Home Affairs Committee

Written evidence submitted by Professor Peter Sommer [EC 14]

1. I am currently a Visiting Professor at de Montfort University and a Visiting Reader at the Open University. For 17 years I was first a Visiting Research Fellow and then a Visiting Professor at the London School of Economics. I have acted as an expert witness in many trials involving complex computer evidence; many of these would probably be regarded as E-Crime. They include: global hacking, terrorism, “phishing”, software piracy. But my instructions have also included criminal matters where digital evidence was crucial although the substantive crimes, including murder, large scale illegal immigration, art fraud, state corruption, money laundering, insurance frauds, theft of gold bullion and paedophilia, would probably not be classified as E-Crime.

2. I have provided advice for the UK’s National High Tech Crime Training Centre, was the external evaluator and then external examiner for the MSc in Computer Forensics at the Defence Academy at Shrivenham, which is widely used for police training, and, while it existed, I was the Joint Lead Assessor for the digital element in the Home Office-backed Council for the Registration of Forensic Practitioners. I currently advise the Forensic Science Regulator on matters of digital evidence.

3. As an academic I have had a very long-standing interest in the issues of the definitions and statistics of computer-related or “cyber” incidents. In March 2009 I carried out a literature review, including statistics, of Internet crime for the National Audit Office as a contribution to a value-for-money review of Government initiatives in reducing the impact of such crimes.

4. From time to time I have been asked to contribute to a variety of government-sponsored inquiries into the policing of e-crime, starting with Project Trawler in 1999 which led up to the formation of the National High Tech Crime Unit.

5. My practical work as an expert witness has brought me into frequent and direct contact with successive specialist police units, starting with the original Metropolitan Police Computer Crime Unit.

6. In February this year the House of Commons Science and Technology Select Committee published its report Malware and Cyber crime (HC1537) for which I provided both written and oral evidence. Both appear in their printed report. There is some slight overlap with the concerns of your Committee’s current inquiry and this is reflected in my submission to you, though of course the two Committees proceed on different bases.

7. I attach a CV.1

Definitions of E-crime

8. There is no generally-agreed definition of E-crime and this lack directly impacts assessments of extent. We can illustrate the diversity of definitions. The Council of Europe CyberCrime Convention,2 also known as the Treaty of Budapest, covers in Articles 2–6 as “substantive offences”: “illegal access”, “illegal interception”, “data interference”, “system interference”, and “misuse of devices”. It adds as “computer-related offences”, articles 7 and 8, “computer-related forgery” and “computer-related fraud”. It further adds, articles 9 and 10, “offences related to child pornography” and “offences related to infringements of copyright and related rights”. Articles 4 and 5 more-or-less correspond to s 3 of the UK Computer Misuse Act, 1990: “Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.”

9. If we now turn to a report produced in February 2011 by the BAE subsidiary Detica in partnership with the Cabinet Office’s Office of Cybersecurity and Information Assurance (OCSIA), The Cost of Cyber Crime,3 this covers: “identity theft and online scams affecting UK citizens; IP theft, industrial espionage and extortion targeted at UK businesses; and fiscal fraud committed against the Government”. “Industrial espionage” is not a criminal offence in the UK4 and the report excludes any direct reference to malware or to child pornography.

10. A recent paper by academics at Cambridge and Cardiff Universities Measuring the Cost of Cybercrime5 has the great virtue that it carefully discusses the various elements that might go into “cybercrime” and estimates of associated loss. At the very least the reader can see the workings and assess whether to accept their particular decisions. A similar earlier and slightly less thorough exercise was carried out by the Oxford Internet Institute in 2010: Mapping and measuring Cybercrime.6

11. The ACPO E-Crime Strategy7 dated August 2009 uses a much simpler definition: “The use of networked computers or Internet technology to commit or facilitate the commission of crime”. This definition appears to exclude, for example, the use of computers to carry out frauds which don’t involve networks, the acquisition of illegal material such as child or extreme pornography and the deployment of techniques to generate forged documents.

