement authorities and private-sector entities mount a vigorous and coordinated response to the problem.
Who are the victims? Who are the perpetrators?
Another notable feature of identity theft is that its impact on victims extends across all ages. According to the U.S. Federal Trade Commission, 29 percent of identity theft complaints came from persons aged 18-29, 25 percent from persons aged 30-39, 21 percent from persons aged 40-49, 13 percent from persons aged 50-59, and 10 percent from persons aged 60 and more. Even persons under the age of 18 accounted for 3 percent of all identity-theft complaints. 10 Similar findings are echoed in Canadian research. According to research recently conducted by the Fraud Prevention Forum in Canada, victims of identity theft cut across all segments of Canadian society regardless of income and levels of education.11 However, the largest targeted segments of the population appear to be those who have a good credit rating or potential for good credit.
Individuals are not the only victims of identity theft. Corporations, financial institutions and small businesses can suffer not only financial loss but also damage to reputation, credibility and future operations.
Comprehensive statistics on the perpetrators of identity theft are lacking and available data on identity thieves is largely anecdotal. However, this data indicates that identity thieves tend to fall into three broad categories:
- Members of organized criminal groups or networks
Law enforcement agencies in both countries are aware that organized crime groups such as outlaw motorcycle gangs and various ethnically based criminal organizations, as well as more locally based criminal networks, are increasingly involved in identity theft. These groups use identity theft not only to systematically make money but also to use the proceeds to support other criminal ventures. In addition, they may create a ready pool of others' identities to facilitate the commission of criminal activity and avoid detection by law enforcement. - Terrorists
Governments in both countries are aware that terrorists use identity theft to obtain cover employment, finance their activities and avoid detection when carrying out their attacks. For example, an al-Qaida terrorist cell in Spain used stolen credit cards in fictitious sales scams and for numerous other purchases. They kept purchases below amounts where identification would need to be presented. They also used stolen telephone and credit cards for communications back to Pakistan, Afghanistan, Lebanon, etc. Extensive use of false passports and travel documents were used to open bank accounts where money for the mujahideen movement was sent between countries such as Pakistan, Afghanistan, etc.12 - Individual criminals
Identity theft is not committed only by organized groups or networks. Many individuals have used identity theft as a means to make money quickly, to obtain a benefit to which they are not otherwise entitled and to misdirect law enforcement away from the real perpetrators of crimes.
How is identity theft committed?
Identity theft, in its modern form, often occurs out of the sight of, and beyond the effective reach of, the victim. It is carried out by means of compromising electronic data systems, obtaining false foundation documents (such as birth certificates or citizenship documents), directing mail to new addresses, obtaining new credit accounts and improperly charging existing ones. It relies on the modern culture of ubiquitous personal information holdings, easy consumer credit and the rapid advancement and widespread acceptance of information technology. It also relies on any weaknesses in the safeguarding of personal identifying information. For example, identity thieves are quick to exploit any vulnerability in the measures that businesses, government agencies and consumers use to protect personal data.
The means of compromising personal data for identity theft are so varied and evolve so rapidly that even technologically sophisticated individuals and organizations may have difficulty maintaining adequate control over those data.
As noted earlier, identity theft is committed in every place associated with daily life. This section identifies the principal points of vulnerability that identity thieves exploit to acquire identifying data, and the methods they use to do so. They fall into two broad categories: physical methods and electronic methods.
Physical methods
Mail theft
Criminals regard both incoming and outgoing mail as a potential target for identity theft. Incoming mail, for example, may contain solicitations for "pre-approved" credit cards. Identity thieves have been known to intercept these mailings, fill out the required information and mail back the credit card form, but falsely state that the recipient's mailing address has changed. As a result, the credit card is issued in the recipient's name, but mailed back to a new address chosen by the identity thief. The intended recipient may not realize that the solicitation was sent or that a new account was established without his or her authorization.
Outgoing mail from residences can also provide information valuable to identity thieves. Consumers who pay their bills by mail routinely include their bank cheques, which typically contain personal identifying information as well as bank account and routing numbers. Credit card bill payments are also likely to include payment stubs that show the consumers' credit card numbers.
