Combating E-Identity Theft

The Internet has made commerce as close and as quick as a mouse click, but it has also caused a dramatic increase in e-identity theft. Due to the passive approach taken by Federal and state authorities toward combating it, legal practitioners must use statutes designed to eliminate unlawful actives associated with e-identity theft, to eradicate the theft itself.

E-identity theft occurs most often when an identity thief uses the Internet to electronically gather personal information about a person sufficient to allow for the successful application for one or more credit cards in another's name. Such information normally includes the victim's name, birthday and Social Security Number.

The mundane activities of a typical Internet user during the course of a regular day may provide tremendous opportunities for an e-identity thief:

• purchasing goods or services via the Internet;
• trading stock on-line; or
• receiving mail.

Any activity in which identity information is shared or made available to other Internet users creates an opportunity for e-identity theft.

How Identities Get Stolen

Generally speaking, e-identity theft occurs when unauthorized persons use personal information about another to create a sham identity for themselves in order to obtain money from a financial institution. Such was the case in United States v. Petersen, 98 F.3d 502, 504 (9th Cir. 1996), which affirmed the conviction of defendant who hacked into credit reporting services to obtain financial information that he used to order fraudulent credit cards in other individuals' names.

While the e-identity theft difficulty is not new, the Internet has severely exacerbated the problem. In particular, the Internet gives the impression of anonymity between the parties to an e-commerce transaction. Thus, many people have attempted to acquire goods and services illegally by using another individual's personal information or account numbers. Due to a lack of knowledge as to how to trace Internet transactions, sellers who fail to detect the fraud, normally also fail to track down the spurious e-buyer.

What Is Being Done?

Both Federal and state governments have taken a self-regulatory approach to e-identity theft, one deeply ingrained in laissez-faire economic attitudes. With the notable exception of the Federal Trade Commission, most Federal and state statutes employed to combat e-identity theft rely on industry self-regulation. The most important self-regulation mechanisms in the United States function through the Better Business Bureau, Direct Marketing Association and similar organizations.

Another notable exception occurred in December 2000 when the Congress passed the Internet False Identification Act of 2000, 114 Stat. 3075 (2000) which amended the False Identification Crime Control Act of 1982 ' codified as amended at 18 U.S.C. '1028 (1998) ' to include computer-aided false identity crimes. Section 1028 of Title 18 prohibits the production, transfer, or possession, in certain circumstances, of false identification documents or identification documents that were not legally issued to the possessor.

It further prohibits production, transfer, or possession of a “document making implement” with the intent to use it in the production of a false identification document. Additionally, the Amendment included making either false identification documents or the software or data used to make them available online.

The penalties for violation of the statute include both fines and the potential for loss of liberty. For example, the transfer or production of a federal identification document – birth certificate or driver's license ' or violating 18 U.S.C. '1028(a)(5) or '1028(a)(7), where the individual committing the offense obtains greater than $1000 as a result over a 1 year period, all are punished by a fine or not more than 15 years' imprisonment, or both.

While most states have laws prohibiting the theft of identity information, few address e-identity theft directly. The following is a partial list of current state laws that prohibit the theft of identity information but do not directly address e-identity theft:

• Cal. Penal Code '530.5;
• Fla. Stat. Ann. '817.568;
• Miss. Code Ann. '97-19-85;
• N.J. Stat. Ann. '2C:21-17;
• N.C. Gen. Stat. '14-113.20;
• Ohio Rev. Code Ann. '2913.49;
• Pa. Cons. Stat. Ann. '420;
• Tex. Penal Code Ann. '35.51; and
• VA. Code Ann. '18.2-186.3.

Since e-identity theft is often committed to facilitate other crimes, legal practitioners normally rely on Federal and state statutes that actively address unlawful acts to combat e-identity thieves. In particular, the following statutes have been most often used to prosecute e-identity thieves:

• Credit card fraud (18 U.S.C. '1029);
• Computer fraud (18 U.S.C. '1030);
• Mail fraud (18 U.S.C. '1341);
• Wire fraud (18 U.S.C. '1343);
• Financial institution fraud (18 U.S.C. '1344);
• Mail theft (18 U.S.C. '1708); and
• Immigration document fraud (18 U.S.C. '1546).

Thus, it is not unusual to use a computer fraud statute in the case of an e-identity theft because a computer fraud may be facilitated by the theft of identity information when a stolen identity is used to obtain credit on the Internet by fraud. Similarly, computer fraud may also be the primary vehicle to obtain identity information when the offender obtains unauthorized access to another's computer or Web site to obtain such information. These acts might result in the offender being charged with both identity theft under 18 U.S.C. '1028(a)(7) and computer fraud under 18 U.S.C. '1030(a)(4).

The lack of Internet know-how and resources has hobbled law enforcement authorities' ability to prosecute successfully the wrongdoer; as has the lack of uniformity in civil and criminal laws regarding e-identity theft. Additionally, complications arise from the attempt to reach a balance in making e-commerce easy while inhibiting e-identity theft.

The investigation of e-identity theft is labor intensive and individual cases are usually considered to be too small for federal prosecution. Victims of e-identity theft often do not realize they have been victimized until weeks or months after the crime has been committed, and can provide little assistance to law enforcement.

