Home Affairs Committee
Written evidence submitted by the Home Office [EC 00]
Introduction
1. This paper sets out the Government evidence to the Home Affairs Committee inquiry into e-crime. This response refers to “e-crime” as “cyber crime” throughout in order to be consistent with the Government’s Cyber Security Strategy. It has been prepared in consultation with officials from other Government departments including Cabinet Office, Department for Education, Ministry of Justice, Department for Business, Innovation and Skills, Government Communications Headquarters and officers and staff from the Serious Organised Crime Agency (SOCA), the Police Central e-Crime Unit (PCeU), the Child Exploitation and Online Protection (CEOP) Centre and the National Fraud Authority.
2. The Science and Technology Committee previously examined the risks of both malware and cyber crime in the following reports: the third report of the 2010–12 Session entitled Scientific advice and evidence in emergencies and the 12th report of that same session entitled Malware and Cyber Crime. The Government welcomed both reports as a valuable contribution to its work on cyber crime.
3. The internet has revolutionised our economy, our society and our personal lives. It enables innovative new businesses to start and grow. It allows existing businesses to lower their costs and increase efficiency, and it gives customers the opportunity to demand better, cheaper and more convenient services.
4. However with such benefits and opportunities come threats. The Government’s National Security Strategy, published in 2010, ranked UK cyber security, of which cyber crime is an element, as a tier 1 national security priority. The Government has committed £650m to the transformational National Cyber Security Programme (NCSP) to bolster its cyber defences. Last November, the Government published its Cyber Security Strategy which set out how the UK will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment.
What is e-crime understood to be and how does this affect crime recording?
Types of Cyber Crime
5. Cyber crime falls into a number of categories, within the general principle that what is illegal offline is illegal online. The first category encapsulates crimes that can only be committed by using computers and the internet, and that occur where a digital system is the target as well as the means of attack. This includes attacks on computer systems to cause disruption (for example Distributed Denial of Service (DDoS) attacks), and the stealing of data over a network often to enable further crime (for example through the spread of viruses and other malware, or computer and network intrusions (hacking)).
6. The second category encapsulates “existing” or traditional crimes that have been transformed in scale or form by the use of the internet, such as fraud or the sharing of indecent images of children. Although these crimes have always existed, the growth of the internet has opened up a new (often global) market, which allows for a degree of anonymity, operation on an industrial scale, and has created new opportunities for organised criminal groups to finance their activities.
7. The final category comprises crimes that use the internet but that are not dependent on it. Here, networks are used for communication, organisation or to try to evade law enforcement. In the same way as the internet is indispensable to legitimate businesses, it can be used to organise more effectively a range of “traditional” crime types such as drug dealing, people smuggling and child exploitation and to conceal them more easily from law enforcement agencies.
8. This is a category of crime that is often neglected when discussing the scope of cyber crime. An increasing number of police investigations of crimes, both serious and volume, now have a cyber crime component, requiring the examination of computers, smartphones and digital CCTV evidence. These may not be recorded as cyber crime, but they do require the police to have access to both the skills and the technology to undertake this type of examination as a matter of routine.
9. The online environment provides opportunities for organised criminals to communicate anonymously, particularly through the use of Internet Relay Chat (IRC) and social media. The sole use of these communication services does not in itself constitute cyber crime, but is a clear example of how technology can assist criminals across a range of activities, including drugs, organised immigration crime and firearms.
10. Knowledge regarding the extent and nature of e-crimes is currently limited, but improving. We have more knowledge regarding some forms of e-crimes than others. It is not currently possible to provide an overall measure of the extent of e-crime. It is also not clear whether e-crimes are decreasing or increasing from the evidence currently available, and whether this varies according to the type of e-crime. However work is underway to address these gaps and gather robust evidence in this area.
Recording
11. There is no such crime as an “e-crime” formally defined in legislation. Police record offences[1] categorised in traditional crime terms, and do not capture offences as a “cyber” or “e-crime”. So, whilst a fraud, for example, might be facilitated by use of computers, it would be recorded as a fraud offence, or a denial of service with financial demands may well be recorded as extortion.
