Select Committee on Science and Technology Fifth Report


CHAPTER 7: Policing the Internet

Overview

7.1.  We have made many recommendations designed to improve the security of those using the Internet. But whatever improvements are made, there will always be those who will abuse the Internet and its users. No security system is ever perfect, and certain individuals will inevitably seek to profit either from poor technical security or the ignorance and gullibility of other users. The last—but arguably most potent—defence against these "bad guys" is effective law enforcement. If they can be caught, prosecuted, convicted and punished appropriately, then the "bad guys", instead of operating with impunity, will face a genuine deterrent, and the hundreds of millions of law-abiding Internet users around the world should be able to communicate or conduct their business online with less fear that they will become victims of crime.

7.2.  However, we have heard considerable scepticism over the capacity of the police and the criminal justice system in this country to enforce the law. In the words of the Federation of Small Businesses, "Anecdotal evidence from members tells us that the police do not seem to have anywhere near the capability necessary to respond to these types of crime effectively" (p 377). It is essential that this perception be corrected, but for this some fundamental problems, legal, technical and administrative, will have to be overcome:

The legal framework

7.3.  In Chapter 2, while considering data collection, we drew attention to the lack of an agreed definition of "e-crime". We recommended that the Home Office establish a system to identify within overall crime statistics offences committed by means of or with the assistance of electronic networks, so as to facilitate data collection in future. In the following paragraphs we examine the legal framework for e-crime in more detail.

7.4.  There is general agreement that crimes committed online—e-crimes—may be considered under two broad headings. As Sharon Lemon, of the Serious Organised Crime Agency (SOCA), told us, there is "the type of crime that can now be committed because technology exists which formerly could not be committed", and then there is "traditional crime moving on-line … traditional criminals using and exploiting technology" (Q 1034). The majority of crimes committed online fall into this second category of old crimes using new technology—as Tim Wright of the Home Office told us, "Most e-crime is a form of traditional crime like fraud, theft or extortion" (Q 2).

7.5.  It follows from this that most crimes committed online constitute well-established offences under the criminal law. Problems in the application of these existing offences to the online world have been addressed as they arose. For instance, the Fraud Act 2006 rectified one notable lacuna, summarised by Professor Walden as "the fact that you could not deceive a machine, and therefore giving credit card details to a website and obtaining a service dishonestly was not considered to be a criminal offence of fraud" (Q 368).

7.6.  Crimes falling under Sharon Lemon's first heading—crimes that can only be committed because the technology exists—now also appear to be covered by the criminal law. In particular, the recent amendments to the Computer Misuse Act 1990 (CMA) updated offences relating to unauthorised access to computer material, actions intended to impair the operation of computers, and the manufacture or supply of equipment intended to be used for such purposes. These offences now cover computer-specific offences such as distributed denial of service (DDoS) attacks, which were not previously in themselves criminal offences (although using the threat of a DDoS attack to extort money would have been an offence). However, in light of further amendments to be introduced by the Serious Crime Bill, currently before Parliament, the Government have decided not to bring these changes into force until 2008.

7.7.  In light of these recent changes to the legislative framework, there was broad agreement among our witnesses that the criminal law now adequately covered the range of offences that could be committed online. Commander Sue Wilkinson of the Association of Chief Police Officers described the legal framework as "entirely adequate" (Q 1038); Nicholas Bohm was also "not conscious of significant legal gaps" (Q 368).

7.8.  However, we have two reservations. The first of these concerns the legal status of botnets—which are typically the vehicle for delivering spam or DDoS attacks. We asked the Minister, Vernon Coaker MP, whether it was illegal to purchase the use of a botnet. He summarised the position as follows: "No, it is not illegal to actually purchase it … What is illegal is the making, adapting or supplying of articles for use in computer misuse offences. In the same way that knives can be used illegally but you would not ban all knives, that is in part the logic we are applying to this particular scenario as well" (Q 837).

7.9.  In supplementary written evidence, the Home Office refined the Minister's answer. In essence the analogy with knives was confirmed—hiring a botnet is illegal if it is done in order to commit one of a number of possible offences, either under the CMA (as amended), the Fraud Act 2006, or a range of other statutes. However, hiring a botnet for legal purposes is not in itself a statutory offence, although the person hiring the botnet for ostensibly legal purposes (such as spamming) might in principle be prosecuted either under the general conspiracy provision found in section 1 of the Criminal Law Act 1977, or under the common law offence of incitement (p 277).

7.10.  On the other hand, "recruiting" a botnet—that is, installing code on a computer without the knowledge or authorisation of the owner, and thereby modifying its operation—constitutes an offence under one or more sections of the CMA. However, the degree to which, within the criminal underworld, those who recruit botnets are the same or differ from those who subsequently operate them and offer them out for hire, is unclear.

