certification

This page considers forgery of documentation concerned with identity: security passes, academic transcripts, professional diplomas, resumes and other certification.

It covers -

• introduction
• corporate identification
• educational and professional certification
• biometric forgery and fraud

There is a more detailed examination of document- and biometric-based identification regimes here and here. A supplementary guide considers identity crime, along with a note on 'security paper' and other mechanisms for protecting the integrity of documents.

Questions of web site and document identification are explored in the Security & Infocrime guide on this site.

     introduction

Elsewhere on this site we have noted the quip that in a modern economy you are who your papers say you are - take away those papers (and a plastic card or two) and you have no identity. Manipulation of the documentation can conversely improve the bearer's attributes: enable access to services or facilities, eliminate age-based restrictions or enhance career opportunities by adding spurious qualifications.

Documentation regimes have historically been undermined in three ways -

• legitimate documents have been illicitly obtained by those without an entitlement (eg genuine passports have been purchased from corrupt officials)
• existing documents have been massaged through the inclusion or deletion of data (eg an expiry date has been modified or a personal photograph replaced)
• an entirely new document has been created, with the appearance of a legitimate document

Successful misuse is based on factors such as -

• assumptions that particular documents cannot be readily forged (eg because they feature technological protections such as threaded and watermarked security paper, photographs or holograms)
• assumptions about the integrity of the government or private sector entity issuing the documentation
• the plausibility of particular documents or suites of documents (an isolated document is suspect, ten documents are prima facie genuine - although a single illicit document may have been used to 'breed' nine apparently legitimate records)
• poor practice in data matching
• poor assessment of risk in verifying documentation and claims of identity (eg security guards 'waving through' anyone who appears to have the requisite corporate identity pass and wears a suit or other appropriate uniform)

For an introduction to changing practices and issues see the outstanding set of essays in Documenting Individual Identity: The Development of State Practices since the French Revolution (Princeton: Princeton Uni Press 2001) edited by Jane Caplan & John Torpey.

False birth certificates, Social Security cards and drivers' licenses continue to be foundation or 'breeder' documents for the procurement of genuine documents. A US government study suggested that the birth certificate is the "single most vulnerable document" - and a key 'breeder' of other documents - because it is accepted by most governmental agencies as proof of identity and citizenship. Testimony in 2000 claimed that over 8,000 US state and local registrars' offices issue birth certificates, with over 10,000 variations of US birth certificates being issued at any given time.

A government spokesperson commented

The best certificate to use fraudulently is a genuine birth certificate. Some states furnish a birth certificate to anyone who requests it. Other states may have issuance requirements, but these requirements can also be circumvented. Some states are experiencing malfeasance in their issuing offices. In these cases, it is very difficult for most people who are responsible for examining birth certificates to detect this type of fraud, because the document is genuine and in many cases the document is received without the person being present.

Bruce Schneier offered a perspective by warning that

ID checks don't make sense. Everyone has an ID. Even the 9/11 terrorists had IDs. What we want is to somehow check intention; is the person going to do something bad? But we can't do that, so we check IDs instead. It's a complete waste of time and money, and does absolutely nothing to make us safer.

     corporate identification

Corporate identification - ranging from correspondence on corporate letterhead through business cards to security passes that bear the subject's photograph - is so ubiquitous as to be unnoticeable. The extent of misuse is not clear.

     educational and professional certification

Concerns regarding certification and 'resume fraud' reflect the credentialism that is an integral feature of information economies, with an individual facing the temptation of polishing a curriculum vitae by adding a degree that wasn't obtained or adding non-existant expertise and professional affiliations.

In some instances that simply involves citing information on a job application, presumably with the hope that the qualifications won't be checked or omissions identified.

A 1985 US Congress committee report indicated that up to 500,000 false tertiary degrees are in 'use' in the USA (eg were cited for employment purposes), including 10,000 false medical degrees. One perspective is provided in a 1996 study (PDF) by Michael Finn & Joe Baker.

Other claims suggest that 30% of employees were hired with 'massaged' credentials or that "one in four CVs contain lies", although most massaging appears to relate to being economical with the truth rather than fundamental misrepresentation. Estimates of the prevalence and seriousness of resume fraud vary widely, with higher figures (up to 80% incidence) coming from commercial resume verification services. The February 2003 issue of Assessment Council News (PDF) notes a range from 11% to 67%.

Incidents have featured senior government officials, corporate chief executives and board members, clergy, military leaders and academics. Resume fraud is discussed in more detail elsewhere on this site, with a complementary note on diploma mills (hand over US$500 for an instant PhD).

Certification also reflects use of primary/secondary school documentation to validate claims for services (eg concessional public/private transport fares for students and access to educational intranets) or restrict access (eg 'card' students from entertainment venues where alcohol is on sale or underpin restrictions on the sale of tobacco, alcohol and adult content to minors).

The extent of abuse is unclear, although it is common to sight claims that up to 10% of Australian student IDs have been altered, have been incorrectly issued or are in use by an individual who no longer has the relevant attributes (eg is no longer a student).

Discussion elsewhere on this site notes conviction in 2008 of Timothy Leslie McCormack, who faced 111 charges (including forging Commonwealth documents) after falsely claiming to be a qualified aircraft engineer and working for ten months in maintenance of Qantas jets. McCormack appears to have altered a colleague's engineer's licence on his home computer before passing it off as his own and was promoted to a Licensed Aircraft Maintenance Engineer (LAME) after falsifying several exam results issued by the Civil Aviation Safety Authority (CASA). After belated detection - with a reported three month delay after initial discovery of discrepancies in the paperwork - McCormack was convicted. He reappeared in court shortly theafter, following realisation that he had forged the character reference letter provided to the court at the time of conviction.

     biometric forgery and fraud

The notion of "the body as data" - and identification of individuals through inherent properties such as DNA or iris configuration rather than attributes such as documentation assigned by a government agency - has posed questions about manipulation of testing procedures and technologies.

In the film Gattaca for example the hero defeats a DNA-based regime by engaging in identity fraud: simply substituting another individual's hair, blood and skin samples when tested. Fingerprint readers have been defeated by using latex gloves or more spectacularly by using a gummi bear.

There is a useful discussion in Caplan & Torpey's Documenting Individual Identity, noted above, and in Genetic Secrets: Protecting Privacy & Confidentiality in the Genetic Era (New Haven: Yale Uni Press 1997) edited by Mark Rothstein.

We have explored the major biometrics technologies and associated issues in a more detailed note elsewhere in this site.

   next page  (wills)