Graphical Version | ||||
Home Report on identity theftA Report to the Minister of Public Safety and Emergency Preparedness Canada and the Attorney General of the United States Bi-national Working Group on Cross-Border Mass Marketing Fraud
Executive summaryIdentity theft refers to all types of crime in which someone wrongfully obtains and uses another person's identifying information for the purpose of fraud or other criminal activity, typically for economic gain. The perpetrators of identity theft include members of organized criminal groups or networks, terrorists and individual criminals. Identity theft is usually done for economic gain but has also been used by terrorists to obtain cover employment, finance their activities and avoid detection when carrying out their attacks. Criminals also use identity theft to divert law enforcement focus away from the true perpetrators of crimes. There are indications identity theft is growing rapidly, due in part to the Internet and modern technology. During a one-year period in 2002-2003, total losses to individuals and businesses related to identity theft in the United States were estimated at approximately US$53 billion. In Canada the losses for 2002 were estimated at approximately CAN$2.5 billion. Identity theft is committed in every place associated with daily life. Methods include mail theft, stealing from residences and personal spaces, misuse of personal data in business transactions, phishing, and theft from company or government databases. The victims of identity theft come from every age group and all segments of society; however, the majority of victims appear in segments of the population with good or potentially good credit ratings. Victims of identity theft often suffer financial loss, damage to their credit rating and reputation as well as emotional distress. Many are also left with the complicated and sometimes arduous task of clearing their name and credit rating. A 2003 U.S. Federal Trade Commission identity theft survey report found victims had spent a total of 300 million hours in the preceding year to resolve problems created by the theft of their identity. Identity theft is not confined by borders. Joint efforts to address this problem are coordinated through the Bi-national Working Group on Mass Marketing Fraud (a Cross-Border Crime Forum sub-group), consisting of government and law enforcement officials from Canada and the United States. Governments and the private sector in both countries have pursued a variety of initiatives and legislative reforms to combat identity theft. On the basis of available data, it appears that identity theft is likely to continue to grow substantially over the next decade and become increasingly important in cross-border criminality. It is expected to pose a threat to tens of millions of people and businesses in Canada and the United States unless law enforcement authorities and private-sector entities mount a vigorous and coordinated response to the problem. There are a number of areas in which law enforcement, government and the private sector in both countries can strengthen efforts to combat identity theft. They include:
IntroductionIn 2003, the Canada-United States Cross-Border Crime Forum determined that it would be appropriate to conduct a threat assessment of identity theft and its impact on cross‑border criminality. It directed the Canada-United States Working Group on Cross‑Border Mass‑Marketing Fraud, which reports to the Forum annually, to prepare such an assessment. This assessment is the product of many agency and individual participants in the Working Group from the United States and Canada. It was prepared jointly by the United States Department of Justice (DOJ) and Public Safety and Emergency Preparedness Canada (PSEPC). The objective of this threat assessment is to define the nature, scope and impact of identity theft. It includes trends, statistics and an examination of the factors surrounding identity theft to increase understanding of the nature of the crime as well as current and potential responses to the problem. This report, which is being presented at the time of the October 2004 Cross‑Border Crime Forum, will provide information and recommendations for policy makers, law enforcement, consumers and the private sector. While there is a growing volume of data on the incidence of identity theft, statistical and analytical studies on the patterns of and participants in this criminal behaviour are still limited. Both countries are developing initiatives to respond to these challenges. These initiatives will be described later in the assessment. This report is intended to provide Canada, the United States and other countries with essential information and to promote increased coordination on improving oversight and management of the risks of identity theft and developing comprehensive responses. As discussed below, this assessment recommends a coordinated response embracing public education and awareness campaigns, legislative measures and enforcement actions. Identity theft -- the threatUnlike certain crimes that are specific to particular types of property and locations -- for example, car theft and burglary -- identity theft is committed in every place associated with daily life. Identity thieves target residences, workplaces and even places of recreation. Moreover, the growing ubiquity of digital data, and of computers and devices that transmit or store such data, means that identity thieves can ply their trade without ever coming into physical proximity with the individuals whose data they are stealing. Simply by doing things that are part of everyday routines -- for example, charging dinner at a restaurant, using payment cards to purchase gasoline or rent a car, or