7.11.  More generally, we question the Minister's analogy with knives. A knife per se can be used for many legitimate purposes, but the sale or possession of certain kinds of knife (essentially those designed with criminal uses in mind), or the sale of knives to certain categories of people (typically those under 16 years of age) could be illegal under one of a range of statutes, including the Dangerous Weapons Act 1959, the Criminal Justice Act 1988 and the Knives Act 1997. The fact that such knives could in principle be used for lawful purposes does not make their sale legal.

7.12.  Similarly, although a botnet could in principle be used for legal purposes, it is inherently designed for criminal uses, and can only exist by virtue of criminal acts by those who recruited it. We would therefore see considerable advantages if the criminal law, for the avoidance of all doubt, were explicitly to criminalise the sale or purchase of the services of a botnet, regardless of the use to which it is put.

7.13.  Our second, overlapping reservation, is over the framework for prosecuting spammers, who are typically the customers for botnet operators. From discussions in Redmond with Aaron Kornblum, Senior Attorney at Microsoft, it was clear that Microsoft, AOL and others have made significant progress in the United States in prosecuting spammers, assisted by the fact that both federal and state laws permit companies to launch third-party actions on behalf of their customers. Nicholas Bohm also commented that such actions were "sustainable on a much more simple basis" in the United States than in the United Kingdom, and suggested that "if the rules about class actions or representative actions were easier and if the costs rules were different so that you did not have to pay costs when you lost, and indeed if you could recover something substantial when you won, then you might see a litigation solution to the problem" (Q 406).

7.14.  Written evidence supplied by the Government subsequently suggested that Microsoft had in fact brought two "third-party" actions in the United Kingdom against spammers. However, neither appeared to be a third-party action in the American sense, that is to say, an action brought by the company on behalf of and in the name of its customers:

We are therefore not persuaded by the Government's conclusion that "third party legal action is another viable approach to addressing the spam problem" (p 275).

7.15.  The Government also pointed out—which we fully acknowledge—that the number of spammers based in the United Kingdom is small compared with that in the United States. They drew attention to research by the anti-spam initiative Spamhaus, showing that only one United Kingdom-based spammer appears on the Register of Known Spam Operations (a list which at the time of writing contains 133 spam operations). However, we see no reason for complacency in such a fast-moving sector.

High volume, low denomination crime

7.16.  Since the existing legislative framework covers "traditional" offences committed by electronic means, it follows that the "bad guys", if caught, can be prosecuted for offences such as fraud or extortion. However, this reliance on traditional offences has some possibly unintended consequences. For instance, the use of electronic networks for the commission of an offence, and implications of this, are not necessarily factored in either by the police, when initiating investigations, or by the courts, when sentencing those found guilty.

7.17.  To take a hypothetical example, if an individual makes a complaint to the police that they have been the victim of online fraud, losing a few tens or hundreds of pounds, it may appear to be a minor crime, not meriting investigation—particularly as the offender could be anywhere in the world. The problem was vividly described by Garreth Griffith, of eBay: "What happens on eBay tends to be lower-value, higher-volume types of things. When we try to get police engaged, sometimes they say … If it is not over 'x' threshold—thousands of pounds, or whatever it is—we can't help you" (Q 601).

7.18.  But if the crime has been committed online, the chances are that thousands or millions of other individuals have been similarly targeted. This is a consequence of the basic economics of e-crime. As Professor Anderson noted, the "bad guys" engage in "volume crime for low denomination transactions" (Q 703). Email is free: anyone who hires the use of a botnet can, at very low cost, send millions of phishing emails or advertisements for bogus medications. If only a tiny proportion of recipients respond the operation quickly becomes hugely profitable. In other words, the individual crime, as reported to the police, has to be scaled up by a factor of several thousand before the true scale of criminality can be guessed at.

7.19.  It is therefore crucial that the criminal justice system, at every level, possesses the information and the understanding to be able to seek and detect patterns of criminality, and, where necessary, to aggregate thousands of individually small crimes to build up a picture of the true scale of criminality.

Reporting procedures

7.20.  The hypothetical example just cited highlights the first stage of an investigation, the initial report of a crime, which the victim is normally required to make at their local police station. However, it is clear from the previous section that in the case of e-crime local police forces are not well placed, on the basis of isolated reports of what may appear to be petty frauds, either to assess accurately the scale of criminality involved or to reach a judgment on whether to launch an investigation and what resources to devote to it. One way to overcome this problem would be to use the Internet itself to develop a central online reporting system for e-crime—as has happened in the United States.

7.21.  At the Department of Justice in Washington we heard the familiar story of individually minor crimes being reported to local police, typically not meriting investigation or federal prosecution. In response the Federal Bureau of Investigation (FBI), having identified e-crime as its number three priority, after international terrorism and espionage, has developed a central referral mechanism for Internet related crime, by means of the Internet Crime Complaint Center (IC3)[38] website. This facilitates central logging of crime reports, which are then analysed and correlated. Individually minor crimes can be aggregated until they reach the threshold for launching federal prosecutions.

