The methodology for the Measurement Framework involved developing a range of indicators that were designed to quantify not only the incidence of identity crime itself, but also its broader impacts and some of the activities that can be undertaken to prevent identity crime from occurring. AGD developed this methodology with assistance from the AIC (Bricknell & Smith, 2013; the AIC Report).
This methodology was then tested during an initial six-month pilot data collection exercise involving a range of Australian, state and territory government agencies, using a sub-set of these indicators. This exercise was focussed primarily on existing data held by government agencies, and other information that was available from public sources.
With the assistance of the Department of Foreign Affairs and Trade, AGD also commissioned the AIC to conduct a community survey to gauge the community experiences of, and attitudes toward, identity crime. The AIC Survey was administered online over a two-week period in September 2013, and garnered responses from a cross-section of 5,000 people.
Given the number of agencies that were approached with requests for data—over 50—the pilot exercise was conducted over a relatively short timeframe. Aside from the AIC Survey, there was limited additional funding available for the pilot; as such agencies needed to provide data, if available, using existing resources. In some cases, agencies indicated that they may have data to inform the exercise, but that it could not be provided in an accessible format within the timeframe and resources available.
Similarly, there are a range of private sector and other non-government organisations that hold valuable sources of information on identity crime, although it was beyond the scope of the pilot activity to explore non-government sources of data that were not otherwise publicly available. It is envisaged that these sources of information could be explored in any future phases of the project.
This report provides some of the key findings of the pilot data collection exercise and makes some preliminary observations on the nature and scale of identity crime in Australia. This may provide some insights into possible policy or operational responses to identity crime. However, the report is designed primarily to help raise broader awareness of the nature and extent of identity crime in Australia and for relevant ministers to use when assessing whether or not to establish an ongoing program of data collection, measurement and reporting to support implementation of the NISS.
Australia’s national identity infrastructure
Unlike some countries, Australia does not have a national identity card. The systems that Australians rely upon to help establish and verify their identities—our national identity infrastructure—is an interdependent network of systems that has evolved over time by practice and convention, not necessarily by design. It is built on a range of documents, cards and other credentials that are issued by a range of government, business and other non-government organisations. While the primary purpose of these credentials was not to serve as evidence of a person’s identity, they have become increasingly used in this way throughout the community.
In order to develop reliable and robust estimates of identity crime, it is important to understand the nature of Australia’s identity systems. Within Australia’s network of identity infrastructure, over 20 government agencies manage more than 50 million core identity credentials (such as passports, birth certificates, visas, citizenship certificates, driver licences and Medicare cards). In addition, a comparable number of credentials are issued by private sector and other non-government organisations.
While not traditionally considered as critical infrastructure, Australia’s identity management systems have many of these characteristics. In the event that these systems are compromised or become unavailable for any length of time, there could be significant impacts to the Australian economy.
Australia’s federated identity management system is characterised by interdependencies. Each agency that issues identity credentials within Australia relies upon those issued by other organisations to help verify their clients’ identities. A breach of identity security in one organisation can have potentially serious ‘downstream’ consequences for the identity of an individual or another organisation, and affects the strength of the network
as a whole.
Australia’s identity systems are also highly dynamic. Each year hundreds of thousands of identity credentials are issued or renewed as people arrive in Australia, move interstate, get married, learn to drive, or need to access medical services.
Detecting and preventing the fraudulent use of identities in such a dynamic network of identity management systems presents significant challenges for the range of service delivery, regulatory and law enforcement agencies involved.
One of the key challenges in measuring identity crime is the lack of commonly agreed terms and definitions for this activity, both across Australia and internationally. However, there is an emerging consensus around the use of some of this terminology. Definitions for some of the key terms used throughout this report are included below. A more complete glossary is included in Appendix C.
Identity crime: a generic term to describe activities/offences in which a perpetrator uses a fabricated, manipulated, or stolen/assumed identity to help them commit a crime(s). Identity fabrication: the creation of a fictitious identity. Identity fraud:gaining money, goods, services or other benefits or avoiding obligations by using a fabricated, manipulated, or stolen/assumed identity. Identity manipulation:altering one or more elements of an identity (e.g. name, date of birth, address etc.).Identity misuse:using personal information for purposes extraneous to the original transaction—such as renting it to a vendor of related products, or mining it to create a consumer profile or direct marketing list. Identity takeover: assuming parts or all of the identity of another person with their consent. Identity theft: stealing or assuming a pre-existing identity (or significant part thereof) without consent and, in the case of an individual, whether the person is living or deceased.