The Villainy Saga of Identity Theft – Prevention of Identity Theft in the Post Internet Era

Identity Theft
Image Credits – Jack Teagle

Identity theft is when one uses another’s unique identification factors such as name, Aadhar card number, credit card information, and other government-recognized identification to commit fraud. The information gathered by fraudsters can be used for various types of crimes such as taking money out of the individual’s credit card or bank account without their knowledge, using the information to benefit from the individual’s medical care services, and receiving the tax return amount of the individual to name a few common ones. The earliest form of identity theft was murder, the information gathered from the deceased individual was then used by the fraudster to escape his life’s burdens and lead a new life with a new identity. At the same time, other historical practices were also pick-pocketing to find information about one’s wallet.

This was easy in the past as the registry of individuals’ unique identification factors even photographs weren’t stored. However, the later forms of identity theft occurred through dumpster diving which meant that the fraudsters searched the trash of people to find any personal information. This became widespread due to the improper disposal of an individual’s sensitive documents. However, the advent of the internet made it easier for fraudsters to steal personal information through various viruses and spyware software. Thus, cybercrime and identity theft have become more prevalent than ever before. 

Types of Identity Theft

Criminal Identity Theft

This form of identity theft involves a person charged with a crime using another individual’s personal identifying information to escape the charges. 

Child Identity Theft

This form of identity theft occurs when a minor’s personal information is stolen and used for availing credit or loan facilities. It can also be used for procuring credit cards under the minor’s personal information.  

Financial Identity Theft

Financial identity theft occurs when the individual’s bank account information is stolen and used for transferring money to another account, availing loan facilities, etc. 

Medical Identity Theft

The personal information of an individual is stolen by the fraudster to avail medical benefits such as medical insurance. This can also be used to procure the drugs or medicines prescribed under the individual’s name. This type of identity theft becomes an issue in the future of the individual as it becomes a part of his/her medical history. 

Alibi Identity Theft

Fraudsters usually either create a duplicate identity or forge the deceased person’s documents to get their Public distribution supply either for their advantage or to sell it in the black market. 

Synthetic Identity Theft

This type of identity theft involves combining legitimate personal information of an individual with fake details to create a fake document to avail of loans, credit cards, procure a fake driving license, etc. 

Identity Cloning

In identity cloning, an individual’s identity is stolen by the fraudster and used to pose as the individual himself. Immigrants and terrorists commit such fraud to hide their true identities. This type of identity theft mainly doesn’t involve any financial gain to the fraudster. 

In the following sections let us look into the provisions in place in India for identity theft and cybercrime while also discussing what we as an individual can keep track of to prevent identity theft. 

Legal Implications of Identity Theft

Identity Theft
Image Credits – Anthony Morell

Identity theft is an illegal act that has certain sections that ascribe a penalty and or compensation for the same. Section 43 of the Information Technology (IT) Act, 2000 talks about the penalty and compensation charged for damage caused to computers, computer systems, and computer networks. Section 66 of the IT Act contains punishments for several computer-related offenses. Under the same Act, however, Section 66C specifically states the punishment for identity theft, which is, imprisonment of up to three years and will be liable for a fine of up to rupees one lakh.

The Indian Penal Code under theft i.e., Section 378 deals with only movable and tangible assets and property thus, making identity theft not compatible within the ambit of the definition of theft under this section, however, few sections in the IPC read with the IT Act enables us to seek legal remedy through the punishments provided in the IPC. Sections 464 and 465 which deal with false documentation and punishment for the same can be considered a provision created against identity theft. Section 416 to 419 of the IPC talks about the offense of cheating by personation and cheating for wrongful gains while stating their respective punishments. Let us look at a few cases to understand the extent of digital fraud and the issue with the present law for identity theft. 

The CBI v. Arif Azim case, also known as the Sony Sambandh case, involved a 24-year-old boy who posed himself as an NRI to buy a set of color TV and cordless headphones. Sony had only recently launched a new scheme called Sony Sambandh where NRIs could purchase and send appliances online to their friends and family residing in India. The defendant was a call center worker who gained access to an international credit card and posed as Barbara Campa to purchase the goods and have them sent to him. However, the credit card owner complained about the unauthorized purchase, and the fraud was brought to light.

The courts held that as the defendant was a first-time convict and was a young man, he should be issued a lenient statement and left with a one-year probation. The case established that the provisions of the IPC can be used in cases of identity theft. 

