مشخص کردن هویت مجرم در سیستم های اطلاعاتی مدیریت جرم: تعاریف، طبقه بندی و تجربه گرائی

Identity fraud as a term and concept in its formative stages was often presumed to be identity theft and visa versa. However, identity theft is caused by the identities (or tokens) of individuals or organisations being stolen is an enabling precursor to identity fraud. The boundaries of identity fraud and identity theft are now better defined. The absence of specific identity crime legislation could be a cause of perpetrators not classified as breaching identity crimes but under other specific entrenched law such as benefit fraud, or credit card fraud. This metrics overlap can cause bias in crime management information systems. This study uses a multi-method approach where data was collected in both a quantitative and qualitative manner. These approaches are used as a lens for defining different classes of online identity crimes in a crime management (IS) security context. In doing so, we contribute to a deeper understanding of identity crime by specifically examining its hierarchical classes and definitions; to aid clearer structure in crime management IS. We seek to answer the questions: should current law around identity fraud continue to be reinforced and measures introduced to prevent identity crime; should laws be amended; or should new identity crime laws be constructed? We conclude and recommend a solution incorporating elements of all three.

The illegal online use or trade in identities of individuals and organizations is recognized to have a substantial influence on other crimes such as frauds and money laundering; seriously impacting the real economy.1 The global economic cost of these identity crimes was estimated to be “US$2 trillion in 2005”.2 In the United States the annual estimated cost of identity crime alone in 2009 was “US$54 billion”.3 These survey figures may not reflect the actual figures if real cases were to be analysed.4 A major concern with the costing of identity crimes is the potential bias, error, and lack of consistency in how they are defined and classified.5 As crime management information systems (IS) transition from paper-based to digital systems to ease storage and aid retrieval (often remotely for law enforcement), there is an emergent need to classify the fields accurately.6 The US leads the way in criminalizing identity crime and data breaches.7 (IS) security research focuses on computer abuse, computer crime, and computer-related crimes. Computer crimes include “crimes whereby the computer is the target or the mechanism for committing the crime or the computer user is the target. It also includes crimes committed over the Internet or where the Internet plays a role in the commission of the crime” (see Table 6).8 Online identity crimes are linked to computer abuse, computer crime and computer-related crime in IS security, because they are enabled by computers and/or the Internet. A difference is that identity crime involves social engineering of people and technology. The ubiquity of information technology; computers, the Internet, mobile devices, and their interconnectedness in a digital economy enables the increase of identity crime methods, such as phishing, not previously accounted for by computer crime and abuse in IS research.9 Internet users reached the 2 billion mark in January 2011.10 Smart perpetrators are devising increasingly sophisticated ways of committing identity crimes. Therefore classes of IS-enabled abuse, such as identity crime, continue to evolve often ahead of IS security innovations.11 The remainder of this paper is structured as follows. The next section discusses the methodology.12 Then we identify the various definitions of identity crime and discuss our results. The final sections discuss the contributions, implications, limitations, conclusion and future research in this area.

Identity theft and identity deception are also enablers of identity fraud as well as other related economic crimes such as money laundering, terrorist financing, drug trafficking and people smuggling.26 In Australia, people committing identity crimes may be prosecuted under current legislation such as bank fraud, credit card fraud, or mail fraud (see Table 5), or under some other legislation where specific identity crime laws are absent such as in certain Australian States. Herein lies a dilemma for government, law enforcement, practitioners, and academic researchers27; should current law continue to be reinforced, laws be amended, or new identity crime laws be constructed? Based on our findings in this study, we promote a combination of these options. We now outline our reasons. The evolution of identity crimes such as identity theft had its beginnings well before 1964 when the term ‘identity theft’ was first documented. Similar crimes were well known to US law enforcement agencies in postal services and the credit card industry.28 These criminal behaviours of committing fraud were perpetrated by stealing credit cards from the mail from the 1960s. Mail theft itself was a problem in the US from the start of the US Postal Service in 1775. United States legislation was subsequently passed in the late 18th century to criminalize mail theft.29 Similarly, ‘wire fraud’ was and continues to be a problem in the US and other jurisdictions as communications technology evolves from fixed line to mobile telephony and the Internet or a hybrid system (for example Voice over Internet Protocol). Some forms of conduct have been criminalized, as policy-makers (often due to public pressure) have sought to use the legal system to establish or to reinforce acceptable social norms, culture, and attitudes. A reasonable starting point to assess the general evolution of crime leading to identity crime sub-classes is to investigate the norms or attitudes that may have influenced the cultures in countries that currently have identity crime laws (Australia, Canada, US). Thus, crime classification systems vary by jurisdiction although