12. The computer or other technology used to commit crimes is the method (or modus operandi) by which a crime was committed. The details on methods are not collected centrally. In general, what is illegal offline is illegal online, and UK legislation on fraud or other forms of criminal behaviour applies to both. For example, on-line frauds such as lottery scams, dating scams, boiler room scams all constitute the offence of fraud by false representation, contrary to section 2 of the 2006 Fraud Act. Another example relates to online theft offences, which may be recorded under the Copyright, Designs and Patents Act (1988), Computer Misuse Act (1990) or the Communications Act (2003) depending on what is actually stolen.
13. The Home Office has introduced new crime recording classifications to enable law enforcement agencies to capture specific cyber crime offences as laid out in the Computer Misuse Act (1990), such as computer misuse crime, malware, DDoS attacks and hacking offences.
14. Cyber crime is also captured through victim surveys, such as the British Crime Survey (BCS). The Government is continuing to explore further opportunities to work with the police and other partners to improve the identification of cyber crimes within recorded crimes and crime and victim surveys.
How we are Improving Reporting
15. The Cyber Security Strategy emphasises the importance of increasing the reporting of cyber crimes and there is significant activity under way to address this. The Government has taken steps to expand the role of Action Fraud, which is led by the National Fraud Authority, to become the single reporting point for financially motivated crime. Over the coming months Action Fraud, in partnership with the National Fraud Intelligence Bureau, will press ahead with the roll out of an improved reporting capability to all UK police forces. For the first time the police and the National Fraud Intelligence Bureau will have the capacity and capability to analyse all fraud and cyber crime data from one source. This will provide a much more coordinated and joined up approach to targeting those who attack our citizens and businesses.
What is the extent and the nature of the threats on which e-crime policy is based?
16. In October 2010, the National Security Strategy identified the cyber threat to the UK, which includes cyber crime, as a Tier One threat. £650 million of new funding was allocated to the National Cyber Security Programme (NCSP) which will bolster our cyber capabilities in order to help protect the UK’s national security, its citizens and our growing economy in cyber space. At least £63 million of this will go towards enabling the UK to transform our response to cyber crime, in addition to resources ordinarily allocated to law enforcement to tackle crime.
17. There has been some attempt to measure the cost of cyber crime, but it will not be possible to provide a robust estimate until data regarding prevalence and scale of cyber crime has been improved. One widely cited estimate from “The Cost of Cyber Crime”[2] produced by Detica in February 2011, approximates the cost to the UK of cyber crime to be up to £27 billion per year, or around 2% of GDP. Whatever the cost, as businesses and Government move more of their operations online, the scope of potential targets will continue to grow.
18. GCHQ is the operational hub for cyber security in the UK and, through its information assurance and intelligence work is the best place in which to concentrate UK expertise in understanding threats and exploiting opportunities in cyber space. GCHQ also hosts the Cyber Security Operations Centre (CSOC), whose role is to provide greater awareness of threats and developments in cyberspace, and ensure that the UK can respond effectively in the event of a major cyber incident. Law enforcement agencies contribute learning from their activities to CSOC. Within the NCSP, a key element of CSOC’s role is to act as a central hub, to cultivate a greater holistic awareness of threats, vulnerabilities and developments in cyberspace and to communicate these to NCSP stakeholders and ultimately policy makers. CSOC have produced baseline assessments pertaining to various aspects of the cyber crime landscape and regularly produce topic reports, to which the PCeU, SOCA and GCHQ contribute. The most recent example of this involved contributing learning from their operations in relation to the “Hacktivist” threat.
19. The Government is also supporting law enforcement agencies in their work to improve the timely exchange of intelligence with a broad range of industry, academia and other agencies both in the UK and abroad. This intelligence contributes to law enforcement operations and informs threat assessments and subsequent programmes of activity. Intelligence may take various forms, including brigaded victim reports and the latest network vulnerabilities or methodology. For example, the PCeU routinely shares intelligence concerning threats with industry, academic and law enforcement partners, in addition to tactical and strategic learning from their operational and prisoner debriefing activity. The benefits of this approach mean that law enforcement can respond with one timely investigation, rather than dealing with numerous isolated reports from individual members of the public. Furthermore, once a trusted space within industry is established and a common vulnerability or attack is experienced, then businesses are more likely to report the issue.
