Project Trawler: Crime On The Information Highways
Contents
Key Judgements
Introduction
Computer Hacking
Viruses And Other Malicious Programs
Intellectual Property Offences
Fraud
Gambling, Pornography And Other Commerce
Electronic Payment Systems
Harassment, Threats And Hate Sites
Paedophilia
Criminal Communications
Assessing Risk And Impact
Responses To Crime
Annex A: Glossary Of Terms And Abbreviations
Key Judgements
- Crime on the ‘information highways’ is multi-faceted. It includes
targeting of computers themselves by hackers, crimes across the new
medium and the facilitation of crimes in the physical world by more
anonymous or secure communications.
- Authoritative statistics are not available to gauge the present scale
of ‘computer crimes’. However, Internet paedophilia, computer misuse
(hacking and viruses), telecommunications fraud, software piracy, and
the availability of illicit or unlicensed products and services are
offences already making themselves felt. Emerging problems include
fraud, audio piracy, and criminals’ use of secure Internet
communications. The UK has yet to prosecute a case of cyber-stalking.
- Computer misuse offences encompass a range of offences, with a number
of hacking methods and malicious programs available, requiring varying
degrees of technical prowess and causing different levels of damage. A
variety of motives lie behind the attacks and not all hackers and virus
writers pose the same threat. The vast majority of incidents are
nuisance attacks rather than serious, malicious assaults, but victims of
the former may still suffer financially (e.g. through computer
downtime).
- In future, NCIS anticipates more computer misuse offences inspired by
political motives, hacking for information with financial value (e.g.
credit card details, insider trading information, commercial espionage),
and continued ‘work rage’ assaults and acts of mischief. The turn of the
millennium is likely to spur some program writers to create viruses
which will be triggered by the 1/1/2000 date.
- NCIS assesses that Internet fraud is an emerging threat that will
increase significantly in the coming years, albeit from a low base. The
huge growth in the Internet population and in e-commerce will provide
opportunities for fraud, with share-pushing being a particularly simple
and effective means of defrauding innocent investors and making large
sums of money. Compared with the totality of fraud, however, the
significance of Internet fraud should not be over-stated.
- Poorly designed and controlled electronic payment systems would pose a
serious risk to law enforcement efforts to counter money laundering
operations. However, well-designed and effectively controlled systems
might well be positively unattractive to money launderers, and might
even divorce their cash flows from the legitimate marketplace, thus
offering opportunities for identification.
- Software piracy is a boom business. The experience of the software
industry is likely to be a harbinger of the troubles ahead for the
phonographic and video industries.
- E-mail harassment will increase as Internet usage grows.
- Paedophiles are using the Internet to disseminate child pornography,
to market videos and magazines for commercial sale, to promote opinions
seeking to rationalise and legitimate sexual fantasies about children
and sexual encounters with them, and to solicit children. International
law enforcement operations have had some notable successes in catching
offenders.
- NCIS does not assess the risks or scale of criminal activity on the
Internet to be as extensive as sometimes portrayed. However, certain
threats are emerging and there is merit in taking suitable preventative
steps now to avoid having to deal with a greater problem at a later
date. Government, law enforcement, industry and users all have a role to
play in ensuring that the ‘information highways’ do not become a
seductive environment for criminals.
- Users heeding the warning of ‘buyer beware’, and organisations
implementing and observing appropriate information security policies,
will help to minimise the threats faced. Law enforcement must have
suitable capabilities to detect and prosecute offenders, and there must
be fitting penalties to punish those guilty of offences. Industry’s
development of digital signatures and ‘watermarks’ has considerable
potential as a tool to prevent crime.
- Widespread use of secure encryption will curtail opportunities for
certain kinds of ‘computer crime’ - it can be used for secure storage of
information (anti-hacking), to protect intellectual property
(anti-piracy), and to prevent defrauding of firms and individuals.
Unfortunately, secure encryption will also help Organised Crime,
paedophile rings and other criminals to communicate without risk of
detection.
- Criminals will make ever more use of Internet communications to
organise their illegal activities. Consequently, existing law
enforcement capabilities, in prescribed circumstances, to lawfully
intercept communications and interrogate seized computers, will be
eroded. Potentially, this would seriously damage law enforcement’s
ability to fight serious and organised crime.
- In the information age, significant opportunities for gain exist for
those who are best able to utilise both technology and information - who
will do the better job, the criminal or those seeking to prevent or
detect crime?
Introduction
Project Trawler
- The National Criminal Intelligence Service (NCIS) launched Project
Trawler, its study of ‘computer crime’, in July 1996. It was recognised
that the development of ‘information highways’, whilst revolutionising
global communications and commerce, and offering a plethora of benefits
to society, also opened up opportunities for criminal activity. Based on
the project’s detailed findings to date, this paper seeks to raise
awareness and understanding of the different criminal threats that exist
and stimulate debate about the ways in which they may be eliminated or
contained.
- Project Trawler defines ‘computer crime’ as an offence in which a
computer network is directly and significantly instrumental in
the commission of the crime. Computer interconnectivity is the essential
characteristic. The terms ‘computer crime’, ‘information technology
(IT) crime’ and ‘cybercrime’ are used interchangeably.
- ‘Computer crime’ defies simple categorisation into crime types.
There is consensus that attacks on network confidentiality, integrity
and/or availability - i.e. unauthorised access to and illicit
tampering with systems, programs or data - constitute one body of
offences. The numerous remaining ‘cybercrimes’ comprise a mixed bag of
mostly traditional offences which have found a new medium for their
commission across IT networks.
- The use of terms such as ‘IT crime’ should not be construed as
meaning that NCIS believes that there is anything essentially corrupting
about IT, nor that these offences constitute a distinct crime category
(in the same way as, say, burglary or theft from a motor vehicle). It is
simply a convenient catch-all phrase, which serves a useful purpose at
the present time. It is true that many of these offences are merely
extensions of more conventional crimes. However, the Internet and other
networks, together with the possibilities that they create, are
sufficiently new and unfamiliar to warrant examination of the subject as
a whole.
Quantitative And Qualitative Approaches
- Unfortunately, authoritative statistics are not available to provide
a full picture of the levels of ‘computer crime’. Surveys provide a
partial snapshot and, generally, all indicators point upwards. Then
again, more incidents would be expected because, with each passing year,
there are more computers and users. For a wider (but still far from
complete) picture, the Internet site www.web-police.org
allows users worldwide to file complaints. Obviously, not all crimes are
reported to this site, since it is not an official body and its
existence may not be well known. Moreover, only 37% of the complaints it
receives are found to be valid on further investigation. Nonetheless,
its figures show an increase in the number of filed complaints from 640
in 1993, to 12,775 in 1997, to over 47,000 in 1998. The difficulty is in
determining how much of this represents a growth in reporting of crime
rather than in levels of crime.
- Lack of authoritative quantitative data is
undoubtedly a limitation, but not as problematic as one would first
think. Quantitative approaches would struggle to throw much light on
covert elements of the Internet; under-reporting may diminish the
accuracy and reliability of data collected in security surveys; findings
may be distorted by a small sample size or open to different
interpretations; and a mass of figures gives no indication of the
seriousness of each event. Moreover, quantitative data is of limited
value when the objectives are to identify a possible emerging
threat and propose the best means to deal with it and prevent it from
escalating.
- NCIS thus considers a qualitative approach (combined, where
possible, with quantitative analysis) to be desirable. Consideration has
been given to society’s exposure to potential criminal activity (i.e.
the vulnerabilities of IT systems and the criminal opportunities which
may arise from them), the capabilities and motivation of known
offenders, and the impact of offences. Factors inhibiting crime have
been borne in mind as well as the facilitators, and thought given to
criminals’ own vulnerabilities and law enforcement’s opportunities
too.
Computer Hacking
Someone has gained unauthorised access to your computer
systems, programs or data. What damage might they do? A snooper might read
your personal information, while a vandal might alter the design of your
webpage. A saboteur might erase R&D data or paralyse your network, and
an industrial spy might copy trade secrets. A thief might steal credit
card details or alter records to make a financial gain. A blackmailer
might plant a digital bomb and threaten to trash your systems unless
payment is made. A terrorist might seek to disrupt critical national
infrastructure.
- In the UK, unauthorised access to computer systems, programs or data
is an offence under the 1990 Computer Misuse Act (CMA), punishable with
a fine of up to £2,000 or imprisonment of up to six months or both.
Stiffer penalties are available, under the same Act, for unauthorised
access with intent to commit or facilitate an arrestable offence or to
cause unauthorised modification of the computer’s contents: these carry
maximum sentences of five years’ imprisonment and/or an unlimited fine.
Scale Of The Problem
- The integrity and confidentiality of data held on computers and the
availability of IT systems are central to the functioning of many, if
not most, companies and organisations. Attacks on the computer and its
contents are potentially serious blows.
- Quantifying incidents of unauthorised access is especially
problematic due to under-reporting and, sometimes, a lack of awareness
that intrusions have occurred. The private sector is reticent about
reporting incidents to law enforcement. In a 1999 US survey by the
CSI/FBI, only 32% of respondents who had suffered a computer intrusion
in the previous year reported it to law enforcement. And this was an
improvement on previous years when only 17% had reported. Numerous
reasons have been given or suggested for non-reporting: fear of negative
publicity; concern that competitors would exploit the case; ignorance
that the incident could be reported; preference for a civil remedy; fear
that publicity will attract other hackers; lack of confidence in law
enforcement’s ability to assist; concern about excessive downtime; and,
for insider hacking, a wish to deal with the matter in-house.
- In the 1999 CSI/FBI survey, 55% of respondents reported that they
had experienced cases of unauthorised access by employees (up from 44%
in 1998), and 30% had suffered system penetration from outsiders (up
from 24%). UK surveys do not suggest as many businesses and
organisations here are victims, but hacking incidents are increasing.
