Identity theft: Is it a modern crime?

Identity theft

The identity theft prevention in Post Internet Era

Today in the 21st century when the globe is a virtual village and things can be found at a click of a button, the information storage capacity of computers have increased tremendously. Today looking at our phones and googling new information in a jiffy, who can remember that the first computer that was built was the size of a room. With the tremendous growth and evolution of technology, human interactions have significantly increased. With all the positives, there also arises a myriad offenses or illegal practices which are termed as cybercrimes. One such cybercrime is Identity theft. It usually takes place when an individual fraudulently obtains another individuals personal and private information and uses it for gaining a pecuniary interest. It is often termed as data theft wherein private information such as social security number, bank account details are stolen to either gain money or commit any other crimes. According to many research scholars, this is one the fastest growing crimes across the globe having victims across countries, regions, gender and ethnicity.

Data is constantly being stored on various platforms of the internet. If a person files an online tax statement, buys books on shopping websites, orders food online, constantly one is using data which is being stored on an online network. This network when hacked or leaked can have severe consequences and can often cause irreparable loss to the people. A recent study conducted titled India Risk Survey, 2017 a report was launched which claimed that 17% of the population have been scammed or have faced the crime of identity theft at one point in their lives. In 2018, India had ranked among the top 10 countries which is most susceptible to online crimes. With the LTE revolution in 2016, there are almost 354 million internet users, and a significant portion is at a significant risk of online fraudsters. Though there are so many internet users, the law regarding the cybercrimes and identity theft is pretty murky thus resulting in a very low of convictions.

Concept of Identity

Identity is the essence of an individual. It is the peculiar characteristics which distinguish one from other individuals. In the domain of computers, a uniquely distinct character of numbers and digits is what constitutes an identity. In technology, no two individuals can have same identity. It is like a fingerprint, each has its own. Legally, identity is the legal recognition of an individual in government documents and records such as Voter id, Aadhar card, Ration card etc. It usually has the individual’s name, address, date of birth, marital status and occupation. These are the most general information which almost all government IDs have. With the introduction of Information Technology (Amendment) Act, 2008[i], it also includes the concept of electronic signatures and password in the gamut of identity. These information are quite important and critical and thus safekeeping is the prime goal of each individual. In a case of identity theft, the offender often commits the crime in name of someone else or such information to gain money.

Identity Theft

Identity theft is a type of cybercrime which involves stealing of an individual’s identity and information to commit a crime or receive a benefit or access resources in the name of the victim. Usually, the individual obtains the information using fraudulent methods online however, this crime does not have its roots in the digital age.

 Even prior to the digital bubble in which one lives to today, identity theft was a common practice among habitual offenders who are fleeing the law or war victims who want a fresh start. Earlier the individual could steal the wallets, go through dumpsters or steal letters from the mail or steal credit cards. These methods are quite old school yet still practiced very much. However, with the growth of internet and individual’s innate dependence on the same, this has reached new scales. Today wherein data is stored online, a computer hacker can remotely steal ones data without even moving from his desk. Further, identity theft occurs when offenders misrepresent themselves as bank clerks, customer care representatives, agents of credit card companies and take advantage of innocent and gullible people. Today with email and various social media platforms, fake ids is quite common. Genuine people also make various fake ids to get freebies from different websites, stores and gain discounts. It has become such a common practice as there is no physical verification needed for creating an email id. Thus, it increases the scope of commission of cybercrimes.  It is so prevalent that people don’t even realise that it is punishable under the Indian Penal Code as in under Section 464 and 465. Action under this section is not taken unless a crime has been committed by such ids and it has been reported. (Under 464 and 465, making of a false electronic document has been made punishable.) Thus, there are very slim chances of actually finding out the real perpetrators.

The most common way in which the crime of identity theft is perpetuated is by

The procurement of the personal information of the individual. This is usually done in a deceitful and fraudulent manner

The procurement of information of the individual can be done in a number of way. This can be done by the perpetrator himself or through a third party such as buying of data from a computer hacker. Buying of data through the internet is a reality of the dark web. There have been several instances in the past years where bundles of personal data such as credit and debit card information, voter id cards, aadhar cards have been put up for sale. Apart from these, an offender can also gain private information from electronic devices through various means such as;