7.22.  Our discussions at the FBI's Regional Computer Forensic Laboratory in Silicon Valley fully endorsed the value of the Bureau's approach. Special Agent Shena Crowe told us that the IC3 site was logging an average of some 20,000 complaints a month. Median losses reported in 2005 were just $424, but total losses reported on the site in that year totalled $183.12 million. Subsequently these data were updated in the IC3 Internet Crime Report for 2006, which confirmed a total of just over 207,000 complaints in that year; over 86,000 of these were referred to federal, state or local law enforcement agencies for further investigation. Losses from the latter were put at $198.44 million, with median losses rising to $724[39]. This sounds like a small sum—but to the individuals concerned it may be a major loss.

7.23.  Reports to the IC3 site are still voluntary, nor are they confined to crimes perpetrated in the United States (and we have already noted a reporting bias in paragraph 5.09 above), so the relationship between these figures and the actual scale of e-crime is unclear. However, the IC3 figures do demonstrate the value of a central system that can "triage" large numbers of complaints, prioritise them and finally allocate them to the appropriate agencies for further investigation.

7.24.  No comparable system exists in the United Kingdom. Instead the responsibility for logging reports of e-crime remains with individual police forces. We have referred previously to the Metropolitan Police Service's (MPS) "Fraud Alert" website, but we learnt in the course of our visit to the Metropolitan Police at Cobalt Square that unlike IC3 the Fraud Alert site does not have an automated system for processing reports of fraud—the software to automate the site would cost of the order of £40,000. In the absence of this modest funding, all reports are collated manually, and any attempt to publicise the site would risk attracting more reports than the staff could process. The impression we drew from our visit was of highly committed and skilled staff doing their best to cope in an under-resourced and under-valued environment.

7.25.  This could change. Earlier this year senior officers from the police and SOCA visited IC3. One of these officers, Commander Sue Wilkinson of the MPS, accepted that we had "a lot to learn" from IC3 (Q 1052). At the same time, the introduction of a comparable service in this country would need to be managed in such a way as to avoid overlap with "the new strategic fraud authority and the new potential national fraud reporting centre that is currently being scoped by the City of London Police". Similar views were expressed by Mr Coaker. He confirmed that the Government were "happy to look at" the IC3 model, but also drew attention to the prospect of a central reporting system for fraud. His irreproachable conclusion was that "there needs to be some co-ordination across the whole of this" (Q 808).

7.26.  However, in certain key areas the Government's actions appear to have taken us if anything further away from a co-ordinated approach to e-crime reporting. Anyone logging onto the Fraud Alert site is faced with the following instructions on the homepage: "Please send all banking related phishing emails to reports@banksafeonline.org.uk. Queries related to Paypal or Ebay should be sent to spoof@paypal.co.uk and spoof@ebay.co.uk respectively." This is followed by an optimistic request to "Please copy us into any emails that are sent to these organisations"—although it is necessary to navigate to another page to locate the Metropolitan Police email address.

7.27.  The fact that those seeking to report online frauds are specifically discouraged from reporting these crimes to the police is attributable to new guidelines issued to police forces by the Government with effect from 1 April 2007. The Minister, speaking before the new guidelines came into force, explained them as follows: "from 1 April people experiencing … online fraud, will be asked to report that in the first instance to APACS, who will then make the decision whether to report it on to the police … APACS will get a bigger picture of what has happened and then report back to the police, who can then have a more intelligent overall picture of what is actually going on" (Q 826).

7.28.  This is an extraordinary argument, placing the onus on the banking industry to take decisions on which crimes should or should not be reported to the police (and if so, to which force)—and what will or will not, as a result, appear on the crime statistics. It appears to overlook the obvious possibility that commercial factors might influence the banks' decisions on whether or not to report crimes to the police—that, in the words of Ross Anderson, they have "an institutional incentive to downplay the amount of fraud" (Q 678).

7.29.  A slightly more persuasive argument in defence of the Government's position was advanced by Geoff Smith, of the DTI. He claimed that the issue was "essentially about real-time stopping the money flowing, because if the bank is alerted very quickly then they can see the pattern of the phishing attack and they can … try and stop the cash transfers and they try and limit the damage through that. So … the banks have got to come into this very, very quickly. I think that going to a police station, yes, it is great for getting a crime number and it is great for the back end of the process, but it puts delay into actually trying to solve it" (Q 833).

7.30.  We also acknowledge that law enforcement agencies have thrown their weight behind the new guidelines. Commander Wilkinson described them as "very helpful". She continued, "individual reports to individual police forces about such phishing offences really do not give us a good picture of what is going on and it is impossible to get a proper crime pattern analysis as things stand at the moment. However, if all these reports are collated by the banks, who have very good support in terms of intelligence analysis, they are able to refer to us particular trends and patterns by collating right the way across the board and we get a much better overall picture" (Q 1098).

7.31.  Commander Wilkinson's comments are revealing—they demonstrate that the doubts expressed by a number of witnesses to this inquiry (for instance, by Garreth Griffith of eBay, whose remarks are quoted above), over the capability of the police to collect, collate and investigate reports of e-crime, are fully justified. The proper response, we believe, would be to invest in developing the capacity of the police and law enforcement agencies, so that they could take on this crucial task—instead of which, the Fraud Alert team at the Metropolitan Police cannot even afford to spend £40,000 on software to automate the processing of e-crime complaints.

