This page considers forgery of documentation concerned
with identity: security passes, academic transcripts,
professional diplomas, resumes and other certification.
It covers -
is a more detailed examination of document- and biometric-based
identification regimes here
and here. A supplementary
guide considers identity crime,
along with a note on 'security
paper' and other mechanisms for protecting the integrity
Questions of web site and document identification are
explored in the Security & Infocrime guide on this
Elsewhere on this site we have noted
the quip that in a modern economy you are who your papers
say you are - take away those papers (and a plastic card
or two) and you have no identity. Manipulation of the
documentation can conversely improve the bearer's attributes:
enable access to services or facilities, eliminate age-based
restrictions or enhance career opportunities by adding
Documentation regimes have historically been undermined
in three ways -
documents have been illicitly obtained by those without
an entitlement (eg genuine passports have been purchased
from corrupt officials)
documents have been massaged through the inclusion or
deletion of data (eg an expiry date has been modified
or a personal photograph replaced)
entirely new document has been created, with the appearance
of a legitimate document
misuse is based on factors such as -
that particular documents cannot be readily forged (eg
because they feature technological protections such
as threaded and watermarked security paper, photographs
about the integrity of the government or private sector
entity issuing the documentation
plausibility of particular documents or suites of documents
(an isolated document is suspect, ten documents are
prima facie genuine - although a single illicit document
may have been used to 'breed' nine apparently legitimate
practice in data matching
assessment of risk in verifying documentation and claims
of identity (eg security guards 'waving through' anyone
who appears to have the requisite corporate identity
pass and wears a suit or other appropriate uniform)
an introduction to changing practices and issues see the
outstanding set of essays in Documenting Individual
Identity: The Development of State Practices since the
French Revolution (Princeton: Princeton Uni Press
2001) edited by Jane Caplan & John Torpey.
False birth certificates, Social Security cards and
drivers' licenses continue to be foundation or 'breeder'
documents for the procurement of genuine documents. A
US government study suggested that the birth certificate
is the "single most vulnerable document" - and
a key 'breeder' of other documents - because it is accepted
by most governmental agencies as proof of identity and
citizenship. Testimony in 2000 claimed
that over 8,000 US state and local registrars' offices
issue birth certificates, with over 10,000 variations
of US birth certificates being issued at any given time.
A government spokesperson commented
The best certificate to use fraudulently is a genuine
birth certificate. Some states furnish a birth certificate
to anyone who requests it. Other states may have issuance
requirements, but these requirements can also be circumvented.
Some states are experiencing malfeasance in their issuing
offices. In these cases, it is very difficult for most
people who are responsible for examining birth certificates
to detect this type of fraud, because the document is
genuine and in many cases the document is received without
the person being present.
Schneier offered a perspective by warning that
checks don't make sense. Everyone has an ID. Even the
9/11 terrorists had IDs. What we want is to somehow
check intention; is the person going to do something
bad? But we can't do that, so we check IDs instead.
It's a complete waste of time and money, and does absolutely
nothing to make us safer.
Corporate identification - ranging from correspondence
on corporate letterhead through business cards to security
passes that bear the subject's photograph - is so ubiquitous
as to be unnoticeable. The extent of misuse is not clear.
educational and professional certification
Concerns regarding certification and 'resume fraud'
reflect the credentialism that is an integral feature
of information economies, with an individual facing the
temptation of polishing a curriculum vitae by adding a
degree that wasn't obtained or adding non-existant expertise
and professional affiliations.
In some instances that simply involves citing information
on a job application, presumably with the hope that the
qualifications won't be checked or omissions identified.
A 1985 US Congress committee report indicated that up
to 500,000 false tertiary degrees are in 'use' in the
USA (eg were cited for employment purposes), including
10,000 false medical degrees. One perspective is provided
in a 1996 study (PDF)
by Michael Finn & Joe Baker.
Other claims suggest that 30% of employees were hired
with 'massaged' credentials or that "one in four
CVs contain lies", although most massaging appears
to relate to being economical with the truth rather than
fundamental misrepresentation. Estimates of the prevalence
and seriousness of resume fraud vary widely, with higher
figures (up to 80% incidence) coming from commercial resume
verification services. The February 2003 issue of Assessment
Council News (PDF)
notes a range from 11% to 67%.
Incidents have featured senior government officials, corporate
chief executives and board members, clergy, military leaders
and academics. Resume fraud is discussed
in more detail elsewhere on this site, with a complementary
note on diploma mills
(hand over US$500 for an instant PhD).
Certification also reflects use of primary/secondary school
documentation to validate claims for services (eg concessional
public/private transport fares for students and access
to educational intranets) or restrict access (eg 'card'
students from entertainment venues where alcohol is on
sale or underpin restrictions on the sale of tobacco,
alcohol and adult content to minors).
The extent of abuse is unclear, although it is common
to sight claims that up to 10% of Australian student IDs
have been altered, have been incorrectly issued or are
in use by an individual who no longer has the relevant
attributes (eg is no longer a student).
Discussion elsewhere on this site notes conviction in
2008 of Timothy Leslie McCormack, who faced 111 charges
(including forging Commonwealth documents) after falsely
claiming to be a qualified aircraft engineer and working
for ten months in maintenance of Qantas jets. McCormack
appears to have altered a colleague's engineer's licence
on his home computer before passing it off as his own
and was promoted to a Licensed Aircraft Maintenance Engineer
(LAME) after falsifying several exam results issued by
the Civil Aviation Safety Authority (CASA). After belated
detection - with a reported three month delay after initial
discovery of discrepancies in the paperwork - McCormack
was convicted. He reappeared in court shortly theafter,
following realisation that he had forged the character
reference letter provided to the court at the time of
biometric forgery and fraud
The notion of "the body as data" - and identification
of individuals through inherent properties such as DNA
or iris configuration rather than attributes such as documentation
assigned by a government agency - has posed questions
about manipulation of testing procedures and technologies.
In the film Gattaca for example the hero defeats
a DNA-based regime by engaging in identity fraud: simply
substituting another individual's hair, blood and skin
samples when tested. Fingerprint readers have been defeated
by using latex gloves or more spectacularly by using a
There is a useful discussion in Caplan & Torpey's
Documenting Individual Identity, noted above, and
in Genetic Secrets: Protecting Privacy & Confidentiality
in the Genetic Era (New Haven: Yale Uni Press 1997)
edited by Mark Rothstein.
We have explored the major biometrics
technologies and associated issues in a more detailed
note elsewhere in this site.