submitting personal information to employers and various levels of government -- individuals may be leaving or exposing their personal data where identity thieves can access and use it without the victim’s knowledge or permission. The victim may not discover the effects of the fraud until weeks, months or even years later. What is identity theft?In broad terms, identity theft refers to all types of crime in which someone wrongfully obtains and uses another person's identifying information for the purpose of fraud or other criminal activity, typically for economic gain. Such data may include name and date of birth and a range of closely related information such as social insurance numbers in Canada and Social Security numbers in the United States, as well as passport, driver’s license and credit card numbers. Once stolen, the personal information can be used to take over or create financial accounts, transfer bank balances, apply for loans and credit or purchase goods and services. 1 Identity thieves may also present or create documents such as birth certificates or immigration documents to obtain benefits such as health care, education, social assistance and public pensions. Why is it committed?Canadian and United States law enforcement agencies are seeing a growing trend in both countries towards greater use of identity theft as a means of furthering or facilitating other types of crime. 2 In the overwhelming majority of identity theft cases, the objective is financial. Some criminals engage in identity theft to obtain funds under their victim’s name, mislead law enforcement as to the real perpetrator of the crime, or hide from law enforcement. Others obtain publicly‑funded benefits or services to which they would not otherwise be entitled. Some use others’ identifying data as means to larger ends, ranging from fraud to human trafficking and terrorism. The scope of identity theftThere are substantial indications that identity theft has become a significant problem for consumers and businesses in Canada and the United States. One indication is the increase in the number of identity theft complaints filed in both countries.3 In the United States, identity theft-related complaints reported to the Federal Trade Commission (FTC) increased from 86 212 in 2001, to 161 836 in 2002, to 214 905 in 2003 -- an increase of nearly 250 percent. 4 In the first two quarters of 2004, the FTC received an additional 130 217 identity theft complaints. This means that the average number of complaints that the FTC received per week has consistently increased: more than 1600 per week in 2001, more than 3100 per week in 2002, more than 4100 per week in 2003 and more than 5000 per week in the first half of 2004. In Canada, the PhoneBusters National Call Centre received 7629 identity theft complaints in 2002 from Canadians reporting total losses of more than CAN$8.5 million. In 2003, PhoneBusters received 14 526 identity theft-related complaints from Canadians, reflecting reported losses of more than CAN$21.8 million. 5 Statistics gathered by PhoneBusters in 2003 and the first half of 2004 indicate the largest number of complaints surrounding identity theft relate to credit cards or false application for a credit card (32 percent) and cell phones or false application for a cell phone (10-12 percent). Similarly, the FTC reports that in 2003, 33 percent of identity theft victims reported that their identifying information was used for credit card fraud and 16 percent of victims reported that their identifying information was used for fraud in ordering phone service. Cell phones accounted for 10.4 percent of this total while landline phones accounted for 5.6 percent 6. Due to challenges categorizing the statistical information, law enforcement in both countries has reason to believe that actual instances, particularly of credit card "takeover", may actually be much higher.7 In addition, a September 2003 survey 8 for the U.S. Federal Trade Commission found that within a one-year period nearly 10 million persons in the United States -- 4.6 percent of the adult U.S. population -- discovered that they were victims of some form of identity theft. Of those 10 million persons, 3.2 million persons discovered that an identity thief opened new accounts in their name and 6.6 million consumers learned that an identity thief was misusing existing accounts. The survey also found that businesses suffered nearly US$48 billion in identity theft-related losses, individual victims suffered nearly US$5 billion in losses and victims spent nearly 300 million hours trying to resolve the problem. In addition, two major Canadian credit bureaus, Equifax and Trans Union, indicate that they receive approximately 1400 to 1800 Canadian identity theft complaints per month, the majority of which are from the province of Ontario. The Canadian Council of Better Business Bureaus estimates consumers, banks, credit card firms, stores and other businesses lost CAN$2.5 billion to the perpetrators of identity theft in 2002 9. On the basis of available data, it appears that identity theft is likely to continue to grow substantially over the next decade and become increasingly important in cross-border criminality. It is expected to pose a threat to tens of millions of people and businesses in Canada and the United States unless law enforcement authorities and private-sector entities mount a vigorous and coordinated response to the problem. Who are the victims? Who are the perpetrators?Another notable feature of identity theft is that its impact on victims extends across all ages. According to the U.S. Federal Trade Commission, 29 percent of identity theft complaints came from persons aged 18-29, 25 percent from persons aged 30-39, 21 percent from persons aged 40-49, 13 percent from persons aged 50-59, and 10 percent from persons aged 60 and more. Even persons under the age of 18 accounted for 3 percent of all identity-theft complaints. 