The common law approaches to identity theft: Implications for Hungarian law reform

: The incidence of identity theft is escalating, especially in international contexts. Owing to the advancement of information technology, crimes associated with this issue are borderless and can manifest anywhere. The objective of this study is to scrutinize the regulatory frameworks concerning identity theft in foreign jurisdictions. The essay not only considers theoretical aspects but also practical and criminological dimensions of the issue in question. As an outcome of the examination of these regulatory models, it is hoped that proposals de lege ferenda (‘regarding future law’) can be articulated for the Hungarian legislature. The initial segment of the article grapples with defining the phenomenon. There is no universally accepted definition of identity theft. Various terms are employed in foreign literature to describe the very phenomenon, including “identity theft” and “identity fraud.” Subsequent to the conceptual introduction, the study surveys the potential forms of identity theft. In the subsequent sections of the article, the regulatory models of identity theft in common law jurisdictions are analyzed. The regulatory frameworks of the United States, the United Kingdom, Canada, and Australia are subject to examination. In the concluding section of the study, recommendations for future legislation ( de lege ferenda ) are proposed.


Introduction
Identity theft is becoming an increasingly global phenomenon.Due to the advancement of information technology, crimes related to it know no borders and can occur anywhere.Estimates suggest that victims in Canada and the United Kingdom spend almost 200 hours recovering their financial losses and reputations following identity theft. 1 By examining the regulatory frameworks in force in common law countries and analyzing the key components of the phenomenon and dissecting the most significant elements of identity theft, the study endeavors to articulate de lege ferenda proposals for the Hungarian legislation.

Definition of identity crimes
In the context of identity-related crimes, a variety of terms are commonly used.The term "identity theft" is frequently found in foreign literature, particularly in the United States 2 and Germany (referred to as Identitätsdiebstahl in German). 3 In contrast, in the United Kingdom, the preferred term is "identity fraud."This distinction arises because UK legislation does not explicitly define identity theft within a distinct statutory provision but considers it under the broader category of fraud. 4While these terms are often used interchangeably, it is important to note that Canadian law makes a clear distinction between the two offenses.
Charles M. Kahn and William Roberds view identity theft as an inherent consequence of the credit and payment system's structure, highlighting its economic and systemic dimensions.They argue for a balanced approach to reducing surveillance costs and controlling fraud, positioning identity theft as a macroeconomic issue rather than a series of isolated incidents. 5onversely, Katie A. Farina provides a comprehensive outlook on identity theft, emphasizing its execution via the unauthorized access to personal data for various frauds, focusing on the direct impact on victims and the wide range of personal information at risk. 6While Kahn and Roberds's perspective is theoretical, examining the broader economic and policy implications, Farina's approach focuses more on practical, individual solutions.Similarly, the Canadian legal scholars Philippa Lawson and John Lawford define identity theft as illegally obtaining and using (of) another person's personal information with fraudulent intent.The primary goal of the perpetrators is financial gain.Personal data can be obtained in several ways, for example, by: -stealing wallets, laptops, bank cards, hard disk drives; -"hacking" into computer storage devices over the internet, or -fraudulently posing as an internet service provider, apparently for market research purposes. 7iegelman frames identity theft as stealing an individual's good name and reputation for financial gain, emphasizing the impact on victims' public standing. 8In contrast, authors of a German book delineate identity theft as the unlawful acquisition of personal identity, clarifying that theft of individual data items does not constitute identity theft.Instead, it becomes identity theft only when a comprehensive set of data sufficient for personal identification is acquired.9They clearly distinguish between identity theft and identity misuse, the latter referring to the fraudulent use of personal data, highlighting the nuanced differences in the conceptualization of identity-related crimes. 10imilar to foreign terminologies, several technical terms have appeared in Hungary as well.In a joint study by Dániel Eszteri and István Zsolt Máté, the term identity theft is used in connection with crimes committed in the virtual reality simulator software Second Life.11Balázs Hámori also uses this technical term, and at the center of his definition is the illegal acquisition of personal data: "The illegal appropriation of a person's data (name, year of birth, address, credit card ID, social security number, and other personal data) with the intention of using them in various transactions for financial gain, from car rental to obtaining a bank loan." 12ontrary to the above, Zsolt Haig uses the term personality theft, citing a book by Winn Schwartau, 13 and classifies personality theft under infor-mation warfare, specifically personal information warfare.In the event of the commission of the crime, their victims may suffer material and moral/emotional damage.14Kinga Sorbán is another scholar who uses the term identity theft. 15According to her, there are two stages to this form of crime.In the first phase, the perpetrator steals the victim's personal data (e.g., social security number).The second phase involves the misuse of the said data.She points out that the Hungarian Criminal Code lacks a distinct provision for this issue, but believes it unnecessary because behaviors pertaining to it can be integrated into existing legal provisions. 16