The number of assaults reported by UK academic institutions to
JANET-CERT grew from 174 in 1994 to 1594 in 1998 - a more than ninefold
increase.
The Hackers
Recreational Hackers
- The goal of many hackers is merely to gain unauthorised access to
systems and goes no further. Such recreational hackers are primarily
motivated by a desire to beat the challenge offered by secure code or a
wish to show up shortcomings in security. Some might claim to have
helped to bring about improvements in computer protection by
highlighting inadequacies. However, although their motive is relatively
benign, the less adept recreational hackers may still cause damage to
systems inadvertently or give rise to a financial cost for the victim.
Moreover, some recreational hackers often do more than just access; the
temptation to copy information or leave a calling card (to demonstrate
prowess) or enjoy service without paying is sometimes evident. And the
activities of some are arguably irresponsible (by compromising or
jeopardising sensitive information), or amount to vandalism (e.g.
defacing websites) or private pranks (e.g. switching connections to sex
sites).
Criminal-Minded Hackers
- While most hacking incidents are mischievous or trivial in nature
and design, a few attacks are undertaken for nefarious purposes, to
achieve certain goals such as financial gain, sabotage or revenge.
- To date, there has been a tiny number of known cases of unauthorised
money transfers. The most notorious occurred in 1994, when the US
Citibank was targeted by Russian cyber-criminals. Losses of US$400,000
were sustained and never recovered. One Russian (apparently on his way
to withdraw some of the money) was apprehended in the UK, extradited to
the US, and eventually sentenced to three years in prison.
- The financial sector’s acute security consciousness may minimise the
success rate of hacker-bank robbers. Efforts may turn instead,
therefore, to targets perceived as having less secure networks. With IT
systems increasingly home to information with high monetary value,
either inherently (as in the case of credit card details) or in the
perception of certain parties (such as the owners or their rivals), such
targets may be lucrative. UK law enforcement has come across a number of
cases in which company computers have been accessed for customer account
details, either by a competitor to recruit the customers or else for
credit card fraud purposes.
- Information may be of such a confidential nature or monetary value
to the owners that the hacker can use it for blackmail purposes. In
January 1998, in reportedly Europe’s first case of electronic bank
blackmail, the German Verbraucherbank offered a DM10,000 (US$5,300)
reward for information leading to the arrest of a hacker who was
blackmailing the bank. The hacker had claimed to have raided several
customer accounts and retrieved customer data from the computers of two
of the bank’s branches. He was demanding DM1 million (US$530,000) or
else he would release the information on the Internet. Sabotage attacks
can also be used for extortion: malicious programs will be unleashed
unless the victim pays up, or a program already released will only be
removed once the victim has paid up.
- Commercial espionage is the acquisition of corporate plans, research
and development results or other secrets by illicit or questionable
means. Commercial sabotage is an act which aims to damage a rival
business by undermining its standing (with the public, customers, etc.),
or preventing it from functioning properly, or otherwise causing it
unnecessary financial losses. The Internet has opened up a new
battlefield for such actions. The Metropolitan Police Service’s Computer
Crime Unit has encountered instances of employees copying customer
databases and setting themselves up in competition. A difficulty here is
that copying proprietary trade information does not count as
theft under UK law. In December 1997, the Law Commission produced a
consultative document (No. 150) which favoured criminalisation of the
"misuse of trade secrets".
- Pranksters have altered the websites of numerous prominent
organisations. For example, in 1996, a hacker broke into the UK Labour
Party’s website, reworded a link to another site to read "Labour Party
Sex Shop" and transferred visitors to pages carrying pornography; in
1996, a hacker changed the CIA’s website to read "Criminal Stupidity
Agency"; and in 1998, in Australia, the ruling Liberal Party’s website
was accessed and its leader’s title changed to "The Dishonourable John
Howard, Prime Minister, Minister for Pain, Suffering and Inequity". Such
pranks are infantile, mindless, sometimes humorous, but they do entail a
cost to put right the damage and, where the replacement page is not an
obvious spoof, can mar the victim’s public image.
- Vandalism can be more maliciously-inspired. Disgruntled employees,
ex-employees or customers may be harbouring a grievance and may launch a
digital attack with the purpose of causing harm. Workplace sabotage, of
course, may be accomplished without using or targeting a computer, but
digital tools offer the saboteur the means to attack valuable company
resources while potentially remaining anonymous. Anecdotal evidence of
such spite attacks exists. In a US court case in 1998, a sacked computer
programmer was alleged to have detonated a digital bomb against his
former employer in 1996. This act permanently deleted the company’s
design and production programmes, causing an estimated US$10 million in
damages. In the UK, a CMA conviction in 1998 - for altering an estate
agency’s website to show pornographic images - was apparently a revenge
attack. The estate agent had rejected a tender from one of the hackers
to install and maintain the website.
- Vigilantism is another mischief which may be perpetrated, although
to date this has been a mainly US phenomenon. Targets are invariably
alleged paedophiles or fraudsters. Hacking and denial of service attacks
have been employed, as well as simple ‘naming-and-shaming’ of
individuals.
Political Hackers
- A further blurring of distinctions amongst hackers has occurred with
the emergence of political hackers or ‘hactivists’. Like the
criminal-minded, they too have ulterior designs, whether furthering
‘ethical’ causes or pursuing political-ideological acts. Attacks on IT
systems may be an effective tactic to promote a cause or highlight a
grievance.
- A widely reported example of a campaign waged partly in cyberspace
occurred in Norway in 1998: thousands of students launched a protest
against rises in student loans by inundating the government with over
200,000 e-mail messages. This tactic was successful in attracting
publicity, but does not appear to have caused any serious disruption.
Politically-motivated protests by more adept hacking groups in 1998
included: the altering of websites around the world to include an
anti-nuclear statement (by the MilWorm and Ashtray Lumberjacks groups);
insertion of messages calling for full autonomy for East Timor into
Indonesian Government websites (by Kaotik); and the ‘break-in’ to the
"New York Times" website to call for the release of a jailed hacker (by
Hacking For Girlies). Earlier this year, the Animal Liberation Tactical
Internet Response Network staged ‘virtual sit-ins’ against Finnish Fur
Sales, the Seattle Fur Exchange and a Swedish vivisection laboratory.
Protesters from around the world were encouraged by the group to use an
automated program which effectively shut down connections to the
victims’ websites.
Insiders versus Outsiders
- A key question in determining the hacking threat is the ratio of
external to internal hacking. External hackers tend to grab more media
attention, but known instances of major financial damage are not that
common. Studies invariably show that most hacking incidents against
companies and organisations are committed by insiders (whether dishonest
or disgruntled employees, contractors or consultants). According to the
Department of Trade and Industry (DTI), internal hacking cost UK
organisations £1.5 billion in the six years from 1992, with 70%
of all hacking incidents being of this type. Thus, whatever protection
is erected against external hackers, a well-placed insider may be the
simplest and most effective means of accessing information and could
render nearly all security safeguards useless. The insider is likely to
be more knowledgeable about both the victim’s vulnerabilities and the
‘valuables’ worth raiding.
- The growth of the Internet, though, introduces a new vulnerability
which may favour external hackers. The 1999 US CSI/FBI survey suggested
that increasing connections to the Internet were raising the threat from
external attack; 57% of respondents reported their Internet connections
as a frequent point of assault in 1999, up from 37% in 1996.
Established Criminals
- There is scant evidence of the use of hacking by established
criminals or of any connections between CMA offenders and the criminal
world. However, media interest, increased IT literacy in society as a
whole, and the imprisonment of CMA offenders (which brings them into
contact with criminals whom they might otherwise never meet) may well
invite the attention and curiosity of established criminals, spread
knowledge of computer hacking and its possibilities for financial gain,
and promote the take-up or recruitment of skills. On the other hand,
there may be little change if criminals remain content with the
continuing opportunities and profitability of traditional forms of
crime. Additionally, it should not be ruled out that the CMA offenders
themselves may turn to more serious criminal pursuits as they realise
the uses to which their skills may be put.
Methods And Capabilities
- Due to vulnerabilities in networking protocols, it is possible to
access a computer through the manipulation of data traffic exchanged
across a network; telnet hijacking and IP spoofing are examples of such
attacks. Alternatively, the hacker can subvert the computer’s
access-control measures to obtain the user identification (user-ID) name
and password. Digital means of doing this include: running a ‘trojan
horse’ program, by which the hacker displays a false log-on screen and
so deceives the user into revealing their user-ID and password; laying a
‘sniffer’ program that sits on the network and harvests data as it
passes between computers; and a ‘brute force attack’, a software program
which will generate every possible combination of letters, numbers and
symbols on a standard QWERTY keyboard. Non-digital methods include:
‘shoulder surfing’, by which the hacker watches the user type in the
details; and confidence tricks, by which the hacker persuades or
deceives the user to reveal them.
- Some hackers demonstrate considerable technical capabilities.
However, hacking need not be highly-skilled and most hackers probably
secure access by low-tech means or by merely following instructions and
using tools available on websites - dismissively termed ‘point-and-click
hacking’ or ‘kiddie script hacking’. The types of attacks identified by
the CERT teams around the world reveal that the majority of detected
attackers are not familiar with the operating systems that they
encounter (e.g. DOS commands are used against UNIX systems).
- The capabilities of the hackers, however, do not necessarily equate
with the threat posed by them. Lesser skilled hackers may be more likely
to cause damage to the computer data on the system, leading to financial
loss or degradation/denial of service. Even if the majority of hackers
are not highly skilled, they are not unskilled either, and may still be
able to manipulate accessed systems to achieve desired results. A
further consideration is the degree of organisation which may be
present. Capabilities may be enhanced by calling on the advice and
cooperation of other hackers from around the world. The existence of
hacking forums, exchanging information on the Internet, has been
well-publicised. Investigations over the years by the Metropolitan
Police’s Computer Crime Unit suggest that hackers sometimes operate
within loose confederations and small groups, which set common
objectives and targets for attack. Some of these groupings cross
national boundaries.
