Privacy Law and Policy Reporter
South Australian laws target identity theft
Jeremy Douglas-Stewart PRIVACY LAW CONSULTING AUSTRALIA
In a first for Australia, the SA Government has recently passed laws specifically targeting one of the major problems of the virtual commerce era, identity theft. Identity theft generally involves an offender using a victim’s personal information, such as their name, address, bank account number and credit card details, to assume a false identity in order to obtain an advantage, such as to acquire goods or services or to gain entry into a country. A report recently commissioned by Australia’s financial intelligence agency, AUSTRAC, and the financial sector indicates that identity fraud cost the Australian community $1.1 billion in 2001-2002. In addition to these financial costs, identity theft poses a significant threat to individuals’ privacy. While the new laws are aimed primarily at preventing the financial costs involved with identity theft, they will also indirectly provide increased levels of privacy protection for individuals.
The new offences are established by the Criminal Law Consolidation (Identity Theft) Amendment Act 2003 (SA) which amends the Criminal Law Consolidation Act 1935 (SA). The amending Act was assented to on 11 December 2003 and will commence upon proclamation, which is expected to be in early 2004.
The amendments make it an offence to:
• assume a false identity (of a person who is living or deceased, real or fictional, natural or corporate) and to intend to commit, or help commit, a serious criminal offence;
• falsely pretend to have particular qualifications, or to be entitled to act in a particular capacity, and to intend to commit, or help commit, a serious criminal offence;
• use another person’s personal identification information with the intention of committing, or helping to commit, a serious criminal offence;
• produce or possess material that would enable someone to assume a false identity or to exercise a false right of ownership to a financial or non-financial benefit, with the intention of using it, or enabling another person to use it, for a criminal purpose;
• sell or give material that would enable someone to assume a false identity, or to represent a false right of ownership to a financial or non-financial benefit, knowing that it is likely to be used for a criminal purpose; and
• possess equipment for making material that would enable someone to assume a false identity, or to exercise a false right of ownership to a financial or non-financial benefit, intending to use it to commit one of the above offences.
The offences target preparatory conduct by virtue of the fact that they require an ‘intention’ to commit an offence. As such, the new laws criminalise behaviour that may occur before the commission of an offence and, in doing so, generally avoid overlapping with existing offences. For example, if a cashier is caught in possession of a credit card skimming device which transfers details from customer credit cards to blank credit cards, the cashier will generally not yet have committed an existing offence, such as fraud. The cashier would, however, be caught by the identity theft provisions where it could be shown that they intended to use the blank credit cards to commit a serious criminal offence.
Increased protection of privacy
While identity theft often has clear financial consequences for victims, it also interferes to a significant extent with their privacy. This is because victims feel that they no longer have control over their own actions, as persons with whom an offender deals will believe that the offender’s actions are those of the victim. Interferences with privacy may, for example, result from:
• having personal details held by account providers, such as addresses and marital status, changed;
• the disclosure or sale of personal information to others;
• the recording of bad cheques or unpaid accounts on credit reports;
• having accounts established with organisations with which a victim would not normally associate, such as dating services or pornographic websites;
• the provision of a victim’s name by an offender to law enforcement authorities when detained by police;
• being falsely arrested as a result of arrest warrants being issued in a victim’s name; and
• damage caused to business reputations with suppliers or customers.
Although the Act is not intended to directly address privacy issues, the new offences will indirectly offer significant protection against such intrusions of privacy. However, being criminal offences, the new laws will not provide victims with a right to take action themselves and, as such, victims will need to rely on the discretion of police to prosecute offenders.
Must be in connection with serious offence
A major concern surrounding the Act was that many less serious forms of assuming false identities or misrepresenting qualifications or capacities (either legitimately or non-legitimately) would be caught. For example, there was concern that the offences may apply to:
• an author who writes under a pseudonym;
• a person who specifies a lower age when signing up at a dating agency;
• a person who adopts a fictitious identity for security reasons (for example, when communicating with strangers on the internet) or to deal with an organisation anonymously (as permitted under National Privacy Principle 8 of the Privacy Act 1988 (Cth)); or
• a minor who misrepresents his or her age to purchase tobacco or to gain entry into a licensed premises.
However, the offences will not apply in such circumstances owing to the requirement that, in order to establish an offence, a perpetrator must be shown to have intended to commit a serious criminal offence (which is defined to mean an indictable offence or an offence prescribed by regulation). This element will generally be lacking in each of the circumstances outlined above.
Interestingly, however, the Act specifically excludes the application of the offences to misrepresentations by persons under 18 years of age that are made for the purpose of:
• obtaining alcohol, tobacco or similar products; and
• gaining entry to premises to which they are not ordinarily allowed on account of their age.
The Act also excludes anything done by such a person to facilitate such a misrepresentation; for example, altering an identification card. However, the purpose of including these exemptions appears to have been primarily to reassure the public that the Act will not apply in these circumstances as, arguably, they are unnecessary in view of the fact that such misrepresentations will not be caught in any case as they are not being made with the requisite intention to commit a serious criminal offence.
Victims of identity theft often have to spend significant amounts of time and resources to ‘re-establish’ their identities. This will commonly involve, for example, proving to numerous organisations that they have been the victim of such theft, applying to have information corrected (for example, on credit reports) and rebuilding business relationships.
Significantly, to assist victims re-establish their identities, the Act amends the Criminal Law (Sentencing) Act 1988 (SA) to enable a court to issue a victim, upon application, with a certificate indicating that they have been the victim of an offence in which an offender has assumed their identity or used their personal identification information. This will make the process proving to organisations that a victim has been the subject of identity theft significantly less burdensome.