20. The cyber crime Threat Reduction Board, established under the Government’s organised crime strategy “Local to Global” provides an operational context in which law enforcement and intelligence agencies can assess operational and intelligence activity against the Stem, Strengthen and Safeguard themes of the organised crime strategy and provide assurance to Ministers that the cyber crime threat is being effectively tackled. A Cyber Crime Board, chaired by the Parliamentary Under-Secretary for Crime and Security (James Brokenshire MP), has been established to deliver appropriate Ministerial oversight and ensure that policy development is fully informed by the best possible understanding of the threats.
21. What is the effectiveness of current law enforcement and legislative capabilities, including local and regional capabilities and what are the potential impacts of proposed organisational change?
Are there any gaps in the response to e-crime and, if so, how should they be addressed?
The Current Law Enforcement Landscape
22. Co-ordination of law enforcement efforts is key to providing a joined up, end-to-end response to cyber crime. Our agencies and law enforcement partners work closely together to make this happen, including the UK Intelligence Agencies, Ministry of Defence (MOD), Centre for the Protection of National Infrastructure (CPNI), Police Central e-Crime Unit (PCeU), Serious Organised Crime Agency (SOCA), HM Revenue & Customs (HMRC), UK Department for Business, Innovation and Skills (BIS), the National Fraud Authority and City of London Police among others.
23. The Government has committed £63 million specifically to tackle cyber crime, which has significantly strengthened the capacity and capability of the PCeU and SOCA. In the first six months of the programme, PCeU operational intervention has resulted in a reduction of impact on the UK independently assessed as £140 million. Last financial year (2011–12) there were 45 arrests for cyber crime with 100% victim satisfaction. Over 21,377 web sites have been taken down from April 2011 to April 2012, resulting from evidence gathered by the PCeU Internet Governance Team.
24. There has been significant progress internationally, specifically cooperation to progress cyber investigations with Ukraine and China, and a cyber Joint Investigation Team (JIT) with Estonia which has been authorised and funded by Europol, and which resulted in substantial prison sentences for an Eastern European organised crime network working in the UK. SOCA has carried out a number of investigations (further details at paragraph 44), and further examples can be found in SOCA’s separate submission which sets out its recent successes against cyber crime.
Legislative Capability
25. What is a crime offline is a crime online, and whilst some cyber crime offences such as hacking, phishing, malware or virus attacks are set out in the Computer Misuse Act (1990), many crimes committed online are prosecuted under existing legislation such as the Fraud Act (2006) or the Communications Act (2003).
26. The Government has committed to reviewing the existing legislation relating to cyber crime, to ensure that it is fit for purpose, and remains relevant and effective.
27. In particular, the Government wants the Police and the Courts to have the most effective powers to disrupt, prevent and prosecute those responsible for these crimes. We are therefore reviewing our powers to support law enforcement, including on areas such as gathering and preserving data for use as evidence and information-sharing between sectors and internationally. We have also committed, as part of the Cyber Security Strategy, to encourage Courts in the UK to use existing powers to impose appropriate online sanctions for online offences.
Proposed Organisational Change
28. Subject to the will of Parliament, the National Crime Agency (NCA) will be established by the end of 2013, at the centre of the reformed law enforcement landscape.
29. The National Cyber Crime Unit (NCCU), which will be part of the National Crime Agency, will focus on tackling the first two types of cyber crime, as set out in paragraphs 5 and 6 above. This will allow the NCCU to focus its resources and skills on the most sophisticated areas of cyber crime, whilst supporting the NCA and wider law enforcement to take responsibility for tackling cyber-enabled crime. This principle of supporting law enforcement to take responsibility for tackling cyber-enabled crime, rather than looking to a specialist cyber unit to lead, will underpin the work of the NCCU. The third definition of cyber crime, that of crimes that are facilitated by the internet, is being tackled through the police who are mainstreaming cyber awareness, capacity and capabilities throughout their service.
30. The creation of the National Cyber Crime Unit (NCCU) is a critical part of the Government’s wider National Cyber Security Programme (NCSP). It will bring together the national law enforcement response to cyber crime under one roof. This single capability will work closely with other partners, such as GCHQ, to strengthen the UK’s overall resilience and incident response to cyber threats and to ensure individuals and industry can take full advantage of the many opportunities presented by the internet.