- Some hackers lack the necessary know-how and skills to commit more
serious crimes and while the more adept ones could use their talents to
profit financially or cause serious damage to victims’ systems, whether
they are inclined to do so is an entirely different matter. Many hackers
are simply not motivated to exploit profit-making opportunities or trash
other people’s computers. Distinguishing between the differently
motivated hackers, however, is not always straightforward. When a victim
detects an intrusion, it may be impossible to ascertain the hacker’s
intention. The method of attack may be similar whether the attacker is
an inquisitive teenager or a commercial spy. The same automated tools
may be used and the same vulnerabilities in program and system design
exploited. Moreover, it is not always clear whether a secondary offence,
beyond intrusion, has occurred - it may be difficult to determine
whether any information has been copied. The threat from an individual
offender is also difficult to establish, since while a single hacking
incident will prompt an investigation, it is only as the case progresses
that the true level of offending becomes apparent. Each hacker is often
responsible for countless offences both within and outside the UK’s
jurisdiction.
Viruses And Other Malicious Programs
A malicious program has entered your computer system.
What damage might it do? A nuisance virus may leave a silly message or
slow down the performance of the computer. A calamitous one may delete
files or crash systems. A trojan horse, masquerading as a utility (e.g.
anti-virus software) or animation, may copy user-IDs and passwords, erase
files, or release viruses. The program may be used for blackmail, with
activation of a virus or ‘detonation’ of a digital bomb threatened unless
demands are met.
- In the UK, the deliberate planting or dissemination of a computer
virus or other nefarious software program - others include the ‘worm’,
‘digital bomb’, ‘trojan horse’ and ‘hostile applet’ - is covered by the
1990 Computer Misuse Act (see paragraph 8).
Scale Of The Problem
- The table below presents one series of estimates showing the
prolific rise in the number of computer viruses; others have put forward
even higher figures. CERT is reportedly identifying as many as 200 new
viruses each month. The number ‘on the loose’ at any one time, however,
will be much lower, and the vast majority of incidents may be classed as
nuisances rather than malicious.
Year | Number of Viruses | Increase on previous year
1992 | 1100 |
1993 | 2100 | 91%
1994 | 3800 | 81%
1995 | 6000 | 58%
1996 | 7400 | 23%
1997/98 | 11000 | 49%
Source: US Dr Solomons anti-virus software company.
- Studies show that viruses are typically the most common type of
assault on computer security. In recent surveys, the proportion of
respondents who admitted suffering infections ranged from 20% to 90%.
Some surveys have reported a fall in the frequency of viruses compared
with previous years, possibly due to increased use of anti-virus
software and greater awareness of the threat. However, a report by ICSA
had virus incidents up 48% on 1997, despite the fact that more
organisations had anti-virus software in place. The continued rise in
incidents was attributed to the greater number of computers in use;
better monitoring for viruses; increasing use of laptops, coupled with
casual security; and the failure to update security procedures and
products. Several surveys have reported a fall in the average financial
cost of viral incidents.
- The ICSA survey suggests that macro viruses account for the lion’s
share of infections. The US Dr Solomons anti-virus software company
claims that macro viruses, although representing only 2.3% of all
viruses, account for 50% of all viral incidents. The prominence of macro
viruses reflects the fact that they can affect the widely-used Microsoft
Word software.
Viruses, The Internet And E-Mail
- The computer virus has been given a new lease of life with the
growth of the Internet and e-mail, since these provide new paths for
transmission. Viruses can be hidden now within a file which is
downloaded from the Internet or attached to an e-mail message, and will
then infect the system when that file is run or the attachment opened.
Thus, viruses may be spread from system to system without need of
physical media such as a floppy disk. The Internet and e-mail are ideal
environments for the spread of macro viruses, since Word documents are
frequently exchanged over these media. Additionally, the Internet
provides an ideal platform to launch new viruses. Within a few days in
late March 1999, the Melissa virus (carried by e-mail) was reported to
have infected tens of thousands of computers around the world. ICSA’s
survey suggests that disks are still the most common path for infection,
although infections via e-mail were growing.
Intellectual Property Offences
You have copyright material, trade marks, and the
reputation of your organisation to safeguard. How might these intellectual
property rights be violated? Someone may copy work (e.g. software, audio
recordings, videos) without your approval. Businesses, institutions and
other organisations may make unauthorised extra copies of software for
office use. Unscrupulous computer dealers, in an effort to sell
particular hardware, may offer unauthorised copies of popular software to
the customer as an added inducement. Pirates may copy work onto
floppy disks or CDs and offer them for sale, and counterfeiters may fool
the unwary into buying such products believing them to be genuine
articles. Work may be downloaded direct from the Internet onto a
computer. A registered trade name or mark may be used without permission
or deceitfully imitated.
- Although most categories of intellectual property offences fall
under the civil law, some infringements do give rise to criminal
penalties. The 1988 Copyright, Designs and Patents Act makes the
manufacture and distribution of unauthorised copies criminal offences,
with a maximum sentence of two years’ imprisonment on indictment. The
1968 Trade Descriptions Act includes provisions designed to protect
consumers against being deceived by false or misleading trade
descriptions, while the 1981 Forgery and Counterfeiting Act could be
used where the pirated goods are sold as if they were the genuine article. If the
offender uses without consent a mark which is identical or likely to be
mistaken for the registered mark, then they would be guilty of an
offence under the 1994 Trade Marks Act.
Scale Of The Problem
- The Business Software Alliance (BSA) and Software Publishers’
Association (SPA) have estimated that 31% of business software in
the UK in 1997 was used illegally; lost revenue to piracy totalled
US$334.5 million. However, this did represent an improvement on the
previous two years: in 1995, the rate was 38% and losses totalled
US$444.6 million. Both the BSA and the UK Federation Against Software
Theft (FAST) assess corporate end-user piracy to be the principal
problem, with companies using software without a user licence or making
unlicensed copies. Malicious intent, however, need not be present: bad
systems management may merely overlook the requirement to secure
adequate licences. The European Leisure Software Publishers’ Association
(ELSPA) estimates that losses of revenue to the UK leisure
gamesware industry were £1 billion in 1997 and £3 billion in 1998.
The latter figure represents three times the industry’s legitimate UK
retail sales.
- Estimates of losses by the software industry tend to assume that
customers would purchase legitimate goods if the pirated ones were not
available - which is highly improbable in all cases. Moreover, by
selling goods cheaply to those who would otherwise be unable or
unwilling to buy them, the pirates may be expanding the future market
for such products - ‘hooked’ customers may switch to authentic goods as
they become more affordable. However, while this argument may be valid
for some markets (e.g. games for teenagers, or developing national
markets), it does not apply to others (e.g. applications programs for
the corporate sector) and, as digital copies become indistinguishable
from the genuine products and as widely available, it falls apart
altogether. More importantly, it is undeniable that pirates are making
money (and users saving money) at the expense of copyright owners and,
where sales are being lost, depriving legitimate businesses of income.
These losses reduce returns on investment, thereby diminishing the
incentive to develop new products and expand, thus hindering growth and
costing jobs. Lost sales also cut tax revenues to the government and
probably result in inflated prices being charged to customers of
legitimate software. Moreover, if the goods are inferior or faulty or
contaminated with a virus, the copyright owner’s reputation may be
harmed and the consumer has no redress.
Software Piracy
Software Piracy And The Internet
- Software piracy is the illegal copying and resale of software
programs, be they operating systems, applications, or leisureware.
Floppy disks, CD-ROMs and the Internet are all means of delivering
pirated goods. The Internet has added a new dimension to the
pirating/counterfeiting business, since the pirates can now download the
software from the Internet or bulletin boards and copy it on to blank
CD-ROMs, known as Gold CDs. This practice requires a CD-writer costing
about £250 from high-street outlets and blank CDs at £3 each. The copied
CDs are usually sold through markets and car-boot sales or by
mail-order. The Internet and bulletin boards are also used for direct
distribution of illegal software and for exchanging information
concerning the cracking of copy-protection. On the Internet, pirates
sometimes release their goods for free, competing with other groups for
"0-day release" - that is, the goal of providing a cracked version of
the software on the same day as its release. There have been moves to
make such ventures profitable, one method of doing this being the use of
premium rate bulletin boards - a BT 0898 number or similar is leased for
a bulletin board which holds the pirate software. A twist in the tale,
however, is that profit-making pirates have themselves suffered from
piracy.
Software Piracy: An Organised Crime?
- The software pirate groups - called Warez groups -
demonstrate a high degree of organisation. Some of these have a board of
directors; global, national and regional headquarters; and staff with
specific roles (suppliers of legitimate software; crackers who will
remove the copyright protection systems built into the software; and a
large distribution network of couriers, runners, and holders who provide
the storage space for the customers to obtain the illegal software).
These groups can be extremely well-equipped too. In some cases, UK law
enforcement operations have seized large amounts of computer equipment.
- In the case of the Gold CD-ROM trade, there is an international
dimension. Exports of pirated software have occurred from the Far East
and East Europe to West Europe. In March 1998, the FBI claimed to a US
Congressional hearing that piracy is "an international crime problem
that involves organised groups that conduct their counterfeiting
enterprises multinationally". In the UK, ELSPA has reported that in 80%
of its raids on software pirates, offenders are found to be engaged in
other crimes (including illegal drugs, fraud and theft). The experience
of UK law enforcement indicates that those involved in the
counterfeiting and pirating of software are often involved in
other more conventional criminal activities, such as drugs, forgery,
handling stolen property and firearms possession. However, NCIS has yet to
identify significant involvement of top UK criminals.