10 Similar findings are echoed in Canadian research. According to research recently conducted by the Fraud Prevention Forum in Canada, victims of identity theft cut across all segments of Canadian society regardless of income and levels of education.11 However, the largest targeted segments of the population appear to be those who have a good credit rating or potential for good credit. Individuals are not the only victims of identity theft. Corporations, financial institutions and small businesses can suffer not only financial loss but also damage to reputation, credibility and future operations. Comprehensive statistics on the perpetrators of identity theft are lacking and available data on identity thieves is largely anecdotal. However, this data indicates that identity thieves tend to fall into three broad categories:
How is identity theft committed?Identity theft, in its modern form, often occurs out of the sight of, and beyond the effective reach of, the victim. It is carried out by means of compromising electronic data systems, obtaining false foundation documents (such as birth certificates or citizenship documents), directing mail to new addresses, obtaining new credit accounts and improperly charging existing ones. It relies on the modern culture of ubiquitous personal information holdings, easy consumer credit and the rapid advancement and widespread acceptance of information technology. It also relies on any weaknesses in the safeguarding of personal identifying information. For example, identity thieves are quick to exploit any vulnerability in the measures that businesses, government agencies and consumers use to protect personal data. The means of compromising personal data for identity theft are so varied and evolve so rapidly that even technologically sophisticated individuals and organizations may have difficulty maintaining adequate control over those data. As noted earlier, identity theft is committed in every place associated with daily life. This section identifies the principal points of vulnerability that identity thieves exploit to acquire identifying data, and the methods they use to do so. They fall into two broad categories: physical methods and electronic methods. Physical methods
Electronic methods
The impact of identity theftIdentity theft causes two distinct types of harm to its victims. The first is direct financial loss. Depending on the type of fraud that a criminal commits with the aid of stolen identifying data, consumers and businesses may lose anywhere from a few hundred dollars to tens of thousands of dollars. Indeed, small e-commerce businesses may be particularly hard-hit by identity theft. Because of credit card association policies, an online merchant who accepts a credit card number that later proves to have been acquired by identity theft may be liable for the full amount of the fraudulent transactions involving that card number. The second, more insidious, type of harm involves indirect costs that identity theft creates for its victims. Individuals whose identities are stolen may have their credit ratings and reputations damaged, if not ruined, for extended periods of time because of the fraudulent transactions that have been conducted in their names. Many victims report that it takes them months, if not years, and substantial personal expense to clear their credit ratings. In a 2003 survey conducted for the Federal Trade Commission, victims of all types of identity theft reported that they had spent an average of US$500 to repair the damage done by identity thieves. Victims of the most serious form of identity theft, involving the creation of new accounts and other frauds, reported that they had spent an average of US$1200 to repair the damage from identity theft. Moreover, the survey indicated that identity theft victims as a group had spent nearly 300 million hours (an average of 30 hours per person) in the preceding year resolving problems relating to identity theft.13 These indirect costs, in some cases, even include the risk that the victims of identity theft will be mistaken by law enforcement as the criminals. In the FTC survey, 4 percent of identity theft victims reported that criminals had misused the victims’ personal information by offering the victims’ names and identifying information when those criminals were stopped by law enforcement authorities or were charged with a crime.14 In rare instances, victims have even been arrested and detained by law enforcement authorities for a time before their true identity and relationship to the crimes could be established. Although primarily economic in nature, identity theft can also have national security implications and an impact on social benefits and government services (welfare payments, driver’s licenses, workers’ compensation benefits, passports, birth certificates, tax refunds, etc.). Benefits going to individuals who are not entitled to receive them are a significant cost to governments and ultimately to the people of Canada and the United States.15 Efforts to combat identity theftBoth Canada and the United States have undertaken a variety of initiatives and legislative reforms to combat identity theft. As explained below, many of these initiatives are multi-sectoral, multi-jurisdictional and multi-agency, and extend beyond law enforcement. Reporting identity theftIn an effort to acquire a better understanding of the scope and magnitude of identity theft, governments and the law enforcement community, with participation from the private sector, have established public reporting mechanisms.