31. The National Cyber Crime Unit will deliver a range of benefits to the current law enforcement response to cyber-enabled crime. By bringing together the PCeU and SOCA Cyber, the NCCU will eliminate remit overlaps, delivering efficiencies and spare capacity that can be utilised to bear down harder on organised cyber criminals. Building on the successes of SOCA Cyber and the PCeU, the NCCU will deliver:
A single, high-profile law enforcement lead dedicated to combating organised cyber criminals;
A more targeted focus on the most serious incidents of cyber crime, removing the criminals who facilitate cyber-enabled crime further downstream;
A stronger, more cohesive response to the most serious cyber-enabled crime;
Dedicated resources to drive a step-change in cyber capabilities across law enforcement, police service and wider partners;
Stronger partnerships at all levels, including delivery of a single point of contact for rapid response to dynamic threats and closer engagement with industry and academia; and
Closer joint working with the Security and Intelligence Agencies through improved ICT connectivity and intelligence sharing.
32. Police and Crime Commissioners will be a powerful local representative, able to set the priorities for the police force within their force area, respond to the needs and demands of their communities more effectively, ensure that local and national priorities are suitably funded by setting a budget and the local precept, and hold to account the local Chief Constable for the delivery and performance of the force.
Local Capability
33. In 2008 the National e-Crime Programme conducted a national survey of police capability on cyber. A new project is being developed by PCeU to update this research including staffing numbers, training, equipment and best practice. This will further inform in relation to capability and provide updated information in relation to national response.
34. The publication of the Strategic Policing Requirement will support national co-ordination and collaboration between police forces to respond to serious and cross-border criminality. In order to ensure that local police forces can still access specialist services, the Strategic Policing Requirement seeks to ensure that local policing plans account for cyber capability as well as the contributions that local agencies will provide to the national response.
35. On a national scale, the police response has had limited resources and infrastructure to respond to, exploit, and harness the benefits of the digital environment owing to a fragmented approach to policing cyber crime. The National e-Crime Programme delivered three PCeU hubs to address this situation. The hubs enhance existing PCeU national operational capability to respond to and investigate cyber crime. The regional hubs are based in the North West, East Midlands and Yorkshire & the Humber. The hubs were launched in February 2012 and, despite their infancy and early stages of development, are already contributing to PCeU operations and to a fast and dynamic response outside London.
Bringing together Law Enforcement Capabilities
36. Building on the successes of both SOCA Cyber and the PCeU, the establishment of the NCCU will further strengthen the law enforcement response to the most serious cyber crime by addressing a number of gaps that we know exist in law enforcement’s response to cyber crime.
37. First and foremost the NCCU will deliver a single, high-profile law enforcement lead dedicated to combating organised cyber criminals. This will provide increased clarity and coherence in the law enforcement response and a more targeted focus on the most serious incidents of cyber crime where the NCCU can add most value.
38. This ambition fits with the overall goal of the NCA to address the sometimes fragmented law enforcement response to serious and organised crime by creating a new Agency with the mandate to task and co-ordinate the UK law enforcement response. The NCCU will form a vital part of the NCA, able to undertake tasking and coordination across the whole of operational law enforcement, ensuring that appropriate action is taken against criminals at the right level, led by the right agency. The NCCU will also benefit from the NCA’s single national intelligence picture of serious and organised crime to inform its operational activity.
39. As part of this, a key principle of the NCCU is to support law enforcement partners to take the lead in tackling cyber and cyber-enabled crime, rather than looking to a specialist cyber unit. We know that mainstream cyber capability across law enforcement needs to be enhanced, and so the NCCU will house dedicated resources to drive a step-change across law enforcement, the police service and wider partners. This will build on the existing work of the PCeU in the National e-Crime Programme, including roll-out of the digital forensic triage tools, supporting the Police Professional Body on developing cyber training, providing a single national centre of expertise to provide guidance to wider law enforcement, as well as ensuring that cyber capability is mainstreamed throughout the NCA itself as a role model for wider law enforcement.