12. The previous ACPO Strategy, dated January 2005 and signed off by Trevor Pearce, then Acting Director General of the National Crime Squad and now Director Designate of Operations at the National Crime Agency (NCA), referred to “For the investigation of Computer-enabled Criminality and Digital Evidence”8 and did not limit itself to “networked computers or Internet technology”.

13. It needs to be recognised that by 2011 PC ownership was 77% of the population and household internet take-up was 78%.9 When the term “computer crime” first came into popular usage in the early 1970s the proportion of the population that had access to computers was tiny. For that reason, right through to the end of the last century it was possible to see computer/cyber/e-crime as distinct purely in terms of the demographics of potential offenders. But today large numbers of crimes are likely to have a “computer” element simply because for most of the population distinctions between their “non-virtual” and “cyber” selves are increasingly difficult to make.

14. The computer and the network may not be central to a crime or its investigation but the role of some form of digital evidence may be crucial.

15. A question for the Committee, therefore, is whether the current ACPO definition of E-Crime fully addresses the range of policy issues facing police investigatory capability.

Impact on Crime Reporting

16. Most official forms of crime recording in the UK are on the basis of specific offences prosecuted. But in relation to “E-crime” there are particular difficulties as a result of policies of the Crown Prosecution Service. It sees the 1990 Computer Misuse Act as designed to fill in gaps in other forms of legislation10 and in framing charges will concentrate on what it sees as the substantive offence rather than a modus operandi. Thus, if someone infiltrates a program to monitor the keystrokes on a computer and then subsequently uses the passwords thereby obtained to access a computer from which to carry out a fraudulent transaction, the offence will probably be recorded as a breach of the Fraud Act 2006, despite the fact that both s 3 and s 1 Computer Misuse Act offences took place. A phishing attack would probably also be charged as fraud or money laundering, a Distributed Denial of Service attack (which also tends to involve offences under s 3 Computer Misuse Act when computers are remotely taken over by “back doors” or “Trojans”) would probably be charged as an extortion as this is the most common way in which criminals can make money. A botnet is simply a more extensive form of Distributed Denial of Service attack. In every year since the Computer Misuse Act came into force, prosecutions have seldom exceeded 100 per year.

17. From a broader policy perspective many criminal activities can be classified in several different ways—as the “substantive” offence such as fraud, sexual exploitation of children or extortion—or as a “computer crime” (involving computers to some degree) or as an e-crime (on the current ACPO definition as involving networked computers).

Impact on Policy Formation

18. The main justification for collecting statistics and arguing about categorisation is to see that resources are available to meet the needs of law enforcement, a matter which I consider below.

Gaps in Legislation

19. There are no significant gaps in terms of substantive law, as a combination of existing conventional criminal offences, principally the Fraud Act 2006, and the deployment of the Computer Misuse Act meet most likely eventualities. There are however problems with the law covering investigators, which consists of a hotch-potch of powers, the product of historical evolution. Seizure and subsequent examination of computer hard-disks and other physical data media depend mostly on the Police and Criminal Evidence Act, 1984. Communications data is covered by the Regulation of Investigatory Powers Act, 2000 and subsequent laws and orders about data retention, currently the subject of the Draft Data Communications Bill. Interception evidence is, under RIPA, inadmissible and can only be used for intelligence purposes. The law covering access by the police to suspect computers is particularly complex and I attach a copy of my article Police Powers to Hack which is in Computer and Telecommunications Law Review (2012 CTLR, Issue 6 pp 13–19).11 There, and also in my evidence to the Joint Committee Draft Data Communications Bill, I suggest that a more radical review of police powers, including the circumstances in which warrants are issued, is required in order to achieve an appropriate balance between providing the police with adequate investigatory powers and ensuring that the public are not subject to unnecessary intrusion.

20. Interception evidence, currently excluded by s 17 RIPA, 2000, will need to be admitted in the same way as all other forms of technical evidence and the distinctions between “communications data” and “content” are now almost impossible to make within the technical protocols used on the Internet.