Bi-national and national coordinationIdentity theft-related issues cut across all jurisdictions and involve all levels of government, the law enforcement community and the private sector. In an effort to avoid duplication of activities and to ensure consistency across all jurisdictions and programs, a number of coordinating bodies have been established at the bi-national and national levels.
Prevention and mitigationPreventing victimization and mitigating the impacts of identity theft on consumers and businesses are critical components of both countries’ overall strategies to combat identity theft.
Legislative initiativesA strong legislative framework is also fundamental to combating identity theft successfully. Since 1998, the United States federal government and nearly all state governments have adopted a number of measures to address identity theft.19
The way forward: Challenges and recommendationsThe United States and Canada, like other countries, live in an increasingly open and fast‑paced global environment, and benefit from the increased ease with which goods and information can be shared and transmitted across local and international boundaries. These same elements also lend themselves to cross-border criminality, including identity theft. While individual criminals are involved in opportunistic crime, organized crime is increasingly involved in systematic theft. Law enforcement authorities are concerned that the same aspects benefiting organized crime will be used by terrorists to finance or carry out attacks. Now that the Internet is a permanent and valuable presence in our everyday lives, borders and jurisdictions have given rise to new vulnerabilities, increasingly exploited by criminals committing identity theft. Criminals can gather and disseminate sensitive personal data on the Internet through sites hosted by any Internet Service Provider (ISP) in the world. Similarly, "spoofed" websites, used to lure personal information, can be built and uploaded on an ISP anywhere in the world. Therefore, the location of the crime can become a problem for law enforcement and raises jurisdiction and coordination issues. Like the telephone, the Internet is a powerful means of communications that can be used for lawful or unlawful purposes. Those who use it for criminal purposes exploit vulnerabilities that we must be able to identify and contain quickly. Timeliness, jurisdictional issues and coordination are some of the challenges in the fight against identity theft. This section details these challenges and recommends responses. Coordinating public education initiativesChallenge: The public is not fully aware of the pervasive nature of identity theft and its devastating impacts on their daily lives. Emerging trends, such as phishing, are expected to grow and to affect more and more people if appropriate actions are not taken to prevent victimization. Recommended response: Coordinated public education and awareness initiatives involving both governments and the private sector should be continued to inform individuals, businesses and other entities that collect personal identifying information. These initiatives should address how to minimize the risk of identity theft and what to do if victimized. Both countries should also be prepared to develop joint education and awareness initiatives, where appropriate, on specific identity theft-related problems as they arise. An example of this is the joint public advisory on phishing from the United States Department of Justice and Public Safety and Emergency Preparedness Canada issued at the 2004 Cross-Border Crime Forum. Enhancing reporting mechanisms and enforcementChallenge: The public needs to know where to report identity theft and what will be done with that information by law enforcement. Recommended response: Both governments need to increase their efforts to inform the public about the existence of national points of contact to report identity theft, such as Canada’s PhoneBusters and RECOL, and the U.S. FTC’s Identity Theft Clearinghouse. There should be better coordination of law enforcement efforts at the national and bi-national levels in analyzing and using citizen complaints, as well as identifying trends and patterns, to foster more effective prosecution and disruption of identity theft operations. Challenge: The private sector must also address the issue of reporting identity theft more systematically to law enforcement authorities. The selective reporting of this activity gives an incomplete image of the situation and may hamper efforts to protect the greater public good. Identity theft cannot continue to be treated as a business loss that may or may not be reported to the police. Recommended response: The private sector and law enforcement should pursue discussions to enhance identity theft reporting to law enforcement. These efforts are likely to produce more concrete and lasting results in investigating identity theft. Reviewing legislative frameworksChallenge: The legislative sanctions applicable to identity theft need to keep pace with the