  • Hacking: It is a technique which allows hackers to transfer information from one computer to another using malwares such as viruses and programmes. It is usually done through infected messages, links or downloading any software which has the power to override the firewall protection in the computers. Thus, viruses copy ones credit card information, passwords, bank account statements and the hacker decrypts it and uses it to commit crime.
  • Phishing: It is similar to hacking whereby the fraudster sends the individual an email or a message from a bank or service which is extremely popular. In the email, there is a link which is deceptively similar to the original website and asks the user to enter bank account details and other personal information. Innocently, the person may fill in the details and can be a victim of cybercrime. Phishing often takes place through telephone as well, wherein fraudsters would misrepresent themselves as bank clerks or customer care officers and in the nativity, people often get scammed.
  • Nigerian Prince Scam: This is one of the most common scam emails which were quite common in the early 2000s. In this, the offender, pretending to be the prince of some region or an heiress of an African millionaire would send emails out. In the emails, he would request the individual to use their bank accounts to transfer some money as he doesn’t have one in that country and the receiver would receive a generous sum of money as reward. On this pretext, he would gain their trust, their bank account details and empty their bank accounts.
  • Lottery Winner Scam: Another common method of online fraud is by sending an email or message that claims that the individual has been selected among tens of thousands a lucky lottery winner. In this pretext, they would gain bank account details or ask for some money to transfer the amount and swindle the entire money.
  • Skimming: This method is commonly used to clone ATM cards and credit cards. It is installed in digital payment outlets and when an individual uses it to pay, it clones the card and pin number. Often, the devices have magnetic card reader and a pinhole camera which records the movement of the individual while he enters his password or pin. Later on, the fraudster, uses it to empty the bank account of the victims.

There are several other forms of cybercrimes which result in individual’s data being stolen or misused. These can be clickbait, or advertisements clicks or transactions on scrupulous websites which do not have secured gateways for transactions.

Using of such information with the intent to cause either pecuniary or any other kind of legal harm to the said individual

The information received by the offender can be used for a variety of purposes. It can be used for economic enrichment. It can used to secure loans, buy expensive items, gain governmental benefits etc. The offender can also create a new identity using the stolen identity. This is called as breeder identification. Changing ones identity is a common practice among seasoned crooks and gangsters. They change their identity to escape justice and in doing so can commit more crimes such as cheating, forgery, impersonation etc. Stolen identities can also be used to commit crimes of their own. It can used for purchasing illegal and illicit substances, participate in fraudulent activities such as large scale transactions etc.

Identity Theft and Law

As it has been established that identity theft is a crime and a menace in itself. Any individual who is uses internet is highly susceptible. Identity theft is not treated as a standalone crime in India and therefore, there is no one singular statute which deals with it in detail. In fact it has been dealt within the Indian Penal Code and the Information Technology (Amendment) Act, 2008.

Identity Theft under the Indian Penal Code

Identity theft can be described in layman’s term as theft of an individual’s identity, its personal and private information. Despite it being so delicate, it has not been incorporated in the provisions of theft under Section 378 of Indian Penal Code. However, with the promulgation of the Information Technology Act, 2000, certain amendments have been brought into the Indian Penal code which allows the inclusion of electronic records as documents. Thus, in the context of offences of forgery and fraud, tampering with electronic records is also punishable. In addition, the code also makes any person liable who has forged a website to trap and lure victims to reveal their confidential information. The Expert Committee instituted by the parliament had recommended certain amendments to the IT Act, 2000 and the IPC. It recommended that there should be a section called Section 417-A which punishes any individual who has cheated a person using data and personal information of other person. Further any form of cheating through a computer network is punishable with an imprisonment up to five years.

Identity Theft under the Information Technology Act

The IT Act, 2000 is the foremost law in India governing cybercrimes. Although, its goal was primarily to recognize e- commerce in India thus, it did not outline cybercrimes per se. Prior to the amendment in 2008, under Section 43 of the Act, a liability of civil nature can be imposed on any individual who has accessed someone else’s computer without authorisation or abetted the same. Thus, a compensation of maximum of one Crore could be given for illegal access to a computer system. Under Section 66, cybercrime could only come into play when there was any alteration, deletion or reduction in computer output. The concept of identity theft had no remedy and if any individual used the computer for any illegal purpose without the knowledge of the owner there was no consequence.

When the Act was amended in 2008, the concept and term identity theft was introduced. Herein under Section 66, a criminal liability has been imposed for Act when individual has accessed someone else’s computer without authorisation or abetted the same. The new act also delineates through 66 B, C, D punishment for identity theft, computer trespassing and punishment for cheating by impersonation using computer. In addition, stringent laws have been developed for the protection of   “sensitive personal data” which are stored by financial intermediaries and service providers. As privacy has been recognised as a fundamental right, data protection is also within it ambit.  The central government in pursuance of this has put forward the draft bill for Data Protection, 2020 in the parliament.  In addition, under Section 69, the central government or the state government can use data for the purpose of monitoring and surveillance. Thus, depending upon how this crime is committed, the above-mentioned laws can be utilised.

Lacuna in the Law

Though the Act of 2000 has undergone a considerable amount of change through the 2008 amendment, and helped ensuring protection of personal and private data from being misused, it is still not as comprehensive as one would desire. There are still certain pitfalls and certain provisions in the law which need to encompass the growing ambit of identity theft and thus require immediate changes. Under the newly inserted provision which protects “unique identification feature” of an individual in digital space under Section 66 C has not been defined in the Act. The Act fails to provide the meaning of what would constitute an identification feature which is the very essence of identity theft. Though the Information Technology Rules, 2011 has provided a definition of “sensitive personal information”, and that intermediaries should protect it. Both these terms may seem same, however are very different from one another and cannot be assigned the same meaning. Thus, it is up to the judiciary to determine via the rules of interpretation what exactly, it means.

