What is identity theft?

12.3 While there is widespread concern about identity theft and its impact on privacy, there is little consensus about the definition of the term ‘identity theft’. Commentators, legislators and policy makers tend to use the terms ‘identity crime’, ‘identity fraud’ and ‘identity theft’ in differing ways and, at times, interchangeably.

12.4 In this Report, ‘identity crime’ is used broadly to describe any offence committed using a fabricated, manipulated or stolen identity.[3] ‘Identity fraud’ is used to describe a type of identity crime—namely, the gaining of a benefit (or the avoidance of an obligation) through the use of a fabricated, manipulated or stolen identity. ‘Identity theft’ is used to describe the illicit assumption of a pre-existing identity of a living or deceased person, or of an artificial legal entity such as a corporation.[4]

12.5 Identity theft can be committed for a number of reasons. For example, as noted above, the assumption of another person’s identity can facilitate the commission of identity crimes, including identity fraud, people smuggling and terrorism offences.[5] It can also enable a person to avoid detection in order to avoid meeting obligations, such as making child support payments. Alternatively, identity theft may be committed simply to distress or intimidate the person to whom the illicitly acquired identity information relates.[6]

12.6 There are many ways in which identifying information about another person can be acquired surreptitiously, including through the theft of a person’s mail, wallet, purse or handbag, or through the retrieval of documents from a person’s rubbish. The identifying information of another person can also be acquired through more sophisticated means, such as skimming the person’s credit card or hacking into an electronic database containing identifying information about the person.[7] Social engineering and ‘phishing’ are other methods used to acquire information in the online environment. Phishing typically occurs when an email purporting to be from a trusted entity directs a recipient to a website that closely resembles the website of that entity. The ‘phisher’ can then acquire any information the person enters on the ‘fake’ website, such as the person’s name or online banking password.[8] Social engineering practices, such as pretexting, rely on a person providing information to another person, whether face-to-face or over the telephone or internet.[9] In addition, details posted by a person on a social networking site or online profile can be sufficient to enable the theft of that person’s identity by another person accessing that profile.[10]

12.7 Identity theft can be a traumatic experience for the person whose identifying information is stolen. Victims of identity theft may suffer direct financial loss as a result of the theft. In addition, they may incur costs when attempting to prevent the continued use of their identifying information. Further, victims of identity theft are often required to expend large amounts of time and effort countering the adverse effects of the theft. For example, they may be required to restore their credit rating, or correct errors in their criminal history.[11]

[3] Australasian Centre for Policing Research and Australian Transaction Reports and Analysis Centre Proof of Identity Steering Committee, Standardisation of Definitions of Identity Crime Terms: A Step Towards Consistency (2006), 15.

[4] Ibid, 15.

[5] Australasian Centre for Policing Research, Australasian Identity Crime Policing Strategy 2006–2008 of the Australasian and South West Pacific Region Police Commissioners’ Conference (2005), 1.

[6] Model Criminal Code Officers Committee of the Standing Committee of Attorneys-General, Discussion Paper, Model Criminal Code Chapter 3, Credit Card Skimming Offences (2004), 31.

[7] N Dixon, Identity Fraud: Research Brief No 2005/03 (2005) Parliament of Queensland—Parliamentary Library, 5–6.

[8] Model Criminal Law Officers’ Committee of the Standing Committee of Attorneys-General, Discussion Paper—Identity Crime (2007), 5.

[9] United States Computer Emergency Readiness Team (US-CERT), National Cyber Alert System—Avoiding Social Engineering and Phishing Attacks (2004) <www.us-cert.gov/cas/tips/ST04-014.html> at 24 April 2008.

[10] Model Criminal Law Officers’ Committee of the Standing Committee of Attorneys-General, Final Report—Identity Crime (2008), 6.

[11] See J Blindell, Review of the Legal Status and Rights of Victims of Identity Theft in Australasia (2006) Australasian Centre for Policing Research, 5.