For these reasons, identity thieves have been known to break into postal collection boxes and to steal incoming or outgoing mail from residential mailboxes. In some cases, identity thieves can amass large quantities of mail simply by driving along roads and removing mail from each roadside mailbox that has a red flag raised to alert postal carriers that the mailbox contains outgoing mail. The prevalence of this practice has prompted some law enforcement agents to refer to these mailbox red flags as "steal-me flags".
Example - Mail theft in Canada: Thieves stole the mail of a Canadian victim and got access to critical information such as credit card numbers. Using those numbers, thieves extended the victim's credit lines, applied for credit cards and opened fraudulent accounts. The thieves also robbed the victim of about $15,000.
Theft from residences and personal spaces
Criminals also target locations where individuals may believe they are unlikely to be victimized because they regard those locations as being under their personal control. Some identity thieves, for example, have exploited their legitimate access as workers to look for identifying data in others' residences or offices. Other identity thieves target cars in which the owners have left wallets or purses, and simply break the car windows to steal identifying or financial information. Still others resort to "dumpster diving", i.e., rummaging through garbage in dumpsters or trash bins to remove documents containing valuable personal information.
Electronic methods
Misuse of personal data in business transactions
Even in a public business setting (for example, paying for a meal in a restaurant or ordering merchandise in a retail store) identity thieves can make use of physical devices to ply their trade. Criminals, for example, are known to issue special devices known as "skimmers" to workers in restaurants, bars and stores. Skimmers are devices no larger than a pager or personal data assistant, which read the data on credit cards' magnetic stripe when someone swipes the cards through the skimmer. The persons using these skimmers can then provide the data from the skimmers to higher-level criminals, who can use the recorded credit card data to order merchandise or create counterfeit credit cards. In some instances, identity thieves have installed skimmers on the outside of legitimate financial institutions' ATM machines. These skimmers are carefully designed to look like they are part of the real ATM machines, but can be detached later by the identity thieves to retrieve the recorded data.
Phishing, spoofing and pretexting
Criminals who want to obtain personal data from people online are increasingly using a technique known as phishing. Consumers will receive "spoofed" emails (emails that appear to belong to legitimate businesses such as financial institutions or online auction sites). These emails will typically redirect consumers to a spoofed website, appearing to be from that same business or entity. Similarly, many consumers receive "pretext" phone calls (phone calls from persons purporting to be with legitimate institutions or companies) asking them for personal information. In fact, the criminals behind these emails, websites and phone calls have no real connection with those businesses. Their sole purpose is to obtain the consumers' personal data to engage in various fraud schemes.
Example - Phishing scam targets Royal Bank customers
In June 2004, the Royal Bank of Canada notified customers that fraudulent emails purporting to originate from the Royal Bank were being sent out asking customers to verify account numbers and personal identification numbers (PINs) through a link included in the email. The fraudulent email stated that if the receiver did not click on the link and key in their client card number and pass code, access to their account would be blocked. These emails were sent within a week of a computer malfunction that prevented customer accounts from being updated. The malfunction impacted payroll deposits that were scheduled to enter many accounts, leaving customers at risk of missing mortgage, rent and other payments. The Royal Bank believes it is likely someone tried to take advantage of the situation.
Example - Citibank customers besieged by phishing
In just one month (June 2004), Citibank was the target of 492 unique phishing attacks - more than any other organization. One recent phishing scheme falsely informed its recipients that there had been attempts to log into the recipients' Citibank accounts from a foreign Internet Protocol (IP) address. The email from the phishers also falsely stated that Citibank had established an offline verification system that the recipients could access by clicking on a link enclosed in the email. If a recipient clicked on the link, the legitimate Citibank website appeared in the background and a pop-up window, programmed to send the recipient's data to a completely different location, appeared in the foreground.
Theft from company or government databases
Law enforcement agencies in both Canada and the United States have noticed a significant increase in efforts by identity thieves to access large databases of personal information maintained by private companies and government agencies. Criminals have broken into offices to steal computer hard drives, bribed or compromised employees into obtaining personal data for them and hacked into databases.