Audio, Video And Other Piracies
- Any material which may be held in digital form is open to
unauthorised copying and distribution. Hence, audio, digital video,
graphical images and textual material can be pirated as well as
software.
- A boost to audio piracy is coming from the exchange of digital music
files. These files are compressed using software into the MP3 format,
which occupies a fraction of the size of the original file, and then
distributed over the Internet, usually by being downloaded from webpages
and stored on the individual’s computer. According to FBI testimony to a
US Congressional hearing in March 1998, hundreds of digital jukeboxes
are appearing on the Internet, most run for free by young people, often
students. In February 1999, a press release by the European Parliament
claimed that there were some 2,000 sites available on the Internet from
which 80,000 illegal music files could be downloaded. The arrival on the
marketplace of portable devices (such as Diamond Multimedia’s ‘Rio’),
which can store and play MP3 files, is likely to help boost demand for
music downloaded from the Internet.
- Digital recordings could cause a potentially significant loss of
revenue to the phonographic industry. As with software, pirates are able
to supply their product direct from the Internet to their customers or
download files themselves for transfer to CDs (or digital tape or other
digital media), thus providing them with a low-cost method of producing
counterfeits or pirated compilations. As of March 1999, the MP3 devices
were retailing in the UK for around £200, with a blank CD (called a
CD-R) costing just £1.
- The Motion Picture industry is less threatened by the Internet at
present than the phonographic industry: video compression is not
sufficient to reduce the large volume of data required for even small
video clips into files which are easily transferred; the capabilities of
most computers do not allow for accurate smooth replay; and video
material is not widely available on a digital medium which is easily
ported onto home computers. Again, technological developments and the
growth of multimedia requirements for home computers may make the
widespread copying and distribution of video feasible.
Fraud
You are buying, selling or investing on the Internet, but
is the person you are dealing with trustworthy? The vendor may be
describing the products or services in a false or misleading manner, or
may take orders and money, but fail to deliver the goods. A crook may
‘pass off’ as a legitimate respectable business. Counterfeit goods may be
supplied, rather than legitimate ones. The payment mechanism may be abused
by either side to a transaction. An impostor claiming to be a
representative of a bank or ISP may ask for verification of personal
information in order to obtain credit card details or passwords. Advanced
fee frauds, untruthful share tips, risk-free
investments and pyramid schemes may dupe the unsuspecting
investor.
- In the UK, the 1968 Theft Act provides for maximum penalties of
seven years’ imprisonment for dishonestly appropriating property
belonging to another (with the intention of permanently depriving them
of it), and 10 years’ for dishonestly obtaining property by deception
(by words or conduct, with the intention of permanently depriving the
other of it). The 1978 Theft Act covers dishonestly obtaining services
from another by deception (where the service is one which has to be paid
for). Common law could be used for conspiracy to defraud where two or
more people commit the crime; this carries a prison sentence of up to
ten years.
Scale Of The Problem
Trade Fraud
- In the US, the National Consumers’ League (NCL) acts as a clearing
house for consumer complaints. Its Internet Fraud Watch (IFW) project,
established in 1996, allows consumers throughout the world to report
instances of Internet fraud. The number of complaints to the NCL about
alleged fraud on the Internet grew twentyfold between 1996 and
1998, albeit from a very low base. In this period, the number of scams
associated with on-line auctions grew substantially, and these have now
become the principal ‘Internet frauds’, accounting for 68% of all
reported cases in 1998. Non-supply of purchased goods or services,
delivery of products or services inferior to those advertised, and
suspected use of ‘shills’ (false customers) by sellers to inflate prices
were typical complaints. The NCL figures, extraordinarily, show that
most victims part with their money by insecure means: 93% of all
reported fraudulent transactions involved the victim sending cheques or
money orders, and even cash was sometimes posted. Credit cards made up
very few of these cases, despite the non-liability protections that they
offer to their holders.
Credit Card Fraud
- Credit card abuse, in relation to the Internet, may be perpetrated
by the customer or trader, or by a computer hacker. It occurs in a
number of different forms, some of which are unique to the new medium.
The Internet provides a new arena for fraudulent purchases to be made
using a forged, stolen or lost credit card. A dishonest trader may
retain credit card details for later abuse or sale or, alternatively,
may bill the credit card company, but fail to deliver the goods. Hackers
may intercept information or ‘steal’ from databases and thereby obtain
the valid credit card numbers of others. Lists of credit card numbers or
programs which generate valid new numbers (through mathematical
algorithms) can be accessed on the Internet.
- The relationship between the Internet and credit card fraud is
usually highlighted as the danger of having details compromised during
transmission. Interestingly, NCL’s Internet Fraud Watch has not received
a single complaint of someone having their credit card number stolen
while being transmitted to a reputable merchant (although there have
been cases in which details have been passed unwittingly to crooks).
- Visa, the international payments cards group, claimed in April 1999
that 47% of disputes and frauds arising from use of its cards in the
European Union (EU) were Internet-related. Some 22% involved people
denying that they had carried out the transaction, and 25% involved
miscellaneous complaints such as wrong or late delivery. The 47% figure
is extraordinarily high given that only 1% of Visa’s EU turnover is
Internet-related.
Financial Fraud
- Old-style financial scams - advanced fee frauds, pyramid schemes,
‘pump-and-dump’ share pushing, and get-rich-quick schemes - have been
given a new lease of life on the Internet. Most of the horror stories
emanate from the US and, to date, the UK has not suffered a proportional
level of fraudulent activity. However, this probably reflects the UK’s
lower Internet usage and so the situation may change as more people
connect to the Net. It is usually with these financial frauds that the
biggest money losses from ‘IT crime’ are seen: for example, in the US in
1996, a fraudster agreed in court to repay the US$12 million that he had
collected in a stock manipulation scam.
- The influence of share pushers can be
dramatic. For example, in a US case of April 1999, a company’s share
price jumped 30% following the release of false take-over information on
the Internet. In another US case of 1998, a newsletter author allegedly
made profits of US$172,000 from sales of shares in one company and
US$573,500 from another; both companies failed to perform as hyped and
their new shareholders lost much of their investment.
- Deceptive investment opportunities do not even have to concern real
companies. One cybervigilante claims to have uncovered a "biotechnology
company" which in fact sold kitty litter, and "the largest corporation
in Nevada" which was nothing more than a two-man air-conditioning repair
shop. In the US, there have been reported cases of bogus investment
banks appearing on the Internet, which offer high interest rates and
disappear as soon as funds have been attracted. Copycat sites look
genuine: in the April 1999 case cited above, the share pusher had posted
the information on an Internet site dressed up to look like a news
report from a reputable financial information provider.
Internet Features Which Aid Fraudsters
- The Internet has certain inherent features which make it ideal for
fraudulent purposes: cost-effectiveness, breadth of reach, difficulties
authenticating identity, anonymity, ease of personalising appeals, and
novelty. A fraudulent investment scheme may be advertised relatively
cheaply on a credible-looking website or by mass e-mailing, and reach
millions of people across the world, making it much easier to locate
those gullible enough to part with their cash. In 1997, a phoney US
investment scam (making false claims about a high-tech start-up company)
attracted nearly 100,000 people to its website, 3,000 of whom e-mailed
for further details, with 150 sending in money. In three months, the
conman netted US$190,000.
- The inability to readily determine the authenticity or location of a
claimed identity prevents even the most cursory assessment of the
validity of a communication. This works both ways: neither the seller
nor the buyer can be truly certain of the authenticity of the other. In
such circumstances, opportunities for fraudulent activity emerge. The
fraudster can pose as a reputable entity or ‘quote’ one in order to give
themselves credibility. Thus, sites which are assumed to be owned by a
legitimate company can be established to take orders and credit card
details and either process the transactions to receive payment, or use
the credit card details fraudulently. To inspire false confidence,
fraudulent sites have even been known to warn viewers of scams. A
hacker-fraudster, ‘hijacking’ the webpage of a reputable investment
advisor and using it to advertise a fraudulent scheme, might well fool
even the most wary.
- Personalised approaches can be computer-generated and can use
registration details or website histories to target individuals more
effectively. Finally, the Internet is new and unfamiliar to many users;
novice Internet users may be unaware that software is available to block
junk e-mail and conceal one’s movements on the Web. Many of the possible
frauds which may be perpetrated rely on the novelty and trust of the
Internet users.
Gambling, Pornography And Other Commerce
Fraud aside, what other perils may lie in wait for the
Internet consumer or supplier? Vices may be within easier reach. Products,
services and adverts which one would not find in the high street may be
readily available from the Internet. Whereas in the ‘physical world’, an
illegal sales outlet might be closed down relatively easily, in the
‘virtual world’, ease of relocation and jurisdictional problems intrude.
Users will be exposed to the standards and legislative requirements of
other countries, which may differ greatly from their own.
- The UK Gaming Act 1968 defines all gaming other than at licensed
premises as illegal. With respect to adult pornography, the key question
for UK law enforcement is whether the material is in breach of the 1959
Obscene Publications Act (OPA). As amended by the 1994 Criminal Justice
and Public Order Act, this Act applies to Internet images as it does to
those available in other media, making it an offence to publish obscene
material which is liable "to deprave and corrupt".
On-Line Gambling
- There were an estimated 1000 gambling sites on the Internet in late
1998. While the main forms of gambling at present are derivations of
lotteries and sports betting, developments in technology and
improvements in bandwidth will allow the development of live betting,
and real-time interactive casinos, card games and slot-machines. The
more important issue, however, is the development of offshore gaming
sites - the on-line gambling business can base itself in the country
with the lowest barriers to entry and weakest controls. These will be
just as accessible for any UK Internet user, but will lie outside UK
jurisdiction and may make it difficult for customers to gain legal
recompense in the event of the site using unfair or fraudulent
practices. In August 1998, there were reported to be around 160 virtual
casinos on the Internet, with almost 70% of them based in the Caribbean.