40. The expertise and information needed to combat cyber crime sits largely outside law enforcement including in the Security and Intelligence Agencies (SIAs), industry, international partners and others. The NCCU will draw upon the range of experience and expertise from these partners in order to stay effective against cyber criminals. This will involve closer joint working facilitated by enhanced ICT connectivity and intelligence sharing and maintaining a diverse workforce with experience from a range of sectors. The NCCU will look to utilise NCA Special Constables to bring in the relevant expertise, as well as seconding staff out to industry to strengthen relationships and gain experience. The NCCU will also work with operational partners to ensure that there are clear lines of responsibility when responding to the range of cyber threats, from terrorist cyber attacks to cyber attacks on critical national infrastructure.
41. Given the rapid increase in both the volume of digital data generated by individuals and the range of devices and locations on which it can be found (computers, smartphones, CCTV systems, games consoles, in-vehicle GPS systems, remote (cloud) storage etc.), there is a corresponding increase in the number and type of traditional crimes that now have at least some e-crime component to them. These are generally crimes that would be investigated at a local force level rather than by specialist cyber crime units such as PCeU. One of the key emerging gaps is therefore in the provision at a local level of suitable tools, techniques, skills and common processes to enable the police to routinely investigate these crimes effectively.
Addressing Gaps in the Response
42. In order to improve our local policing response and appropriately direct police resources, law enforcement agencies and the Home Office are working to improve our knowledge around the prevalence and nature of cyber crime, particularly where they relate to volume crimes. This will allow us to effectively train and equip local police officers to tackle these crimes on a day-to-day basis. In this regard, the Home Office Centre for Applied Science and Technology (CAST) is working with policing to evaluate and develop specialist tools and techniques for use both in serious and volume crime investigations, particularly to assist with rapid and automated examination of large volumes of data.
43. Other activities are being considered to improve knowledge on prevalence and nature of cyber crime in relation to volume crime, for example, ensuring appropriate data capture mechanisms are in place and that we are addressing under-awareness and under-reporting of cyber crimes amongst businesses and the general public. More widely, there is consideration around how we address gaps in knowledge regarding “what works” in terms of preventing cyber crime by encouraging the public and businesses to better protect themselves online.
44. There is evidence of a number of successful SOCA, PCeU, CEOP and NFIB disruptive operations in tackling cyber-related activities, and reporting to agencies such as Action Fraud, NFIB and CEOP has increased. However, wider evaluations of cyber policing structures, initiatives and performance are currently lacking:
The PCeU have taken forward work to mainstream cyber awareness, capacity and capability throughout their service. The regional hubs of PCeU launched in February 2012 increase operational capacity and capability and awareness of cyber within the regions. Work is ongoing with Skills For Justice to produce a competency framework for PCeU enforcement and intelligence officers. This framework will be available nationally.
Over the coming year, funding from the National e-Crime Programme is supporting an interim National Hash Set database, which will amalgamate law enforcement databases and apply consistency to grading and processing indecent images of children.
Virgin Media worked with SOCA to warn customers on its network that they might have been infected with the dangerous SpyEye Trojan variant. This collects personal and banking information and poses a high level threat to infected users. It is comparable in severity to the “Zeus” Trojan which reportedly siphoned over half a million pounds from UK consumers’ bank accounts last year. SOCA detected around 1,500 Virgin Media customers’ Internet Service Providers (ISPs) infected with the SpyEye Trojan and at risk of identity theft or fraud. Virgin Media wrote to these customers to get help if they were unable to manage the disinfection process themselves.
SOCA identified and, through its Alerts system, reported several hundred cases of domain name abuse directly to ICANN[3], highlighting continuous failures in the customer validation of domain name registrations by the specific “registrars” directly responsible for the sale of domain names to users. Targeted SOCA Alerts highlighted areas of abuse and registrar practice that disrupted a major online malware distribution group by preventing it from registering and using malicious domain names over a long-term period. Collaboration with ICANN to amend the Registrar’s Accreditation Agreement (RAA) has assisted law enforcement efforts in crime prevention and detection, and direct reporting to ICANN, highlighting specific criminal use of domain names and methodology, has encouraged due diligence measures to prevent abuse.