Example - Identities stolen from company database
A temporary replacement worker assigned to the office of a national financial services company in Ontario stole customer profiles from the company database. The company had thousands of profiles in the database and was unaware that the thefts had taken place. Numerous medical doctors began finding themselves the victims of identity theft in the form of false applications for credit being attributed to their name. The profiles that were stolen contained complete financial data on the doctors and their families.
The fraud source came to light when an officer stopped a vehicle as part of a routine operation and found the passenger in possession of several profiles. The officer was unable to effect an arrest as no offence was being committed at the time. He was unaware that the profiles were stolen and no credit card data existed on the profile sheets. The officer had the presence of mind to have the documents photocopied and turned over to fraud investigators.
An investigation identified the source of the compromise and an acknowledgement from the company that they were the source resulted in charges against the employee. Over one million dollars in fraud was attributed to the data theft and the incident resulted in charges against four individuals, to date, including the occupants of the car originally stopped. This case had over 100 victims from across Canada and resulted in frauds being perpetrated across the country. Obtaining a complete list of victims was problematic because of the lack of correlation of victims' names between the credit grantors, the credit bureaus, the police, the victims and the source company.
The impact of identity theft
Identity theft causes two distinct types of harm to its victims. The first is direct financial loss. Depending on the type of fraud that a criminal commits with the aid of stolen identifying data, consumers and businesses may lose anywhere from a few hundred dollars to tens of thousands of dollars. Indeed, small e-commerce businesses may be particularly hard-hit by identity theft. Because of credit card association policies, an online merchant who accepts a credit card number that later proves to have been acquired by identity theft may be liable for the full amount of the fraudulent transactions involving that card number.
The second, more insidious, type of harm involves indirect costs that identity theft creates for its victims. Individuals whose identities are stolen may have their credit ratings and reputations damaged, if not ruined, for extended periods of time because of the fraudulent transactions that have been conducted in their names. Many victims report that it takes them months, if not years, and substantial personal expense to clear their credit ratings. In a 2003 survey conducted for the Federal Trade Commission, victims of all types of identity theft reported that they had spent an average of US$500 to repair the damage done by identity thieves. Victims of the most serious form of identity theft, involving the creation of new accounts and other frauds, reported that they had spent an average of US$1200 to repair the damage from identity theft. Moreover, the survey indicated that identity theft victims as a group had spent nearly 300 million hours (an average of 30 hours per person) in the preceding year resolving problems relating to identity theft.13
These indirect costs, in some cases, even include the risk that the victims of identity theft will be mistaken by law enforcement as the criminals. In the FTC survey, 4 percent of identity theft victims reported that criminals had misused the victims' personal information by offering the victims' names and identifying information when those criminals were stopped by law enforcement authorities or were charged with a crime.14 In rare instances, victims have even been arrested and detained by law enforcement authorities for a time before their true identity and relationship to the crimes could be established.
Although primarily economic in nature, identity theft can also have national security implications and an impact on social benefits and government services (welfare payments, driver's licenses, workers' compensation benefits, passports, birth certificates, tax refunds, etc.). Benefits going to individuals who are not entitled to receive them are a significant cost to governments and ultimately to the people of Canada and the United States.15
Efforts to combat identity theft
Both Canada and the United States have undertaken a variety of initiatives and legislative reforms to combat identity theft. As explained below, many of these initiatives are multi-sectoral, multi-jurisdictional and multi-agency, and extend beyond law enforcement.
Reporting identity theft
In an effort to acquire a better understanding of the scope and magnitude of identity theft, governments and the law enforcement community, with participation from the private sector, have established public reporting mechanisms.