In the National Association of Software and Service Companies (NASSCOM) v. Ajay Sood & Others, the defendants were a recruitment and headhunting agency that posed themselves as the plaintiff to get personal information by sending e-mails in the name of the plaintiff. The investigation brought to light two hard disks used by the defendants to send out emails under fake names using the NASSCOM trademark. This is the first case where the courts declared that phishing is an illegal act although there is yet to be definitive legislation for the same.

The courts defined phishing as, An act which amounts to phishing, under the Indian law would be a misrepresentation made in the course of trade leading to confusion as to the source and origin of the e-mail causing immense harm not only to the consumer but even to the person whose name, identity or password is misused. The courts held that the defendants were to pay 16 crore rupees and ordered the seizure of the hard disks found on the defendant’s premises. This case lays down a precedent for cybercrime cases as phishing was commonly known as a fraudulent call or e-mail sent out to individuals to gain access to personal information, whereas this case showed that organizations could also fraudulently pose themselves as a third party for the same.  

Issues with the Present Law

The most notable issue with the law is that there is no conclusive provision or legislation for identity theft or cybercrime. The Information Technology Act, 2000 through the 2008 amendment included identity theft as an illegal act and made other amendments but it hasn’t yet conclusively defined what constitutes the identification features of an individual that the Act seeks to protect. However, although the Act defines sensitive personal information it is not exhaustive of the purpose of Section 66(C) in particular. It is also to be noted that the punishments given in the Act are not enough to ensure that the convict would not commit the crime again i.e., it is not punitive to induce the convict to stop digital fraud.

The Act in Section 66(C), which deals with identity theft, states that the upper limit of damages is one lakh rupees and imprisonment only is up to three years. Considering the amount that the convict defrauds individuals through the digital space, the amount of punitive damages is not a reasonable value as seen in the Sony Sambandh case where the court showed leniency to the defendant as he was young and must stop to ensure that victims of digital fraud have faith in the judicial system. Stricter punishments should be in place to ensure that people do not indulge in digital fraud. Legislation for cybercrime that is clear and inclusive of all the forms of committing digital fraud including punishments for each cybercrime should be legislated and put into force. Investigation authorities must be appointed and there is a set of hackers for procuring information about the fraudster during trials. 

Individual efforts to Decrease Identity Theft

Here are a few individual efforts we can take to minimize the risk of identity theft occurring to us. 

  • The easiest way for a hacker to get access to e-mails is through weak passwords, thus ensuring that you change your password frequently and use characters and numbers to make it more complex and hard to guess. 
  • The most prominent and widespread form of identity theft is transferring money from one’s bank account, thus, checking your bank statements at regular intervals will help you keep a track of the changes in case they occur. 
  • Ensure that you do not open non-secure websites as they may contain spyware programs or viruses which may automatically have access to the websites accessed by you and the passwords entered by you. Additionally, ensure all your accounts (e-mails or bank accounts) have two-factor authentication so that in case someone fraudulently accesses the account you will be notified. 
  • One can also ensure that their computers have an anti-virus program installed to detect any virus in the computer. 
  • Organizations can encrypt their confidential documents by adding several layers to ensure that it is safe. 
  • In case of bank account fraud, make sure you contact your bank to freeze your account to prevent further damage. 
  • In the instance of receiving phishing calls posing to be your bank ensure you don’t give out personal information unless you are sure it is a legitimate call.
  • The public must be made aware of different forms of cybercrime and how they can protect themselves through workshops conducted by NGOs or the Government or through a collaboration of both. 

These are a few ways that as an individual, you can do to prevent identity theft. As the saying goes, prevention is better than cure and although these steps do not completely stop the crime, it helps decrease the frequency of the same. 

Conclusion

The rapid growth in digitalization and shift to the internet space has posed a potential threat to the increase in digital frauds and digital scams. Cybercrime is such a crime that the fraudster is hard to trace and can delete all of his/her digital trails to escape the law. Thus, this calls for extra caution for the general public and organizations to ensure the safety and security of their personal information. The courts must ensure that they provide judgments and show leniency only in cases where it is justifiable through the nature of the crime and not through the character of the convict. As mentioned above the laws at present are not exhaustive and have to be amended and new stricter laws and punishments have to be created. Steps must also be taken on an individual level to limit the individual exposure to the crime.

Awareness about the various ways in which digital fraud and scams are committed should be spread to the general public to ensure they take steps essential to protect themselves from fraudulent calls, messages, and e-mails. The risks and dangers that entail due to the peculiar nature of identity theft and cybercrime make it essential that steps have to be taken by individuals and the state to ensure that the public’s privacy is secure.