Iago's net: notes for an international legal regime to combat identity-related crime.

TABLE OF CONTENTS

I. INTRODUCTION

II. THE SCOPE AND EXTENT OF IDENTITY-RELATED CRIME

   A. Background
      1. Volume of Noncash Payments
      2. Communication Technologies
      3. Critical Vulnerabilities in Noncash Payment
         Methods and Communication Technologies
   B. The Incidence and Prevalence of Identity-Related Crime
      1. General Survey Data
      2. Regional and Country Data
         i. North America
         ii. Europe
         iii.   Other Regions
   C. Methods and Techniques of Identity-Related Crime
      1. Acquisition of Physical Items or Data
      2. Initial Transfer of Acquired Physical Items or Data
      3. Manipulation of Physical Items or Data
      4. Transfer of Manipulated Items or Data
      5. Use of Acquired Items or Data
   D. Effects of Identity-Related Crime
   E. Victims and Criminals

III. TOWARD AN INTERNATIONAL LEGAL REGIME FOR
IDENTITY-RELATED CRIME
   A. Identification of International Legal Norms
      1. International Conventions
         i. Council of Europe Cybercrime Convention
         ii. United Nations Convention Against
             Transnational Organized Crime
         iii. United Nations Convention Against
              Corruption
      2. National Statutory Regimes
         i. Criminal Codes
         ii. Civil Statutes and Mechanisms
      3. Other Actions by Multilateral Organizations
         i. United Nations Economic and Social
            Council
         ii. European Union
         iii. G8 Roma/Lyon Group
   B. Reification of International Legal Norms
      1. Application of Existing International
         Conventions
         i. Council of Europe Cybercrime Convention
         ii. United Nations Convention Against
             Transnational Organized Crime
         iii. United Nations Convention Against
              Corruption
      2. Development and Coordination of National
         Strategies on Identity-Related Crime

IV. CONCLUSION

I. INTRODUCTION

   So will I turn her virtue into pitch,
   And out of her own goodness make the net
   That shall enmesh them all. (1)

Pity Iago. Confined as he was to the setting of sixteenth century Venice, and the culture and technology appropriate to that time and place, Iago could carry out his scheme to deceive Othello and others only by using the most rudimentary techniques of psychological manipulation. Repetitive exhortations to Roderigo to "put money in thy purse" (2) for Iago's benefit, (3) elaborate verbal characterizations of Cassio's and Desdemona's behavior to arouse the Moor to draw false inferences, (4) staging of conversations and interactions that deepened Othello's commitment to those inferences (5)--all of these actions required considerable planning and effort over a period of several weeks, in multiple locations, for Iago to gain the benefits he sought.

By contrast, had Othello been set in the twenty-first century, Iago could have exploited modern business and computing technology to destroy the Moor's financial status, reputation, and relationship with Desdemona swiftly and profit handsomely in the bargain. Hacking of Desdemona's online bank account to transfer money to Cassio's account, (6) posting of defamatory statements about Desdemona's sexual preferences, (7) digital alteration of photographs to depict Cassio and Desdemona falsely in intimate relations, (8) and use of a "backdoor" (9) program in Roderigo's computer to transfer funds from Roderigo's Banca di Roma (10) account could have taken barely a single scene to enact.

Today, vast numbers of people and businesses around the world are discovering that they have become victims of identity-related crime (11)--often suffering substantial financial and indirect harms that they cannot easily foresee or control. (12) The costs of such crime can be measured in the tens of billions of dollars each year. (13) This Article will analyze, and offer a coherent response to, the increasingly global problem of identity-related crime. It will first explore the nature and extent of the problem, focusing on four principal issues: (1) the scope and extent of identity-related crime, including its incidence and prevalence; (2) the methods that criminals use during the five phases of identity-related crime, (14) including exploitation of digital data, computers, and the Internet; (3) the effects of identity-related crime on persons, businesses, and government; and (4) the people who commit the crime and the people victimized by such crime. It will then propose an approach to developing an international legal regime to combat identity-related crime, by identifying legal norms pertinent to identity-related crime that are reflected in existing international conventions, national criminal and civil codes, and other sources of authority, and by explaining how to reify those norms through international conventions, national statutes, and other measures.

II. THE SCOPE AND EXTENT OF IDENTITY-RELATED CRIME

A. Background

Identity-related crime--sometimes known as "identity theft" or "identity fraud" (15)--has deep roots in human history and various cultures. Just as Jacob obtained his brother Esau's birthright by mimicking his brother's hairy arms to deceive their blind father, (16) there have always been people who seek to obtain a financial advantage or avoid harm by pretending to be someone other than themselves. (17) For most of human history, the ability to engage in identity-related crime was limited. In pre-industrial cultures, the man who was born in a village generally lived, worked, and died in that village, and was personally known to everyone there.

If the growth of cities and mechanized transportation enabled more people to commit identity-related crimes away from their birthplaces, the phenomenon of identity-related crime reached full flower only in the last decade of the twentieth century. Three related trends coincided to make identity-related crime more feasible and profitable than ever before: (1) increases in the volume and ubiquity of noncash payment methods, whether for purchases or other benefits (e.g., goods and services), that were available to people in many countries, especially for remote transactions; (2) the growth of communications technologies permitting the remote use of those noncash payment methods, including computer technologies and the Internet, throughout the world; and (3) criminals' increasing identification of critical vulnerabilities in those noncash payment methods and communications technologies.