- Identity Theft Data Clearinghouse
The Federal Trade Commission developed the Identity Theft Data Clearinghouse in late 1999, to establish a central nationwide repository for law enforcement access to identity theft complaints. Built on the FTC's Consumer Sentinel network, the Clearinghouse provides both U.S. and Canadian members of the Sentinel network with direct, online and secure access to the consumer complaints that the FTC receives through its online complaint form, toll free hotline (1 877 IDTHEFT) and data sharing agreements with other entities, including the Social Security Administration's Office of the Inspector General. Law enforcement officers can search the Clearinghouse database for complaints based on the location of a suspect, a victim or a particular company involved in the misuse of the identities, or many other key elements of the crime. Currently more than 1,000 law enforcement agencies have direct online access to almost 700,000 identity theft complaints through the Clearinghouse. - Suspicious activity reports
Federal regulations require a wide range of financial institutions to file reports with the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN), whenever they encounter information that indicates a crime affecting a financial institution may have been committed. U.S. law enforcement agencies may access these reports for investigative purposes. More recently, in response to the growing incidence of identity theft, these reports, known as Suspicious Activity Reports, have been revised to include a box that a financial institution may check if it believes that identity theft is involved in some way with the suspicious activity it is reporting. This revision increases the opportunities for federal agents to identify current or recent identity theft-related crimes affecting financial institutions. - Internet Crime Complaint Center (IC3)
Established in 2000, the IC3 is a joint venture of the FBI and a nonprofit organization, the National White Collar Crime Center (NW3C). Through the IC3 website, victims of online crime, including identity theft, can report possible criminal activity. Staff at IC3 analyze these complaints for patterns and levels of possible criminal conduct and, in appropriate cases, provide investigative packages of complaint data and other information to federal, state or local investigators and prosecutors in various metropolitan areas throughout the United States. The IC3 also shares its Internet fraud and identity theft complaint data with the FTC for inclusion in the Identity Theft Data Clearinghouse. - RECOL
In Canada, the RCMP-led Reporting Economic Crime Online (RECOL) is a web-based initiative that involves an integrated partnership between international, federal and provincial law enforcement agencies, as well as regulators and private commercial organizations that have a legitimate investigative interest in receiving a copy of complaints of economic crime, including identity theft. RECOL also provides data pertaining to trends, as well as information relating to consumer education, prevention and awareness of economic crime. - Canadian Anti-Fraud Centre
The Canadian anti-fraud call centre, jointly operated by the Ontario Provincial Police and the Royal Canadian Mounted Police, that collects information on telemarketing fraud, advanced fee fraud letters and identity theft complaints. Although it has email capacity, most complaints are phoned in to the PNCC. The information is disseminated to the appropriate law enforcement agencies. Due to the ever-increasing number of complaints about identity theft, Canadian Anti-Fraud Centre started an Identity Theft project in 2002. The data collected at Canadian Anti-Fraud Centre is a valuable tool in evaluating the effects on the public of various types of fraud. 16 Canadian Anti-Fraud Centre plays a key role in educating the public about specific fraudulent telemarketing pitches. The Canadian Anti-Fraud Centre also plays a vital role in the collection and dissemination of victim evidence, statistics and documentation. The original mandate of Canadian Anti-Fraud Centre was to prosecute key individuals in Ontario and Quebec involved in telemarketing fraud under the Criminal Code of Canada. The Canadian Anti-Fraud Centre's mandate now also includes facilitating prosecution by United States agencies through extradition, and by Industry Canada under the Competition Act.
Bi-national and national coordination
Identity theft-related issues cut across all jurisdictions and involve all levels of government, the law enforcement community and the private sector. In an effort to avoid duplication of activities and to ensure consistency across all jurisdictions and programs, a number of coordinating bodies have been established at the bi-national and national levels.