The Internet has made commerce as close and as quick as a mouse click, but it has also caused a dramatic increase in e-identity theft. Due to the passive approach taken by Federal and state authorities toward combating it, legal practitioners must use statutes designed to eliminate unlawful actives associated with e-identity theft, to eradicate the theft itself.

E-identity theft occurs most often when an identity thief uses the Internet to electronically gather personal information about a person sufficient to allow for the successful application for one or more credit cards in another's name. Such information normally includes the victim's name, birthday and Social Security Number.

The mundane activities of a typical Internet user during the course of a regular day may provide tremendous opportunities for an e-identity thief:

• purchasing goods or services via the Internet;
• trading stock on-line; or
• receiving mail.

Any activity in which identity information is shared or made available to other Internet users creates an opportunity for e-identity theft.

How Identities Get Stolen

Generally speaking, e-identity theft occurs when unauthorized persons use personal information about another to create a sham identity for themselves in order to obtain money from a financial institution. Such was the case in United States v. Petersen , 98 F.3d 502, 504 (9th Cir. 1996), which affirmed the conviction of defendant who hacked into credit reporting services to obtain financial information that he used to order fraudulent credit cards in other individuals' names.

While the e-identity theft difficulty is not new, the Internet has severely exacerbated the problem. In particular, the Internet gives the impression of anonymity between the parties to an e-commerce transaction. Thus, many people have attempted to acquire goods and services illegally by using another individual's personal information or account numbers. Due to a lack of knowledge as to how to trace Internet transactions, sellers who fail to detect the fraud, normally also fail to track down the spurious e-buyer.

What Is Being Done?

Both Federal and state governments have taken a self-regulatory approach to e-identity theft, one deeply ingrained in laissez-faire economic attitudes. With the notable exception of the Federal Trade Commission, most Federal and state statutes employed to combat e-identity theft rely on industry self-regulation. The most important self-regulation mechanisms in the United States function through the Better Business Bureau, Direct Marketing Association and similar organizations.

Another notable exception occurred in December 2000 when the Congress passed the Internet False Identification Act of 2000, 114 Stat. 3075 (2000) which amended the False Identification Crime Control Act of 1982 ' codified as amended at 18 U.S.C. '1028 (1998) ' to include computer-aided false identity crimes. Section 1028 of Title 18 prohibits the production, transfer, or possession, in certain circumstances, of false identification documents or identification documents that were not legally issued to the possessor.

It further prohibits production, transfer, or possession of a “document making implement” with the intent to use it in the production of a false identification document. Additionally, the Amendment included making either false identification documents or the software or data used to make them available online.

The penalties for violation of the statute include both fines and the potential for loss of liberty. For example, the transfer or production of a federal identification document – birth certificate or driver's license ' or violating 18 U.S.C. '1028(a)(5) or '1028(a)(7), where the individual committing the offense obtains greater than $1000 as a result over a 1 year period, all are punished by a fine or not more than 15 years' imprisonment, or both.

While most states have laws prohibiting the theft of identity information, few address e-identity theft directly. The following is a partial list of current state laws that prohibit the theft of identity information but do not directly address e-identity theft:

• Cal. Penal Code '530.5;
• Fla. Stat. Ann. '817.568;
• Miss. Code Ann. '97-19-85;
• N.J. Stat. Ann. '2C:21-17;
• N.C. Gen. Stat. '14-113.20;
• Ohio Rev. Code Ann. '2913.49;
• Pa. Cons. Stat. Ann. '420;
• Tex. Penal Code Ann. '35.51; and
• VA. Code Ann. '18.2-186.3.

Since e-identity theft is often committed to facilitate other crimes, legal practitioners normally rely on Federal and state statutes that actively address unlawful acts to combat e-identity thieves. In particular, the following statutes have been most often used to prosecute e-identity thieves:

• Credit card fraud (18 U.S.C. '1029);
• Computer fraud (18 U.S.C. '1030);
• Mail fraud (18 U.S.C. '1341);
• Wire fraud (18 U.S.C. '1343);
• Financial institution fraud (18 U.S.C. '1344);
• Mail theft (18 U.S.C. '1708); and
• Immigration document fraud (18 U.S.C. '1546).

Thus, it is not unusual to use a computer fraud statute in the case of an e-identity theft because a computer fraud may be facilitated by the theft of identity information when a stolen identity is used to obtain credit on the Internet by fraud. Similarly, computer fraud may also be the primary vehicle to obtain identity information when the offender obtains unauthorized access to another's computer or Web site to obtain such information. These acts might result in the offender being charged with both identity theft under 18 U.S.C. '1028(a)(7) and computer fraud under 18 U.S.C. '1030(a)(4).

The lack of Internet know-how and resources has hobbled law enforcement authorities' ability to prosecute successfully the wrongdoer; as has the lack of uniformity in civil and criminal laws regarding e-identity theft. Additionally, complications arise from the attempt to reach a balance in making e-commerce easy while inhibiting e-identity theft.

The investigation of e-identity theft is labor intensive and individual cases are usually considered to be too small for federal prosecution. Victims of e-identity theft often do not realize they have been victimized until weeks or months after the crime has been committed, and can provide little assistance to law enforcement.