- There are a number of concerns: the fact that extant regulatory
controls are rendered useless; the possible anonymity of the operators;
social effects of unrestricted gambling (i.e. the dangers of addiction,
exposure of children or access by them); threat of fraud (e.g. theft of
credit card details by casinos or bookmakers, and fly-by-night operators
who rig the games or fail to pay out); and possible money laundering
opportunities. While illegal activities cannot be ruled out, operators
can probably expect to make plenty of money while remaining legitimate.
Adult Pornography And Other Sex Commerce
- As with Internet gambling, there is an undoubted consumer demand for
‘Internet sex’. Commercial activities include peep shows, in some of
which the strippers respond to the requests of the viewer; distribution
and sales of pornographic images; and adverts and sales of sexual aids
(particularly those related to sexual fetishes). The Internet is also
being used as a virtual phone-box for the placement of prostitutes’
calling cards, and is host to mail-order bride services (the women are
invariably east Asian or east European) and advertisements for
sex-tours.
- Effective regulation of the Internet is very difficult to achieve.
Consequently, there is a risk that services may be offered and standards
observed which would not be allowed in a properly licensed regime in the
‘physical world’. In the case of sex commerce sites, this may result in
the provision of obscene hardcore pornography and, indeed, many of the
Internet sex sites do offer, upon their front pages, categories which
would appear to be in possible contravention of the OPA.
Other Products, Services And Adverts
- Prohibited or regulated goods, reported as being marketed on the
Internet at one time or another, include: illegal drugs (e.g. ecstasy),
prescription-only medicines (e.g. viagra), quack cures, body parts (e.g.
kidneys), skins and by-products of endangered species, armaments,
counterfeit products and stolen goods. As well as on-line gambling and
prostitution, other illicit or unregulated services identified on the
Internet have included provision of investment advice, child adoption
and, in Japan, a suicide ‘service’ (offering advice on lethal dosages
and sale of potassium cyanide capsules - at least one death was
attributed to the ‘service’).
Electronic Payment Systems
In pursuit of a drugs importer, law enforcement discovers
that smartcards have been used to launder the illicit funds. It is
suspected that on-line banks feature in the audit trail. Information has
been received that electronic cash was used to create intricate patterns
of transactions in order to thwart law enforcement. Is this a true threat
or science fiction?
- A full list of money-laundering legislation in the UK is as follows:
the Criminal Justice Act 1988; Prevention of Terrorism (Temporary
Provisions) Act 1989; Criminal Justice Act 1993; Criminal Law
(Consolidation)(Scotland) Act 1995; Drug Trafficking Act 1994; Proceeds
of Crime (Northern Ireland) Order 1996; and Proceeds of Crime Act 1995.
- The combined legislation makes it an offence for any individual to
either attempt to hide or conceal the source of funds known or suspected
to be from criminal activity, or to assist another to do the same.
Moreover, special obligations are placed upon certain categories of
financial institutions under the Money Laundering Regulations; duties
include adequate record keeping, training of staff, and identification
of an appropriate individual to examine and disclose suspicious
transactions to NCIS.
Scale Of The Problem
- Smartcards, On-line Banking, and Ecash are all new forms of payment
system which, at time of writing, are fairly limited in tests globally
(including the UK) and have not been in existence long enough for ‘live’
problems to have been observed. However, in overall terms, the potential
for anonymity, speed of use, removal of human checks at institutions,
lack of physical volume, ability to ignore national boundaries,
jurisdictional inapplicability - all these factors present the criminal
with additional opportunities to launder funds. Law enforcement and
business must seek to minimise such risks by introducing systemic checks
and balances within the new technologies.
- It is conceivable that criminal organisations will take time to
recognise and exploit new technology. Yet, historical precedent provides
a contrary view. Following the introduction of the various anti-money
laundering obligations in the UK during 1993-1995, criminal use of less
regulated sectors (where risk of disclosure was less) accelerated
sharply. It is reasonable to expect that new payment systems will be
similarly exploited if the opportunities are sufficient.
- On the positive side, a number of factors may constrain criminal
exploitation of new payment systems. It is possible to design out some
of the risks. Also, placement of illicit funds will be necessary before
EPS can be exploited. In the longer term, a general move away from the
use of cash in day to day transactions could make criminals with a high
illicit cash turnover more easily identified.
Harassment, Threats And ‘Hate Sites’
Innocent users may find some unpleasant material coming
their way. Junk mail may be received, containing pornography or other
distasteful or obscene material. The user may find themselves repeatedly
receiving unwanted and distressing communications, such as threatening,
obscene or hateful e-mail. Vicious rumours may be spread on-line, or
blackmail demands received. You may be disturbed to find extremists airing
their prejudices on the Internet.
- Under the 1994 Criminal Justice And Public
Order Act, the use of threatening, abusive or insulting words or
behaviour, which thereby causes the victim harassment, alarm or
distress, carries a maximum penalty of six months’ imprisonment and/or a
fine. The 1997 Protection From Harassment Act could be used where the
victim is persistently pestered by the accused. Pursuing a course of
conduct which amounts to harassment of another is punishable by up to
six months’ imprisonment, while putting people in fear that violence
will be used against them has a maximum sentence of five years. Under
the 1984 Telecommunications Act, it is a crime to transmit messages using
the public telecommunications system which are grossly offensive,
indecent, obscene or menacing; or to persistently use the system for the
purpose of causing annoyance, inconvenience or needless anxiety. The
offence may be punished with a fine or maximum term of six months’
imprisonment. Blackmail is covered by the 1968 Theft Act, and conviction
carries a maximum penalty of 14 years’ imprisonment. The 1959 OPA may be
applicable in some cases too, while the 1986 Public Order Act prohibits
the dissemination of racially-inflammatory material, outlawing material
which is threatening, abusive or insulting and which is either intended
to stir up racial hatred or likely to do so. It could also be used in
cases of racial harassment.
Cyber-Stalking, Harassment And Threats
- A Novell survey in 1998 (of 810 people using e-mail at work) found
that half the sample had received unwanted e-mail from a persistent
sender. 35% of the offensive messages comprised unsolicited pornography.
To date, however, there have been no known criminal cases in the UK
concerning cyber-stalking. However, as Net usage grows, NCIS assesses
that occurrences of harassment will escalate.
Cyber-stalking has attracted much
concern in the US, and 17 states have reportedly passed laws against
on-line stalking or harassment. The first temporary restraining order on
an on-line stalker was issued by a court in Texas in October 1996; the
individual had been harassing the employees of a Dallas-based ISP. And
the first prison sentence for an e-mail hate crime was handed out in May
1998. A student in California was convicted of violating the civil
rights of 59 students by sending racially-targeted threats to them in
1996; he was sentenced to one year’s imprisonment.
Vicious on-line statements and rumours may be used against the
victim. Two especially nasty cases have reportedly occurred in the US.
In 1997, someone allegedly posted a child’s name, age and phone number
on 14 paedophile chatrooms, giving false sexual messages which led
paedophiles to call on the girl’s home. In January 1999, a Californian
man was arrested after allegedly impersonating a woman (who had spurned
his advances) on the Net. He, posing as she, is believed to have placed
an advert on a bulletin board, seeking male partners to live out a gang
rape fantasy and giving (the woman’s) name, address and telephone
number, and even instructions on how to bypass her house’s burglar
alarm. Several men responded to the advert with phone calls and visits
to the woman’s home.
E-mail harassment shares similarities with the posting of hate mail
and the making of obscene telephone calls. Notably, the stalker does not
have to terrorise the victim face-to-face. However, compared with those
traditional forms of pestering, the Internet offers advantages to the
stalker. No forensic evidence is left on the message (which may occur
with letters); there is no need to confront the victim in real time (as
on the phone); there is no danger of voice or handwriting recognition;
and there are various ways in which it is possible to attain relative
anonymity (so there is less risk of the connection being traced, as with
phone calls).
In the period 1996-98, the NCIS Kidnap And Extortion Desk was
notified of two cases of blackmail by e-mail. This figure is small in
comparison with the total number of notified blackmails in this time (96
cases). As with cyber-stalking, the Internet offers a number of
advantages to the electronic extortionist. There is no danger of
fingerprints and steps can be taken to hide identity. However, the
blackmailer will need a physical interface in order to access their
ill-gotten gains.
‘Hate Sites’
- Examples of intimidation, such as extremist websites listing the
names and addresses of those they wished killed, have also been noted.
While it may be difficult to prove to a court that these constitute
death threats, the language and imagery used does suggest an intention
to at least put people in fear of their lives. In the US, an
anti-abortion website, called the Nuremberg Files, was sued after
issuing a ‘hit list’ of more than 200 names and addresses of abortion
doctors and pro-choice judges, lawyers and politicians. Those murdered
in recent years had lines drawn through their names. In February 1999, a
civil court in Oregon fined the people behind the website (and two
organisations held to be championing them) US$107 million in punitive
damages for waging the Internet campaign. With generalised threats made
on the Net, in which names and addresses are listed, the spread of
information may increase the chances that an unstable extremist will
become aware of a target living or working in their locality.
Annual studies by the Simon Wiesenthal
Centre have shown a steep rise in the number of identified ‘hate sites’
on the Internet. Most of these websites operate from the USA and espouse
racism, neo-Nazism, terrorism and so on; their number has grown
sixteen-fold in the past three years. The use of the Internet has
specific advantages: it has a global reach; is low-cost; content can be
easily targeted to particular audiences at particular times; propaganda
can be disseminated without censorship; and it may reach people who
would not otherwise come into contact with such groups.