- Bi-national Working Group on Cross-Border Mass Marketing Fraud / Cross-Border Crime Forum
Since 1997, the Bi-national Working Group on Cross-Border Mass Marketing Fraud has provided an important mechanism for bi-national coordination and cooperation on a wide variety of mass marketing fraud issues. This Working Group, which also functions as a sub-group of the Canada-United States Cross-Border Crime Forum, has previously highlighted the problem of identity theft through its 2003 report on mass marketing fraud and its involvement in the preparation of joint public advisories on identity theft for consumers and retailers in both countries (as described below). - Public policy forum
The forum was a roundtable discussion on identity theft and fraud, co-sponsored in June 2003 by Citizenship and Immigration Canada and Public Safety Canada. Participants were drawn from law enforcement agencies, private sector national associations, academic and legal observers, and various government departments. - National Mass Marketing Fraud Strategy Group
This group is co-chaired by the Public Safety Canada and the Competition Bureau (Industry Canada). It coordinates Canadian efforts and addresses mass marketing fraud in three key areas: enforcement projects, crime prevention and legislative reform. The group's mandate is to address consumer and business fraud conducted by telephone, the Internet or mass mailing. Its mandate also includes the issue of identity theft. The membership consists of federal, provincial and territorial government representation, Canadian law enforcement agencies and the private sector. - Identity Theft Sub-Committee
In 1999, the U.S. Department of Justice established the Sub-committee on Identity Theft in the Attorney General's Council on White-Collar Crime. The Sub-committee, which includes representatives of federal law enforcement and regulatory agencies, as well as representatives of state and local law enforcement, meets monthly to share information and facilitate coordination among all levels of law enforcement on identity theft issues. - International identity theft conferences
The first-ever International Identity Theft Conference, was hosted by the Ontario Provincial Police (Anti-Rackets), in Orillia, Ontario, from October 21 to 23, 2003. The conference was attended by more than 300 participants from government, police, law enforcement and the private sector from across Canada, the United States and as far away as Australia. A second conference is scheduled for October 19 to 21, 2004, in Orillia. - Federal/Provincial/Territorial (FPT) Council on Identity
With increased incidents of entitlement fraud in publicly-funded programs, a rise in identity theft, and in the aftermath of the 2001 terrorist attacks, the security and integrity of identity documents have become a major concern. Federal, provincial and territorial ministers agreed that current Canadian identity policies require review and that a new approach to identity should be considered. The FPT Council on Identity was established and tasked with reviewing Canada's current identity policy; developing a consensus among jurisdictions on a comprehensive approach to identity including common definitions, best practices and standards. The Council is tasked with drafting an identity policy framework for further consideration. It is chaired by Foreign Affairs Canada and has representatives from all Canadian jurisdictions and various program areas.
Prevention and mitigation
Preventing victimization and mitigating the impacts of identity theft on consumers and businesses are critical components of both countries' overall strategies to combat identity theft.
- Prevention of Crime in Industry Committee (PCIC) is a sub-committee of the Canadian Association of Chiefs of Police that provides a forum for discussion and collaboration with Canadian police executives, government policy advisors and key private sector corporations on emerging criminal trends and corresponding remedial actions. The PCIC has a working group focused specifically on identity theft. 17
- The Canadian Banking Association reports that the banking industry in Canada spends more than CAN$100 million annually to prevent, detect and deter fraud and other crimes against banks, including activity related to identity theft. 18
- The Fraud Prevention Forum, formerly the Deceptive Telemarketing Prevention Forum, is a concerned group of private sector firms, consumer and volunteer groups, government agencies and law enforcement organizations in Canada committed to fighting fraud aimed at consumers and businesses. In March 2004, the Competition Bureau, as chair of the Fraud Prevention Forum, unveiled an anti-fraud public education campaign in Toronto. This campaign is the first international effort of its kind to combat the growing epidemic of fraud targeted at consumers and businesses by helping Forum partners educate consumers. The Federal Trade Commission is adapting the campaign's material for use throughout the United States. The Office of Fair Trading in the UK is supportive of the campaign and is looking for its own opportunities to use the material to educate its citizens.
- Cross-Border Crime Forum public advisories. At the May 2003 Cross-Border Crime Forum, Public Safety Canada (then the Department of the Solicitor General of Canada) and the United States Department of Justice jointly issued public advisories on current trends and developments in identity theft. Two advisories were issued: one directed at consumers and the other at retailers. The advisories highlighted some of the most significant forms of identity theft in Canada and the United States, explaining how to recognize them and how to respond.
