Identity Theft

What is ‘Identity Theft’

‘Identity theft’ refers to the fraudulent practice of using another person's personal information—such as their name, electronic signature, password, or unique identification details—without their permission. It is commonly committed to gain financial benefits, commit fraud, or impersonate the victim.^[1]

Official Definition of ‘Identity Theft’

The term ‘identity theft’ finds mention in multiple places. It has largely been defined similarly over time, and across different sources.

‘Identity Theft’ as defined in Legislation

The Bharatiya Nyaya Sanhita, 2023 (BNS) does not describe ‘identity theft’ per se. Instead, §§ 319 and 336 describe ‘cheating by personation’ and ‘forgery’, respectively. ‘Cheating by personation’ is defined as cheating by pretending to be another person. ‘Forgery’ is defined as creating a false document in order to commit fraud, or to support any claim or title. These sections carry varying degrees of punishment based on intent and the nature of harm caused. The descriptions offered in these sections help us get a general understanding of the concept of identity theft, even though they do not mention the term explicitly.

The Information Technology Act, 2000 defines identity theft in § 66C as the fraudulent or dishonest use of another person's electronic signature, password, or any unique identification feature. The offense is punishable with imprisonment of up to three years and a fine of up to one lakh rupees. Further, § 72 addresses the protection of personal data and addresses the problem of data security.

‘Identity Theft’ as defined in case law(s)

Case laws throughout India define ‘identity theft’ based primarily using the definition provided within Section 66C of the IT Act, 2002. The landmark case of K.S. Puttaswamy^[2] cites Section 66C multiple times in order to define identity theft. Various high court cases also define this concept by relying on Section 66C alone.^[3]

‘Identity Theft’ as defined in other official document(s)

The Organisation for Economic Co-operation and Development (2011) defines ‘identity theft’ as when a party without authority “acquires, transfers, possesses, or uses personal information” in connection with fraud or other crimes.

Digital Portal

The National Cybercrime Reporting Portal (NCRP) allows reporting of all types of Cybercrime.

NCRP Features

• All types of Cybercrime incidents can be reported from anywhere.
• Special focus on content reporting of online Child Sex Abuse Material/Rape-Gang Rape incidents.
• National/State/District-Level monitoring dashboards.
• Online status tracking facility for the complainant.
• Cyber Volunteers registered as Cyber Awareness Promoters.
• An automated Chatbot having predefined features created and named Vani- CyberDost Chatbot has been deployed on NCRP.
• A new Module “Citizen Financial Cyber Fraud Reporting and Management System” has been developed, connecting 85 Banks/Payment Intermediaries and Wallets etc. with the Cybercrime Backend Portal. This helps citizens to report cyber financial frauds on National Helpline number 1930.
• 1930 National Helpline number is running in all States/UTs.

• Citizen Financial Cyber Fraud Reporting and Management System [CFCFRMS]To deal with the complex subject of financial frauds, it is imperative to create a common integrated platform where all concerned stakeholders i.e., Law Enforcement Agencies (LEAs), banks, RBI, financial intermediaries, payment wallets, NPCI, etc., work in tandem; to esure that quick decisive and system-based effective action is taken to prevent flow of money siphoned off from innocent citizens to the fraudsters. Citizen Financial Cyber Frauds Reporting and Management System has been developed for quick reporting of financial cyber frauds and monetary losses suffered due to use of digital banking/credit/debit cards, payment intermediaries, UPI etc. Complaints can be reported through helpline number 1930 or on National Cybercrime Reporting Portal.

International Experience

United States of America

In the United States, 18 U.S.C. § 1028A(a)(1) seeks to define ‘aggravated identity theft’. This section applies when a defendant, “during and in relation to any [predicate offense], knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person.”^[4] However, in the case of David Fox Dubin v. United States, this section was used to prosecute the defendant when he used another person’s identity to overcharge the Medicaid billing process. The court disagreed with the above argument, and stated that, ”The text and context of the statute do not support such a boundless interpretation. Instead, §1028A(a)(1) is violated when the defendant's misuse of another person's means of identification is at the crux of what makes the underlying offense criminal, rather than merely an ancillary feature of a billing method.”^[5]

Thus, as we can see, the definition of ‘aggravated identity theft’ as used in the U.S. Code is overbroad. To combat this, the U.S. Supreme Court propounded the ‘crux’ test: a test which checks whether identity theft was at the crux of the crime committed, or whether it was simply ancillary to the predicate crime.^[6]

The U.S. Supreme Court has also commented that § 1028A(a)(1) “simply does too little to specify which individuals deserve the inglorious title of ‘aggravated identity theft’.”^[7] Thus, we can see that the problem of an exact definition for the crime of ‘identity theft’ plagues the United States.