7.32.  In marked contrast, the United States is moving in the opposite direction. When we visited the Federal Trade Commission (FTC), which receives over 450,000 complaints of identity theft alone each year, we were told that a new reporting system was being introduced, requiring victims of identity theft (which would include thefts from online bank accounts) to file a police report as the first step in making a complaint; this would in turn trigger an investigation by financial institutions. Indeed, the Interim Recommendations of the President's Identity Theft Task Force, which appeared in late 2006, proposed that the FTC should develop "a universal police report, which an identity theft victim can complete, print, and take to any local law enforcement agency for verification".[40]

7.33.  We see no reason why a similar system in this country should be particularly bureaucratic, time-consuming or costly to implement. The logging of a complaint by the police could simultaneously alert the banks. At the same time, victims would be reassured that the crimes committed against them had been formally acknowledged and recorded, rather than disappearing into the banking system.

7.34.  Ultimately the new reporting system is likely to be judged by its results. It is too early to tell what these will be—but the omens are not good. On 21 June, for example, the BBC reported a dramatic fall in reports of fraud to police forces, with two smaller forces, Gwent and North Yorkshire, having received no reports since the new guidelines came into effect.[41] It is very unlikely that this drop in reported frauds reflects a real change in criminality—the risk is that while lower reporting will make the crime statistics look better, e-crime will continue to grow out of sight of the police and the public.

The structure of law enforcement

7.35.  Assuming that a complaint is made and recorded by the police, do they, or other law enforcement agencies, have the skills, resources and powers necessary to investigate it?

7.36.  The first key point is that the 43 police forces across England and Wales are essentially autonomous. Chief Constables report to police authorities, and inevitably respond to local needs and priorities. The size of police forces also varies hugely, from the Metropolitan Police Service, with over 30,000 officers, to forces with fewer than 1,000 officers, such as the City of London Police or Warwickshire Police. The resources available to tackle e-crime, as well as the priority given to it, vary widely from force to force.

7.37.  Alongside the police forces is the Serious Organised Crime Agency (SOCA), which in 2006 took over the responsibilities previously exercised by the National Criminal Intelligence Service, the National Crime Squad, along with other agencies. Among the functions absorbed into SOCA were those of the National High Tech Crime Unit (NHTCU), formed in 2001 as part of the National Crime Squad specifically to combat e-crime. At the same time, the creation of the Child Exploitation and Online Protection Centre (CEOP), which is affiliated to SOCA and accounts to the SOCA Board, meant that online child abuse, formerly handled by the NHTCU, no longer fell within SOCA's operational remit.

7.38.  These organisational changes have raised a number of concerns. The Confederation of British Industry focused on "the perceived reduction in dedicated police resources to combat computer crime" resulting from the disappearance of the NHTCU (p 194). Microsoft suggested that it was now "unclear how cyber crime and reporting mechanisms are being systematically addressed" (p 94). The FIPR claimed that "the absorption of the NHTCU into SOCA has left a gap in the coverage of level 2 computer crime" (p 212)—that is to say, crime that has impacts across force boundaries, but not necessarily at national or international level.

7.39.  Some of these concerns were answered in the course of our inquiry. We note, for instance, that SOCA's board has determined that of the order of ten percent of the Agency's operational effort should be directed against fraud.[42] In evidence Bill Hughes, Director General of SOCA, while acknowledging that the changes might have appeared to show "a lack of interest in e-crime", argued that "the reverse is the case". The creation of a dedicated e-Crime Unit within SOCA (headed by Sharon Lemon, formerly head of the NHTCU), along with the creation of CEOP (thanks to which the Unit's resources were no longer at risk of being diverted into child abuse cases), meant that resources had been "marshalled … in a better way" (Q 1033).

7.40.  The situation on level 2 crime is less clear. The first point to be made—put very clearly by Bill Hughes—is that there is no neat dividing line between levels 1, 2 and 3 crime: "There is a danger when talking about levels one, two and three … people seem to think that crimes fall into nice convenient slots and that the law enforcement response can follow that same route. It does not; it has to be a continuum of activity and understanding" (Q 1054). But at the same time, there have to be robust procedures and organisational arrangements in place for this "continuum" to be workable in practice.

7.41.  Local level 1 crime falls to individual police forces; level 3, national or international crime, is the responsibility of SOCA. Asked who was primarily responsible for investigating level 2 crime, Sue Wilkinson, the Association of Chief Police Officers (ACPO) lead on e-crime, drew attention to the recent proposal by ACPO to establish a national e-crime unit to support individual police forces. At the time of our inquiry this remained under discussion between ACPO and the Home Office—Vernon Coaker commented that the Home Office had "not had the business case yet", and at the time he gave evidence (on 28 March) the Department had "made no commitment with resources" (Q 814).