However, unlike some identity theft laws in the US, the SA statute does not go further to assist victims by providing them with rights in relation to the correction of information that organisations hold about them. While this is understandable from the point of view that the Act is concerned with establishing criminal offences rather than protecting individuals’ privacy, it is unfortunate in view of the fact that a fundamental tenet of information privacy rights is the right to correct inaccurate information. Consequently, victims will need to continue to rely on existing information privacy laws and regimes, such as the Privacy Act 1988 (Cth) and the Information Privacy Principles set out in the SA Government’s Information Privacy Principles Instruction — Cabinet Administrative Instruction No 1 of 1989, in order to seek access to, and correct, their personal information.
Identity theft vs identity fraud
Many privacy advocates distinguish between the terms ‘identity fraud’ and ‘identity theft’.
‘Identity fraud’ is often used to refer to where a perpetrator uses another person’s personal information:
• on a limited number of occasions;
• in a single context (for example, to commit credit card fraud) or in a very limited number of contexts;
• for material gain.
In contrast, ‘identity theft’ is often used to refer to where a perpetrator uses another person’s personal information:
• on numerous occasions;
• over an extended period of time;
• in numerous contexts;
• for either material or non-material gain.
A recent example of identity theft was in the much publicised case of Derek Bond, the 72 year old English pensioner wrongfully detained by South African police for three weeks in 2003 at the request of the FBI after an offender had used Mr Bond’s identity for over a decade to commit various crimes.
From the point of view of protecting privacy, the key difference between identity fraud and identity theft is the requirement for (or lack of) material gain. This is a subtle, but important, distinction because a victim will usually suffer an invasion of privacy irrespective of whether there is material gain. From this perspective, it is important that identity theft offences do not require an intention to obtain material gain as this will indirectly operate to protect privacy in itself. For example, such an offence would enable prosecution even where the only form of damage, or menace, resulting from the relevant actions is an invasion of privacy suffered by a victim. There would be no need to establish that an offender intended to obtain a material gain.
Many foreign identity theft statutes, particularly those in American States, require material gain to be established and, as such, are in fact restricted to identity fraud offences (despite, in some cases, being termed ‘identity theft’ offences). However, the SA statute is not restricted in this manner. The offences relating to assuming a false identity and making false representations do not distinguish between financial and non-financial gain. Similarly, the offences relating to possession, supply and use of prohibited materials expressly indicate that the offences apply regardless of whether a financial or non-financial benefit is intended to be obtained.
However, despite the fact that the offences have been drafted broadly enough to encompass both identity fraud and identity theft, the requirement that an offender be shown to intend to commit a serious criminal offence means that the Act still will not operate to protect a victim’s privacy in itself. Consequently, even where a case of identity theft causes a victim to suffer a gross invasion of privacy, the fact that the identity theft has been committed will not in itself be sufficient to prosecute an offender as it must also be shown that the offender intended to commit a serious criminal offence.
As is generally the case with the establishment of any criminal offence, the new identity theft provisions will broaden the circumstances in which police may conduct enquiries. However, some privacy advocates have expressed concern at the broad terms that have been used to draft the new offences, indicating that this may enable police to question, investigate and detain individuals suspected of contravening the Act in a broader range of circumstances than would perhaps otherwise be the case.
To demonstrate, each offence describes a broad category of conduct that could be committed in numerous ‘everyday’ circumstances. The only limitation on criminal liability for the conduct is the requirement that it be carried out with the intent of committing a serious criminal offence. For example, if it were not for the requirement that an offender must intend to commit a serious criminal offence, most people in Australia would, at one time or another, be caught by the provisions relating to the misuse of personal information as it is not uncommon for a person to use someone else’s information in the manner proscribed; for example, by withdrawing funds from a spouse’s bank account using an ATM card or using a family member’s credit card details to purchase a product over the telephone. Similarly, the circumstances that are proposed to constitute a ‘false pretence’ under the Act are very wide, particularly those relating to the misrepresentation of qualifications or capacities. For example, it is possible that a person could be accused of making a ‘false pretence’ simply by inaccurately describing his or her job title of ‘junior assistant’ as ‘an executive assistant’. The only reason for which such conduct is not caught by the Act is that there is no intention to commit a serious criminal offence.
Some privacy advocates argue that as the purpose of the criminal law is to proscribe certain types of conduct, criminal offences should not be drafted in such broad terms. Rather, in lieu of describing a very broad category of conduct that will constitute the physical elements of an offence and limiting its application by requiring a specific mental element, the proscribed conduct should itself also be specific. For example, in relation to the offence relating to the misuse of personal identification information, rather than the requisite conduct being the ‘use of another person’s personal identification information’, the Act should specify the particular ways in which the information is required to be used to establish an offence; for example, the ‘use of another person’s personal identification information in the process of creating a false identity document’. This would place further reasonable restrictions on the circumstances in which police could commence investigating an individual as the physical elements of the offence would be more narrowly defined.
Without detracting from the validity of these arguments, however, the style adopted by the SA legislature is, to a certain extent, consistent with modern legislative practices.
From a privacy perspective, SA’s new identity theft offences are a welcome addition to the State’s criminal laws. The fact that the laws are not intended to directly address privacy issues means that more could be done to protect privacy rights and to assist victims re-establish their identities, however, the new offences indirectly offer a significant level of protection against invasions of privacy that result from identity theft.
Jeremy Douglas-Stewart is a specialist privacy law consultant at Privacy Law Consulting Australia; <jeremy.d@privacy lawconsulting.com.au>.