21. The Committee also ought to consider the position of the means by which evidence is obtained from cloud computing services, the vast majority of which are not based in the UK either jurisdictionally or physically. There are many forms of cloud computing, from consumer-orientated services like Google, Facebook, Dropbox, Twitter and web-based email, to business facilities in which companies substantially reduce their own local computing resources and pass their processing and storage requirements to large international entities.

22. Although there are a number of legal procedures and Mutual Legal Assistance Treaties which give the UK courts the ability eventually to obtain evidence from the cloud, they are lengthy and expensive. Swifter results can be obtained by seeking the co-operation of cloud companies, but the UK government seems slow to realise that the cloud companies will strongly prefer adherence to international legal norms of recognition of privacy rights, transparency, strict application of necessity and proportionality tests, and proper judicial process. In that connection, UK use of law enforcement-issued production orders and permission to intercept in the hands of a politician, is a significant handicap.

Issues in Investigation and Law Enforcement

23. Apart from the matter of investigatory powers, the very wide range of circumstances in which digital evidence may play a part creates significant difficulties for determining a police response. A criminal event may be local, national or international; it may be semi-opportunistic or highly organised; it may or may not be linked to other forms of organised crime; its primary focus might be fraud involving banking and financial services, or retail fraud, or the sexual abuse of children, or the theft of copyright materials, or something else entirely. And the digital evidence may be central to a trial or simply peripheral but essential.

24. It is not enough to think in terms solely of specialist units. Every detective needs to know the basics of digital evidence—where it is likely to be located, how it can be safely collected and preserved without being contaminated in the process, and the core techniques that are used in analysis. The front-line detective needs to be able to interact and work with forensic technicians. Because of the ever-changing nature of computer hardware and software, and the rapid development of new criminal methods, basic training for all detectives cannot be a one-off exercise but requires relatively frequent refreshment.

25. In effect the police response needs to be tiered—a level of knowledge for all, higher levels of skills for detectives within particular specialisations such as child protection, fraud, terrorism. And a single elite leadership unit to tackle the most complex and innovatory crimes and also provide research, advice and training for the rest of the law enforcement community.

26. The first attempt at setting up such a unit was the National High Tech Crime Unit (NHTCU), which disappeared when the National Crime Squad was dissolved and the Serious Organised Crime Agency (SOCA) created. NHTCU staff were then absorbed into “SOCA e-Crime”, now “SOCA Cyber”. But SOCA was separate from UK policing and the leadership role was lost until PCEU was set up from within the Metropolitan Police Service. It is to be hoped that the development of NCCU within NCA does not repeat the same mistake—the unit must have a solid, clearly articulated, on-going relationship with the rest of UK law enforcement.

27. Thought must also be given to how digital forensic expertise is made available. The expertise has to extend to assisting in making decisions about what potential evidence to seize and what to examine in detail. Because of the quantities of digital material available—numbers of computers, mobile phones, tablets etc plus the ever-increasing storage capacity each holds—selections have to be made. Police refer to this process as triage but insufficient thought has been given to how it is executed—and by whom. There seems a very good case for the development of specialist Digital Scenes of Crime Officers (SOCOs) as the skills required are outside those routinely available to regular SOCOs or police officers attending a crime.

28. There is also a very good case for regional hubs of digital forensic expertise as opposed to each police force having its own unit. This consolidation is already happening. However it is also essential that regular police investigators have easy access to digital forensic technicians so that they can work together when required.

29. A particularly productive route to the investigation of organised groups which deploy cyber techniques appears to be the Covert Internet Investigator (CII). There are a number of courses in CII, for example from Skills for Justice12 and NPIA13 but there is as yet no published Code of Practice, which would seem important in developing public confidence in the ethicality and robustness of the methods.

30. The use of private sector out-sourcing of digital forensic services needs to be deployed with care. There are a number of highly competent companies and individuals, many former police officers and law enforcement agency employees. But there is danger in current practices of aggressive competitive tendering—if an OIC (Officer in Charge) lacks the knowledge fully to formulate his requirement, all that the tendering forensic service provider will do is respond to that tender. If, as now often happens, the OIC and the successful forensic service provider are geographically separated, police and technician will never work properly together and opportunities are missed.