Following a referral from the Internet Watch Foundation, CEOP identified a website that was hosted in Germany, which contained a large amount of child abuse material and a section for people to buy and sell children for sexual exploitation. CEOP worked to identify a suspect who was thought to have produced the website and assisted Kent Police in setting up an undercover operation to gather further evidence against the suspect. This was successful and the suspect, Darren Leggett, was arrested. Leggett was found to have committed a number of sexual offences against young children, and was given an indeterminate sentence on 21 June this year, with a minimum term of seven years.
Action Fraud has reported over 33,000 instances of cyber-enabled fraud or internet crime-related issues, of which 2017 were crimes under the Computer Misuse Act (1990). In addition 19,000 instances of attempted online scams have been reported to the service along with 1,200 reports of virus attacks.
Working with Stakeholders
45. The Government recognises that in tackling cyber crime there is a key opportunity for industry, Government agencies and law enforcement to come together to provide a joint threat picture, to gather intelligence and to provide a joint response.
Building trust and confidence between the private sector and law enforcement authorities is vital to address any gaps in the response to the threat of cyber crime. Industry has a vital role to play and also needs to invest in effective information security in order to reduce the threat from cyber crime. We cannot achieve our goals in isolation. The prosperity of the UK, creating a secure UK business environment, a secure UK (critical) national infrastructure is just as important as bringing criminals to justice. The Cyber Security Strategy creates a framework for an alliance that is greater than its constituent parts. An excellent example of this cross-sector working is the UK Council for Child Internet Safety (UKCCIS) which brings together government, industry, law enforcement, academia and charities to work in partnership to help keep children and young people safe online.
46. We are now considering how best to build on this successful formula to address the interests of industry and Government in dealing with cyber crime. We are also looking at international partnership models for operational information-sharing, such as the National Cyber-Forensics Training Alliance (NCFTA), based in Pittsburgh, USA. The NCFTA brings together private industry and law enforcement in a neutral, trusted environment to identify, mitigate and prevent cyber crime through joint working and data exchange. We will be looking at this, and other such structures, to inform our work to enhance operational-level partnerships between Government and the private sector on cyber crime.
47. At a tactical level, the PCeU continues to build upon the good work with the existing Virtual Task Force (VTF). The VTF was established in July 2009, incorporates staff from the Police Central e-Crime Unit and has achieved considerable success which has resulted in international recognition of the benefits of this model of public/private sector operational delivery. Member organisations have committed a strategic lead member and tactical representatives.
International Work
48. Cyber crime is an international crime, and the Government has been clear that a major part of our response is to work internationally at Government and at law enforcement levels.
49. The Government has ratified the Budapest Convention on Cybercrime, as the main international agreement in this area, and has taken an active approach to encouraging countries to sign and ratify it. The Government believes that all countries should put in place the appropriate legislation and law enforcement capability to tackle cyber crime, and the ability to support international partners. The Government believes that the Convention offers the only current and comprehensive framework for this.
50. The Government has opted in to the EU Directive on attacks on information systems to ensure that there is common agreement across EU Member States on offences and sentences to allow our law enforcement agencies to work together to identify suspects, gather evidence and bring criminals to justice.
51. The Government supports the creation of the EU Cybercrime Centre, and in particular the decision to locate it in Europol, which will build on its existing high-tech crimes capability. The Government expects the Centre to support Member States in working together to tackle cyber crime, and to develop effective best practice in areas such as cross-border cooperation and information sharing.
52. The Government strongly supports the EU Council Conclusions on the creation of a Global Alliance Against Child Sexual Abuse, put forward by the Presidency and the Commission. The Government recognises the need for Member States, third countries, international law enforcement and industry to continue to work together to prevent the spread of child pornography. The Alliance will build on the existing work in this area.
53. The Government strongly supports the work of the Hungarian Government in organising the Budapest Conference on cyber issues that will be held in October. This is a follow up to the London Conference on Cyberspace that was hosted by the Foreign Secretary in November 2011.
What are the options for addressing key emerging issues that will affect the public such as liability over personal computer security, personal data held by social networking sites and its vulnerability to criminal use?
