WRITER: Clare Sullivan
ILLUSTRATION: Callum Starr
In the movie, The Net, Angela Bennett (played by the actress Sandra Bullock) has her purse and passport stolen while on vacation in Mexico. She goes to the American Consulate to apply for a temporary visa in order to return to the United States. In the Consulate office she is approached by an officer holding an application form:
Officer: Ruth Marx? Ruth Marx? Excuse me, are you Ruth Marx?
Officer: You are not the woman who was here about a temporary visa?
Angela: No, I am here about a temporary visa but…
Officer: Is your social security number 915301717?
Officer: Do you live at 407 Finley Avenue, Venice, California?
Officer: Well then, according to the California Department of Motor Vehicles you are Ruth Marx.
The Net, Columbia Pictures Industries Inc. (1995)
When The Net was released in 1995 it was science fiction. Now it is reality. Extreme identity theft, where a person builds an entire life using another person’s digital identity, is the latest evolution of identity crime, and it’s becoming an international challenge.
Extreme identity theft is now the fastest growing white-collar crime in the United States of America. Identity theft is the most frequent complaint to the regulator, the Federal Trade Commission, and the nature of the crime is changing. Identity theft complaints involving more than one type of identity theft increased by 13% in 2011 compared with 12% in 2010. In 2012, Americans reported more than 11 million instances of identity theft.
Statistics do not capture the insidious nature of this crime, its impact on victims or just how easy it is to steal another person’s identity. This year, a woman living in Texas, Candida Guitierrez, discovered she had been the victim of extreme identity theft. Her identity had been used by a woman in Kansas to build a new life, and the fraudster had used it to buy a house in Topeka, to get a new job, and, allegedly, to receive medical care for the birth of her two children. Had Guitierrez not applied for a mortgage, and been refused because of bad debts, this decade-long deception may never have been uncovered. In fact, Guitierrez’s imposter successfully deceived the United States government and a number of private businesses before the fraud was discovered. In a disturbing move, the identity thief initially denied her crimes and, instead, asserted that her identity had been fraudulently used by Candida Guitierrez! Such brazen deception highlights the sinister nature of this new type of identity theft.
Today, extreme identity theft is made more likely by the fact that many organisations now require digital identity for transactions. Already, many of us have online PINs, passwords, logins or usernames; often linked to emails, bank accounts or social networking sites. Soon, a digital identity will be required for most, if not all, dealings with government and private enterprise. And this is a development that is occurring throughout the world.
Your digital identity comprises name, gender, date of birth and, most commonly, a signature.
Digital identity in this context is a defined and limited set of information which determines an individual’s identity for transactional purposes. Typically, it comprises name, gender, date of birth and a piece of ‘identifying information’ which is most commonly a signature or a Personal Identification Number (PIN), but it can include biometrics such as fingerprints, a face scan or iris scans. Platforms like Facebook and LinkedIn openly provide access to at least three out of the four pieces of information that make up a digital identity, thereby increasing the opportunity for identity fraud.
Digital identity is verified for transactional purposes when all the required transaction information presented matches the information on record. This matching is not with a human being; it is simply verified by identical information—regardless of whether the identity information is presented in person or remotely. If all the information presented matches, the system will automatically authorise dealings with that identity.
An individual is connected to a digital identity through their identifying information, but the connection is tenuous and potentially unreliable as none of the identifying information currently used is infallible.
Reliability depends on the type of identifying information used, the circumstances in which it is originally collected and recorded, how it is stored and transmitted, and, most importantly, the process used for comparing the information on record with the information presented for a transaction. Photo and signature comparison, which are most commonly used for identification purposes, are unreliable when the individual is not known to the person making the comparison. And, even in more sophisticated schemes, like biometrics, this remains the case. All such systems have error rates. These include false positives as well as false negatives. Moreover, in a large population even a seemingly low error rate, such as that cited for some biometrics for example, can result in a large number of mistakes.
To put this in perspective, consider, for example, a relatively low 2% error rate for a population of 300 million which is approximately the population of the United States. That rate results in 6 million people being affected. Even in Australia, which has a much lower population, that error rate would lead to 420, 000 incidents of incorrect identification. But of course, any error rate is unacceptable if it results in an individual being unable to use his or her digital identity to transact and/or leads to accountability for transactions made by another person.
A transacting public or private sector entity will look to the person linked to that identity through that identifying information. This is because the identifying information links the digital identity to that individual. This feature is much more than just an unfortunate consequence of system design and operation. In effect, it amounts to a presumption that an innocent individual has to rebut. The challenge faced by the individual in proving his or her digital identity has two aspects. Difficulty can arise in relation to the individual not only establishing “I am who I say I am,” but also in establishing “I am not who the record says I am.”
Reduce the risk of identity theft
- Your personal information is useful and valuable. Look after it.
- Be careful about the information you disclose, especially on social media.
- A small collection of information constitutes your digital identity. Although much of this is publically available, avoid grouping it together whenever possible. Don’t make it easy for your identity to be stolen.
- The move to impersonal dealings, often without any history of personal acquaintance, makes identity theft easier. Try to cultivate some key personal relationships, such as with your bank, so there is someone in authority who knows you. This may help to prevent becoming a victim and it will help restore your identity if you need to prove who you are.
Consequently, the nature and functions of digital identity mean that an individual who is a victim of identity theft, or system error, can face considerable difficulty in establishing his or her innocence. Considering transactions can be conducted from anywhere in the world, 24 hours a day, it is extremely challenging for an individual to establish that he or she did not enter into a specific transaction. From the merchant’s perspective, the transaction occurred legally. But if the transaction occurred through the fraudulent use of a digital identity, where does the real owner of that identity stand? The reality is that the transaction will, as a matter of practicality, if not law, look to the person linked to that identity through the identifying information. The difficulty for an individual is compounded by the fact that, like Guitierrez, the victim may not even become aware of the transaction until much later, such as when overdue notices arrive.
Despite these failings, the South Australian Law Reform Institute in its Final Report on Modernisation of South Australian Evidence Law to Deal with New Technologies, October 2012, recommends that the Evidence Act 1929 (SA) be amended so that computer records are presumed to be accurate and can be admitted into evidence on that basis. At present, section 59 B requires the Court to be satisfied that there is no malfunction before computer records can be admitted into evidence.
The recommendation of the South Australian Law Reform Institute aims to facilitate admission of computer evidence and this brings the South Australian legislation into line with the approach that applies in most Australian states and territories and at federal level. However, this recommendation effectively shifts the burden of proof at the outset to an individual like Guitierrez, who already faces a difficult task in establishing fraud or system error. The recommendation can result in serious consequences for an innocent individual and considerable injustice.
Dr Clare Sullivan is a Lecturer with the School of Law, located in the UniSA Business School. A cyber-law lawyer, her research focuses on the legal implications of the use of digital identity for commercial transactions.
> For more information, visit the School of Law