1. Volume of Noncash Payments (18)

Globally, the World Payments Report 2010 stated that in 2008 there were 269 billion worldwide noncash transactions (compared with 154 billion worldwide noncash transactions in 2001)--a growth rate of 8.4% per year since 2001. (19) The report also noted that while North America and the mature economies of Europe and Asia-Pacific accounted for a combined 77% of non-cash payments volumes in 2008, "the rate of growth in non-cash payments volumes was faster in developing economies, especially the BRIC (Brazil, Russia, India, China) nations, in which economic activity remained robust relative to more developed nations." (20) In the United States, the U.S. Federal Reserve System recently estimated that in 2009 alone, there were more than 108.9 billion noncash payments in the United States--including (1) electronic payments via automated clearinghouse and credit, debit, and prepaid cards, and (2) checks--with a value of $72.3 trillion. (21) An estimated $30 trillion of that value comes from transactions flowing across the Automated Clearing House (ACH) network. (22) Moreover, during the period 2006 to 2009, electronic payments grew 9.3% per year to constitute more than 75% of all noncash payments by number and more than 50% of all noncash payments by value. (23)

2. Communications Technologies

Within the past several years, the Internet has expanded to almost unimaginable global proportions. Among other dimensions of the Internet's growth, there are more than 1.96 billion Internet users worldwide; (24) 205.3 million domain name registrations across all Top Level Domains; (25) more than 255 million websites; (26) and an estimated 2.9 billion email accounts and nearly 2.4 billion Instant Messaging accounts. (27)

The growth of Internet-based communications has also made possible a vast global expansion of commercial activities. For example, in North America a 2011 report by Forrester Research estimated that U.S. online retail sales grew 12.6% in 2010 to reach $176.2 billion, and is expected to reach $278.9 billion in 2015. (28) In Mexico, the Asociacion Mexicana de Internet (AMIPCI) estimated that as of the end of 2007, Mexican online commerce accounted for MX $955 million--78% greater than the preceding year. (29)

Mobile communications, too, offer new dimensions in global access to services. In 2010, there were reportedly more than 5 billion mobile phone connections worldwide, with more than 100% penetration in many regions. (30) Notably, the International Telecommunications Union estimated that by the end of 2010, developing nations' mobile cellular penetration rates would reach 68%, mainly driven by the Asia and Pacific region, (31) even though only 21% of developing nations' populations are online. (32) For instance, Kenya's M-Pesa system has become the largest phone banking platform in the world, with more than 13 million active customers. (33) Particularly noteworthy is the fact that mobile phone users are increasingly likely to use mobile devices for e-commerce. A 2011 survey by Accenture found that 45% of the most active mobile device users in 11 countries would welcome the opportunity to pay for goods and services using their mobile phones. (34)

3. Critical Vulnerabilities in Noncash Payment Methods and Communications Technologies

When noncash payment methods and digital communications are ubiquitous, so are the vulnerabilities that identity thieves can exploit. Computer security experts have identified a variety of critical vulnerabilities that facilitate identity-related crime on a multinational scale.

In 2009, the SANS Institute, a leading information security research and training organization, issued a report that identified two key digital vulnerabilities. The first is unpatched client-side software. The SANS report noted that targeted email attacks "are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash, and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access." (35) Paradoxically, even though operating systems reportedly had fewer remotely-executable vulnerabilities than client-side software, the report also noted that "[o]n average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities." (36)

The second is vulnerable Internet-facing websites. The SANS Institute report stated that "[a]ttacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted websites into malicious websites serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered." (37)

The SANS report also noted that "[w]orld-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities (38)... Some vulnerabilities have remained unpatched for as long as two years." (39) Recent examples of zero-day vulnerabilities include an unpatched bug in Adobe Flash Player that enables targeted attacks via a Flash file embedded in a Microsoft Excel file delivered as an e-mail attachment, (40) and a vulnerability in all currently supported versions of the Microsoft Windows operating system "that could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites." (41)

In addition, security experts have lately identified a variety of exploits that target mobile phones. For example, in March 2011, Google remotely purged its Android smartphones of applications that contained malicious code that could take control of the phones and steal information. (42) The growth of such exploits is problematic because information-security departments may not recognize the vulnerabilities that compromised mobile devices may pose for their networks. A 2011 survey of 300 Chief Information Officers (CIOs) from the United States and the United Kingdom reportedly found that 78% of the CIOs did not know what mobile devices were connected to their networks. (43)

Finally, it must be acknowledged that human vulnerabilities can play a critical role in identity-related crime. Law enforcement authorities and information security experts have often found that criminals are using "social engineering"--the term often applied to the use of psychological influence techniques in social interactions--in many identity-theft schemes. (44)

B. The Incidence and Prevalence of Identity-Related Crime

1. General Survey Data

While there are no truly comprehensive data on global trends in identity-related crime, various reports indicate that identity-related crime has become a substantial problem in a growing number of countries around the world. A December 2010 survey of people in North America, Europe, Asia, Dubai, and Brazil by ACI Worldwide, an international payments-systems provider, found that 29% of financial services customers worldwide who used credit or debit cards had experienced payment-card fraud in the past five years--a 62% increase since 2009. (45) More detailed information on multiple regions and countries is also set forth in the ACI survey and in other sources.

