On 21 November 2007, Bill C-27, An Act to amend the Criminal Code (identity theft and related misconduct), was introduced in the House of Commons by the Minister of Justice, Rob Nicholson. The bill will create several new Criminal Code offences specifically targeting those aspects of identity theft that are not already covered by existing provisions. Essentially, Bill C-27 will focus on the preparatory stages of identity theft by making it an offence to obtain, possess, transfer or sell the identity documents of another person.
Identity theft has been called the crime of the 21st century. With the proliferation of personal and financial information as a result of such electronic media as the Internet and associated technology, new life has been given to an old crime. Not so long ago, assuming and using another person’s identity was a relatively small-scale operation that required time and effort to execute (e.g., stealing a purse, breaking into a house, overhearing a private conversation). Today, however, perpetrators of identity theft can operate at a distance from their victims, access databases containing large amounts of personal information and transmit stolen data quickly and easily around the world.
The nature and scope of identity theft have made it not only difficult to define the term, but also to measure the extent of the problem. With respect to a definition of “identity theft,” some commentators refer to identity fraud in relation to the fraudulent use of personal information, and identity theft as pertaining to the unauthorized collection of the information. This is the approach taken in Bill C-27. Others, however, apply the term identity theft broadly to encompass the preparatory stage of acquiring, collecting and transferring personal information, as well as the actual use of the information to attempt to commit, or to actually commit, a criminal offence.
Identity theft techniques can range from relatively unsophisticated methods, such as dumpster diving, mail theft and pretexting (posing as someone who’s authorized to obtain information in order to get it), to more elaborate activities, such as skimming,(1) phishing,(2) pharming,(3) vishing(4) and hacking into large databases. Given the evolving nature of technology, identity thieves are constantly developing new techniques to obtain personal information. There are even online operators and underground networks that specialize in the sale of stolen personal information. Thus, identity theft can range from the stealing of credit card information to the wholesale misappropriation of an identity.
Once obtained, personal information can be used to open bank accounts, obtain loans or credit cards, gain employment or transfer land title in the victim’s name. Stolen or reproduced personal documents can also be used to obtain government benefits or government-issued documentation. There also appears to be a growing trend of using identity theft to facilitate organized crime and terrorism activities (e.g., to mislead or avoid detection by law enforcement officials).
Victims of identity theft may suffer significant financial loss as well as damaged reputation or credit ratings. There may also be losses suffered in terms of the time, expense and emotional stress associated with restoring reputations and recovering financial and other losses incurred. Governments and businesses may also suffer financial loss and damaged reputations, and to the extent that identity theft is used to support terrorist activities, there may be national security implications.
Given that it can take months or even years for identity theft to be detected, coupled with the fact that most cases go unreported, statistics in this area are fairly unreliable. PhoneBusters, a national anti-fraud call centre jointly operated by the Ontario Provincial Police and the Royal Canadian Mounted Police, is the principal source of data on identity theft in this country; however, its statistics are complaints-based and as such may represent only part of the problem. According to PhoneBusters, for the calendar year ending December 2006, a total of $16 million in losses was reported on the basis of between 7,000 and 8,000 complaints.(5) Of note is the fact that this is double the amount of money lost but half the number of victims from the year before, which might indicate that identity theft is becoming more profitable and that there are increasingly more ways to make money from the actual fraud related to it. The Canadian Council of Better Business Bureaus has estimated that identity theft may cost Canadian consumers, banks and credit card companies, stores and other businesses more than $2 billion annually.
Calls for amendments to the Criminal Code to deal with the problem of identity theft have recently come from parliamentary committees as well as from individual Members of Parliament. For example, in its fifteenth report, presented during the 1st Session of the 39th Parliament, the Standing Committee on Finance recommended that the Minister of Justice take action to include the offence commonly known as “identity theft” in the Criminal Code. As well, in May 2006, Mr. James Rajotte introduced Bill C-299, An Act to amend the Criminal Code (identification information obtained by fraud or false pretence). The bill seeks to amend the Criminal Code to tackle the problem of “pretexting,” which involves a fraudster trying to obtain personal information about an individual either by posing as that person or someone authorized to have that information. The bill is currently at the first reading stage in the Senate.