- Law enforcement training. Since 2002, a group of U.S. federal law enforcement and regulatory agencies (including the Department of Justice, the Postal Inspection Service, the Secret Service and the Federal Trade Commission) has jointly sponsored a series of regional training seminars for state and local law enforcement authorities throughout the United States. To date, the participating agencies and the American Association of Motor Vehicle Administrators have conducted 18 one-day seminars. These seminars include practical guidance and information resources for state and local police, sheriffs, and prosecutors on how to respond to and investigate identity theft.
- "Operation: Identity Crisis" was a national consumer awareness campaign organized by the U.S. Postal Inspection Service in conjunction with the U.S. Postal Service, Federal Trade Commission, U.S. Secret Service and various other governmental agencies and private companies associated with the Financial Industry Mail Security Initiative (FIMSI). The campaign, which took place in September 2003, focused on educating consumers about ways to protect themselves from various identity theft schemes. It also provided businesses with prevention tips to help them protect consumer data and ensure privacy.
- Identity theft educational information. The FTC, as the national clearinghouse for data on identity theft complaints, hosts a consumer-oriented website, provides educational materials for consumers, businesses and law enforcement; and participates in other targeted forms of public outreach. In addition, the attorneys general of most states have identity theft education for consumers on their websites. Finally, on specialized issues such as phishing, various governments and business and consumer organizations have established websites or web pages on identity theft, such as the Anti-Phishing Working Group's antiphishing.org and the National Consumers League's phishinginfo.org.
Legislative initiatives
A strong legislative framework is also fundamental to combating identity theft successfully. Since 1998, the United States federal government and nearly all state governments have adopted a number of measures to address identity theft.19
- Criminalization of identity theft
In 1998, as part of the Identity Theft and Assumption Deterrence Act, Congress enacted a new criminal offence directed specifically at identity theft. This identity theft offence, codified at 18 U.S.C. § 1028(a)(7), prohibits the knowing use, transfer, or possession, without authorization, of a "means of identification" of another person with the intent to commit, or to aid or abet, or in connection with any unlawful activity that constitutes any offence under U.S. federal law or any felony under U.S. state or local law. 20 The identity theft offence carries significant criminal sanctions. Even a simple violation of section 1028(a)(7), without more, is punishable by a maximum of five years imprisonment and a US$250 000 fine.21 If, as a result of the offence, any individual committing the offence obtains anything of value aggregating US$1000 or more during any one-year period, the maximum term of imprisonment increases to 15 years. Several states have also enacted enhanced penalties laws for identity theft, including Florida, Indiana, Montana and New York.
On July 15, 2004, the Identity Theft Penalty Enhancement Act became law. This Act establishes a new federal offence of aggravated identity theft to enhance penalties for identity theft-related criminal conduct. Under this new offence, individuals found guilty of aggravated identity theft would receive an additional mandatory, consecutive two years' imprisonment over and above their sentences for the underlying offence (or an additional five years' imprisonment in the case of certain terrorism-related offences). 22 The Act also expands the scope of the current identity theft offence by prohibiting not just the transfer or use of another's identity information, but also possession of such information in conjunction with the requisite criminal intent. In addition, it increases the maximum penalties for identity theft and includes a higher maximum penalty for identity theft used to facilitate acts of domestic terrorism. - Compilation and Analysis of Identity Theft Complaints
The Identity Theft and Assumption Deterrence Act vested the United States Federal Trade Commission with authority to establish a database of complaints from the public about identity theft. The database, now known as the Identity Theft Data Clearinghouse, is accessible by U.S. and Canadian law enforcement authorities that sign confidentiality agreements with the FTC. - Fair and Accurate Credit Transactions Act (FACTA)
In the United States, the FACTA, which became law in December 2003, contains several provisions aimed at reducing identity theft and helping victims recover their credit reputations. The FACTA contains provisions that several states had enacted previously to combat and prevent identity theft. These provisions include free credit reports to consumers, credit freezes, credit card number truncation and the furnishing of business records related to identity theft to consumers. - Canadian Criminal Code
While in Canada there is no generalized offence called identity theft, there are a number of offences in the Criminal Code that criminalize activities integral to the criminal misuse of personal information. For example, subsection 342(3) of the Criminal Code criminalizes the possession, use of or trafficking in credit card and debit card data in such a way that would allow the perpetrator to use either the credit card or debit card itself or to obtain the services provided by the issuer of the card. The forgery provisions apply to persons who make false documents, with knowledge that the documents are false, and with intent that they should be used or acted on as genuine. A person who actually uses a false document, knowing that the document is forged, to defraud another person can be charged with fraud and with uttering a forged document. Perpetrators who assume a false identity in order to gain an economic or other advantage (such as to avoid detection for criminal offences) can be charged with personation. These provisions are illustrative of a number of the current provisions in the Criminal Code that address various aspects of identity theft.