United Kingdom

The U.K. Metropolitan Police defines ‘identity theft’ as “the use of a person’s stolen details to commit crime.” As we can see, this definition is broader than the one used in Section 66C of the IT Act, 2002, since this definition covers the usage of a person’s information outside of their digital footprint as well. However, this definition can also be quite vague, and a more comprehensive definition is certainly necessary.

Learnings and Best Practices

From an analysis of the above two jurisdictions, we can see that it can be difficult to pinpoint an exact definition for ‘identity theft’. We need a definition which is not too broad, but at the same time we also need a definition which is not too vague. This can be difficult to achieve with an emerging concept such as identity theft. Judicial decisions can certainly help with this, but a concept as dynamic as identity theft is extremely difficult to pinpoint.

Official Database

Crime in India Report

The National Crime Records Bureau (NCRB) compiles and publishes the statistical data on crimes in its publication 'Crime in India’. The latest published report is for the year 2022. The report defines it in the same manner as outlined in the IT Act, without any modifications. Interestingly, identity theft ranked as the third most common type of pending case.

Table 9A.2, Volume II Crime in India Report (2022)

TABLE 9A.4 Police Disposal of Cyber Crime Cases (Crime Head-wise) - 2022 Volume II Crime in India Report (2022)

National Cyber Crime Reporting Portal

States/UTs are primarily responsible for the prevention, detection, investigation and prosecution of cyber crimes through their Law Enforcement Agencies. The Central Government supplements the initiatives of the State  Governments through advisories and schemes for the capacity building of their Law Enforcement Agencies. To strengthen the mechanism to deal with cyber crimes in a comprehensive and coordinated manner, the Central Government, through the Ministry of Home Affairs has set up the Indian Cyber Crime Coordination Centre (I4C) to deal with all types of cyber crime in the country.

It also publishes Cyber Digest that is part of the I4C's efforts to raise awareness about cybercrime. The Cyber Digest is a periodic document that informs citizens and employees about how cyber fraud operates.

Research that engages with 'Identity Theft'

Internet Freedom Foundation has a report called ‘Big Tech releases its transparency reports in compliance with the IT Rules: Here’s what we found’ which sheds light on Google, Facebook, Instagram, WhatsApp and Twitter’s transparency reports in compliance with Rule 4(1)(d) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (‘the 2021 IT Rules’).^[8] The reports highlight some interesting facts and figures. For example, WhatsApp banned over 2 million Indian user accounts in one month, and 98.4% of Google’s nearly 60,000 removal actions related to copyright claims.

A gap that was noticed in these reports submitted by the Social Media companies was that while there was strict compliance with the 2021 IT Rules, which only require a numerical disclosure of the number of user complaints received and the action taken thereon, there were no details of the complaints, no breakups relating to the categories of complaints received and action taken, and no disclosures regarding the source of these complaints. Most importantly, the 2021 IT Rules do not require a disclosure of how many content removals were ordered by the Government. However, in order to truly advance transparency in the digital life of Indians, it is absolutely crucial that Big Tech discloses Government censorship action on their platforms.

This is relevant since identity theft often stems from misuse or exposure of personal information. Transparency about the nature of user complaints could help shed light on whether any of these complaints relate to identity theft incidents or other privacy breaches. If government censorship actions involve requests for user data, there is a potential overlap with concerns about privacy and the risk of identity theft through unauthorized access or use of such data.

Challenges and Way Ahead

Challenges

Identity theft is among the fastest-growing crimes in India, as seen in the NCRB Report 2022 as well. There exist many knowledge gaps about how often it happens, how it occurs, who commits it, and who is victimized. These gaps hinder efforts to both prevent and respond effectively to the crime. Different states have varying definitions and laws regarding identity theft, leading to confusion and inconsistency. For example, there are varied definitions and provisions with regards to Photo Identity Cards in each state which makes data analysis difficult. Most importantly, a significant lack of reliable data and research limits understanding and hampers efforts to tackle the issue effectively.^[9]

Way Ahead

Artificial Intelligence can play a crucial role in identifying fraudulent activities and irregularities in data usage. They provide timely alerts and proactive measures to prevent identity theft and may work to provide more sophisticated and secure methods of identity verification.

With regards to policy changes, the government needs to produce more regulation relating to the protection of personal data which may lead to more uniform and efficient collection of data. A standard form for cyber security at national and international level should be appointed. Cybercriminals frequently operate across national borders, which makes international collaboration crucial. This involves sharing intelligence, resources, and best practices to effectively combat identity theft. Joint initiatives between governments and private sectors can foster the development of innovative solutions and bolster defences against identity theft.