Currently, the Criminal Code does not contain a specific identity theft offence. With the exception of some new offences dealing with computers (s. 342.1) and credit/debit cards (s. 342), most of the Code offences relating to property predate both the computer and the Internet. In 2004, the Department of Justice issued a consultation document to solicit views on legislative options to address gaps in the Code in relation to identity theft.(6) The paper noted that while the Code covers most fraudulent uses of personal information by identity thieves, it does not address the unauthorized collection, possession and trafficking of personal information (except for credit card data and computer passwords) for the purposes of future criminal activity.
The reason for this gap in the Code stems in large part from the fact that property offences (e.g., theft) relate to a tangible thing that the owner is deprived of. It is therefore difficult for non-physical or virtual information to be characterized as property unless it has a commercial value in and of itself, such as a trade secret. Moreover, the courts have generally held that the elements of theft and fraud are not satisfied in cases where only the confidentiality of personal information is violated. This means that copying personal information, even for future criminal use, is not an offence under the Code. Finally, the Department of Justice consultation document notes that prior to the computer and Internet, a typical case of identity fraud involved one person stealing the identification and then using it for his or her gain. Today, technology has facilitated the involvement of numerous people along a continuum of criminal activity with no one player having committed all the elements of the fraud.
Bill C-27 contains 13 clauses. We will be looking at each of them, with the exception of clause 2 (which defines the word “passport”(7) for purposes of offences involving this official Canadian document, such as forging or using a false passport(8)) and clause 13 (which provides for the coming into force of the bill at a date set by Order in Council).
The bill’s first clause creates a new hybrid offence(9) involving identity documents issued by a department or agency of the federal or a provincial government or by a foreign government.
Anyone who without lawful excuse, procures to be made, possesses, transfers, sells or offers for sale such an identity document that relates to another person is liable to a term of imprisonment not exceeding five years. (Clause 1 of the bill adds subsections 56.1(1) and 56.1(4) to the Criminal Code.)
The new subsection 56.1(3) of the Code lists the identity documents covered by the new offence. They are the following official documents:
With respect to official documents issued by the various levels of government in Canada, it would appear that this list is exhaustive. Any new government identity document that might be issued in the future would thus not be covered by the offence of possessing or trafficking in government documents provided for in the bill.
The new offence does not require that the prosecution prove the intent to use an identity document in a dishonest or fraudulent manner or in the perpetration of a crime (as is the case, for example, for the new offence of identity theft in clause 10).
However, the bill does provide that a person can have a lawful excuse for procuring to be made, possessing, selling or offering for sale a government identity document related to another person (clause 1 of the bill, adding new subsection. 56.1(1) to the Code). For example, a person would not be found guilty of the offence if he or she had acted:
Clause 8 adds to the current offence of using a forged document(10) those of trafficking in forged documents (new section 368(1)(c) of the Code) and possessing a forged document with intent to use it (new section 368(1)(d) of the Code). All these offences are punishable by a term of imprisonment not exceeding 10 years.
Clause 9 stipulates that the offence of making, selling or possessing an instrument or device intended for the making of a forged document(11) includes the repair, purchase, exporting our importing of such an instrument or device (new section 368.1 of the Code). This offence is punishable by a term of imprisonment not exceeding 14 years.
Clauses 7 and 9 provide for exceptions for undercover work carried out by law enforcement agencies.
Clause 7 protects from prosecution for making a forged document(12) people who do so at the request of a police force, the Canadian Forces or a department or agency of the federal or a provincial government (new subsection 366(5) of the Code).