2. Regional and Country Data

i. North America

In the United States, a survey by a private-sector firm,Javelin Strategy & Research, reported that in 2010, 8.1 million adults in the United States fell victim to identity fraud (46) and losses from identity fraud totaled more than $37 billion. (47) The ACI survey found that 31% of U.S. consumers in 2010 had been victims of payment-card fraud in the past five years. (48) In Canada, a 2008 survey by McMaster University found that 6.5% of Canadian adults (nearly 1.7 million people) were the victims of some form of identity fraud in the preceding year. (49) In Mexico, there are no comprehensive data on the scale of the problem, but individual cases indicate that some Mexican residents are involved in identity-related crime. In March 2011, three Mexican nationals were arrested by police in Pleasonton, California and charged with forgery, possession of stolen property, and burglary in connection with their purchases of products with forged credit cards and shipping the products back to Mexico to be resold. (50)

ii. Europe

There is no single study or survey that provides an estimate of the overall scope of identity-related crime in Europe. In the United Kingdom, a February 2011 report by a consulting firm and the Office of Cyber Security and Information Assurance estimated the total cost of cybercrime at 27 billion [pounds sterling] per year ($43.4 billion), (51) including 4.1 billion [pounds sterling] ($6.6 billion) in various identity-related crime costs: i.e., costs to citizens of 1.7 billion [pounds sterling] ($2.7 billion) per year for identity theft and 1.4 billion [pounds sterling] ($2.3 billion) per year for online scams (many of which involve some form of identity-related crime), and costs to businesses of 1 billion [pounds sterling] ($1.6 billion) from loss or theft of customer data. (52) A March 2011 report by the United Kingdom National Fraud Authority specifically estimated the "true cost" of identity fraud (i.e., including the costs of responding to and dealing with identity fraud) at 2.7 billion [pounds sterling] ($4.3 billion). (53) The ACI survey found that 33% of United Kingdom consumers, 27% of Italian consumers, and 11% of Dutch consumers had been victims of payment-card fraud in the past five years. (54)

In France, a 2009 survey by a private-sector research entity, Credoc, found that 210,000 French adults were victims of identity theft each year, at a cost of nearly 4 billion [euro] ($6.3 billion) per year to individuals, public entities, and insurers. (55) In Spain, a study by Eurostat, the European statistics agency, found that 7% of Spanish residents (the highest of any European Union member nation) had experienced online identity theft in the preceding 12 months, and 33% of Spanish Internet users had experienced a computer infection involving a virus or spyware. (56)

iii. Other Regions

Comprehensive data on identity-related crime are scarcer for other regions of the world. In the Asia-Pacific region, the most extensive data pertain to Australia. In 2011, the Australasian Consumer Fraud Task Force found that online fraud was costing Australians at least AU $1 billion ($1 billion) per year. (57) A 2009 survey by a private research firm found that 4.4 million Australians had been affected by identity theft, compared to 3.8 million Australians in the preceding year. (58) Previously, a 2007 survey by the Australian Bureau of Statistics (ABS) found that 806,000 Australians had been victims of various forms of personal fraud in the preceding 12 months, with reported total losses of AU $977 million ($631 million). Among those 806,000 victims, 499,500 were victims of identity fraud, which the ABS defined to include both bank and credit card fraud and identity theft. (59)

Elsewhere in the Asia-Pacific region, the ACT survey found that 44% of Chinese customers--the highest percentage of countries in the survey--reported being victims of payment-card fraud in 2010. (60) Anecdotal data indicate that certain forms of identity-related crime clearly affect jurisdictions such as Taiwan (61) and Hong Kong. (62)

In South America, the most extensive data pertain to Brazil. The ACI survey found that 30% of Brazilian consumers reported being victims of payment-card fraud in 2010. (63) Previously, the Brazilian Federal Judicial Police stated that in 70% of frauds against financial institutions and commercial establishments, the offender used a false identity card. (64)

In the Middle East, the Internet security company Norton warned Middle Eastern social media that social media identity theft is one of the top five cyber-threats facing Middle Eastern consumers in 2011. (65) The ACI survey found that 28% of Dubai residents reported being victims of payment-card fraud in 2010--an increase of 75% from 2009. (66) For other countries in the region, such as Saudi Arabia, anecdotal data reflect some incidence of identity-related crime. (67)

In Africa, the head of the South African Fraud Prevention Service estimated in 2008 that identity theft was costing South Africa R1 billion ($130.2 million) a year, but acknowledged that more precise data were unavailable. (68) There are no comparable estimates for other African nations, but there is substantial, if fragmentary, anecdotal evidence of identity-related crime affecting several African countries. (69)

C. Methods and Techniques of Identity-Related Crime

…