31. Another often-neglected aspect of law enforcement is the role of the Crown Prosecution Service. For some time the CPS has had specialist prosecutors who have enjoyed a certain level of training—indeed I have done a small amount myself. But if my experience is anything to go by most CPS caseworkers lack much knowledge of digital evidence and in particular evidence derived from hard disks. All too often one sees the “particulars” on an indictment that make little or no sense. The fear is that mistakes in the framing of charges both generate expense elsewhere in the criminal justice system—showing up in defence criminal legal aid and in court costs—and can sometimes result in the guilty going inadequately punished.

32. As with many issues within law enforcement response to digital evidence the problem is not a total absence of activity but that the extent and quality of resource made available is not keeping pace with the rates at which digital evidence in its various forms is growing throughout society.

33. See also my remarks about evidence from the cloud—paragraph 21 above.

International Dimensions

34. Although getting further international support and sign-up for the CoE Cyber Crime Convention (The Treaty of Budapest, 2001) is an obvious ambition, the Committee needs to be alert to the possibility that in some parts of the world it is perceived as too orientated to the conditions of Western Europe and North America. Alternative initiatives are being developed by the International Telecommunications Union. The Committee, in talking to UK government officials, may want to probe the UK government’s stance.

35. At a practical level much appears to depend on the quality of personal relationships between UK law enforcement specialists and their opposite numbers in other countries. I note the role of SOCA in this regard.

36. A further issue the Committee may like to consider is the position where, although an offence may have been committed within the jurisdiction of the English courts—the Computer Misuse Act, ss 4–5 are quite widely drawn—there are significant difficulties in successful UK prosecution where the vast bulk of the evidence is outside UK jurisdiction. The Crown Prosecution Service currently has a consultation: http://www.cps.gov.uk/consultations/concurrent_jurisdiction_consultation.pdf

Promotion of Public Awareness

37. The investigation of crimes in which digital evidence is an important component will always be expensive. Whatever arguments one has about definitions of e-crime it is unquestionably true that many are transborder in nature. For both of these reasons it is unrealistic to expect successful law enforcement action in anything other than a very small proportion of overall criminal acts. For these reasons prevention and mitigation are critical. It is disappointing that the National Cyber Security Programme placed so little emphasis on helping individuals and businesses help themselves. In the end the best people to apply protection to computers are those who immediately use them. One of the big concerns in E crime is the extent to which social engineering methods are deployed and education is the principal means by which it can be spotted and thwarted. I notice that out of a total of £650 million for the overall programme Get Safe Online has received just under £400,000.

38. I hope the committee will consider the virtues of extending the notion of “public health” to the cyber domain. We surely need much more frequent Government-sponsored official advice. Inevitably commercially sponsored advice pushes the public towards the specific products and services of the sponsors.

November 2012

1 Not printed.

2 http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm. It dates from 2001 and came into force in 2004 and was ratified by the UK in 2011.

3 http://www.detica.com/uploads/resources/THE_COST_OF_CYBER_CRIME_SUMMARY_FINAL_14_February_2011.pdf

4 http://www.justice.gov.uk/lawcommission/docs/cp150_Legislating_the_Criminal_Code__Misuse_of_Trade_Secrets_Consultation.pdf

5 http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf

6 http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1694107

7 http://www.met.police.uk/pceu/documents/ACPOecrimestrategy.pdf

8 I have been unable to discover a current online source for this, but retain my own copy

9 Ofcom http://stakeholders.ofcom.org.uk/binaries/research/cmr/cmr11/UK_CMR_2011_FINAL.pdf

10 Statements frequently made by CPS officials in public and private

11 Not printed.

12 http://nos.ukces.org.uk/NOS%20Directory/NOS%20PDF%20%20Skills%20For%20Justice/ConversionDocuments/SFJCECCO8.pdf

13 http://www.npia.police.uk/en/578.htm

Prepared 29th July 2013