The way forward: Challenges and recommendations
The United States and Canada, like other countries, live in an increasingly open and fast-paced global environment, and benefit from the increased ease with which goods and information can be shared and transmitted across local and international boundaries. These same elements also lend themselves to cross-border criminality, including identity theft. While individual criminals are involved in opportunistic crime, organized crime is increasingly involved in systematic theft. Law enforcement authorities are concerned that the same aspects benefiting organized crime will be used by terrorists to finance or carry out attacks.
Now that the Internet is a permanent and valuable presence in our everyday lives, borders and jurisdictions have given rise to new vulnerabilities, increasingly exploited by criminals committing identity theft. Criminals can gather and disseminate sensitive personal data on the Internet through sites hosted by any Internet Service Provider (ISP) in the world. Similarly, "spoofed" websites, used to lure personal information, can be built and uploaded on an ISP anywhere in the world. Therefore, the location of the crime can become a problem for law enforcement and raises jurisdiction and coordination issues.
Like the telephone, the Internet is a powerful means of communications that can be used for lawful or unlawful purposes. Those who use it for criminal purposes exploit vulnerabilities that we must be able to identify and contain quickly. Timeliness, jurisdictional issues and coordination are some of the challenges in the fight against identity theft. This section details these challenges and recommends responses.
Coordinating public education initiatives
Challenge: The public is not fully aware of the pervasive nature of identity theft and its devastating impacts on their daily lives. Emerging trends, such as phishing, are expected to grow and to affect more and more people if appropriate actions are not taken to prevent victimization.
Recommended response: Coordinated public education and awareness initiatives involving both governments and the private sector should be continued to inform individuals, businesses and other entities that collect personal identifying information. These initiatives should address how to minimize the risk of identity theft and what to do if victimized.
Both countries should also be prepared to develop joint education and awareness initiatives, where appropriate, on specific identity theft-related problems as they arise. An example of this is the joint public advisory on phishing from the United States Department of Justice and Public Safety Canada issued at the 2004 Cross-Border Crime Forum.
Enhancing reporting mechanisms and enforcement
Challenge: The public needs to know where to report identity theft and what will be done with that information by law enforcement.
Recommended response: Both governments need to increase their efforts to inform the public about the existence of national points of contact to report identity theft, such as Canada's Canadian Anti-Fraud Centre and RECOL, and the U.S. FTC's Identity Theft Clearinghouse. There should be better coordination of law enforcement efforts at the national and bi-national levels in analyzing and using citizen complaints, as well as identifying trends and patterns, to foster more effective prosecution and disruption of identity theft operations.
Challenge: The private sector must also address the issue of reporting identity theft more systematically to law enforcement authorities. The selective reporting of this activity gives an incomplete image of the situation and may hamper efforts to protect the greater public good. Identity theft cannot continue to be treated as a business loss that may or may not be reported to the police.
Recommended response: The private sector and law enforcement should pursue discussions to enhance identity theft reporting to law enforcement. These efforts are likely to produce more concrete and lasting results in investigating identity theft.
Reviewing legislative frameworks
Challenge: The legislative sanctions applicable to identity theft need to keep pace with the constantly evolving nature of identity theft, notably its use of new technologies.
Recommended response: Governments at all levels in both countries should review the adequacy of their laws that apply to identity theft and, where appropriate, amend those laws to ensure that they provide sufficient scope of coverage and suitable criminal and civil sanctions. That review should include existing false-personation and fraud statutes as well as separate identity theft offences.