Types of identity theft
Various typologies of identity theft are recognized, but due to the brevity of this study, a comprehensive presentation of each is not possible.According to one typology, we can distinguish among financial, medical, criminal, synthetic, and child identity theft. 17or instance, in Hungarian jurisprudence, a case of forgery of public documents may be considered as an instance of criminal identity theft.As per the 2/2004 Criminal Unification Decision, if a defendant, during the course of criminal proceedings initiated against them, assumes the identity of another existing individual, leading to the inclusion of the corresponding data in the public document prepared by the investigating authorities, they may be deemed to have committed the dual crimes of false accusation and "intellectual" forgery of public documents.
Misuses related to personally identifiable information not only have the potential to cause financial harm but can also infringe upon human dignity and indirectly harm one's health. 18

The crime of identity theft in the United States
Identity theft is one of the most prevalent forms of crime in the United States.It is therefore not surprising that the U.S. was the first country in the world to codify the concept of identity theft in a specific provision. 19n 1998, an amendment (Identity Theft and Assumption Deterrence Act) introduced this offense into the United States Code.Prior to the amendment, creating a false document with stolen data was considered as forgery, but misuse of personally identifiable information did not constitute a crime in itself.The purpose of the amendment was to subject abuses related to identity to federal criminal threats, which provided law enforcement agencies with broader investigative tools.The aim was also to not only penalize material damage but also other personality rights violations related to identity theft.In addition, the law prescribed a higher penalty than the previous diverse fact situations, which could increase the success of prosecution and the number of plea bargains, which -due to confessions -speeds up the criminal proceedings. 20urrently, Chapter 18, Section 1028, Subsection (7) of the United States Code's Government Code states that anyone who -intentionally and unlawfully -transfers, possesses, or uses identification devices -of another person, -with the aim of -as perpetrator, accomplice, or instigator -carrying out unlawful activities, is punishable under member state or federal law.
An identification device, according to the law, is any name or identification number that verifies the identity of a specific individual.This particularly includes the individual's: -name, social security number, date of birth, state-issued driving license, or vehicle registration number, foreign registration number, passport number, employee or tax identification number; -unique biometric data, such as fingerprints, voice print, retina or iris image, or other unique physical distinguishing feature; -unique electronic identification number, address, or routing number; or -telecommunications identification information or identification device.
The law only contains an illustrative listing of the behaviors.
The U.S. Code 21 protects not only traditional physical documents but also electronic data storage devices containing personal identities.Despite the fact that Title 18 Section 1028 of the U.S. Code is focused on identity theft, unlawful acquisition of identity-related data is not punishable, only the subsequent behaviors involving the data, such as possession, transfer, or use thereof.Section 1028 also protects freely available data, regardless of whether the identity-related information is available online or, for example, may (have been) retrieved from a physical garbage container.Offenders most frequently attempt to obtain bank card numbers, credit card numbers, PIN codes used for ATMs, or social security numbers. 22he collection of identity-related data could be considered computer fraud according to Section 1030 of the code.The paragraph states that illegal access to protected data, or password and bank card number acquisition through spyware, for instance, are punishable.The regulation complies with the Council of Europe Convention on Cybercrime, adopted in Budapest on November 23, 2001, which the United States signed in 2001, ratified in 2006, and it came into effect on January 1, 2007.
Section 1030, in its current form, finds its origins in the Comprehensive Crime Control Act of 1984, Title 18, Fraud and related activity in connection with computers and was expanded further by the Computer Fraud and Abuse Act of 1986.Subsequent legal developments culminated in the Identity Theft Enforcement and Restitution Act of September 2008, the introduction of which was aimed at clarifying and broadening of the jurisdiction of law enforcement agencies in relation to identity theft.This law clarified and expanded the jurisdictional authority of law enforcement agencies.Essentially, it facilitated the process for investigative bodies to proceed against identity thieves who commit their crimes via computer.In addition, it defines the victim of cybercrime and mandates compensation for them. 23he legal consequence of identity theft can be, for its convicted perpetrator, as severe as thirty years of imprisonment, especially when a crime is related to terrorism.In fact, identity theft is heavily penalized precisely because in many cases it can be conducive to the financing of terrorism.24American law also penalizes attempted identity theft with an equal severity.

Regulation in Canada
In Canada, the need for special regulation arose in the 2000s.During this period, a surge in the number of offenses, notably those involving misuse of bank card data, was observed.This tendency was not exclusive to Canada but was observed globally, with countries such as Hungary also experiencing an increase in incidents of credit card fraud. 25In the year 2006, over 12,000 individuals in Canada fell victim to identity theft, culminating in a loss amounting to 16.2 million dollars. 26n March 2009, the House of Commons of Canada passed an amendment, and since then, identity theft has been regulated under a specific statutory provision.
Section 402.1 of the Canadian Criminal Code defines personal identification data, which is considered to be any data, including biological or physiological information, that is generally used independently or in combination with other information to identify individuals.This includes, in particular, fingerprint, voice print, iris image, DNA profile, person's name, date of birth, signature, username, credit card number, debit card number, financial account number, passport number, social security number, health insurance number, etc.
The law differentiates between identity theft and identity fraud.The crime of identity theft is contained in Section 402.2 of the said code.Under the law, a crime is committed by anyone who acquires or possesses another person's identifying information with the intent to use it to commit an indictable offense.Moreover, a crime is committed by anyone who transfers, makes accessible, distributes, sells, offers for sale, or unlawfully possesses another person's identifying information.From the subjective side, the perpetrator's legally evaluated aim is to use these personal identifiers to commit a crime.
The law lists the following offences: -forgery of or uttering forged passport, -fraudulent use of certificate of citizenship, -personating peace officer, -perjury, -theft, forgery, etc., of credit card, -false pretence or false statement, -forgery, -use, trafficking or possession of forged document, -fraud, and -identity fraud.
Identity theft is punishable by up to five years in prison.Section 403 of the Canadian Criminal Code contains the offense of identity fraud.According to the factual basis of the offence, a crime is committed by anyone who fraudulently personates another person, regardless of whether the person is alive or dead.
The law also defines the purposes for which the crime can be committed: -with intent to gain advantage for themselves or another person; -with intent to obtain any property or an interest in any property; -with intent to cause disadvantage to the person being personated or another person; or -with intent to avoid arrest or prosecution or to obstruct, pervert or defeat the course of justice.Identity fraud is considered a more serious crime than identity theft, and the penalty is imprisonment for up to ten years. 27

Australian legislation
It was the state of South Australia that pioneered legal measures against crimes pertaining to identity.In 2003, amendments were made to the state's Criminal Law Consolidation Act 1935, leading to the establishment of the following offenses: -false identity (Section 144B), -misuse of personal identification information (Section 144C).
Subsequent legal evolution brought other Australian state, Queensland, into focus, where the Criminal Code Act 1899 was amended in 2007.As per Section 408D of the said code, a person who obtains or deals 27 Borges G. et al.: Identity theft andfraud legislation in Canada. "Canadian Law Journal" 2011, vol. 4, no. 120, pp. 341-343. PPK.2023.07.01.06 s. 8 z 13 P r o b l e m y P r a w a K a r n e g o with another entity's identification information for the purpose of committing, or facilitating the commission of, an indictable offence commits a misdemeanor is liable to a prison sentence of up to three years.Importantly, Queensland's legislation criminalizes not only the misuse of natural persons' identification data but also that of legal entities.The Australian Federal Parliament amended the Criminal Code Act 1995 in 2008, thus officially recognizing identity theft as a distinct category of crime at the federal level.
Under Section 372 of the Australian Federal Criminal Code, a compendium of crimes pertaining to identity fraud is defined.These include (the illegal): -dealing in identification information, -possession of identification information, and -possession of equipment used to make identification documentation.
Of these, the gravest is the first crime, carrying a punishment extending to five years of imprisonment.The said code stipulates that data or documents affiliated with a person, whether living or deceased, actual or fictitious, is considered identification information, provided it is used for the purpose of identification.An indispensable requirement is that the data should serve the identification of someone.The law contains a listing akin to the U.S. regulation, delineating what specifically qualifies as such data.28

UK regulation
Contrary to other common law countries, English law does not contain a specific actus reus pertaining to identity theft; related behaviors are covered under the Fraud Act of 2006.The following can be considered crimes related to identity theft: -fraud by false representation, -fraud by failing to disclose information, and -abuse of position.
Each of these crimes carries a sentence of up to ten years' imprisonment.
The offence that most closely approximates to identity theft is the one described as fraud by false representation.This is defined in the law as a "dishonest false representation."Such representation could pertain to either facts or law.There are no restrictions on how the representation is made; it may be expressed in writing or verbally.A typical manifestation in English practice is the act commonly known as phishing.For instance, the offence is perpetrated by an individual who, under the guise of a bank, sends fraudulent emails to unsuspecting victims requesting them to disclose their personal information.The materialization of damage is not a prerequisite; the offence is considered an immaterial crime.The action of the perpetrator must be intentional, and they must realize that their act embodies a falsehood or incorporates deception.The legally evaluated aim of the perpetrator lies in financial gain, or causing financial detriment to others. 29

The necessity for specific regulation of identity theft in Hungary
As previously mentioned, the Hungarian Criminal Code does not currently contain a specific statutory provision for identity theft.However, the rates of certain crimes that might fall under the phenomenon of identity theft indicate that there is a need for a new statutory provision.The data presented in this section is sourced from the Bűnügyi Statisztikai Rendszer (Criminal Statistics System), which is the official system used by the Hungarian government to collect, process, and report statistical data on criminal activities in the country.This system includes data on various types of crimes, including their frequency, geographical distribution, and trends over time.The data collected in the Criminal Statistics System is used for official reports, policymaking, and law enforcement purposes.From 2018 to 2022, there were significant increases in several categories of crimes that are related to identity theft 30 : • Fraud showed a 128% increase from 2018 to 2019.• Misuse of personal data saw a dramatic increase of 686% from 2018 to 2019, a 14% increase from 2020 to 2021, and a 103% increase from 2021 to 2022.
It is important to note that the data for 2023 is not yet complete.However, the significant increases in these categories of crimes over the years indicate that identity theft and related crimes are a growing problem in Hungary.This highlights the necessity of introducing specific regulations for identity theft within the Hungarian Criminal Code by drafting a new statutory provision as a separate provision.
In light of the substantial increases in various categories of crimes related to identity theft, it is clear that the current provisions of the Hungarian Criminal Code are insufficient to address this growing problem.This insufficiency not only hampers the effective prosecution of these crimes but also leaves a legal void that needs to be filled in order to provide comprehensive protection against such offenses.
Therefore, to fortify the legal framework and ensure comprehensive protection against identity theft, we propose the following amendment to the Hungarian Criminal Code:

Identity theft
[…] § (1) Anyone who a) unlawfully acquires or possesses another person's identification data for the purpose of using it, b) unlawfully transmits or makes available another person's identification data for the purpose of committing a crime specified in ... §, ... § (...) paragraph ... point or ... §, is guilty of a felony punishable by imprisonment not exceeding three years.
(2) The penalty shall be imprisonment between one to five years for a felony if the offense is committed in criminal association with accomplices or on a commercial scale.
(3) The penalty shall be imprisonment between two to eight years if the offense causes substantial injury to interest.

Note:
In the proposed statutory provision, the sections indicated by "..." would be substituted with the actual crimes from the code listed in the crime rate section.

Conclusions and suggestions
Predominantly, common law jurisdictions implement distinctive statutory provisions to penalize identity-associated transgressions.
As we navigate the 21st century, the inherent value of personal and identifiable data continues to rise, and the misappropriation of such data can inflict substantial damage on individuals, legal entities, and states alike.It is of utmost importance to extend the shield of criminal law over information closely bound to one's identity.In our perspective, the formulation of specific legal provisions serves as the most efficient mechanism to achieve this aim.Taking into account the existing provisions of Hungarian legislation and inspired by the American and Canadian legislative models, we have drafted a proposal, de lege ferenda, for Hungarian legislators to consider.Implementing a specific proposal like this would not only introduce a distinctive statutory provision for the safeguarding of identity data but also represent a crucial step towards bolstering the legal protections against identity theft and related crimes in Hungary.

D
á v i d Tó t h, B a l á z s G á t i • T h e c o m m o n l a w a p p r o a c h e s t o i d e n t i t y… PPK.2023.07.01.06 s. 11 z 13