Paedophilia
Out of sight from most users, the Internet harbours some
particularly disturbing activities. Child erotica and child pornographic
images are disseminated over the Internet. Opinions seeking to rationalise
and legitimise sexual fantasies about children and sexual encounters with
them are promoted on newsgroups and chatrooms. Paedophilic images in hard
format (e.g. videos, magazines, prints) are marketed for commercial sale.
And paedophiles use chatrooms to lure minors into meetings. Possibly, the
Internet is also being used by paedophiles to make arrangements for "sex
tourism", and to organise and orchestrate the sexual abuse of
children.
- UK legislation for dealing with paedophile activity is among the
most stringent globally. The 1959 OPA prohibits the publishing of any
article deemed to be liable to "deprave and corrupt"; the maximum
penalty is three years’ imprisonment, an unlimited fine or both. The
1978 Protection Of Children Act outlaws the taking, permitting to be
taken, distribution or showing of an indecent photograph of a child
under 16, or the possession of such a photograph with the view to
distributing or showing it. The maximum penalty is three years’
imprisonment, an unlimited fine or both. Under the 1988 Criminal Justice
Act, it is an offence to have any indecent photograph of a child in
one’s possession, with a maximum penalty of six months’ imprisonment, a
£5,000 fine or both. The 1994 Criminal Justice And Public Order Act
clarifies the position with regard to photographs manipulated by
computer-graphics, so that the 1978 and 1988 statutes apply equally to
these types of images. The making of such photographs is made an offence
too. This Act also extends the OPA to cover transmission of material
between computers. Finally, the 1996 Sexual Offences (Conspiracy and
Incitement) Act makes it an offence to incite another person to commit
sexual acts against children abroad.
Scale Of The Problem
- Images available for download from the
paedophile newsgroups range from innocent photographs of young children
to the most graphic documentation of rape
or abuse of children and babies. For example, in 1996, a file on the
Internet contained live video shots of a
five-year old being physically abused. More recently, a law enforcement
operation in 1998 discovered images of children
as young as two being sexually abused.
- In the UK, since December 1996, the Internet
Watch Foundation (IWF) has operated a telephone and e-mail hotline
for members of the public to report material encountered on the Internet
which they consider to be illegal. The vast majority of complaints
concern child pornography - actionable reports concerning such material
doubled last year, rising from 215 reports in 1997 to 430 in 1998. While
it would be presumptuous to interpret the figures as indicating an
increase in paedophile activity on the Internet, they do at least
represent a growing awareness of the presence of obscene material on
this medium. It is also important to note that the vast majority of
these complaints (about 95%) relate to material originating outside of
the UK (mostly from the US and Japan). Supplementing the hotline, the
IWF also routinely monitors certain newsgroups which have a track record
of carrying potentially illegal material - in January 1998, about 40
such newsgroups were being watched.
In a two-week period in January 1998, research by the COPINE
project of University College Cork identified 6033 child erotica and
child pornography pictures posted in 23 child sex related newsgroups. In
a repeated exercise in April 1998, 7303 such pictures were found,
although the number of newsgroups had fallen to 16. Two-thirds of the
images were deemed to be arguably erotic rather than pornographic, with
the latter comprising largely either old European photos or more recent
ones featuring Asian children.
- In the US, in 1996, child protection services reported at least 23
cases of ‘cyber-solicitation’. US law enforcement, though, has had some
success with a proactive approach to this threat. Teams will pose as
children upon chat channels and gather evidence through online
conversations. Thus, the anonymity of the Internet - the inability to
determine gender or age or trustworthiness - can work both for and
against the offender.
- During 1998, Her Majesty’s Customs and
Excise (HMCE) intercepted a succession of materials (videos, magazines,
computer disks, and other formats) found to have been ordered off the
Internet and imported via Post Office mail or courier service. Some
Internet paedophiles raided during UK law enforcement operations in
recent years have been found to be in possession of magazines, videos
and CDs (as well as computer images), and to be downloading images from
the Internet onto CDs for distribution by post.
- Operation Starburst was the first operation in
the UK to target paedophiles who were using the Internet for
communications. Information provided by US Customs led to the
identification of a researcher at Birmingham University who was using
the university computer to store 11,850 images, of which 1,875 were
paedophilic pictures. Investigations by the West Midlands Police
Commercial Vice Unit enabled other individuals, who had copied some of
these images, to be identified and located. Police forces in Australia,
Germany, South Africa, Singapore, the UK and the USA then cooperated and
coordinated arrests to prevent the targets from using the Internet to
tip each other off. Evidence seized in the original operation led to
follow up investigations and, to date, there have been over 20
prosecutions in the UK and over 100 worldwide.
- Operation Cathedral, a law enforcement operation across 15
different countries against the "Wonderland" paedophile ring, resulted
in autumn 1998 in the largest ever worldwide seizure of paedophile
material. In the 12 European countries alone, over a quarter of a
million paedophilic images were uncovered from computers, plus hundreds
of CDs and thousands of videos and floppy disks containing such
material. In the UK, eight suspects have been charged with conspiracy to
distribute indecent images of children, one suspect with possession of
such images and another (in Scotland) with possession and distribution
of obscene material. Another suspect is not being proceeded against, but
is already serving a 12 year sentence following conviction of child
abuse offences. In other countries, law enforcement agencies have sought
to identify over 110 targets and, where identified, have either charged
suspects or are continuing their investigations.
- An unanswered question is the proportion of users of child
pornography who are also child abusers. West Midlands Police estimated
that 35% of those targeted by Operation Starburst in 1995 had physically
abused children. More recent research of child pornographers in 1998, by
the FBI in the US, suggested that less than 50% of collectors of
material had, as far as investigations could tell, committed physical
offences. Whether there is a tendency for collectors, in time, to move
on to actual child abuse, however, is also a pertinent question.
IT Features Which May Aid Paedophile Activity
- Assumptions that those who disseminate and/or collect child
pornography are not particularly computer-literate are probably
inaccurate and certainly complacent. More likely, there is a range of
abilities. Some will have long experience using the new media and there
are known cases where child pornographers have used digital tools to
conceal material (e.g. strong encryption). Moreover, the success of law
enforcement operations may raise awareness among the paedophile
community of the risks that they run when acting overtly on the
Internet.
- As a medium, the Internet provides distinct advantages for those
trading or distributing paedophilic material. Images can be scanned in
and stored as computer files, and the Internet then allows these to be
transmitted through a number of mechanisms. Traditionally, much child
pornography has come into the UK from abroad, available as physical
objects such as magazines or videos, which could be intercepted as they
entered the country and which constitute evidence of unlawful
possession. With the Internet there is no border control and (often) no
tangible goods, complicating law enforcement’s task of detecting the
crime and obtaining the evidence.
Criminal Communications
In pursuit of a serious criminal, law enforcement obtains
a warrant from the Home Secretary and lawfully intercepts a communication,
only to find that the message is encrypted and unintelligible. A criminal
is arrested and law enforcement exercises its legal powers to seize and
interrogate the individual’s computer for evidence, only to find that the
contents are encrypted and unavailable in a legible form. An offender
takes advantage of the various ways of ensuring anonymity on the Internet
and evades detection while pursuing criminal activities - law enforcement
efforts to trace originators of hacking attacks, paedophile material,
personal threats and extortion demands are frustrated.
- The 1985 Interception of Communications Act allows for the lawful
interception of a communication sent over a public telecommunications
system if undertaken for national security reasons, the economic
well-being of the UK or the prevention or detection of serious crime.
The interception must be sanctioned by a Secretary of State. The 1984
Police and Criminal Evidence Act (PACE) contains provisions relating to
powers of search and seizure, which includes the power to seize
computers. PACE and the 1998 Data Protection Act contain provisions
allowing law enforcement to seek access to subscriber and data traffic
information held by ISPs. This information is often essential to locate
suspects and further investigations, helping to determine the origin of
obscene material, hacking or denial of service attacks, e-mail
fraudsters, extortionists, etc. Certain methods of achieving anonymity
on the Internet are illegal and covered by appropriate legislation -
e.g. Internet Protocol (IP) spoofing is a computer misuse offence,
submitting false subscriber details constitutes fraud. There is no
legislation prohibiting use of anonymous remailers, other methods to
protect identity on the Internet or cryptography, nor a need for any,
since these have legitimate and extremely beneficial uses (see
paragraphs 89 and 90).
Scale Of The Problem
- A number of criminal groups, active in the UK or continental Europe,
are known or believed to be using Internet communications in order to
organise their activities; these include drugs importers, software
counterfeiters, football hooligans and far-right activists. UK Police
forces have evidence of the widespread use of e-mail and encryption by
groups involved in ‘computer crime’. The use of such facilities within
paedophile groups appears to be increasing.
- If figures are unavailable to demonstrate this take-up, there remain
compelling reasons to believe that use of these methods will increase in
the coming years. As Internet communications and their security
facilities become more widely used by the public and business, it is
very likely that they will be adopted by more criminals too. The
criminal community has been keeping abreast of new communications
technologies for years and is aware of law enforcement interception
capabilities. It has been responding accordingly - e.g. it was an
understanding of the vulnerability of landlines to simple wire taps that
encouraged use of cellular phones and phone cloning. Greater use of
cryptography will erode law enforcement’s present powers to intercept
communications and interrogate seized computers.
- Secure encryption is paradoxically both a blessing and a bane for
law enforcement and crime prevention. On the positive side, its
widespread use will curtail opportunities for certain kinds of ‘IT
crime’; for example, it can be used for secure storage of sensitive data
(anti-hacking) and to protect intellectual property (anti-piracy) and
prevent the defrauding of firms and individuals (anti-fraud).
Critically, the combination of encryption and digital signatures will
help to authenticate both identity and message. The downside, however,
is that secure encryption will help Organised Crime, paedophile rings
and other criminals to communicate with less risk of detection. NCIS
assesses that widespread effective use of robust non-recovery encryption
by criminals will seriously damage law enforcement’s ability to fight
serious and organised crime.