Another pitfall of the Act, is its lack of extra-territorial jurisdiction. Unlike the Indian Penal Code, which has provided for an extra territorial jurisdiction under Section 4, the IT Act, is only applicable in India. Thus, only when an identity theft has been committed by a computer resource in India, can the act be made applicable. This makes it very difficult for the authorities to apprehend the offenders who are illegal using data by sitting in some country. Additionally, the compensation provided under the Act is very meagre. The compensation scheme has been provided under section 43 of the Act. The upper limit to the compensation provided to an individual is 1 Crore and to a corporation or a body corporate is 5 crore. But this is not adequate. Mere physical trauma is not what this crime entails. It destroys the attitude of the individual, his faith in society is shattered and he views everyone with an eye of suspicion.  The punishment for the offence is also pretty meagre. The purpose of any punishment is deterrence of the crime.

Under the IT act, identity theft is a bailable and a compoundable offence. This implies that an individual can secure bail even at the police station and the parties can reach to a compromise as well.  This is not at all a stringent punishment. Even under Section 66-C, there is a mere three year imprisonment sentence and that too is made compoundable under Section 77-A. This shows the attitude of the law framers as such an inadequate punishment will have no deterrence effect on the offenders and he can further be scot free. The conviction rate is very poor in India. This further acerbates the growth of cybercrimes at such a rapid rate.

According to a report, there have 5000 complaints every year, out of which 2000 are arrested and merely 12 are convicted. The entire legal system is grappling with this problem as the complaints are increasing but there are not enough officers to deal with it. This again results in poor cybercrime prevention. Thus, the need of the hour is to make adequate provisions in the light of recent developments and deploy more resources in the form of man power and funds to confront cybercriminals.

Conclusion

Identity Theft affects hundreds of people every year around the world. Swindlers and cybercriminals steal identities of in a variety of ways. Some commit identity theft by stealing physical information. They can do so by dumpster diving, taking discarded computers, printers or phones that have not had their hard drives wiped. Many a time, they take the help of social engineering, wherein they manipulate the victims to give up information. A common form of this is phishing, whereas fraudster impersonates a trusted individual or entity and asks the victim for sensitive information. Identities can also be stolen through high tech means such as malware and data breaches where hackers target large organisations and steal information of multitudes of customers and employees. Information stolen through illegal means is often sold on illegal markets. With many different avenues to grab the information, today, protection measures need to be taken at an individual and state level to ensure protection and privacy of the masses.

Frequently Asked Questions

What do you mean by Identity?

Identity is the essence of an individual. It is the peculiar characteristics which distinguish one from other individuals. In the domain of computers, a uniquely distinct character of numbers and digits is what constitutes an identity. In technology, no two individuals can have same identity. It is like a fingerprint, each has its own. Legally, identity is the legal recognition of an individual in government documents and records such as Voter id, Aadhar card, Ration card etc.

What do you mean by identity theft?

Identity theft is a type of cybercrime which involves stealing of an individual’s identity and information to commit a crime or receive a benefit or access resources in the name of the victim. It is the procurement of the personal information of the individual. This is usually done in a deceitful and fraudulent manner and using of such information with the intent to cause either pecuniary or any other kind of legal harm to the said individual.

How is identity theft committed?

The crime of Identity theft can be committed in a number of ways. Some commit identity theft by stealing physical information. They can do so by dumpster diving, taking discarded computers, printers or phones that have not had their hard drives wiped. Many a time, they take the help of social engineering, wherein they manipulate the victims to give up information. A common form of this is phishing, whereas fraudster impersonates a trusted individual or entity and asks the victim for sensitive information. Identities can also be stolen through high tech means such as malware and data breaches where hackers target large organisations and steal information of multitudes of customers and employees. Information stolen through illegal means is often sold on illegal markets.

What are legal remedies available to a victim of identity theft?

Identity theft is not treated as a standalone crime in India and therefore, there is no one singular statute which deals with it in detail. In fact it has been dealt within the Indian Penal Code and the Information Technology (Amendment) Act, 2008.

Edited by Shikhar Shrivastava

Approved & Published – Sakshi Raje  

Reference

[i]Section 66 C of Information Technology (Amendment) Act, 2008

Ruchika Jha
My Name is Ruchika Jha and I am from Jaipur, Rajasthan. I have completed my schooling from Delhi Public School R.K.Puram and currently in my penultimate year of law school at Hidayatullah National Law University. I am interested in Banking and Structured Finance. I enjoy cooking, traveling, writing and research. I strive to better myself every day and work in a dynamic, challenging, work-oriented environment to accomplish my desire to seek more knowledge.