7.42.  When we spoke to Commander Wilkinson a month later, she told us that ACPO now had "the go ahead" from the Home Office. However, no Government funding had been approved, and she was still "in the throes" of preparing a detailed business case. She was optimistic that "a considerable amount of sponsorship will be forthcoming"—indeed, she went so far as to say that potential sponsors were "ready with the money now and we have now entered the phase of actually going back to them and saying, 'Show us the colour of your money; show us how you are prepared to support us'" (Q 1087). However, when asked repeatedly whether a commitment by the Home Office to provide funding would be necessary to unlock this private sector backing, she declined to give a direct answer, simply repeating that she had "no undertakings currently of Government support" (QQ 1059-1063).

7.43.  Just before our Report was agreed, on 19 July, the name of the new unit was announced (the "Police Central ecrime Unit") and its projected budget (£4.5 million). However, it appeared that the Government had still made no commitment as to funding. But assuming the new unit does secure funding from Government and private sector sponsors, its role will essentially be to help establish the continuum of which Bill Hughes spoke, between the work of local police forces and that of SOCA and its international partners. Sue Wilkinson confirmed that she and Sharon Lemon were "currently working on putting together a protocol whereby the nature of e-crime is such that any small local report can turn out to be the end product of a multi-national crime issue" (Q 1054). The successful establishment of the Police Central ecrime Unit, and the agreement of such protocols, appear to be essential if Bill Hughes' vision of a continuum of policing of e-crime is to be achieved.

Police skills and resources

7.44.  Even if the organisational arrangements described above fall into place, law enforcement agencies at every level will need skills, knowledge and resources if e-crime is to be investigated effectively. On the one hand, the public have a right to expect that if they report an e-crime at their local police station the officer at the desk will have a general understanding of the kind of crime that has been committed; on the other hand, computer forensics are hugely expensive and laborious, and police investigating major e-crimes will need access to specialised and well-equipped forensic laboratories.

7.45.  At a basic level, training and information for all police officers will be increasingly important as interconnective devices proliferate, and their use, whether to commit crime or in normal life, becomes all but universal. At crime scenes, officers need to observe key rules to ensure that the evidence stored on computers or other devices is not contaminated. Computers or laptops should not be started up or searched, they should be disconnected from routers and modems, mobile telephones should be kept charged so as not to lose data, and so on.

7.46.  In the United States we were given copies of an impressive "pocket guide for first responders", issued by the Department of Homeland Security and the United States Secret Service, summarising best practice in a compact, readily accessible form. Sue Wilkinson assured us that ACPO also published "good practice guides", including one covering "computer based electronic evidence and evidence retrieval" (Q 1085). However, we note that the online version of this guide runs to 51 A4 pages[43], in marked contrast to the American guide, which is ring-bound, pocket-sized and waterproof—intended specifically for use by officers at a crime-scene.

7.47.  Assuming the police have launched an investigation, there is also the question of the resources and skills required for detailed forensic analysis of computers and other materials that have been seized. Here again we were impressed by the approach adopted in the United States, where the FBI has co-ordinated the development of a national network of 14 Regional Computer Forensic Laboratories. These receive federal funding to support running costs, such as IT equipment and premises, but the staff are largely provided and funded by local law enforcement. In return, the laboratories provide forensic analysis to local police free of charge.

7.48.  Clearly, 14 laboratories in a country the size of the United States is not a large number. But at least the model of central provision of the highly specialised facilities recognises the unique challenge posed by computer forensics. Chris Beeson, Director of the Silicon Valley laboratory, told us that the volume of data processed had increased from 40 Terabytes in 2000 to over 1,400 Terabytes[44] in 2005. We question whether it will be possible for all of the 43 police forces in England and Wales to maintain the level of skills and equipment necessary to keep pace with this rate of growth.

7.49.  Sue Wilkinson described the creation of such a national network in the United Kingdom as the "ideal scenario"—but conceded it would "take some time to achieve". In the meantime, ACPO had conducted a "very provisional capability assessment" of the 43 police forces, and had "publicised who is where, who has got what capability so that police forces around the country know where to go to get support and help" (Q 1083). In the longer term, however, the proposed ACPO national e-crime unit was "needed to get standards, policy, training and skills levels standardised across the country" (Q 1085). When the establishment of a national network was put to the Minister, he simply reiterated that he was "waiting for Commander Sue Wilkinson and others to come forward with the proposals" (Q 817).

7.50.  Pending the development of a national unit or network specialising in e-crime and computer forensics, ACPO's approach is to "mainstream" e-crime within conventional policing. The rationale behind this approach is to escape from what Sharon Lemon described as "the problem with policing [which] is that anything involving a computer or the slightest bit of technology is put into a specialist bracket and it is confusing the issue and leaving a smaller number of specialist resources dealing with what is traditional crime" (Q 1034).

7.51.  Mainstreaming, on the other hand, means adopting an extremely wide definition of e-crime ("the use of networked computers, telephony or Internet technology to commit or facilitate crime"—Q 1036), to emphasise that e-crime is in reality just crime, requiring all police officers, not just the specialists, to acquire a basic level of skills. The objective was summarised by Sue Wilkinson as "not to try to shift everything into specialist units but to raise the level of awareness and capability right the way across the board" (Q 1037).

7.52.  The intention behind mainstreaming is laudable, but there is a fundamental contradiction: as we noted in Chapter 2, treating e-crime as conventional crime means that it is impossible to assess its rate of growth, or the cost to individuals or the economy; it also makes it impossible to set policing targets or priorities relating to e-crime. The logical consequence of "mainstreaming" e-crime is that the bulk of e-crime will be subsumed into conventional crime, in which case it will no longer be a distinct policing priority. All that will be left will be the rump of e-crimes that exist only because the technology exists—typically, offences covered by the Computer Misuse Act 1990, as amended.

7.53.  A balance has to be struck. We have considerable sympathy with Sharon Lemon's view that specialists are called in unnecessarily to investigate traditional crimes that just happen to involve a computer. But we also believe that if there is enough investment in such specialist resources, the skills developed will be of enormous use in combating not just Computer Misuse Act offences, but the extortion, the frauds, the thefts and all the other conventional offences which currently thrive in the fertile soil of the Internet.

7.54.  Another issue raised in the course of our inquiry was the extent to which the police have the resources, and, more critically, the powers to investigate e-crime proactively, through monitoring Internet traffic. As we noted in Chapter 2, and as the FBI confirmed when we visited Silicon Valley, huge volumes of criminal activity are conducted online, sometimes openly, on Internet Relay Chat, Peer-to-Peer (P2P) or other networks. However, while researchers in the United States, such as Team Cymru, are entitled to monitor such traffic for the purposes of research, US law enforcement agencies are forbidden from doing so unless they have "probable cause".

7.55.  In this country, the police are able to monitor online communications, provided that their activity is permitted under the surveillance provisions of Part II of the Regulation of Investigatory Powers Act 2000. On our visit to the Metropolitan Police Computer Crime Unit we met officers who were actively monitoring the online behaviour of paedophiles, a number of whom they had already arrested. However, at present there does not seem to be any monitoring within the UK, even for basic intelligence purposes, of the "underground economy" identified by Team Cymru.

7.56.  An alternative approach, put forward by Ross Anderson, might simplify the process whereby investigations are launched. This was for "randomised enforcement". In other words, the volume of e-crime is such that if the police decide to investigate one randomly selected and apparently minor offence, such as a petty online fraud, each month, "you ensure that someone who perpetrates millions of £10 frauds comes into the police sight eventually" (Q 703).

International action

7.57.  The nature of e-crime is to cross national jurisdictions. The victim may live in the Home Counties—but the perpetrator could be anywhere in the world. International co-operation between law enforcement agencies and judicial systems is therefore vital.

7.58.  We were not able to establish a clear or consistent picture of the state of international co-operation. On the one hand, Sharon Lemon told us that SOCA's e-crime unit had "established some exceptional working relationships with our international partners". She also mentioned a range of international task-forces for particular offences, while Bill Hughes drew attention to the "international liaison network" within SOCA. He also cited "good examples of work for example with the Russian and the Chinese" (Q 1108), while refusing to identify any problem countries.

7.59.  In marked contrast, Shena Crowe at the FBI laboratory in Silicon Valley told us that international action was difficult and slow, with requests for assistance often either ignored or subject to barter. She noted that Russia and China were often cited as major sources of international e-crime—Shane Tews at Verisign in Washington also told us that states in eastern Europe and Asia were turning a blind eye to organised criminals operating on the Internet. To add to the confusion, Sharon Lemon also told us that "the current procedures for sharing information and intelligence can be extremely sluggish", while Sue Wilkinson said that "investigations can fall down because of the fact that legislation does not really cover the international challenge" (Q 1038).

7.60.  A more concrete description of the difficulties of international action was provided at eBay. The view of Rob Chesnut, Senior Vice President for Trust and Safety, was clear—the best way to deter e-crime was to put the fraudsters in jail. The main impediment to achieving this was the fact that the authorities in some countries simply were not interested in helping investigations. eBay devoted considerable effort to developing relationships with international law enforcement agencies, and had supported over 100 convictions in Romania alone, by providing materials and in some cases by paying for victims to go there to give evidence in person. One of the company's key recommendations was that laws of evidence should be relaxed to make it easier for testimony to be given from outside the country concerned, for instance using written statements or video links.

7.61.  It was clear from our visit to the United States that the United Kingdom is seen as a "good partner" in international action on e-crime. Despite this, the United Kingdom has yet to ratify the Council of Europe's 2001 Convention on Cybercrime. This is a matter of concern, particularly as among the provisions in the Convention is a requirement that parties should "afford one another mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence" (Article 25).

7.62.  When we asked the Minister about the delay in ratification, he confirmed that the Government were "committed to ratifying the … Convention" (Q 804). Certain minor legislative changes were required, and these would be completed by means of the Serious Crime Bill (which at the time of writing was being considered by the House of Commons). However, when asked about mutual assistance he deferred to his official Stephen Webb, who told us that while the Government had "been generally looking at mutual legal assistance requests" there was "nothing specific in this particular area which is being done" (Q 805).

The courts

7.63.  Issues of skills and resources permeate every level of the criminal justice system. Given the rate at which e-crime continues to evolve it was perhaps not surprising that we heard some concerns expressed over the capability of courts to understand the technology underpinning it. Professor Walden, on the basis of several years' experience training prosecutors, claimed that prosecutors had experienced "bad judgments, bad case law, which may have been corrected but we have problems in explaining the technology to jurors and explaining the technology to judges" (Q 375).

7.64.  Nicholas Bohm argued that "ensuring that the police have the intellectual infrastructure to deal with crimes involving electronics and computers and that the courts can readily grasp what they are about" would be the most effective way to improve the way the justice system deals with e-crime (Q 368). More concretely, Bill Hughes reflected on "how better we can present the case in court … In the same way that you have a technological advisor here it may be useful to do the same in some of the courts when we are dealing with some of these cases" (Q 1038). However, this proposal might be difficult to reconcile with the fact that court proceedings, unlike those of Select Committees, are adversarial. Even expert witnesses, though notionally working for the court, in practice appear on behalf of, and are paid by, either prosecution or defence.

7.65.  Nevertheless, Bill Hughes' suggestion of an expert adviser to assist the courts in assessing IT-based evidence is attractive. A case in point is the weight placed by the courts upon the illegal use of credit cards online. As we have previously noted, the introduction of "chip and pin" has led to a rapid increase in online card-not-present fraud. We have also seen Team Cymru's research, showing huge volumes of stolen credit card details being bought and sold online. In the context of data security breach notification we have also noted that one retailer alone, TK Maxx, has since 2005 lost the details of some 45 million cards to hackers. Potentially any one of these cards, belonging to innocent individuals, could be used online for illegal purposes—in transactions relating to terrorism, or to purchase child abuse images.

7.66.  This issue led to an exchange of letters between the Committee and, on the one hand, Jim Gamble, Chief Executive of CEOP, and, on the other hand, Duncan Campbell, an investigative journalist, regarding the conduct of Operation Ore, the investigation of over 7,000 individuals in this country whose credit card details were found on a database held by an American company, Landslide Inc, which until it was closed down in 1999 offered access to a number of child abuse websites. When Jim Gamble gave evidence on 10 January, he was asked whether the prevalence of credit card fraud raised any problems in the conduct of such investigations. His response was as follows: "We never prosecute someone simply on the basis of their credit card being used. You are going to look at all of the circumstantial evidence which when taken together provides overwhelming evidence" (Q 221).

7.67.  The Committee then received a letter from Duncan Campbell, who has appeared as a defence expert witness in a number of Operation Ore cases, flatly contradicting Mr Gamble's statement. The letters that followed, from both Mr Campbell and Mr Gamble, are printed as evidence with this Report (see pp 77-81, 363-365).

7.68.  This exchange of correspondence strayed far beyond the remit of this inquiry, and we have no wish to comment on the wider issues raised. However, Mr Gamble did confirm that the Crown Prosecution Service had developed a "response for occasions where no images were found", making use of the common law offence of incitement. He further noted that in such cases "the evidential connection between the personal details provided, the identity of the user and a direct link to a site offering child abuse images is clearly key". Such issues were assessed "on a case by case basis" (p 78).

7.69.  Thus such cases of alleged "incitement" (of which, according to Mr Gamble, there had been 161, with just ten outstanding, though Mr Campbell claimed there were still 2,000 outstanding) rely heavily on evidence of electronic transactions between a suspected individual and a site offering child abuse images online. It is clear to us that in assessing such evidence the weight placed upon online credit card transactions will be fundamental. It is essential therefore that judges, prosecutors and magistrates (who decide on applications for search warrants) are able to make intelligent and informed assessments of such evidence.

Sentencing

7.70.  Finally we turn to sentencing. Once criminals are convicted of e-crimes it is essential that sentences are robust enough to serve as a deterrent to others. The sentences for technology-specific crimes (particularly those under the Computer Misuse Act) are defined in statute. But where "traditional" crimes are committed online, once again the phenomenon of high volume, low denomination crime creates difficulties. Such crimes are not one-off incidents—if someone is convicted of one online fraud, it is extremely likely that they will have committed many more. We therefore asked a number of witnesses whether the use of a computer to commit an offence could be recognised by the court when sentencing, for instance as an aggravating factor.

7.71.  In response, Bill Hughes took the view that the commission of crimes online could feasibly be "reflected in the sentencing, depending on the aggravation factor". He cited as an example the lottery scams which target "the more vulnerable in society"—those who by responding to bogus emails have found themselves on the criminals' "sucker list" (Q 1040). The Government were less sympathetic to this idea, and Stephen Webb, of the Home Office, suggested that "You have to make a case for why it was worse to defraud someone over the Internet rather than sending them the 419 letter[45] by post, or scamming them and meeting them face to face on the street" (Q 28).

7.72.  Other aggravating factors that could influence sentencing might include the high level of intrusion involved in crimes committed via electronic networks—for instance, the courts could recognise that making threats by means of text messages or Instant Messaging constituted an invasion of the home on top of the basic offence committed. Bill Hughes again offered some sympathy, if not direct support, for this view:

"This takes me back to when we started doing drug investigations and often you would find courts who were not familiar with the effects of a particular drug or how large or what the significance of the sort of seizure was that had been made by police or customs officers and how much money and how much damage that could cause. We may actually be in that same type of environment … how do you present this in a court case where you can realise the aggravating factors and the damage that this can cause" (Q 1041).

7.73.  In summary, our concern is whether the criminal justice system as a whole has a sufficiently high and consistent level of understanding of e-crime to be able to make balanced, evidence-based decisions. Do police officers across the 43 forces observe consistent best practice in the way in which they handle such investigations? Do magistrates understand the value and the limitations of electronic evidence, in particular evidence of online credit card transactions, so as to be able to judge the appropriateness or otherwise of issuing search warrants? Are judges in the crown courts competent to direct juries in such cases, or to hand down adequate sentences to those found guilty? On the basis of the evidence received in this inquiry, the answer to all these questions currently seems to be "no".

Conclusions and recommendations

7.74.  We recommend that the Government introduce amendments to the criminal law, explicitly to criminalise the sale or purchase of the services of a botnet, regardless of the use to which it is put.

7.75.  We recommend that the Government, in partnership with the Association of Chief Police Officers and the Serious Organised Crime Agency, develop a unified, web-based reporting system for e-crime. The public face of this system should be a website designed to facilitate public and business reporting of incidents. The back-end software should have the capacity to collect and collate reports of e-crime, identify patterns, and generate data on the incidence of criminality. The website could also serve as a portal to other more specialised sites, for instance on online child abuse or identity theft. It would be an invaluable source of information for both law enforcement and researchers.

7.76.  As a corollary to the development of an online reporting system, we recommend that the Government review as a matter of urgency their decision to require online frauds to be reported to the banks in the first instance. We believe that this decision will undermine public trust in both the police and the Internet. It is essential that victims of e-crime should be able to lodge a police report and have some formal acknowledgement of the fact of a crime having been committed in exchange. We see no reason why such reports should not be made online, processed and forwarded to the banks automatically.

7.77.  If these recommendations are to be acted upon, the police service will need to devote more resources to e-crime. We acknowledge the good work undertaken by SOCA and on behalf of ACPO, but within the police skills and forensic capability still vary from force to force. While it is vital to raise police skills across the board, rather than just those of specialists, "mainstreaming" is only part of the answer. We therefore recommend the establishment of a network of computer forensic laboratories, under the aegis of the proposed ACPO national e-crime unit, but with significant central funding.

7.78.  We further urge the Home Office, without delay, to provide the necessary funds to kick-start the establishment of the Police Central e-crime Unit, without waiting for the private sector to come forward with funding. It is time for the Government to demonstrate their good faith and their commitment to fighting e-crime.

7.79.  These recommendations will all cost money. But e-crime is expanding rapidly: the choice is either to intervene now to make the necessary investment, and perhaps to keep the threat to the Internet under control, or to let it grow unchecked, and risk an economically disastrous, long-term loss of public confidence in the Internet as a means of communication for business and Government alike.

7.80.  We urge the Government to fulfil its commitment to ratify the Council of Europe CyberCrime Convention at the earliest possible opportunity. At the same time, in order to ensure that the United Kingdom fulfils the spirit as well as the letter of Article 25 of the Convention, we recommend that the Government review the procedures for offering mutual legal assistance in response to requests for help from other countries in investigating or prosecuting e-crime.

7.81.  Finally, we recommend that the Government take steps to raise the level of understanding of the Internet and e-crime across the court system. In particular:





37   Microsoft Corporation v Paul Martin McDonald [2006] EWHC 3410 (Ch), [2006] All ER (D) 153 (Dec). See http://www.juriscom.net/documents/highcourtjce20061212.pdf.

38   See http://www.ic3.gov/.

39   See http://www.ic3.gov/media/annualreport/2006_IC3Report.pdf.

40   See http://www.idtheft.gov/about.html.

41   See http://news.bbc.co.uk/1/hi/business/6224912.stm.

42   See http://www.soca.gov.uk/aboutUs/aims.html.

43   See http://www.acpo.police.uk/asp/policies/Data/gpg_computer_based_evidence_v3.pdf.

44   1 Terabyte = 1 million Megabytes, or 10^12 bytes.

45   The "419 fraud" is a form of advance fee fraud, in which the victim is persuaded to put down a sum of money in anticipation of a much larger gain, which then fails to materialise. The modern manifestation of this ancient fraud emerged in Nigeria in the 1980s; the number 419 refers to the relevant article of the Nigerian criminal code.


 

© Parliamentary copyright 2007