there are some commonalities. Major crime categories (for example, murder, fraud, or theft) and their heuristics also determine how sub-classes of these crimes have evolved. The evolutionary changes in fraud in Australia have been documented and changes may differ when compared with other countries.30 Fraud, while not being a new crime, is a crime that is in a state of change and evolution due to shifting IS technologies.31 As the scope of the identity crime problem (in both economic and societal terms) increases, similar pressures have been placed on government policy makers to legislate against it.32 The use of identity deception techniques for committing crimes is not a recent phenomenon. For example, the English Forgery Act was passed in 1870 to legislate against false share certificates. The evolution of specific identity crime taxonomy via a classification (process) correlates closely with the introduction of legislation firstly in the US and subsequently in Australia or Canada, with other countries beginning to follow, for example the UK. The basis of taxonomy is evolutionary connectedness. Identity crimes are a problem directly associated with identity attribution and system authentication such as a credit card PIN or username and password. Identity crime is not an industry specific crime. Identity crime permeates across all sectors and countries where personal and organizational identity information is used for economic gain or avoidance of cost or loss. The grouping and ranking in hierarchies, by similarities or differences between identity crime classes are shown in Table 2. Reading Table 2, we see the many different identity crime nomenclature, classifications by rank, context, and jurisdictional region; these identifications by the individuals gave referral to their taxon referenced by author(s). Table 2 column 1, shows a vast array of identity crime nomenclature used across and within regions as well as their evolving classification labels. Both identity theft and identity deception have many crime sub-class methods at the most granular level. Well-known examples of offline identity theft are caused by wallet theft, mail redirection, and dumpster diving, while an example of an online identity theft method is war-driving. Online examples for identity deception are phishing, vishing, and smishing.33 Identity deception is a broader cause of criminality than identity theft because stealing an identity is just one of many classes of identity crime that allows someone to assume an identity of another individual or entity (real or fictitious). The identity deception class has been recommended to be further classified into sub-classes identity manipulation and identity falsification and each has been given similar labels.34 The Australasian Centre for Policing Research (2006) and Model Crime Law Officer's Committee (2008) identity crime definition also includes the situation for when someone creates a false identity that is not based on a real person; a fictitious identity. We label this identity deception. Identity crime generally means activity in which a perpetrator utilizes a false identity in order to facilitate the commission of a crime; with nomenclature labelled identity fraud or sub-classes ranked identity theft and identity deception categories. Interview quotes from Participant 12 in Table 3 illustrate the need for and problems around, the requirement to initially define a new phenomenon such as identity fraud and identity theft or to classify the many other labels for identity deception. Until the terms are defined within statutes and improved upon with amendment(s) and/or case law, law enforcement case charges are usually laid against an identity crime (or any other ‘new’ crime for that matter) perpetrator under a current statute, for example, mail fraud, telephone fraud, credit card fraud, or check fraud. There is a need to define identity crimes in legislation because ‘identity theft’ and ‘identity deception’ are enablers of ‘identity fraud’. There is a range of crimes then which impact communities in devastating ways.35 All these intricacies in identity crime terms we clearly define in Table 1 grounded from interviewee data collection; this is the level at which identity crime definitions need to be considered for accurate research and comparison of results across time and location.36 We attained these definitions upon considering themes from coded data. Participant 8 alludes to perpetrators using fictitious identities, which can manifest itself in different ways. With fictitious identity, perpetrators may eventually exist within organizational knowledge management systems. Organizations or government can find it difficult to discover false identities within their databases, or in via other interactions in the community. This is because identity fraud perpetrators can create an identity by registering on other databases, or with other organizations through exploiting weak attribute checks or authentication systems. Perpetrators might for instance register on the electoral roll, create bank accounts or to obtain a driver's license if the authenticity checks of any of these systems can be circumvented. If successful, perpetrators have then created an identity which is likely to be able to authenticate further uses in other databases, because organizations are unlikely to look behind these apparently genuine documents.37 Alternatively, a perpetrator could also create another identity under a different name by simply transposing letters or by dropping a letter in a first or last name. Similar instances have occurred by mistakes in administration, for example a clerk might make a spelling or typing error on an identity document and this allows a perpetrator to opportunistically represent that altered name as their own. Assumed identities emerge also, where one can either take on the identity of a living person, a genuine person, or a dead person. Therefore systems need resilience to be able to absorb and recover from