54. All processing of personal data in the UK, online and offline, must comply with the Data Protection Act 1998 (DPA) and its data protection principles. Importantly, the seventh principle requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
55. The expansion of the Internet and the emergence of social media networks have recently led the European Commission to publish proposals for updated data protection legislation. These proposals were published on 25 January 2012 and contain a Regulation (setting out a general EU framework for data protection) and a Directive (covering authorities dealing with criminal offences and penalties). Amongst other things, the proposals seek to provide individuals with strengthened rights to delete their personal data (including a so-called “right to be forgotten”), which could affect the way in which people’s information is held by online services, such as social networks.
56. Given the practicalities, costs and potential for confusion of a full-scale “right to be forgotten”, the UK Government will push in negotiations for an overhaul of the provisions as drafted. However, the Government is committed to giving individuals the right to delete their personal data, where this is appropriate. The principles of “data minimisation” and “privacy by design”, if adopted by organisations in their systems, should help to ensure that people’s personal data does not proliferate online and is held securely, minimising the opportunities for those who would seek to use it for criminal purposes.
57. The Information Commissioner, the UK’s independent data protection supervisory authority, enforces the DPA’s requirements and promotes good practice. As part of the latter role, the Information Commissioner’s Office (ICO) has produced guidance for individuals and young people on keeping their personal data safe online, including specific advice on using social networks.
58. There is work under way across Government and industry to improve data protection for customers. BIS and the Home Office are working in partnership with the six major Internet Service Providers (ISPs) in the UK: BT, TalkTalk, Sky, Everything Everywhere, Vodafone, and Virgin Media, to explore what more could be done or done differently to better protect businesses and consumers from online threats such as malware and botnets. This covers the basic security packages that ISPs are offering to their customers, as well as raising awareness amongst customers about the importance of behaving securely online.
59. Further work is under way with Government, industry and law enforcement through the Forum for Innovation in Crime Prevention. This is a strategic expert advisory group drawn from science, business and industry, law enforcement agencies and Government that identifies major opportunities for preventing and disrupting crime through innovative design, technology and behavioural change and proposes solutions that incentivise business engagement.
60. Our law enforcement agencies work with their counterparts overseas to carry out work such as restricting criminal access to the Internet. This is achieved through work with organisations such as the Internet Corporation for Assigned Names and Numbers.
How effective are current initiatives to promote awareness of using the internet safely and what are the implications of people’s online behaviours for related public policy?
61. Prevention is key, and we are working to raise awareness and to educate and empower people and firms to protect themselves online. GCHQ estimates that 80% or more of currently successful attacks could be defeated by simple best practice, such as updating anti-virus software regularly. The Government works in close partnership with industry on cyber security, recognising that this is crucial to protecting individuals and their data.
62. Organisations can be attractive targets for cyber criminals, who may seek to exploit security vulnerabilities in order to access intellectual property or other commercially sensitive information. In the Cyber Security Strategy, the Government committed to improving both the information sharing and risk management between businesses, law enforcement and business service providers.
63. The Government supports Get Safe Online, a joint public and private sector campaign which provides up-to-date, accurate and authoritative advice to online consumers on how to protect themselves, their families and their businesses online. We have increased funding for Get Safe Online to £395,000 this year to improve the website and enable it to reach out to more people across the UK. The campaign is working in partnership with various police forces, as well as their private sector partners, to provide advice on cyber security that is accessible to everyone.
64. Action Fraud has a key role to play in terms of encouraging and enabling behaviour change in relation to preventing citizens and businesses from becoming victims of crime in this area. An excellent start has been made in this arena with the successful delivery of the “Devil’s in Your Detail” campaign, which was a joint initiative between the NFA and private sector organisations from the banking and telecoms industries. This campaign was video-driven and aimed to encourage people to treat their personal information as a valuable commodity. The campaign reached over four million people. In subsequent analysis of 4,000 people who watched the videos, over 60% stated that they would take more steps to protect themselves from fraud.
August 2012
1 Police recording of crimes is governed by the National Crime Recording Standard (NCRS) and the Home Office Counting Rules (HOCR). These set out the principles under which reports received from victims are recorded. Police recorded crime statistics are based on a notifiable list of offences. The HOCR set out the broad classification groups into which those offences are managed for statistical purposes.
2 http://www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime
3 Internet Corporation for Assigned Names and Numbers, the body responsible for the administration and allocation of domain names.