The methodologies of committing crimes in cyberspace are different from their counterparts in real space. The importance of addressing this difference becomes more pronounced in light of society's increasing reliance on information and technology infrastructure. As such, legislators must duly account for the use of technology as an integral piece of sound legislative initiatives. It can no longer be a case of using old laws to adapt to new technology.
Identity theft provides an excellent example of the impact technology has had on crime. Reports of identity theft run rampant in the popular press. However, the Criminal Code, as currently written, does not contain a specific identity theft offence. In fact, most of the provisions attempting to address identity theft are fraud provisions that predate the advent of the Internet, save for offences dealing with credit and debit cards, and "unauthorized use of computer." This latter section is useful insofar as it can be used to capture fraudulent use of identity information over the Internet.
The effectiveness of the Code provisions regarding unauthorized use of a computer and fraudulent use of credit or debit cards is limited. For example, although it is illegal to fraudulently use personal information, there is nothing to address the unauthorized collection, possession or trafficking of such personal information. Seemingly, policymakers have caught on (or have been impelled to catch on) that there is a need to close such legislative gaps. In short, not only is Canada lacking a clear definition of the crime of identity theft, but law enforcement lacks the ability to intervene until, more often than not, it is too late.
Bill C-27 had its second reading on January 30th of this year and is now in committee. The general purpose of the Bill is to create three new offences:
- obtaining or possessing identity information with the intent to use it to commit certain crimes;
- trafficking in identity information with knowledge of or recklessness as to its intended use in the commission of such crimes; and
- possessing and trafficking certain government-issued identity documents belonging to another person – expanding the relevant documents from passports to include Social Insurance Numbers, drivers' licences, birth certificates, and a number of other identity papers.
Furthermore, and importantly, the Bill introduces the concept of restitution for the victim.
What It Does
The Bill's proposed amendments are laudable in three ways. First and foremost, by criminalizing the foregoing, the Bill gives law enforcement the ability to intervene at the stage of possession and trafficking, before fraud has actually been committed.
Second, the Bill is forward thinking and tries to anticipate the use of technology and not shy away from it. For example, the Bill does a good job of capturing the various technical manifestations of identity, including biometrics which will undoubtedly be a significant source of identity theft in future years. The anticipatory nature of the Bill becomes evident when looking at the very definition of "identity information" in the section 402.1 of the Code:
For the purposes of sections 402.2 and 403, "identity information" means any information – including biological or physiological information – of a type that is commonly used alone or in combination with other information to identify or purport to identify an individual, such as a fingerprint, voice print, retina image, iris image, DNA profile, name, address, date of birth, written signature, electronic signature, digital signature, user name, credit card number, debit card number, financial institution account number, passport number, Social Insurance Number, health insurance number, driver's licence number or password.
Although more restrictive than the definition of "personal information" in the Personal Information Protection and Electronic Documents Act, the list in section 402.1 is non-exhaustive, so it does leave room for other incarnations of identity-information as technology evolves.
Third, the Bill appears to recognize the power of market forces in assisting in regulating the prescribed conduct. As mentioned above, in addition to jail time for fraudulent acts, identity thieves will now be facing the possibility of having to reimburse their victims for costs incurred as a result of the fraud (e.g., the price of rehabilitating one's identity, replacing cards and documents, and correcting one's credit history).
This notion of restitution becomes increasingly relevant in the scenario where the accused is an employee of a company. Although the focus of this article is not one of corporate liability, it is important to note that this concept can be found in the present Code.
Criminal intent may become attributable to an organization where: (i) the organization benefits, to some degree, from the offence; and (ii) a senior officer is a party, or where a senior officer has knowledge of the commission of the offence by other members of the organization and fails to take all reasonable steps to prevent or stop the commission of the offence. However, such a finding requires that there is a threshold of reasonableness by which criminal intent can be imputed.
Section 402.2 of the Bill states:
1) Everyone commits an offence who knowingly obtains or possesses another person's identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence. 2) Everyone commits an offence who transmits, makes available, distributes, sells or offers for sale another person's identity information, or has it in their possession for any of those purposes, knowing or believing that or being reckless as to whether the information will be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence. [emphasis added]
Two issues come to the fore:
1) What are the circumstances that would give rise to a "reasonable" inference that the information is intended for fraud?
2) How is one to determine that a person was "reckless" as to whether such information could be used for fraud?
The standard(s) by which one could impute reasonableness and recklessness in the realm of identity theft is/are less than clear.
When one talks about identity theft, whether one uses the term identity information or, more broadly, the term personal information, these are distinct privacy-related terms. To date, there are standards for security only and there are no equivalents for privacy. Thus, without clear standards related to privacy, it may be difficult for companies to mitigate against risk and to assess what is reasonable and what is reckless.
Until a comprehensive set of standards are developed in this area, it may be helpful to look to the following for guidance: i) industry standards and best practices; ii) Privacy Commissioners, specifically orders they render that include promulgation of standards; iii) relevant legislation (e.g., privacy acts such as PIPEDA); and iv) jurisprudence in the area.
The Bill comes at a time when there is increased support for the notion that something must be done to combat identity theft. However, the Bill may not represent the panacea, and stakeholders should recognize that there is still a need to develop a comprehensive framework for contending with identity theft. Privacy standards would be an invaluable addition to the mix. Furthermore, public awareness about how individuals and organizations should handle identity information would also go a long way to ensure the Bill succeeds.