- Anonymous remailers and other methods which protect identity on the
Internet may similarly be used for good or ill. They are useful for
political dissidents in countries with repressive regimes, victims of
abuse (who wish to participate in discussions on the subject, but not
expose their identities), and those who are concerned about privacy on
the Net. Unfortunately, they may also appeal to those who want their
criminal affairs to remain private.
The Challenge To Law Enforcement
- Criminals who make effective use of the
methods available to protect content and identity are going to be much
harder to catch. Law enforcement agencies are thus keen that, in
specified circumstances only (i.e. where lawful access is presently
permitted), they should be able to formally request the decryption key,
whether from the user or anyone else to whom the key has been entrusted.
Failure to comply with the request would constitute an offence. There
are some limitations to this proposed measure’s overall effectiveness
and these would undoubtedly be exploited by the most astute criminals.
However, the measure does offer the prospect of preserving some
of law enforcement’s present data recovery capability.
- The combination of Internet
communications, their convergence with telephony and other media, and
the various methods of ensuring anonymity and content protection (of
which encryption is just one element) poses a formidable challenge to
law enforcement. Moreover, in the coming years, new technologies and
procedures are likely to be developed to protect the innocent from
hackers, and these will be used by criminals too. Lawful access to
decryption keys can only be a very partial solution to the problems
which will be faced and a range of other measures and tools will need to
be developed - NCIS is exploring the possibilities.
Assessing Risk And Impact
- The novelty of ‘cybercrimes’, and the daring or drama of individual
cases, makes such offences extremely newsworthy, but there is a danger
of allowing hype and ‘a good story’ to distort the true picture. How
concerned should the public really be about ‘IT crime’?
IT Vulnerabilities And Criminal Opportunities
- To a large extent, vulnerabilities stem from the difficulties of
adapting to the new technologies, environment and realities of the
‘virtual world’, and of keeping up with the rapid pace of innovation.
Technologies (e.g. computers, telephones, televisions) are converging
and media (e.g. personal communications, publishing, broadcasting)
blurring. Digital technology is making it easy to manipulate
information, enabling multiple copies to be made without loss of quality
and data to be transferred between different hardware (computers,
telephones, digital TV, pagers, etc.). Bandwidth is widening, increasing
the speed of transmission of ever-larger volumes of data. Internet
facilities and software are providing greater anonymity on the Net and
protection of content. Further radical changes are promised with the
introduction of new low-cost devices enabling Internet access (e.g.
mobile phones, TV set-top boxes).
- The Internet is no respecter of national or international
boundaries, presenting acute difficulties for traditional regulators.
Even when action is possible, the regulatory power can be circumvented
by the site relocating elsewhere in the world. The transnational nature
of the Internet raises some legal uncertainties: Which country will have
jurisdiction to hear the case? Which country’s laws will govern the
action? How can a court decision be enforced if the defendant resides
abroad? Which protocols will govern cross-border investigations?
- Inevitably, the widespread adoption of new technology raises
problems concerning usage, behaviour and attitudes. People have to
become attuned to new responsibilities and requirements. Effective
security procedures must be put in place and observed (e.g. concerning
exchange of disks, back-up procedures, isolating internal systems from
the open Net). Organisations and law enforcement must overcome their
lack of familiarity with the technologies and inexperience in dealing
with ‘IT crimes’. All the while, the Internet grows at a phenomenal rate
and society’s dependence on IT systems increases and becomes, in some
cases, critical.
- From all the above developments arise numerous opportunities for
commerce, communications, learning, etc. However, those with the
capability and motivation to commit crime may profit too. These
vulnerabilities become criminal opportunities when the criminal has the
knowledge, means and motivation to exploit the new situations and
attempt to carry out the crime - e.g. the necessary resources, skills,
information, access, organisation, viable targets and prospects of
rewards.
- Until relatively recently, ‘IT crimes’ have been limited by the user
profile. Military and governmental establishments were attractive to
recreational hackers, who could win kudos by penetrating certain key
sites. Software copyright owners (piracy), and telecommunications
companies and Internet Service Providers (service theft) were also
visible and attainable targets. The growing use and commercialisation of
the Internet since the mid-1990s has broadened the target profile
significantly: commercial entities (industrial espionage), credit card
companies (fraud) and everyday users (fraud, harassment) have become
victims too. In future, likely targets are audio and video copyright
owners, corporate rivals, home shoppers and new Internet infrastructure
firms. Moreover, in cyberspace, offenders are not limited to targets in
their home country.
Capabilities, Motivation And Impact
- The spread of computer culture and ‘IT-literacy’ in society can be
expected to raise the IT skills and capability of younger-generation
criminals in particular, and the awareness of all criminals of the
possibilities for committing ‘cybercrime’. Expertise can be recruited or
even requisitioned by coercion.
- The Internet’s use as a communications medium helps to spread
knowledge about criminal acts (e.g. credit card fraud, synthetic drugs
manufacture), while geographical location is no longer a barrier to
people meeting and cooperating with each other. Notably, information has
been shared identifying vulnerabilities and solutions in order to
facilitate hacking, telecommunications fraud and software cracking.
Tools as well as know-how are made available on the Internet. The
communal nature of the Net also assists the spread of knowledge to avoid
detection - e.g. paedophiles with computer know-how have been known to
educate others in their rings. Many ‘IT crimes’ do not require any
special IT skills, only a rudimentary understanding, while the key
‘skills’ for traditional crimes are already in the criminals’ possession
(e.g. confidence tricks).
- Motives vary amongst ‘IT criminals’ and more than one underlying
motive may be present. In fraud and extortion cases, direct financial
gain (prompted, perhaps, by greed or a pressing need for cash) is the
impetus. With service theft and industrial espionage/sabotage, it is
indirect financial gain, to avoid payment, secure a competitive
advantage, or acquire the means (e.g. credit card details) to gain in
future. In cases of cyberstalking and some commercial sabotage, the
motive may be malice, mischief, or revenge (the desire being to hurt or
embarrass the target of the crime). For some recreational hackers, the
activity is regarded as a game or challenge. The wish to make a
statement or seek attention is demonstrated by hackers with a political
agenda and extremists disseminating their opinions, while an ‘ethical’
attitude prevails among those hackers seeking to highlight
vulnerabilities in computer security systems. Finally, the motive of
child pornographers is presumably sexual or violent gratification.
- ‘IT crime’ is not violent in a direct sense, although violence
against the person may precede or be present during the act (in the case
of paedophilia) or there may be repercussions where public safety is
endangered (e.g. interfering with emergency services or air traffic
control) or health records altered. Emotional distress or anxiety might
result from the viewing of obscene material, e-mail harassment, or being
cheated out of money. More quantifiable is economic injury, which can be
measured by adding up direct monetary losses, the loss of proprietary
information of financial value, lost business and profits, downtime,
costs of repairing damage and protecting oneself against future damage,
etc. Obviously, the impact will vary widely depending on the nature of
the crime, from the grave to the mildly annoying.
Keeping A Perspective
- Few, if indeed any, individuals should be considered criminal
masterminds, with perfect grasp of society’s vulnerabilities to crime,
understanding of their opportunities for criminal action, and control of
resources and events. Criminals have their own vulnerabilities, which
may deter them from pursuing a venture, lead to failure in accomplishing
the job, or result in them being caught. Among the factors which may
deter ‘IT crime’ are: lack of computer know-how among the established
criminal fraternity; risks associated with recruiting outsiders with the
necessary expertise; continuing profitability of traditional forms of
crime or new prospects in those areas; publicity surrounding successful
law enforcement operations; and the need in some cases for a ‘physical
world’ interface - money or fraudulently purchased goods must still be
collected somewhere, while prohibited material goods sold over the
Internet must still be shipped. The openness of the Net is a
double-edged sword: it allows the criminal to reach a wide audience, but
it also allows their activities to be monitored by law enforcement,
businesses and users. Likewise, the anonymity of the Net works both
ways: the criminal may conceal their identity, but so too may law
enforcement (for detection) and law-abiding users (for protection).
Responses To Crime
- In turning to the responses to the various threats described in the
pages of this report, particular caution is needed with the use of the
umbrella term ‘IT crime’ - it covers a multitude of offences and
different responses will be needed to tackle different crimes.
Additionally, combating crime is not simply a matter for Government and
law enforcement. The IT industry, Internet infrastructure firms,
corporate and private users, and the media have responsibilities and a
role to play too. Indeed, such are the dynamics and pace of change of
the ‘IT world’ that some users and businesses will be far ahead of law
enforcement in identifying measures to prevent and detect crime.
Users
- There is much that users can do to prevent themselves becoming
victims of ‘IT crime’. Most viruses are nuisances rather than criminally
pernicious and are best dealt with by users employing sensible
precautions (e.g. isolating Internet connections from internal networks
and properly configuring and regularly updating anti-virus software).
The implementation and observation of appropriate security measures
(e.g. firewalls and password protection) will guard against the hacking
threat. Firms and organisations which hold personal data have a legal
obligation to safeguard it from unauthorised access or alteration,
disclosure or destruction - lax security could leave them in breach of
the 1998 Data Protection Act.
- NCIS encourages users to report incidents to the Police,
the IWF or appropriate hotlines - non-reporting allows offenders to hone
their skills and prey on others. Self-help groups (e.g. anti-virus
forums) are useful, while the Internet is an ideal medium for issuing
alerts to fellow users (e.g. about scams) and spreading advice. Keeping
audit logs (which monitor logins and user activities) often enables
offenders to be traced back to their point of origin. Industry’s
development of filtering and ratings systems will provide the
information and tools needed so that users may restrict or avoid access
to certain sites.