constantly evolving nature of identity theft, notably its use of new technologies. Recommended response: Governments at all levels in both countries should review the adequacy of their laws that apply to identity theft and, where appropriate, amend those laws to ensure that they provide sufficient scope of coverage and suitable criminal and civil sanctions. That review should include existing false-personation and fraud statutes as well as separate identity theft offences. Improving document and data integrity and securityChallenge: The security and integrity of personal identification documents is an important part of protecting individuals and society at large from identity theft. Intrinsic to that is the very issuance and security of identity documents, particularly those that are the foundation in establishing a person’s identity, such as birth certificates, passports, and permanent resident and citizenship documents. Recommended response: Both countries should work, respectively, towards greater consistency and security in document issuance and verification processes. In Canada, such efforts should build on the work of the Federal/Provincial/Territorial Council on Identity, which has a mandate to develop a policy framework to govern documentation of individual identity issued by governments. Challenge: There have been incidents where personal identifying information retained by the private sector has been wrongfully used, resulting in harm to individuals. Recommended response: Both countries already have laws that govern the collection, retention and dissemination of personal identifying information. However, private sector entities -- especially those that use and retain large volumes of personal identifying data or personal financial data -- should review and, where appropriate, revise their internal procedures and policies affecting the security of those data. In some cases, this may mean improving information-security and physical-security measures; in other cases, this may mean closer scrutiny of employees who are granted access to large volumes of personal data. ConclusionLaw enforcement, other government agencies and the private sector need to strengthen and better coordinate their efforts to combat identity theft, particularly with regard to the growth of identity theft in cross‑border criminality. Governments in both countries should develop comprehensive approaches to identity theft, ranging from prevention to prosecution. In particular, reporting structures, legislative frameworks, public education initiatives and private sector involvement should be improved to reduce identity theft. 1 Public Interest Advocacy Centre, Identity Theft: The Need for Better Consumer Protection, October 2003. 2 Transcript of Attorney General remarks at identity theft press conference, U.S. Department of Justice (May 2, 2002) http://www.usdoj.gov/archive/ag/speeches/2002/050202agidthefttranscript.htm 3 This may be due to the growth of identity theft, better awareness and reporting, or a combination of both. 4 See Federal Trade Commission, National and State Trends in Fraud & Identity Theft, January - December 2003, 2004, p. 9, available at http://www.consumer.gov/sentinel/pubs/Top10Fraud2003.pdf 5 Thus, in just one year complaints increased by 90 percent and reported losses by 156 percent. See http://www.phonebusters.com/english/statistics_E03.html 6 See National and State Trends, supra note 4, at p. 10. 7 PhoneBusters Identity Theft Statistics 2003/2004, RCMP-CCB Ottawa July 19, 2004 8 See Synovate, Federal Trade Commission - Identity Theft Survey Report (covering May 2002 - May 2003), available at http://www.ftc.gov/os/2003/09/synovatereport.pdf 9 Canadian Bankers Association, Identity Theft: An Old Problem Needing a New Approach (May 2003) at p. 5. 10 See National and State Trends, supra note 4, at p. 7. 11 According to findings from consumer survey and focus groups conducted by the Fraud Prevention Forum in 2003 in preparation for its 2004 anti-fraud campaign. 12 Prepared statement of Dennis M. Lormel, Chief, Terrorist Financial Review Group, Federal Bureau Of Investigation, on S. 2541, Identity Theft Penalty Enhancement Act, before the Subcommittee on Technology, Terrorism and Government Information of the Committee on the Judiciary, United States Senate (July 9, 2002), reprinted at http://www.fbi.gov/congress/congress02/idtheft.htm 13 See Synovate, Federal Trade Commission Survey Report, supra note 8, at p. 6. 14 See id. 15 Extracted from: Identity in Canada: A Policy Framework, November 6, 2002 16 Efforts are underway to share PhoneBusters identity theft data with the FTC's Identity Theft Data Clearinghouse. These efforts could result in greater access by law enforcement to a wider array of identity theft data. 17 PCIC 2002/2003 Annual Report 18 Canadian Bankers Association (CBA) 2002 Report at p. 10. 19 A list of US states that have adopted some form of identity theft legislation may be found at www.consumer.gov/idtheft 20 See 18 U.S.C.§ 1028(a)(7). 21 See id.§ 1028(b)(2). 22 See 18 U.S.C. 1028A. |