Improving document and data integrity and security
Challenge: The security and integrity of personal identification documents is an important part of protecting individuals and society at large from identity theft. Intrinsic to that is the very issuance and security of identity documents, particularly those that are the foundation in establishing a person's identity, such as birth certificates, passports, and permanent resident and citizenship documents.
Recommended response: Both countries should work, respectively, towards greater consistency and security in document issuance and verification processes. In Canada, such efforts should build on the work of the Federal/Provincial/Territorial Council on Identity, which has a mandate to develop a policy framework to govern documentation of individual identity issued by governments.
Challenge: There have been incidents where personal identifying information retained by the private sector has been wrongfully used, resulting in harm to individuals.
Recommended response: Both countries already have laws that govern the collection, retention and dissemination of personal identifying information. However, private sector entities - especially those that use and retain large volumes of personal identifying data or personal financial data - should review and, where appropriate, revise their internal procedures and policies affecting the security of those data. In some cases, this may mean improving information-security and physical-security measures; in other cases, this may mean closer scrutiny of employees who are granted access to large volumes of personal data.
Conclusion
Law enforcement, other government agencies and the private sector need to strengthen and better coordinate their efforts to combat identity theft, particularly with regard to the growth of identity theft in cross-border criminality. Governments in both countries should develop comprehensive approaches to identity theft, ranging from prevention to prosecution. In particular, reporting structures, legislative frameworks, public education initiatives and private sector involvement should be improved to reduce identity theft.
- 1 Public Interest Advocacy Centre, Identity Theft: The Need for Better Consumer Protection, October 2003.
- 2 Transcript of Attorney General remarks at identity theft press conference, U.S. Department of Justice (May 2, 2002).
- 3 This may be due to the growth of identity theft, better awareness and reporting, or a combination of both.
- 4 See Federal Trade Commission, National and State Trends in Fraud & Identity Theft, January - December 2003 (PDF Version ), 2004, p. 9.
- 5 Thus, in just one year complaints increased by 90 percent and reported losses by 156 percent.
- 6 See National and State Trends, supra note 4, at p. 10.
- 7 Canadian Anti-Fraud Centre Identity Theft Statistics 2003/2004, RCMP-CCB Ottawa July 19, 2004
- 8 See Synovate, Federal Trade Commission - Identity Theft Survey Report (PDF Version ) (covering May 2002 - May 2003); Betsy Broder, prepared statement of the Federal Trade Commission on Identity Theft: Prevention and Victim Assistance, Hearing before the Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce (PDF Version ), U.S. House of Representatives (December 15, 2003).
- 9 Canadian Bankers Association, Identity Theft: An Old Problem Needing a New Approach (May 2003) at p. 5.
- 10 See National and State Trends, supra note 4, at p. 7.
- 11 According to findings from consumer survey and focus groups conducted by the Fraud Prevention Forum in 2003 in preparation for its 2004 anti-fraud campaign.
- 12 Prepared statement of Dennis M. Lormel, Chief, Terrorist Financial Review Group, Federal Bureau Of Investigation, on S. 2541, Identity Theft Penalty Enhancement Act, before the Subcommittee on Technology, Terrorism and Government Information of the Committee on the Judiciary, United States Senate (July 9, 2002).
- 13 See Synovate, Federal Trade Commission Survey Report, supra note 8, at p. 6.
- 14 See id.
- 15 Extracted from: Identity in Canada: A Policy Framework, November 6, 2002
- 16 Efforts are underway to share the Canadian Anti-Fraud Centre identity theft data with the FTC's Identity Theft Data Clearinghouse. These efforts could result in greater access by law enforcement to a wider array of identity theft data.
- 17 PCIC 2002/2003 Annual Report
- 18 Canadian Bankers Association (CBA) 2002 Report at p. 10.
- 19 A list of US states that have adopted some form of identity theft legislation.
- 20 See 18 U.S.C.§ 1028(a)(7).
- 21 See id.§ 1028(b)(2).
- 22 See 18 U.S.C. 1028A.
- Date modified: