BuscaLegis.ccj.ufsc.br Identity Thef in internet an international context Alexandre R. Coelho 1. Introduction The objective of this paper is to demonstrate that The Fair and Accurate Credit Transactions Act of 2003 (FACT Act), a law signed by President Bush last year and which intend to solve the domestic problem of the identity theft via Internet, can be a great source against stolen of the credit card and accounting numbers in the international context. Hence, first I briefly describe the characteristics of the FACT Act, describing the tools that permit consumers to confront identity theft and the new obligations for credit card companies, financial institutions, and consumer reporting agencies. After that, I post the main problem identity theft via Internet currently faces that is related with the boundaries of the enforcement of the law, which means if the FACT Act can be efficient for consumers with the advent of Internet. Then, in the next item, I propose a solution to this problem, explaining how the FACT Act can help consumers around the world when their credit cards and accounting numbers are stolen. Finally, I conclude this paper recognizing that there is still much to do in terms of the new international rules in order to minimize or even to solve the problem of identity theft in the digital world. 2. Brief Description of the Law The FACT Act was signed by President Bush on December 4, 2003. This law tries to tackle theft involving credit card and accounting numbers via Internet in the United States, giving instruments to consumers confronting such problem and duties to national credit bureaus, banks, and credit card companies. 3 The FACT Act: 1) Enables consumers to verify easily, periodically, and without spending money their credit reports, once each consumer will have the right to receive every year a credit report free of charge from the three major credit bureaus - TransUnion, Experian and Equifax - which compile information on consumer s check-writing history, creditor s names, consumer s name, date of birth, current address, and consumer s current employer. 2) Requires credit bureaus to block fraudulent lines no later than 30 (thirty) days after the date of receipt of proof of the identity of a consumer and official copy with a police report, which will need to make clear that it is a claim of a identity theft (example: theft of credit card and accounting numbers via Internet). 3) Establishes the creation of a national fraud-alert system which will allow consumers to make just one telephone call to report fraudulent activity1. Before enacting FACT Act, consumers had needed to call for every credit card companies, all the consumer reporting agencies, and banks. When the national fraud-alert system begins to work, consumers will
just need to make one call to see her or his complaint reach all financial institutions, credit card companies and consumer reporting agencies. This fraud alert will remain for 90 (ninety) days. If the consumer provides an identity theft report (which could include a Federal Trade Commission FTC ID theft with a police report), the consumer will be able to place and extend the fraud alert for seven years in his or her credit file. Users of reports have a obligation to respect fraud alerts, avoiding to issue a new credit line, extension of credit, new cards, or a requested higher credit limit on existing accounts unless the consumer withdraw the fraud alert. 1 I can mention 3 (three) examples of fraudulent activity related with steal of credit card and accounting numbers, which means identity theft: a) when consumers have read their credit report mailed to them from TransUnion, they learnt that their current address have changed without their request; b) when a consumer is buying a car, the manager from an automobile store tell her or him that there are unusual debts; c) when a consumer receives her or his bill from a credit card company, she or he realized that the statement shows shopping from countries that such consumer never visited. 4 Financial institutions that receive a fraud alert from a consumer will be obliged to follow certain procedures2 to ensure that new business from criminals won t be occur again. 4) Orders that every merchant which emit receipts electronically (examples: stores, such as Staples and Home Depot) will have to replace their cash register in order to print only part of the number of the cards by 2007. For instance, this will prevent that a delinquent take from the trash rooms or office waste tube receipts with credit or debt numbers, an identity theft source. With these numbers in her or his hands, the criminal becomes able to buy goods via Internet, using names, addresses, numbers of credit and debit cards like consumers. 5) Establishes that the Federal Trade Commission (FTC), Federal Reserve Board (FED) and other Regulators, including states, implement regulations and guidelines, within one year, addressing specific obligations for credit bureaus, credit card companies, banks, and stores in general in order to improve the means of disposal consumer information and records containing information. The consumer s rights mentioned above and the last measures for companies in general, banks and credit card companies established by the FACT Act are the main improvements from this new law, which offered more apparatus for consumers to protect themselves against identity theft via Internet, especially with steal of credit card and accounting numbers. In the next items I will present how the global nature of the Internet can obstruct such improvements and how we can deal with it. 2 A body of standard rules is being developed by Federal Trade Commission ( FTC ) together with Federal Reserve, and states financial institutions in order to assemble standard legal procedures for every credit card companies, banks, and stores. 5 3. Is the FACT Act Efficient for American Consumers when an ID Theft happen in the Cyberspace? Historically identity theft has been a plague since the world was created. The most primitive way of the identity theft could be to kill your twin brother and assume his identity in order to stay with his money for instance. The physical presence of the criminal beside the victim was essential for the crime of the identity theft. After a lot of years, the ways of identifying a person have grown (examples: through numbers from credit cards and debt
cards, fingerprints, photos, and professional backgrounds). Meanwhile, identity theft becomes more sophisticated, especially with the advent of the Internet. Currently, in the cyberspace, the physical presence of the criminal is not required to steal credit card and accounting numbers belonging to consumers. According to a survey from FTC3 35% of American consumers are victims of credit card fraud and 15% are victims of bank fraud. As we can see 50% of identity theft is derived from credit card and bank fraud. In line with such survey, the FTC explains that this kind of identity theft is increasing because consumers share their personal information on the Internet, criminals scam personal information, frequently through e-mail, by posing as legitimate companies or government agencies, or they can get consumer s personal information hacking into electronic files. Nowadays, consumers, hackers, crackers, and all kind of users, even terrorists can use Internet to steal data from any company, bank, credit card company, judicial courts and yet directly from consumer s personal computers via e-mails or using identical replicas of website s banks. Cyber criminals break firewalls and steal numbers from cards, which stay inside of the data banks managed by credit card companies and banks around the world. In addition, the worst aspect of this kind of crime is that delinquents can operate from England, Singapore, Egypt, Caribbean Islands, or in Brazil in order to steal credit card and accounting numbers from Americans who live in the United States. 3 National and State Trends in Fraud & Identity Theft from FTC - January 2004. 6 The FACT Act can work when the criminal and the victim are living in the American territory, however, if the criminal live in Nigeria, the bank s website is managed in Brazil, and the consumer has her or his domicile in the United States, certain measures, rights and obligations established by the FACT Act won t be enforced completely. The American consumer will be unprotected in this case. In other words, the Internet environment does not know frontiers or boundaries. This is an inherent characteristic of the Internet. Then, I can conclude that cyber crimes or identity theft have become an international matter. The first measure presented in the item 2 from the FACT Act is easier to apply. Consumers can receive their annual free credit reports from credit bureaus. However, the next measures (numbers 2; 3; 4 and 5) won t work in an international scenario like this: one American consumer, a Brazilian cyber criminal, and a store based in France. Credit bureaus will be able to block fraudulent lines, but how this block will reach in France and how Americans authorities will stop a Brazilian cyber criminal? He will be able to buy goods via Internet, using personal information from such American consumer from store s websites with headquarters based in Canada, Italy, Germany, London, Tokyo, etc. Besides, this cyber criminal can travel to Uruguay and from there he can remain buying goods via Internet. A lot of questions will arise, I present some of them. How fraud alerts will become known by Uruguayan authorities? How stores based in Italy and Germany will receive fraud alerts from the United States? How to track a Brazilian cyber criminal that can be able to move to other countries all the time and buy goods via cyber cafes, using credit card numbers from five, six or even ten Americans consumers for instance? Every merchant in the United States will be obliged to emit special receipt by 2007. Now, imagine an American tourist who visits Rio de Janeiro Brazil - and buy some gifts with her or his credit card number. Rio de Janeiro s stores are not required to replace their electronic machines in order to emit only part of the
7 number of the credit cards. Brazilian cyber criminals4 will be able to pick up from garbage, trash rooms such receipts and buy goods via Internet without the consumer s knowledge. Finally, The Federal Trade Commission and the Federal Reserve Board will implement rules for banks, credit card companies, and stores to improve their data banks, where consumer s information and records will be filed. The main way of to steal credit card numbers and accounting numbers is to invade via Internet data banks managed by stores, credit card companies, and Banks. How to improve technologically Italian and Egyptian stores? How can Americans authorities enforce the FTC and FED rules in data banks managed by foreign stores and commercial Banks in other countries, for example? As result the FACT Act alone will not be efficient in an international arena, when commercial transactions take place via Internet. In the next item I explain how we can try to deal with it. 4. Attempts to Solve the Problem of Identity Theft via Internet in an International Arena How can we address the problem of identity theft in an international environment, performed by hackers or crackers around the world who break into computers via Internet and steal credit card numbers and account information from credit card companies, banks, and even from the own consumer s personal computers? Is there a solution to solve the problems posted in the last item or even minimize them? Are there ways to powerfully minimize the problems of Internet fraud, consequently identity theft via Internet? I strongly believe that yes, there are. However, this is a matter for a lot of strong efforts among regulatory agencies and credit bureaus around the world, also considering that some years will be necessary 4 According to a Britain company of information security (mi2g), Brazil conquered in 2002 the title of the biggest laboratory of cyber criminals around the world, causing US$ 45 billions in damages for the world-wide economy. Source: mi2g and Folha de São Paulo online (a Brazilian newspaper). 