such perpetrator attacks.37 A recent Australian innovation is for organizations to set up processes to trawl through ‘fact of death’ files to determine identities on their databases are deceased. Private organizations see identity fraud, identity theft and identity deception (or synonyms) in a much narrower nomenclature than government agencies. While Australian Federal and State agencies in some cases adopt their own internal group labelling for the various identity crime sub-class names, they often have a broader description for identity crime. This could have been driven from government initiatives for defining identity crime labels over time.38 Table 4 illustrates a sample of the rich responses received from the various US Federal and State Attorney Generals and US Statistic Bureaus. In Table 4 the feedback correspondence from Montana describes clearly the issues this paper is endeavouring to rectify. They point out the divergence and evolution of all groups; that for index crimes ‘theft’ is the highest rank in their crime classification but that under the Montana Incident-Based Reporting Scheme identity theft is categorized as a ‘fraud’ thereby potentially inflating fraud levels. Table 6 illustrates the various modes of researcher and legal definitions of identity crimes across different countries over time. In Australia, government and law enforcement have agreed on the following standard terminology: “Identity theft is the theft or assumption of a pre-existing identity (or a significant part thereof), with or without consent, and whether, in the case of an individual, the person is living or deceased”.39 However, Australian legislation does not in the main use this terminology (see Table 5), due to concerns over limitations related to legal definitions of theft.40 The US federal government led the way in defining identity theft by way of legislation in the form of Identity Theft and Assumption Deterrence Act (1998) (see Table 6). This Act was introduced in order to mitigate the economic cost to victims, both entity and individual, by making identity theft a crime with substantial penalties in the form of fines or jail as a deterrent to future perpetrators. All US States subsequently followed this lead. We argue that the assumption part of the US Identity Theft and Assumption Deterrence Act (1998) identity theft definition is not identity theft but identity deception (see Table 5). We show that identity deception is a clearer referral, encompasses all similar labels, has precedence from a historical crime perspective,41 academia,42 and US State legislation (see Table 4).43 Identity deception (Table 1) is the rapidly growing phenomenon where fraudsters create identities and then steal goods and services from businesses (i.e. identity fraud). According to ID Analytics, Inc., identity deception accounted for about 85 percent of identity frauds compared to 15 percent for identity theft.44 Those experiencing this phenomenon appreciate its far-reaching consequences versus those falling under the sub-class of identity theft.45 Wang et al. describe their different criminal identity deception categories that fall under their labels of name, residency, identity and date-of-birth of deception, and each has sub-categories.46 In Wang et al.'s identity deception taxonomy, reference to any identity crime act or event to obtain by a perpetrator proof of identity (POI) documentation or personally identifiable information, PII (personal identifying numbers, PIN or passwords), other than by identity theft methods may be more accurately classified as identity deception (see Table 1).47 The basic premise of an identity theft act is that the perpetrator steals an individual or entity's POI or PII. Thus all other methods such as inventing, falsifying, altering or fabricating are classified as identity deception. In mid 2008 the Australian Bureau of Statistics published the results of a personal fraud survey that asked questions to measure various types of identity crime incidents.48 The publicly available results are at a reasonably high level across what we term the identity crimes sub-classes, in order to maintain survey respondent anonymity. A year after release of the data to the public, researchers who meet ABS research criteria could apply to access the data at more granular levels than was made public. We gained access to the data at a more atomistic level and made various integrity checks. For brevity and to maintain respondent anonymity, we reclassified and consequently recalculated the data at the publicly available level following our Table 1 (identity crime definitions and classes). This better ensured that results could be replicated by others.49 The identity crime portion of Fig. 3 identity fraud under the ABS classification is 3.1% with 499,500 victims made up of 124,000 identity theft victims (0.8%) and 383,300 (2.4%) credit or bank card fraud victims. The remainder are victims of personal fraud or scams.50 However, using our definitions and classifications, phishing (57,800 victims or 0.4%) is an identity crime method (taxon), specifically it is grouped within the identity deception class that may cause identity fraud or be part of a related identity crime. In Fig. 2 we show the reclassified identity crime components that constitute the identity fraud portion (now 557,300 victims or 3.5%) of the ABS Personal Fraud Survey and the corresponding number of victims in each class where they can be categorically shown without ambiguity at this domain level. The broken uni-directional lines in Fig. 2 from ‘credit or bank card fraud’ to identity deception and identity theft are because at this level we cannot say the exact amount apportioned to either class, but we know over half of the new identity fraud victims are caused by this fraud (383,300 or 2.4%). We could apportion the 383,300 victims to identity deception and identity theft based on prior findings of 85 percent and 15 percent respectively,51 but again this would not be accurate.