Clause 9 allows public officers to create and use covert identities in the legitimate performance of their duties or employment. They could thus not be found guilty of making a forged document,(13) using a forged document,(14) trafficking in forged documents,(15) or possessing a forged document with the intention of using it,(16) or of an offence relating to instruments intended for the making of a forged document(17) (new section 368.2 of the Code).
Clause 10 adds a new section to the Criminal Code under the heading “Identity Theft and Identity Fraud.” Under its provisions, identity theft refers to the preliminary steps (e.g., the collection and possession of another person’s identity information) and identity fraud constitutes the subsequent deceptive use of such information in connection with crimes like personation, fraud or abuse of credit card data.(18)
Clause 10 thus creates a hybrid offence targeting the obtaining or possession of identity information: identity theft (new subsection 402.2(1) of the Code). The new offence is punishable by a term of imprisonment not exceeding five years (new section 402.2(5) of the Code).
For someone to be found guilty of identity theft, the prosecution would first have to prove that the person had knowingly obtained or possessed another person’s “identity information.”
The bill defines identity information as “any information – including biological or physiological information – of a type that is commonly used, alone or in combination with other information, to identify or purport to identify an individual” (clause 10).
This definition differs from the definition of “personal information” in the Personal Information Protection and Electronic Documents Act (PIPEDA).(19) The PIPEDA definition states that “personal information” means “information about an identifiable individual.” This definition may thus include information that does not permit identification of an individual, bur rather information about an identifiable individual (for instance, his or her shopping preferences).(20) The definition of “identity information” in the bill is more restrictive, because such information must “identify or purport to identify” an individual.
Moreover, under the definition in the bill, information that on its own might not identify an individual (for example, an address) can be considered “identity information” if it could be combined with other information (for example, a birth date) for the purposes of identification.
The new section 402.1 of the Code gives examples of identity information:
Some information, such as a Social Insurance Number, fingerprint or DNA profile, is unique, in that it is sufficient in itself to identify an individual.
Second, to obtain a conviction for identity theft the prosecution would also have to prove that the accused had obtained or possessed another person’s identity information in circumstances giving rise to a reasonable inference that the information was intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence. Under the new subsection 402.2(3) of the Code, this would include the following indictable offences:
Clause 10 creates another hybrid offence, trafficking in identity information (new subsection 402.2(2) of the Code). It involves the transmission, making available, distribution, selling or offering for sale, or possession of another person’s identity information. The definition of “identity information” provided in the new section 402.1 of the Code applies to this new offence as well.
To obtain a conviction for trafficking in identity information, the prosecution would have to prove that the accused had trafficked in another person’s identity information knowing or believing that, or being reckless as to whether the information would be used to commit an indictable offence that included fraud, deceit or falsehood as an element of the offence. The examples of indictable offences set out in the new subsection 402.2(3) of the Code apply to trafficking in identity information as well.
This new offence, like identity theft, is punishable by a term of imprisonment not exceeding five years (new subsection 402.2(5) of the Code).
The bill replaces the current offence of “personation with intent”(21) (i.e., pretending to be another person to gain an advantage for oneself or cause a disadvantage to someone else) with “identity fraud” (clause 10 of the bill amending section 403 of the Code).
Clause 10 also adds to the existing offence the fact of pretending to be another person to avoid arrest or prosecution or to obstruct the course of justice (new section 403(1)(d) of the Code).
Clause 10 further specifies that the expression “personating a person” includes pretending to be that person or using that person’s identity information as if it pertained to the person using it (new paragraph 403(2) of the Code). The definition of “identity information” in the new section 402.1 of the Code applies to the offence of identity fraud as well.
The maximum sentence for identity fraud is the same as that currently provided for personation, 10 years in prison (new section 403(3) of the Code).
At present, personating a peace officer is an offence punishable on summary conviction,(22) which means that the maximum sentence is a fine of not more than $2,000 or six months’ imprisonment or both.(23)
Clause 3 makes it a hybrid offence and increases the maximum sentence to five years in prison (new subsection 130(2) of the Code).