8 to implement certain international rules and procedures in order to improve the safety amid commercial transactions via Internet. Measures to reach international solutions have already begun with initiatives led by international organizations, such as Organization of American States (OAS), United Nations (UN), and Commission of The European Communities. Thirty two countries, members of OAS, had a meeting in Buenos Aires in 2003 in order to organize a unified strategy to combat sabotage crimes, identity thefts, and financial frauds. UN Commission on International Trade Law s (UNCITRAL) is preparing a document to regulate the e- commerce around the world. The text focuses on areas such as legal electronic transactions, data exchanges and e-mail messages. The Commission of The European Communities enacted in 03.12.2004 in Brussels a proposal for a decision of the European Parliament and of the Council with the purpose of establishes a community program to promote safer use of the Internet and new online technologies. States and international organizations are working in order to build an international standard body of rules to regulate the Internet environment. However, I strongly believe that to harmonize laws, definitions, rules, procedures in a multilateral way will take a lot time, because this is the nature of international treaties. There are a lot of negotiations and group of interests. I am confident that bilateral treaties or agreements between commercial blocks, such as European Union and NAFTA, Brazil and the United States can be faster
achieved and more efficient to consumers. This can minimize and solve some logistical problems with theft of credit card and accounting numbers via Internet. We can imagine the measures cited above from the Fact Act amplified around the globe. Imagine that a consumer in the U.S. can block her or his number of credit card in Brazil or in Argentina through a Brazilian credit bureau. For example, integration and harmonization of legal procedures between Americans and Brazilians credit bureaus, Central Banks, and Consumer Protection Agencies using norms established inside of The FACT Act. This law can be a good model to implement legal rules for both countries (Brazil and the United States for instance). 9 I am very confident that this a great deal in order to minimize or even to solve the problem of identity theft with use of the numbers of credit cards or accounting banks. The FACT Act can be used as a model to harmonize and to spread the enforcement of specific law that protect consumers from theft of credit card and accounting numbers around the world. Why not? Frankly, the U.S. and Europe have the best laws that protect consumers. For example, the Brazilian Consumer Code is based in American laws. Otherwise, the multilateral temptations, evolving a lot of countries and at the same time much interests to solve or even minimize the problem of identity theft can be a mere act without real effect in the virtual world, especially when we think in terms of commercial transactions via Internet made by consumers. 5. Conclusion We described in this paper how the identity theft is a complex problem with the advent of Internet and how the FACT Act alone can be useless in an international center, once the cyberspace does not know boundaries, and cyber criminals can be born anywhere, not only in the United States. Some initiatives can be more ambitious than others, depending on the restrictions from the different regulatory agencies. Nevertheless, bilateral agreements can be useful and more efficient than treaties amid international organizations, involving many countries and interests. Moreover, the American Congress enacted a specific law dealing well with identity theft and would be so helpful for other countries to use as a model. As we briefly discussed, commercial transactions via Internet will receive benefits from bilateral agreements between Brazil and the United States for instance. However, as demonstrated in this paper, the FACT Act alone, without a international bias, will be worthless when identity theft occur involving different countries, being the American consumer the victim for example. 10 6. References Article from Consultor Jurídico Newspaper Title: Crimes na Internet Governos já preparam leis para conter cybercrimes available at http://conjur.uol.com.br/textos/2509/ Article from Consumers Union Consumer Federation of America Title: 2003 Changes to the Fair Credit Reporting Act: Important Steps Forward at a High Cost Article from Washington Post Title: Finally, New Ways to Fight ID Thieves available at http://www.washingtonpost.com/ac2/wp-dyn/a33460dec3?language=printer Article from Centro Brasileiro de Estudos Jurídicos da Internet Title: United Nations progress on e-commerce treaty available at www.cbeji.com.br Bederman, David J. International Law Frameworks Foundation Press New York, New York 2001
Beaver, Mark Cooperação Entre Jurisdições: Um Estudo de Caso Sobre Cibercrime available at http://usinfo.state.gov/journals/itdhr/1003/ijdp/green.htm Credit Report Sample from TransUnion available at http://www.truecredit.com Manual about ID Theft from Federal Trade Commission - Title: ID Theft. When Bad Things Happen To Your Good Name available at http://www.consumer.gov/idtheft Proposal for a Decision of The European Parliament and of The Council Brussels, 03.12.2004 The Fair Credit Reporting Act The Fair and Accurate Credit Transactions Act of 2003 The Truth in Lending Act The Electronic Fund Transfer Act The United States Code Section 1028 of title 18 Disponível em <http://www.cbeji.com.br/br/downloads/secao/identity%20theft%20in%20an%20internati onal%20context%20-%2004_06_2004[1].pdf > Acesso em.: 17 set. 2007.