- In particular, the principle of ‘buyer beware’ applies on
the Internet as on the high street. The customer is the first bastion
against Internet fraud; common sense and a degree of scepticism about
enticing offers is a useful guard.
Industry
- Industry has a key role to play: conducting their own investigations
and pursuing law suits against offenders, providing for self-regulation,
developing technical solutions, establishing new services for users, and
cooperating with law enforcement.
- Companies are responsible for protecting their own names and trade
marks, and will consequently have a role in fraud prevention (by
spotting companies using false credentials in order to win business).
Industry-wide organisations will be at the forefront of efforts to
ensure that fraudsters and pirates are not abusing the reputation of
their industries, stealing trade from legitimate businesses, and
cheating customers. NCIS encourages industry to monitor the Internet for
criminal developments which may rebound on it and to share findings with
law enforcement. Such observation will reveal the security weaknesses
and opportunities identified by potential criminals, and give advance
warning of likely new methods of attack.
- Organisations representing the software and audio industries - e.g.
the BSA, FAST, ELSPA, and British Phonographic Industry (BPI) - have
teams investigating and prosecuting piracy (including Internet-related
piracy). Other methods used by such organisations include publicity,
education of end-users, ‘naming-and-shaming’ of guilty corporations, and
hotlines for disclosures by members of the public. The BSA offers
rewards to employees who ‘whistle-blow’ on their companies. In the case
of end-user piracy, industry-led investigations and education about
intellectual property rights are probably the best means of addressing
the problem. Similarly, industry’s own efforts (e.g. in-store
inspections) can be effective against distributors who engage in hard
disk loading.
- Market forces can be expected to provide some self-regulation in
areas such as gambling and adult pornography. Reputable businesses will
look to attract trade and it will be in their interest to deal fairly
and evenly with their customers; only the tried and trusted will claim a
market share. In each sector, operators might band together to fund an
international body, which would endorse those sites which fulfilled
certain criteria (thus helping customers to identify the ‘approved’
operators). Such a body might monitor the Internet for misappropriations
of its mark of approval and other evident abuses against the public,
check out its members’ sites to ensure compliance with its requirements
for membership, establish a hotline for customer complaints, issue
warnings to the public about crooked sites, and cooperate with law
enforcement when illegalities were uncovered. Governments might
encourage ISPs, advertisers and credit card companies to only accept
business from and for these approved sites.
- Technical solutions available or in development include: biometrics
(which use physiological measurements, such as fingerprints, voice or
facial recognition, or scanning of retina or iris, to grant computer
access); fraud screening software (which checks numerous variables that
might identify a fraudster); e-mail filtering systems (which either
block mail from certain addresses, or only permit mail from specified
addresses); and digital ‘watermarks’ (which encode ownership
information, cannot be deleted and are invisible to the eye). The
software and audio industry is attempting to develop technologies to
limit the distribution or susceptibility to copying of digital media.
The adoption of cryptography and digital signatures will help to
authenticate identities.
- Opportunities for new services arise; for example, to take on the IT
security burden (e.g. scanning incoming e-mail for viruses). In the case
of audio piracy, the big record companies have been slow (much slower
than the pirates) to provide a better web presence to cater for
potential Internet customers.
Law Enforcement
- At the local level, Police forces will need the capability to react
to computer misuse incidents which cause more than just a nuisance
(serious denial of service attacks, extortion demands, commercial
espionage, exposure of secrets, etc.). Training and resource issues
arise, while Police forces will need to increase their awareness of
‘computer crime’ and computer evidence. A national register of technical
experts might aid local investigations.
- ‘IT crimes’ open up new opportunities for law enforcement.
On the Internet, an advert for a bogus product or service or investment
can find the gullible who will part with their money. However, the act
of advertising means that the scam may itself be found by watching
regulators. Similarly, with prohibited goods and services, the peddlers
necessarily advertise their wares for sale and this too is open to
detection. Search engines may be used to look for suspect words or
phrases. Monitoring of illicit goods being marketed on the Internet may
provide leads on deliveries, since shipment of tangible goods still has
to be effected in the ‘physical world’. Continued trading of hard
formats (e.g. CD-ROMs with pirated software, CD-Rs with pirated
recordings, and pornographic videos) means that there will still be
opportunities for law enforcement interception and seizure.
- Monitoring of overt information on websites, newsgroups
and so on, may also garner useful information on: digital piracy,
extremist propaganda, and developments in the ‘sub-cultures’ of hacking,
phreaking and software cracking. Users, industry and law enforcement
might then be forewarned of changes in criminal behaviour (skill levels,
new techniques, and so on) and so respond appropriately (e.g. by issuing
fraud alerts, patching up loopholes in computer security, advising
operational units of possible new criminal practices).
- At a national level, intelligence analysis will help to
determine priorities. Which offenders should society be most worried
about and where and how should law enforcement’s efforts be
concentrated? This is particularly important with respect to computer
misuse offenders. Scarce law enforcement resources need to be concentrated
on those offenders and incidents which pose the more serious threat -
that is, generally, those who use hacking tools and malicious programs
as the means to defraud banks, extort money, plunder information of
financial value, cause economic harm, etc. To this end, NCIS is
recommending that the most successful method of policing serious
computer misuse is via a single dedicated national unit.
- The proposed national unit would have three broad roles:
to investigate the most serious ‘IT crimes’; to act as a centre of
excellence for ‘cybercrime’ issues; and to support local forces which
encounter offenders using sophisticated IT skills. Benefits of such a
unit might include: inspiring public confidence in law enforcement’s
ability to tackle such crimes; overcoming the geographical factors which
complicate local forces’ ability to pursue and apprehend certain
offenders; acting as an ‘IT crime’ reference point for operational
enquiries by foreign law enforcement agencies; improving coordination;
and facilitating economies (e.g. by avoiding duplication of expensive
leading-edge anti-crime technologies).
- Law enforcement will have to accept that criminal know-how
will be more widely disseminated and easily accessed than in the past,
and that its existing interception capabilities will gradually erode as
use of Internet communications and cryptography grows. Given the
difficulty of preventing extremist views getting on the Net in the first
place (and of effectively removing them even when they are identified)
and the impossibility of anticipating the actions of unstable
individuals, law enforcement responses in these areas must necessarily
be reactive.
- Publicity given to successful law enforcement operations
and firm court sentencing against offenders may cause some to be less
confident of their chances of getting away with criminal acts. Areas in
which legislation might be considered are: criminal law protection for
trade secrets; strengthening of Section 1 of the 1990 Computer Misuse
Act; and lawful access to decryption keys (in prescribed circumstances).
Partnerships
- Given the transnational nature of the Internet, international
cooperation is vital. It covers a number of areas: harmonisation of
legislation and policy, combined law enforcement operations,
standardisation of investigative and forensic techniques,
extra-territorial jurisdiction, consistent extradition of criminals,
cooperation in retention of witnesses and evidence, and exchange of
information. Operations Starburst and Cathedral have shown the value of
coordinated international action by law enforcement against paedophile
rings, both in exchanging information at the preliminary stage and in
preventing paedophiles tipping off other ring members when arrests and
seizures are made. The creation and maintenance of a central library of
known paedophilic images at an international level would both aid the
search for victims and help to determine the nature of offences.
- The forging of close links between law enforcement and industry
would be welcome. Together, business and law enforcement can raise
public awareness about the risks posed by criminals on the Internet
(e.g. advance fee frauds, passing personal financial details over
insecure communications channels, etc.), promote best practices for IT
security, and develop effective counter-crime tools and procedures. The
ACPO/ISP/Government Forum is a useful initiative to foster a working
relationship and help the parties to gain improved understanding of each
other’s concerns. The cooperation of organisations such as the ISPs is
crucial to the investigation of ‘computer crimes’ in order to benefit
from in-house expertise and lawful access to subscriber and tracing
information.
- Opportunities exist now, while problems are emerging, for the
law-abiding to take the steps to improve security. Mutual advice on
crime prevention and detection, exchange of information and ideas,
appropriate actions and measured responses taken to combat the genuine
threats that exist, will help to curb ‘cybercrime’ and ensure that the
information highways do not become a seductive environment for
criminals.
Annex A: Glossary Of Terms And Abbreviations
ACPO | Association Of Chief Police Officers
ATM | Automated Telling Machine
BSA | Business Software Alliance
CERT | Computer Emergency Response Team
CMA | The UK’s Computer Misuse Act of 1990
CSI | Computer Security Institute
DOS | Domain Operating System
DTI | Department Of Trade And Industry
ELSPA | European Leisure Software Publishers’ Association
FAST | Federation Against Software Theft
FBI | US Federal Bureau Of Investigation
Firewall | Defensive software that protects a computer system from unauthorised intruders
HMCE | Her Majesty’s Customs And Excise
ICSA | International Computer Security Association
Information Security | Characterised as the preservation of the confidentiality and integrity of the contents of an IT system and the availability of IT resources
Integrity | Safeguarding the accuracy and completeness of information and processing methods
ISP | Internet Service Provider, a commercial organisation which provides its subscribers with a direct connection to the Internet. Many offer additional services, such as website design and hosting.
IT | Information Technology
IWF | Internet Watch Foundation, created in September 1996; acts as a hotline for users to report items of offensive material encountered on the Net
JANET | UK Joint Academic Network
Java | A computer language
NCC | National Computer Centre
NCIS | National Criminal Intelligence Service
NCL | US National Consumers’ League
Newsgroup | A computer network discussion group or mailing list, on which members may post messages and receive any messages posted by others.
OPA | UK’s Obscene Publications Act 1959
PACE | UK’s Police And Criminal Evidence Act 1984
Phreaking | Hacking the telephone system, usually to obtain free calls, by generating illicit administrative commands to the network computer
SPA | Software Publishers’ Alliance
UNIX | An operating system
Warez | Pirated software