Section 342(3) of the Code currently governs the offence of fraudulently possessing, using or trafficking(24) in credit card data. Clause 4 stipulates that such data include personal identification numbers (PINs). The definition of a credit card already includes debit cards.(25)
Section 342.01(1) of the Code currently provides for the offence of making, selling, exporting, importing or possessing an instrument for falsifying or forging credit cards. Clause 5 adds a similar offence for instruments used to copy credit card data (new section 342.01(1) of the Code).
The maximum sentence for all these offences is a term of 10 years’ imprisonment.
The postal system is a gold mine of personal information. Through it pass bank and credit card statements, a wide variety of government documents, and pre-approved credit applications. The theft of mail is thus becoming a favourite activity for those who want to obtain identity information illegally.
At the present time, section 356(1)(a)(i) of the Code deals with the theft of any thing sent by post, after it is deposited at a post office and before it is delivered. Under clause 6(1), a person will also be committing a theft of mail if he or she steals a thing after it has been delivered but before it is in the possession of the addressee (new section 356(1)(a)(i) of the Code).
In addition to stealing mail, some criminals will illegally divert another person’s mail. They do this by submitting a forged change of address notice to a body that has sent out a statement (for example a bank or credit company) or by using Canada Post’s general change of address (forwarding) service. In addition to obtaining a host of personal data, such criminals can also gain time for pursuing fraudulent activities without the victims’ knowledge. Clause 6(1) tackles this problem by creating the offence of fraudulently redirecting mail (new section 356(1)(d) of the Code).
This provision also creates the offence of making, possessing or using a copy of a Canada Post mailbox or other key with intent to commit a mail-related offence (new paragraph 356(1)(b) of the Code). The Code already covers the theft of such a key.(26)
The mail theft offences in the Code are treated as indictable offences. Clause 6(2) makes mail-related offences hybrid offences. The maximum sentence remains 10 years’ imprisonment.
When someone is found guilty of identity theft, trafficking in identity information or identity fraud, the court will be able to order the person to reimburse the victim. The offender will then have to pay the victim any reasonable amount that the victim has spent to restore his identity, including correcting his or her credit history or rating and replacing identity documents. This is a discretionary order that can be added to any other sentence.
Private Member’s Bill C-299, An Act to amend the Criminal Code (identification information obtained by fraud or false pretence) would add two new offences to the Code, both punishable by a maximum term of imprisonment of two years:
Bill C-299 defines “identity information” as “information about any person, living or dead, that is capable of being used, whether alone or in conjunction with other information, to identify that person.” This definition is covered by the definition of identity information in Bill C-27.
Clause 12 of Bill C-27 provides that in the event of Bill C-299’s receiving Royal Assent, the coming into force of Bill C-27 will in effect repeal Bill C-299. Bill C-299 is currently at the first reading stage in the Senate.
Generally speaking, police associations, business organizations, credit reporting agencies and privacy advocates are pleased with the introduction of Bill C-27 as an enforcement measure that seeks to detect, prosecute and convict identity theft offences. Indeed, the Canadian Association of Chiefs of Police and the Canadian Bankers Association have for some time been calling for amendments to the Criminal Code to deal specifically with the crime of identity theft.
However, privacy advocates and consumer groups are quick to note that the bill is but one piece of a larger identity theft toolkit. There is still the need for a comprehensive framework involving law enforcement agencies, consumer organizations, businesses and financial institutions that would address the broader issues associated with identity theft (e.g., strengthening and enforcing data protection laws, consumer protection and victim redress and public education). The case for this broader framework was made by witnesses before the House of Commons Standing Committee on Access to Information, Privacy and Ethics in the spring of 2006. The Committee held several preliminary hearings on the issue of identity theft prior to the prorogation of Parliament on 14 September 2007.(28)
© Library of Parliament