
The Prosecution of Computer Crime


Journal of Financial Crime — Vol. 9 No. 4

The Prosecution of Computer Crime R. E. Bell

INTRODUCTION

Criminals have always exploited technological advances and therefore the advent of the gun, the telephone and the car created new opportunities for crime. Similarly, the increasingly widespread use of computers in society has led to computer-related crime.1

Computer-related crime may be divided into a number of different categories. First, computers may be incidental to an offence, but still significant for law enforcement purposes. For example a computer may have been used by a drugs trafficker to record details of shipments and corresponding payments and, although incidental to the offences, the computer may therefore still have significant evidential value. Second, a computer may be a tool for committing offences. In United States v Osowski and Tang the indictment alleged that the defendants exceeded their authorised access in order to enter a system used to manage stock option disbursals and direct that stock, valued at approximately $6.3m, be placed in their personal brokerage accounts.2 The phrase 'old crime, new tools' is sometimes used to describe this category of crime. For example, threats to kill is a 'traditional' crime that can now be carried out by the new tool of e-mail. Third, a computer may be the target of an offence. In 1988 Robert Morris launched a program, subsequently known as the 'Morris Worm', infecting more than 10 per cent of the Internet. Many businesses and government sites disconnected themselves from the Internet as news of the incident spread. Costs to repair the infected systems were estimated to be approximately $100m, and Morris was subsequently convicted in the USA under the Computer Fraud and Misuse Act.3 The phrase 'new crime, new tools' is sometimes used to describe this category of crime.

There are, of course, a range of other possible definitions and classifications of computer crime and room for much debate on what constitutes it. As a result there is yet no internationally recognised definition.4 The NCIS definition of computer crime as 'an offence in which a computer network is directly and significantly instrumental in the commission of a crime'5 may cover two of the categories above. Computer crime can also be classified into crime that involves the use of the Internet or crime that does not involve the Internet. A narrower definition might omit the use of computers to commit traditional crimes and focus on crimes where the computer is the target of the offence. On this basis not every crime committed with a computer would be a computer crime.

However computer crime is defined, computers are now emerging in many types of criminal investigations and their increasing use by criminals requires a consideration of whether we have adequate legal tools and resources to locate, identify and prosecute cybercriminals.

THE SCALE OF THE PROBLEM

Although statistics showing the level of computer crime are limited, cybercrime has been described as 'one of the fastest evolving areas of criminal behaviour'.6 The view of the UK Audit Commission is that computer fraud and abuse is on the increase and is expected to worsen as use of the Internet increases. According to its 1997 survey, computer fraud and abuse was increasing: 45 per cent of organisations then suffered from it, up from 36 per cent in 1994. Losses from fraud were up 25 per cent, from £28,000 per incident in 1994 to £35,000 in 1997.7

In a 2001 US survey, 85 per cent of respondent organisations had detected a computer security breach that year; 64 per cent had suffered financial losses due to these breaches; 34 per cent had suffered theft of proprietary information; and 21 per cent had suffered loss through financial fraud.8 Computer-related crime is therefore increasing in both volume and complexity and, arguably, is now having a major impact on society. A 1997 estimate considered that computer crime cost between $500m and $10bn annually in the USA alone.9

Those concerned with financial crime must have a clear understanding of the issues involved in computer crime, since much of it is financial crime or, at the very least, crime that has major financial implications for individuals, businesses or society as a whole. In the modern economy, intellectual property is often regarded as the most valuable asset owned by a business. As much of it is stored in digital format on computers, theft and copying of information becomes an important area of criminal activity. Once stolen, it is useless arranging police roadblocks or watches at ports and airports, as digital property, unlike stolen paintings, can be sent out of the country via modem. However, even this assumes that the organisation recognises there has been unauthorised access to the computer holding the information and that it has been copied. In the new knowledge economy, hackers can make significant financial gain from the sale of stolen information and intellectual property. In 2000 hackers gained unauthorised access to the Benetton Formula One engine designs.10 Similarly, hackers are increasingly targeting the Hollywood film industry now that films are being stored using digital technology.11

Journal of Financial Crime Vol. 9, No. 4, 2002, pp. 308-325

Henry Stewart Publications ISSN 1359-0790

Internet banking has brought a new dimension to potential fraudulent activity as it redefines consumer banking and creates new opportunities for high-tech crime. In 1994, unauthorised access to Citibank's cash management system was gained by hackers in Russia and more than $10m was wire transferred to pre-established accounts. The FBI began to monitor the cash movements and discovered cash being moved to accounts in Argentina, Indonesia, Finland, Russia, Switzerland, Germany and Israel. Eventually, all but $400,000 taken before monitoring began was recovered. The investigation resulted in six foreign nationals being charged in the USA. Vladimir Levin was arrested in England in 1995 and was extradited to the USA in 1997, later pleading guilty to conspiracy to commit bank fraud.12

The Internet has created new opportunities for various types of fraud. The Securities and Exchange Commission has stated that nearly 25 per cent of all US federal securities investigations in the USA now involve some form of Internet-related stock fraud. One of the most high profile of these cases was that of Jonathan Lebed, aged 15, who, after purchasing a large block of stock, sent numerous false and misleading e-mails to message boards. Consequent buying caused the price of the stock to increase dramatically, whereupon Lebed sold his stock, making profits of $272,826.13

The stereotypical picture of teenage hackers does not represent the only threat in terms of computer crime. Disgruntled employees have the capacity to cause significant financial damage to their employers. In United States v Lloyd,14 a former chief network administrator sacked from his job after working for the company for 11 years was convicted in relation to deleting all design and production programs belonging to a high-tech measurement and control instruments manufacturer. The damage, in lost contracts and lost productivity to the company, totalled more than $10m. Of course an employee's motivation for computer misuse need not necessarily be financial. In R v Rymer, a male nurse was convicted of two charges of unauthorised modification of computer material after hacking into a hospital computer system and prescribing potentially lethal drugs to patients.15

Computers also open up new opportunities for blackmail. In 1997, telephone calls were made to banks in Oregon and Massachusetts claiming that the institutions had been targeted by an environmental group. The caller explained that the group had penetrated the bank's computer systems and, if the banks did not make $2m in 'donations' to the group, the computer systems would be crashed. A subsequent telephone call was traced and the defendant was arrested and later pleaded guilty to extortion.16

Organised crime groups have become aware of the possibility of exploiting computers for criminal purposes and there are increasing incidences of such groups being engaged in high-tech crime.17 In Italy members of a criminal group allegedly succeeded in 'cloning' an online branch of the Banco di Sicilia and were preparing to remove funds from an account belonging to the Sicilian regional government. With the complicity of two bank employees and using stolen computer files, codes and passwords, the organisation had managed to compromise the bank's computer systems. The police view was that the operation was certainly authorised by the Sicilian Mafia.18 It is also believed that the Russian Mafia is becoming increasingly sophisticated in computer crime. Russian Mafia hacking rings are often run by former KGB agents who recruit hackers to hack into e-commerce computers and steal credit card and bank account numbers. More than 1 million credit card numbers have reputedly been stolen by Eastern European organised crime groups. Organised crime has also moved into 'cyberextortion' whereby hackers download proprietary information, such as trade secrets and customer databases, and then demand money, either to patch the system against other hackers or to prevent the sale of the material to foreign competitors of the businesses they were stolen from.19 The potential use of violence and intimidation either to recruit hackers or to obtain computer passwords from employees should not be underestimated.

Nations also need to defend themselves from the risk of cyberterrorism. Since all critical infrastructures now rely on computers, advanced telecommunications and, to an increasing degree, the Internet for the control and management of systems, public safety can be endangered, telecommunications disrupted and banking and finance disrupted through computer misuse. Transport systems such as roads, railways and airports all depend on computer systems, as do power companies, water supplies and emergency services. This new vulnerability means that a personal computer and a telephone connection to an Internet service provider20 anywhere in the world provide the means to conduct an attack. In the physical world, the range of people or groups that have the means and motive to cause widespread destruction of an infrastructure are relatively limited. But the accessibility of the information infrastructure, global connectivity and the rapid growth of a computer-literate population combine to ensure that millions of people around the world possess the means to engage in a cyberattack simply by downloading an automated hacking tool from a website. 'Hacktivism',21 using tools such as Tribe Flood Network, also has the potential to become a major problem. Accordingly, most developed countries are taking steps to defend themselves against an 'electronic Pearl Harbor' that could damage critical national infrastructures.

UPGRADING OF LEGISLATION

Legislation in many jurisdictions was drafted prior to the development of the personal computer and the widespread use of the Internet. Jurisdictions must therefore consider the extent to which their existing laws are sufficient to address computer misconduct, particularly that involving the Internet, as in some cases it may not be possible to apply current legislation to computer crime. Some jurisdictions therefore still have weak laws, or no laws, against computer crime. A 2000 study of 52 countries found that the criminal law in most countries had not been extended to Internet-related computer crime, potentially making prosecution of computer misuses such as hacking and distributing viruses difficult. The study found that, of the 52 countries, 33 had not yet updated their laws to address any type of cybercrime; 17 were in the process of doing so; ten countries had enacted legislation to address five or fewer types of cybercrime; and nine had updated their laws to prosecute six or more such crimes.22

The first major upgrade of UK law to take account of computer crime was the Computer Misuse Act 1990.23 During its passage, the House of Commons was informed that there was some inadequacy in the law as it stood,24 and that, if nothing were done, there was a real risk that the UK could become 'an international hackers' haven'.25 The 1990 Act introduced three new offences:

(i) unauthorised access to computer material;26

(ii) unauthorised access to computer material with intent to commit or facilitate the commission of a further offence;27 and

(iii) unauthorised modification of computer material.28

The UK again upgraded its legislation under the Regulation of Investigatory Powers Act 2000, which sought to balance the need for access to computer traffic data with a citizen's right to privacy. Although controversial,29 there is an increasing need to have a capability to intercept criminals' e-mail communications. A suspect alleged to have murdered an obstetrician in a US anti-abortion killing was only arrested in France following FBI monitoring of a friend's e-mails.30 The need for this capability achieved greater recognition following the suggestion that those involved in the events of 11th September, 2001 communicated with each other via e-mail.31 Accordingly, the Anti-Terrorism, Crime and Security Act 2001 contained new provisions regarding the retention of communications data.

There have been a number of international attempts to harmonise the upgrading of national legislation in respect of computer crime. The G8 formed a Subgroup on Hi-Tech Crime in 1997 and has endorsed a statement of principles concerning computer crime. The UN has passed two resolutions on the subject32 and its Tenth Congress on the Prevention of Crime and the Treatment of Offenders considered computer crime issues. Most recently the Council of Europe's Convention on Cybercrime has been concerned with setting basic standards in relation to computers and criminal law and provides that signatories must create a number of cybercrime offences including illegal access, data interference, system interference and computer-related fraud.33 It also addresses such topics as jurisdiction, international cooperation, and search and seizure powers.34

Where legislation is not upgraded, criminals can commit computer crime with impunity. Onel de Guzman, who admitted 'accidentally' releasing the Love Bug worm, could not be prosecuted in the Philippines, since the Electronic Commerce Act, which prohibits computer hacking, only came into force after his actions, and was not retrospective.35

The criminal charges initially preferred against de Guzman, concerning the illegal use of passwords for credit card and bank transactions, were withdrawn after the Chief State Prosecutor concluded that the charges either did not apply to computer hacking or there was insufficient evidence to substantiate them.36

EVIDENCE IN A DIGITAL AGE

There are a number of significant challenges in gathering and presenting evidence in computer crime prosecutions. First, investigators face challenges in ensuring that the integrity of computer evidence has been maintained. When a house is burgled, care must be taken properly to preserve fingerprints, fibres or DNA evidence. Similarly, in computer crime cases care must be taken to collect and preserve evidence in a way that it will be found admissible and reliable at trial, and this requires that investigators receive appropriate training in computer forensics.

The most common evidence of computer crime comes from a defendant's computer. Investigators use software such as EnCase to produce an image of the hard drive. An unsophisticated offender who attempts to 'delete' computer files may have left evidence of unlawful activity which a computer forensic expert can recover in cache files, swap files, temporary files, unallocated space, or slack space. Browser histories, address books and date and time stamps can also be useful sources of evidence. However, an offender can accomplish the electronic equivalent of burning incriminating paper records by using 'wiping tools' to destroy electronic data permanently. Where a hacker has accessed a system, he may have installed audit disabling software to delete the record of his activity on the system.

Care needs to be taken about the procedures that are followed to obtain evidence from a defendant's computer. Since computer records may be updated and changed each time they are accessed, computers should be neither turned on nor off until examined by a computer forensics specialist. Care also needs to be taken over the software tools that are used to recover such evidence. If hacking tools have been used, investigators cannot be certain that they have performed those operations on the data that they think they have, as the tools themselves may have corrupted the data. Guidelines drafted by the Computer Crime Committee of the Association of Chief Police Officers therefore exist in relation to proper procedures.37 It is likely that in the future computer forensic experts employed on behalf of defendants to check the correctness of procedures undertaken by prosecution computer experts will become common.38 Although an international consensus is now beginning to emerge regarding the preservation of computer evidence, no formal international standards have yet been agreed.39

Section 69 of the Police and Criminal Evidence Act 1984, now repealed, used to require the prosecution to prove that a computer was working properly at the time any documentary evidence was produced.40

This was very difficult, if not impossible, to prove in cases where a hacker had deleted files or introduced a virus.41 Defence counsel therefore sometimes attempted to undermine the prosecution case simply by challenging the validity of s. 69 certificates. The Law Commission observed that the complexity of modern systems made it relatively easy to establish reasonable doubt in a juror's mind as to whether the computer was operating properly and that they were concerned about 'smoke-screens' being raised by cross-examination which focused in general terms on the fallibility of computers rather than on the reliability of particular evidence.42 Nevertheless, despite the repeal of s. 69, challenges to both admissibility and weight of evidence can be expected in computer crime cases. In R v Gold and Schifreen, for example, the defence made an unsuccessful application to have the prosecution evidence excluded under s. 78 of the Police and Criminal Evidence Act 1984.43

It should not be assumed that the relevant evidence will always come from a defendant's own computer. Criminals may choose to store files on a computer other than their own, perhaps even in another jurisdiction if a hacker has managed to gain control of a computer by using a Trojan horse. Kevin Mitnick admitted using computers belonging to the University of Southern California to store proprietary software that he had stolen.44 This may create significant difficulties in seizing evidence.

Secondly, dealing with encrypted files poses a significant challenge to investigators attempting to gain evidence of computer crime.45 While encryption has benefits for the privacy of individuals and the security of e-commerce, it can also assist criminals, as encrypted e-mails or files on the defendant's hard drive may be completely inaccessible to investigators. A 1999 Cabinet Office report noted that there was evidence that major criminals and terrorists were using encryption to conceal their activities.46 Downloading free encryption software from the Internet is one of the first steps any computer-literate criminal can take. Sending e-mail through Hushmail or Zixmail will allow it to be encrypted. The Director General of the NCIS has said that encryption is one of the most important issues currently facing law enforcement throughout the world and that the widespread use of robust encryption by criminals could seriously damage the ability to fight serious and organised crime.47 The encrypted material may not even be at the suspect's house. In 1995 Christopher Pile was convicted of offences under ss 2 and 3 of the 1990 Act in connection with writing a computer virus. When police searched his home, no computer was discovered. Upon searching a computer found in the home of one of his friends, police discovered a small encrypted file, later decrypted to reveal a virus-writing program.48

Unless investigators possess a means of decrypting material, important evidence may remain unavailable. One option for police is to raid the suspect's house to try and catch him with his computer turned on so that they can access it. Alternatively, police may uncover evidence such as printed copies of the encrypted documents, unencrypted copies of the file or evidence of the decryption key through surveillance. In United States v Scarfo the FBI conducted a search of premises owned by an alleged organised crime figure. A computer file, which the FBI believed contained evidence of Scarfo's racketeering activities, was protected by PGP.49 The FBI subsequently obtained a warrant for a covert intrusion and installation of a key logger which recorded each keystroke typed, so as to obtain Scarfo's password.50 Nevertheless the problem of encryption remains a major one and it will be interesting to see whether any prosecuting authority will bring a child pornography prosecution based simply on the circumstantial evidence of a locked encrypted file, which the defendant refuses to open, together with a browser history showing repeated visits to child pornography sites.

Thirdly, the ability of computers to retain vast amounts of material can pose document-handling challenges. In a US software piracy prosecution, more than seven gigabytes of illegal transactions, the equivalent of 20 million pages of information, were seized.51 Similarly, it is said that in R v Bedworth there was more evidence produced than in the whole of the Guinness fraud trials.52 The CPS stated that 'if all the diskettes seized were to be printed out on A4 paper together with the other documentation seized, there would be a pile of paper approximately 120 feet high'.53 The volume of potential evidence can therefore resemble what previously only existed in major serious fraud cases. Although in a computer crime the evidence may be produced in digital rather than paper form, and only accessible via a computerised search tool, this is not a perfect solution as keyword searches can miss relevant evidence. Such volume also creates greater difficulties for prosecutors in meeting their disclosure obligations.

Fourthly, computer crime can present new challenges in terms of identification evidence. Since anonymity is much easier on the Internet, the identification of defendants becomes much more difficult. Stealing money from a bank used to mean entering by the front door, risking identification by staff and customers, or by being caught on closed circuit television cameras. Now it is possible to enter a bank by an 'electronic back door' and this requires a different approach to identification evidence. If the case concerns a hacker who has gained unauthorised access to a computer system via the Internet, investigators have to trace an 'electronic trail' leading from the victim's computer to the defendant's computer and arrange for the preservation of critical traffic data. Although users are assigned Internet protocol addresses, an ISP may have 1 million customers but maintain only 20,000 phone lines, based on an expectation that no more than 20,000 customers will ever dial in at any given time. The ISP may therefore give a dynamic Internet protocol address to each incoming call which will then be reassigned to the next customer using that line. Although data logs are kept, much information gathered in the logs is only retained temporarily for billing purposes. However, ISPs currently have different standards as to how long, if at all, they retain logs. Accredited UK police officers may request an ISP to retain data pending receipt of a certificate under the Data Protection Act 1998. An International Association of Prosecutors Working Group has recommended that ISPs should retain data logs of dynamic IP addresses for 12 months.54 Since tracing a communication may be possible only when the hacker is actually online, this creates the need for real-time tracing of Internet communications across traditional jurisdictional boundaries. This may be particularly difficult when the communication passes through different carriers in different countries, in different time zones and subject to different legal systems. By using laptop computers connected to mobile phones, and combined with identity theft, hackers can make investigation even more difficult.
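The attribution step described above (a dynamic address seen in a victim's log, resolved to a subscriber through the ISP's session records) can be sketched as follows. This is an added example, not part of the article: the log format, account names, addresses and retention periods are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed dial-up accounting records (not real data), one session per line:
# start|stop|assigned_ip|account, in the ISP's local time with its UTC offset.
SAMPLE_LOG = """\
2002-03-01T19:58:10+01:00|2002-03-01T20:44:55+01:00|192.0.2.17|acct-1001
2002-03-01T20:45:02+01:00|2002-03-01T22:40:31+01:00|192.0.2.17|acct-2002
2002-03-01T21:20:00+01:00|2002-03-01T21:50:00+01:00|192.0.2.18|acct-3003
2002-03-02T09:00:00+01:00|2002-03-02T09:30:00+01:00|192.0.2.17|acct-1001
"""


def parse_sessions(text):
    """Parse accounting lines into dicts whose times are normalised to UTC."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, stop, ip, account = line.split("|")
        sessions.append({
            "start": datetime.fromisoformat(start).astimezone(timezone.utc),
            "stop": datetime.fromisoformat(stop).astimezone(timezone.utc),
            "ip": ip,
            "account": account,
        })
    return sessions


def attribute(ip, seen_at, sessions, *, now, retention, skew=timedelta(0)):
    """Resolve (ip, time) from a victim's log to the account holding the lease.

    Returns (status, accounts) where status is one of:
      "purged"     - the event is older than the ISP's retention period
      "no_session" - no retained session covers that address at that time
      "match"      - exactly one account held the address
      "ambiguous"  - the address changed hands within the clock-skew margin
    """
    if seen_at.tzinfo is None:
        # A timestamp without a zone cannot be compared across jurisdictions.
        raise ValueError("victim timestamp must carry a UTC offset")
    seen = seen_at.astimezone(timezone.utc)
    if now - seen > retention:
        return ("purged", [])
    accounts = sorted({
        s["account"] for s in sessions
        if s["ip"] == ip and s["start"] - skew <= seen <= s["stop"] + skew
    })
    if not accounts:
        return ("no_session", [])
    return ("match" if len(accounts) == 1 else "ambiguous", accounts)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    now = datetime(2002, 3, 10, tzinfo=timezone.utc)
    seen = datetime(2002, 3, 1, 20, 30, tzinfo=timezone.utc)
    # Same address and time, two assumed retention periods.
    for label, keep in (("12 months", timedelta(days=365)),
                        ("7 days", timedelta(days=7))):
        print(label, attribute("192.0.2.17", seen, sessions,
                               now=now, retention=keep))
    # The same wall-clock time read in the wrong zone points at another account.
    misread = seen.replace(tzinfo=timezone(timedelta(hours=1)))
    print("misread zone", attribute("192.0.2.17", misread, sessions,
                                    now=now, retention=timedelta(days=365)))
```

The skew parameter models unsynchronised clocks between the victim's system and the ISP: an event logged seconds either side of a reassignment yields two candidate accounts rather than one.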

Investigators may track a connection back to a particular computer, but this does not necessarily mean they can identify who used it at the relevant time. It is notable that, although financial institutions have customer identification requirements, ISPs do not. Individuals can provide false biographical information or adopt misleading screen names. When a computer is seized in a single-occupancy dwelling, the material on it can usually be assumed (with the exception of the problem of Trojan horses) to belong to the person living there. The issue becomes more difficult when a computer is shared by many users in a family home, a university department, or an office. It may therefore be necessary to attempt human or video surveillance to prove who was sitting at the keyboard committing the illegal act. Other means of concealing identity which may cause identification evidence problems are the use of anonymous re-mailer services and e-mail spoofing.

Fifthly, many computer crime cases will require courts to consider the working operations of computers, necessitating the calling of expert witnesses to give evidence, perhaps on software, hardware, telecommunications or Internet matters. As those with significant computer expertise in the public sector may work for intelligence agencies, and may not wish to appear, the prosecution may therefore be forced to use private sector computer expertise, which may have significant resource implications.

Sixthly, steganographic tools can be used to conceal important evidence from the authorities. These tools are programs that hide data in graphic or audio files and can enable criminals to use Web images as 'digital dead drops' for information.56

Of course it should not be assumed that evidence in computer crime cases will always be evidence from or about computers. All other types of evidence may be relevant. In R v Pryce, the crucial evidence that allowed the investigators to identify the culprit was evidence from an informant who told them that 'Datastream Cowboy' was a UK hacker and gave them his telephone number.57 As Sommer has written:

'Most successful prosecutions rely on more than one stream of computer-derived evidence. What is needed is a multiplicity of independent streams of evidence, both computer- and non-computer-derived, which corroborate each other. Any single stream may fail either because of intrinsic inadequacy or because the courts find it too difficult to understand.'58

Thus the normal investigative skills of CID officers are not overtaken by computer forensics skills; rather, one supplements the other.

INVESTIGATIVE EXPERTISE

Cybercrime cannot be effectively prosecuted without it having been effectively investigated. Unless investigators develop or have access to the necessary technical expertise, there will be no effective gathering of sufficient evidence against the perpetrators. Indeed, unless investigative expertise exists, police may struggle to understand whether a computer crime has been committed or not. The training curve in computer forensics is three to five years for an investigator to become competent. Agencies need to develop different levels and types of competences, varying from basic search and seizure competences to accredited computer forensic competences. Undoubtedly differences in capabilities exist between different jurisdictions and there is a need to share expertise both within and amongst jurisdictions.

In the UK there has been recognition of this need for investigative expertise by the creation of computer crime units in police forces, often attached to local fraud squads, and in other investigative agencies such as HM Customs and Excise. For example, the Computer Crime Unit of the Royal Ulster Constabulary was actively involved in 189 investigations in 1999-2000.59 Although specialised units have the advantage that staff develop expertise, the difficulty with this organisational response is that the knowledge will often not become spread more widely. In addition, tenure policies can cause significant loss of knowledge. Despite the establishment of specialist units, which may vary significantly in the level of resources and expertise, it has been suggested that the complexity of computer crimes is exceeding the ability of law enforcement agencies to prosecute them60 and that investigators are lagging behind criminals in training and ability to combat cybercrime.61 It has also been alleged by defence experts that law enforcement investigators regularly mishandle computer evidence and, as a result, defendants may be being seriously prejudiced. Indeed it is suggested that prosecutions are quite frequently abandoned before trial as a result of contamination of computer evidence by careless handling procedures.62

The recent establishment of the UK's National Hi-Tech Crime Unit63 has been described as 'a milestone in modern policing'.64 The functions of the unit are to:

(i) investigate, or support the investigation of, serious and organised crime usually operating on a national or international scale, that wholly or partly involve computers or computer networks such as the Internet;

(ii) investigate attacks on the UK critical national infrastructure;

(iii) undertake forensic retrieval and examination of computer-based evidence gathered in its investigations;

(iv) provide the national point of contact for overseas investigators of international offences involving computer networks;

(v) provide technical support and advice to investigators in the police service and other law enforcement agencies across the UK;

(vi) work in partnership with local police and other agencies taking forward initiatives to promote information security and other high-tech crime reduction strategies, and

(vii) liaise with industry on behalf of the police service, for example through the Internet Crime Forum, the Association of Chief Police Officers' Telecommunications Strategy Forum and the G8 Government-Industry Dialogue on Confidence and Security in Cyberspace, to support cooperation between law enforcement and industry in the detection, investigation and reduction of high-tech crime.65

Some in the private sector have expressed doubts whether the unit will be able to do much to stem the rising tide of cybercrime, since the resources being committed to it are tiny when compared to the resources brought to bear on cybercrime by the worldwide computer security industry.66 It has been suggested it will only be able to catch 'the low-hanging fruit, the easy pickings, the people that are not very good at covering their tracks'.67

However this pessimistic assessment fails to recognise that opposing computer crime requires a partnership between industry and law enforcement.

One of the difficulties faced in all jurisdictions is that of staff retention since, once trained in computer forensics, investigators may be poached for higher salaries by the private sector.68 In Australia almost the entire Federal Police Computer Fraud Detection Unit joined Arthur Andersen in 1998, reputedly after being frustrated by inadequate funding to keep pace with cybercriminals. Several months later the majority of Victoria's Computer Crime Squad also left to work in the private sector.69 Indeed, in Australia, one-third of all police computer crime specialists resign each year on average.70 This represents a major loss of experience and expertise. A partial solution to this problem may be secondments between the private sector and law enforcement agencies. It is notable that in the Mitnick investigation the US authorities required private sector expertise to arrest the world's best-known hacker.71

PROSECUTORIAL EXPERTISE

In addition to investigative expertise, there is a need to develop prosecutorial expertise in relation to computer crime. A former member of the Metropolitan Police Computer Crime Unit has stated that the CPS has had difficulty in finding computer-literate staff to prosecute the more complex computer crime cases72 and another police officer involved in such investigations has observed that it has sometimes been difficult to convince CPS prosecutors that a computer crime has taken place.73 It may of course be that the second observation is linked to the first. Unless prosecutors receive training in relation to computer crime, they may lack the fundamental understanding of the technical issues that is necessary properly to assess the evidence, and will thus be unable properly to assess whether a case possesses a reasonable prospect of a conviction. In 1999 the Director of Public Prosecutions for England and Wales admitted that while the CPS had prosecuted a number of cybercrime cases, particularly in regard to child pornography, it still had much to learn.74

Undoubtedly the same is true of other prosecuting authorities in the UK.

Prosecuting authorities often, however, respond more slowly than investigative agencies in developing specialist expertise in particular fields. This may be due to a number of factors. First, investigators are forced to develop investigative expertise in order to gather evidence effectively. Second, prosecuting agencies tend to have fewer staff than investigative agencies. This tends to limit the opportunities to have specialists. Nevertheless each jurisdiction must have prosecutors who are experienced in, and trained to deal with, computer crime. Some jurisdictions may be able to justify the allocation of prosecutors to computer crime on a full-time basis. A US Assistant Attorney General has observed:

'The complexity of these technologies, and their constant and rapid change mean that investigating and prosecuting offices must designate investigators and prosecutors to work these cases on a full-time basis, immersing themselves in computer-related investigations and prosecutions.'75

In the Department of Justice there are 20 attorneys in the Computer Crime and Intellectual Property Section. In addition, each US Attorney's Office has assistant attorneys known as computer and telecommunications coordinators who are given special training and equipment and serve as their office's expert in computer crime cases and who receive special training in the legal, technological and practical challenges involved in investigating and prosecuting cybercrime.76 These form a network of prosecutors who are available 24 hours a day and seven days a week to provide legal advice and obtain whatever court orders are necessary in respect of computer crime. The level of prosecutorial expertise necessary in the USA is affected by the close involvement of prosecutors in the investigative process. Nevertheless other jurisdictions have also established specialist prosecutorial units. For example, the Department of Justice in Hong Kong has established a Computer Crime Section within its Prosecutions Division whose duties include the provision of legal advice to law enforcement agencies regarding criminal charges to be laid in the area of computer crimes and the actual conduct of such prosecutions in the courts.77 Smaller jurisdictions may find it more realistic to designate certain prosecutors as those who will deal with such cases in the event they arise.

Given the speed at which computer hardware, software and infrastructures change, and because criminal methodology generally changes rapidly, it is desirable that prosecutors receive ongoing training in the investigation and prosecution of high-tech crime issues. In the USA, federal high-tech prosecutors receive one week's annual training delivered by both government and private sector experts. It may therefore be desirable for a number of CPS lawyers to receive some basic technical training by police in computer forensics methods so that they are in a position genuinely to understand the evidence that is submitted to them in computer crime cases.

Fraud prosecutors in particular need to develop computer expertise, given the possible new methods and models of fraud. Their casework may be affected by, for example, e-mails replacing advance-fee fraud letters from West Africa and the forging of digital signatures.78

As well as the development of in-house expertise, prosecuting agencies also need to consider the issue of expertise in respect of counsel who conduct trials on their behalf, and who need to understand the technological dimension sufficiently well to explain it to a jury possessing varying degrees of computer knowledge. Where a jury is composed of computer-literate members, prosecuting counsel might opt to run the case in one way, but where it is composed of members with little computer knowledge and experience, counsel may choose to run it differently. It is noteworthy that the defence team in the case of R v Bedworth contained a senior counsel who was a criminal law specialist and a junior counsel who was a computer specialist. The latter, who described himself as adopting the role of 'a hacker with a wig on', supplied questions for the technical witnesses and was deferred to by both the judge and the prosecution when called upon to explain computing concepts or jargon.79 Prosecuting attorneys in the USA have found they have faced a steep learning curve in respect of computer crime and there are those who believe that computer law and evidence will become another specialised field within the legal profession.80

The alternative approach to training prosecutors is to adopt the view that agencies only need to provide training on a case-by-case basis as and when investigation files concerning computer crime are submitted for consideration. However, as has been written, 'The trouble with the future is that it usually arrives before we are ready for it.'81


MUTUAL LEGAL ASSISTANCE

One of the effects of information and communication technologies is the ability of individuals to commit crimes in jurisdictions to which they have never physically travelled. They therefore do not have to pass through immigration controls or show a passport. A paedophile can store his pornographic images on someone else's computer on another continent without their knowledge if he has managed to gain control of their system using a Trojan horse. The successful investigation and prosecution of computer-related crime will often therefore require mutual legal assistance from other jurisdictions, as evidence from witnesses in foreign jurisdictions may be required to prove the case.

However, the current system of mutual legal assistance has been variously described as 'a complex system which is totally out-of-date',82 'slow, formalistic and not responsive to the needs of the prosecution',83 'excessively bureaucratic'84 and 'time consuming and inefficient'.85 It has been suggested that there are 'significant delays' in respect of requests to countries outside the EU,86 and that the UK Central Authority is overwhelmed by requests.87 It is to be hoped that the establishment of Eurojust may lead to a significant improvement in the current position. Delays do not bode well for the successful prosecution of transnational computer crime. As the United Nations has written:

'More than in any other transnational crime, the speed, mobility, flexibility, significance and value of electronic transactions profoundly challenge the existing rules of international criminal law.'88

There has nevertheless been successful mutual legal assistance in computer crime cases. In United States v Zezov and Yarimaka the FBI began investigating a computer break-in at New York-based Bloomberg News. Zezov had gained unauthorised access to the company's computer system from computers located in Kazakhstan. Zezov sent a number of e-mails to Michael Bloomberg, the founder and owner of the company, demanding that Bloomberg pay $200,000 into an offshore account in exchange for his providing information as to how he was able to hack into the company's computer system. However, the cooperation the FBI received from the Kazakh authorities was excellent. With the help of the Kazakhs, the two defendants were lured to London. Zezov and Yarimaka met there with Michael Bloomberg and two Metropolitan Police officers, one posing as a Bloomberg executive and the other serving as a translator. Shortly after the meeting, Zezov and Yarimaka were arrested by the Metropolitan Police.89 The defendants were each charged with one count of interfering with commerce by using extortion; one count of extortion of a corporation using threatening communications; and one count of unauthorised computer intrusion.90

However, computer-related crime has the potential for creating unique mutual legal assistance difficulties. To ensure that investigations are effectively carried out, each nation needs to have the ability to respond on a 24/7 basis to international requests. Mutual legal assistance will often be required to trace the electronic trail of a hacker as a matter of urgency, since delay in such an investigation can be critical. If the ISP in his jurisdiction is not required to keep records concerning each individual communication, the trail of a criminal may be impossible to trace once his modem has been switched off. The ability to persuade another jurisdiction to preserve critical evidence such as log files and e-mail traffic is essential. Therefore, investigators and prosecutors with expertise in this field must be available 24 hours a day so that appropriate steps can be taken in urgent investigations. The system of letters of request sent by post is too slow and cumbersome to cope with such problems. Jurisdictions must retain critical evidence on the basis of e-mailed requests, subsequently turning it over to the requesting state on the basis of a formal letter of request. The action plan following the 1997 G8 summit agreed that points of contact available on a 24-hour basis would be designated.91

The Convention on Cybercrime requires signatories to adopt such measures to provide mutual legal assistance. These include expedited preservation of stored computer data; measures for search and seizure of computer data; and real-time collection of traffic data. The convention also provides generally that the signatories should cooperate with each other to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.92 The convention also provides that signatories should designate a point of contact available on a 24-hour, seven days per week basis in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data.93

An important factor which can affect mutual legal assistance is the degree to which a jurisdiction has updated its legislation to take account of computer crime. Where one jurisdiction's laws criminalise computer crime and another's do not, mutual legal assistance may not be possible. In respect of search and seizure powers dual criminality is often required and, where this is lacking, assistance may not be possible. In 1992 hackers from Switzerland attacked the San Diego Supercomputer Centre. The USA sought help from the Swiss, but the lack of dual criminality limited the ability of the Swiss authorities to provide mutual legal assistance. Before long, the hacking stopped and the investigation concluded unsuccessfully.94

Mutual legal assistance may also be limited by the availability of resources that a jurisdiction has. Inevitably this makes smaller jurisdictions with limited computer crime resources more attractive to criminals. A knowledgeable hacker will make use of servers in countries which are less likely to be able to give assistance to his own.

THE DISCRETION TO PROSECUTE

In determining whether to prosecute computer offences, prosecutors should take into account all the considerations normally associated with the sound exercise of prosecutorial discretion. Thus, prosecutors should evaluate, first, the sufficiency of the evidence with a view to determining whether there is a reasonable prospect of a conviction and, second, whether proceedings are in the public interest. Although each case must turn on its own facts, there are five major public interest issues that frequently arise for consideration in respect of computer crime.

First, whether proceedings are in the public interest will depend on the seriousness of the offence. There is a significant public interest in keeping a country's computer networks secure from hackers. Following conviction of David Smith for unleashing the Melissa virus, the US Attorney General stated:

'In light of society's increasing dependence on computers, the Department will vigorously investigate and prosecute computer crimes that threaten our computer infrastructure.'95

The virus infected more than 1 million personal computers in North America, disrupted computer networks in business and government, and caused more than $80m in damage. The importance of intellectual property to the US national economy, and the scale of intellectual property theft, led the US Department of Justice to designate intellectual property crime as a priority for federal law enforcement. This means that US cases involving intellectual property theft are less likely to be written off as not to be prosecuted in the public interest.96 On the other hand, unauthorised access to a minor private sector system is less likely, without further aggravating factors, to be prosecuted due to its less serious nature. Nevertheless 'white-hat hackers', whose hobby is to find weaknesses in computer systems and then publicise them to allow the weaknesses to be rectified, can still be prosecuted for unauthorised access.

Secondly, there is the issue of whether to prosecute juvenile offenders. Where the defendant is a teenage offender who has gained unauthorised access to a computer, is it in the public interest to prosecute him or would an alternative method of disposal, such as restorative justice, be sufficient? Where the offence is simple unauthorised access motivated by curiosity, then the public interest may not require criminal proceedings. Where some further offence has been committed, for example theft of intellectual property or blackmail, the public interest will usually require prosecution. In United States v An Unnamed Juvenile97 the first-ever charges against a juvenile hacker were brought by the US government for commission of a computer crime where the defendant disabled a key telephone company computer servicing a Massachusetts airport, causing both the main radio transmitter, and a circuit which enabled aircraft to send an electric signal to activate the runway lights on approach, to be non-operational. The US Attorney stated:

'This case reflects our intention to prosecute in federal court anyone, including a teenager, who commits a serious computer crime. The plea agreement is a balanced effort, weighing the seriousness of this juvenile's computer intrusions and his lack of malevolence.'98

Although criminalising juveniles is recognised, in general, as undesirable, criminal prosecution may be the only meaningful deterrent for the curious and persistent juvenile hacker, and when dealing with juveniles, prosecutors should apply their normal considerations. Nevertheless, even in serious cases proceedings may not be commenced. For example, a terminally ill teenage hacker would be unlikely to be prosecuted.

A third issue that may often arise is whether to prefer charges against an offender if he can be charged in his own jurisdiction. Prosecution in his own jurisdiction may be a more effective use of resources than the expensive option of extradition proceedings. In making their decision prosecutors should weigh all relevant considerations, including the strength of the other jurisdiction's interest in prosecution; the other jurisdiction's ability and willingness to prosecute effectively; and the likely sentence if the defendant is convicted in the other jurisdiction.

Fourthly, it is notable that financial institutions often regard it as in their private interest not to report computer crime for prosecution. Could it be that the public interest might require certain computer crimes not to be prosecuted so that the authorities do not have to reveal the vulnerability of sensitive systems? This is unlikely. There have been a number of prosecutions where defendants have hacked into highly sensitive military computers and yet proceedings have been commenced. Nevertheless it is a factor which it is sometimes suggested is taken into account. The non-prosecution of 'Phantomd' for hacking into classified US military systems, including nuclear weapons laboratories, served the public interest, it was suggested, by keeping details out of the public realm. However, a more likely explanation may be that prosecutors made their decision because of the difficulty of proving intent, given that 'Phantomd' had been variously diagnosed as schizophrenic or as having severe learning difficulties.99

Fifthly, prosecutors should consider the deterrent effect of prosecution. The chief technologist at a computer security firm observed in 1999 that since the 1995 conviction and imprisonment of Christopher Pile, no major viruses had been propagated in the UK.100 In 2001, however, a UK citizen was charged in connection with creating the W32-Leave.worm.101 Although the general view is that enforcement of the criminal law has a deterrent effect, some research suggests that aggressive legislation directed at virus writers cannot be shown to have any positive impact on the virus problem.102

SELECTION OF CHARGES

Where laws have not been updated to take account of computer crime, prosecutors can be left struggling to find appropriate offences with which to charge defendants. Prior to the introduction of the 1990 Act, UK prosecutors laid charges under the Forgery and Counterfeiting Act 1981 in the case R v Gold and Schrifreen103 and under the Criminal Damage Act 1971 in R v Whiteley.104 The Court of Appeal said in R v Gold and Schrifreen:

'We have accordingly come to the conclusion that the language of the Act was not intended to apply to the situation which was shown to exist in this case. The defence submissions at the close of the prosecution case should have succeeded. It is a conclusion which we reach without regret. The Procrustean attempt to force these facts into the language of an Act not designed to fit them produced grave difficulties for both the judge and jury which we would not wish to see repeated.'105

The passing of the 1990 Act therefore significantly improved the charging options for prosecutors.

Neither the Code for Crown Prosecutors in England and Wales nor its Commonwealth Australian equivalent includes any specific guidelines regarding selection of computer crime charges. Both are brief documents setting out general principles and do not purport to deal with specific types of crime. The US Attorney's Manual, however, contains material drafted by the Computer Crime and Intellectual Property Section of the Department of Justice on the subject of intellectual property crime, much of which is computer-related.

Essentially, of course, the available evidence will determine the charges that a prosecutor may prefer. In some cases the evidence will permit only charges under the 1990 Act to be preferred. In others, only 'traditional' charges, such as dishonesty offences, may be possible. Where more than one defendant is engaged in the conduct, conspiracy to defraud may be applicable. Many cases of computer crime can be dealt with simply by preferring traditional offences, which may have distinct advantages. Prosecutors and judges may be more comfortable with a familiar statute, and juries may believe that fraud is more accessible to their experience and understanding than computer offences. In a UK case, those who sent hoax e-mails to a business rival asking him to travel to India to complete a business deal were charged with forgery offences.106 Where the computer crime has led to financial gain, there may also be a possibility of preferring money laundering charges. In United States v Gajdik, the defendant admitted that he posted and advertised for sale through eBay items such as Rolex watches that he did not have for sale. eBay users in countries such as the USA, Japan, Australia and Israel subsequently bid on, purchased and sent Gajdik money for the items. The US Attorney preferred charges of mail fraud, wire fraud and money laundering.107

A prosecutor may wish to direct 'technical' computer charges in case a jury is unable to reach a verdict on a traditional charge. This may include the possibility of directing charges of attempting and conspiring to commit offences under the 1990 Act. There may be possible advantages in charging computer offences as opposed to traditional offences; in particular, the necessary proofs may differ. Nevertheless prosecutors who lack training and familiarity with computers may view the evidence from a traditionalist perspective and omit specific computer-related offences. There have inevitably been some unsuccessful prosecutions in the UK under the 1990 Act. Indeed one commentator observed that 'the Act has been plagued by failed prosecutions'.108 In R v Bedworth the defendant was acquitted after his defence argued he lacked the necessary intent because of 'computer addiction'.109 In R v Gooding the defendant denied unauthorised modification of computer material. Gooding had resigned as skipper of a fishing boat after an argument over maintenance costs and had deleted coordinates of lobster pots from the boat's positioning system. His solicitor successfully argued Gooding owned the copyright to the information he entered into the boat's computer and that the symbols of fish, boats and wrecks counted in law as a literary work.110 In R v Mahomet and Arlidge, a former BT engineer and a journalist were acquitted in a case which concerned whether it was unauthorised access for the former to show the latter a security breach in the BT system.111 Prosecutors also have every reason to be cautious in their selection of charges, given that the meaning of a central concept under the 1990 Act, unauthorised access, was only settled by the House of Lords in 1999.112 Where computer-related offences are preferred, care should be taken in the drafting of computer charges. The British Computer Society has suggested that prosecution allegations are often inadequately specified in technical terms and that the non-technical drafting of charges may result in the misuse of terms of art.113

In many cases, however, there may be a choice of charges which the prosecutor can direct. Where the prosecutor has such a choice, it will usually be advisable to prefer a balanced indictment containing both traditional and computer-related offences. In R v Borg114 an analyst in an investment company was alleged to have set up dummy accounts to swindle over £1m from her employer. She was charged with an offence under s. 2 of the 1990 Act and with conspiracy to steal. Following her agreement to plead guilty on other charges, no evidence was offered by the prosecution on the 1990 Act offence, which she had denied. However, prosecutors do not always direct computer offences even where they would appear to be supported by the evidence. A council employee who accessed a council's computer and transferred £67,000 into a bogus building society account was prosecuted for, and convicted of, theft and obtaining property by deception. For some reason charges under ss 1 and 3 of the 1990 Act were not also directed.115

Another possible charging option for prosecutors may be to charge unlawful obtaining, selling or offering to sell personal data contrary to s. 55 of the Data Protection Act 1998. In Director of Public Prosecutions v Bignell116 two police officers instructed computer operators to extract car ownership details from the police national computer for their own personal use. As a result they were convicted of offences under s. 1 of the 1990 Act. Their convictions were quashed on appeal on the basis that their use of the computer, even if it had been for private purposes, was not within the definition of 'unauthorised access'. The Court of Appeal impliedly criticised the choice of charges, observing that the defendants could have been prosecuted under the provisions of the Data Protection Act 1984.

Because of the convergence of computers and telecommunications, prosecutors may also have charging options under the telecommunications legislation. The facts may permit a hacker to be charged under ss 42 or 42A of the Telecommunications Act 1984 if there has been a fraudulent use of the telecommunications system (much hacking involves 'phone-phreaking') or under s. 1 of the Regulation of Investigatory Powers Act 2000 if, for example, there has been an unlawful interception of e-mail. In R v Strickland and Woods, the defendants were charged with conspiring to obtain telegraphic services dishonestly and engaging in the unauthorised publication of computer information.117

Where the activities of hacktivists are concerned, charges under the Terrorism Act 2000 may also be possible. Under the 2000 Act terrorism is defined as including the use or threat of action which is designed seriously to interfere with or seriously to disrupt an electronic system, and which is designed to influence the government or to intimidate the public or a section of the public, and which is made for the purpose of advancing a political, religious or ideological cause. Thus a person could be prosecuted for possession of an article for terrorist purposes under s. 57 of the 2000 Act if he possesses a computer with which he has carried out a hacktivist attack. Similarly, the mere collection of electronic data for the purposes of hacktivism might be prosecuted under s. 58 of the 2000 Act. The institution of such proceedings requires the consent of the Director of Public Prosecutions or, where the offences are committed for a purpose connected with the affairs of a country other than the UK, the consent of the Attorney General.118

Where a hacker changes material on a system, a prosecutor's mind may turn to whether criminal damage charges might properly lie. However, charges for criminal damage are no longer possible because of s. 3(6) of the 1990 Act which provides that, for the purposes of the Criminal Damage Act 1971, a modification of the contents of a computer shall not be regarded as damage to a computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition. Other jurisdictions have adopted a different approach, amending their criminal damage legislation to allow prosecution where hackers alter data within a system.119 Prosecutors in the UK have to rely on the unauthorised modification offence in the 1990 Act in such circumstances.

Where the computer has been used to copy intellectual property, charges under the Copyright, Designs and Patents Act 1988 may be those most usually preferred by a prosecutor. Where the defendant has gained unauthorised access to carry out the copying, charges under the 1990 Act should of course also be considered.

In selecting particular charges, the prosecutor must bear in mind that the object of the charging decision is to prefer an indictment that accurately reflects the defendant's actions and will provide for a fair and proper sentence on conviction.120 The prosecution should, of course, never prefer more charges than are necessary simply to encourage the defendant to plead guilty to a few of them.121 Prosecutors must also remember that there is an important need to keep the case as straightforward as possible for the jury and thus the indictment must not be overloaded.

JUDGES AND JURIES

Computer crime prosecutions will inevitably have an impact on the judiciary, and the United Nations has observed that those who fulfil judicial duties must possess enough technical knowledge to be able properly to adjudicate on computer crime cases.122

Judicial Studies Boards should therefore ensure that they provide sufficient legal and technical training for judges to be able to preside effectively over such cases. Failure to do so may result in inappropriate acquittals. It is noteworthy that in R v Cropp, the first prosecution under the 1990 Act, the trial judge misdirected the jury as to the application of the Act.123

Judicial training should also take into account such matters as sentencing in computer crime cases, as there has been criticism of the way the judiciary have treated some computer crime defendants. In R v Goulden, the defendant pleaded guilty to an offence under s. 3 of the 1990 Act following his installation of a program on a printing company's computer that included a facility to prevent access without use of a password. Claiming that he was owed fees of £2,275, Goulden denied the company access to their printing facilities and it was unable to function for a number of days, losing £36,000 of business as a result. The trial judge imposed a conditional discharge for two years and a £1,650 fine. The judge also commented that Goulden's actions were 'at the lowest end of seriousness'. However, because of Goulden's actions, the company went into liquidation. This sentence was criticised on the basis that it 'did not assist in facilitating the use of the 1990 Act as a deterrent'.124 As there are indications in some jurisdictions of judicial discretion being exercised to wide degrees in computer crime cases,125 sentencing guidelines from the Court of Appeal may be desirable.

Computer crime prosecutions may also create difficulties for juries as finders of fact. Indeed, there have been suggestions that 'specialist juries' might be better able to follow the complexities of technical evidence in computer misuse cases. One commentator has suggested that it was too demanding of jurors to ask them, in effect, to undertake 'a crash-course in extremely complicated computer science'.126 If suggestions to abandon jury trials in complex fraud cases were adopted, it would seem logical to consider the same in complex computer misuse cases. Such a recommendation has been made by the British Computer Society.127

In jurisdictions which allow challenges to potential jurors, the existence of computer evidence in a case may lead to a particular pattern of jury challenges.128

The prosecution may be eager to have younger jurors who may be more conversant with computer technology. The defence may wish for an older, less technologically aware panel. Prosecutors need to be aware of the need to help juries to understand unfamiliar and technical terminology. For some computer crime prosecutions in the USA, expert witnesses have practised explaining technical issues to non-technical laypeople.129 For prosecution and defence alike the recruitment of appropriate experts may present difficulties, not least in resource terms.

The nature of computer evidence adduced in the majority of cases has meant there has not been the expected problem with baffled juries. The evidence has most often simply been copies of letters and text files which have not given rise to arguments over interpretation. In certain cases, however, the evidence has been more complex. In R v Garrett the jury was given a courtroom demonstration of how the Back Orifice Trojan horse software operated.130

CONCLUSION

Computer-related crime can be expected to increase both in complexity and quantity as newer generations of criminals inevitably become more computer literate. Although some agencies in certain jurisdictions have recognised this and made responses to prepare, others have not. Some commentators believe that cybercrime is a serious threat which is largely being ignored and predict that, due to law enforcement inadequacies, it will increase by two or three orders of magnitude by 2004.131 While low-tech criminals will always be with us, a major challenge to law enforcement is to keep pace with high-tech criminals who pose a threat to individuals, businesses and the economy and society of every developed nation.

It seems clear that, although police in the UK have developed specialist expertise in computer crime, prosecutors and judges have not yet developed the depth of expertise that currently exists in their US counterparts. Those in senior management who are less computer literate need to become aware of the issues involved in this field and to seek appropriate resources. Even where additional resources are unavailable, basic awareness sessions from computer crime investigators would be valuable.

Table 1: Convictions in England and Wales under the Computer Misuse Act 1990

Section 1 Section 2 Section 3

1991

Not available 0 3

1998 1999

3 3 2 1 4 7

As with any legislation, it is not the passing of it that deters offenders, it is the success of its enforcement. In this regard the low number of prosecutions under the 1990 Act is a cause for concern (Table 1).

One UK commentator has, however, suggested that, although there have been 'a disappointing number of prosecutions' and 'a few high-profile failures', nevertheless, with some recent prosecutions, there is now beginning to build up 'a record of significant successes'.132

One of the most significant factors contributing to the low numbers of prosecutions is the failure of victims to report computer crime. It is suggested that many attacks on computer systems in financial institutions go unreported so as to avoid embarrassment. This is dangerous and short-sighted. Financial institutions need to begin to report computer crime for intelligence purposes rather than concealing crime and disposing of any valuable evidential traces left in their computer systems. Law enforcement agencies could make arrangements to carry out forensic examinations of systems in a way that does not draw attention to the security breach or embarrass the institution. However, there are indications that reporting attitudes are changing. In the 2001 US computer crime survey, 36 per cent of respondents had reported intrusions to law enforcement, a significant increase from the previous year.

The problem of computer crime cannot, of course, be dealt with by prosecution alone. The private sector has a major role to play and its own security practices are important. Just as house owners have a responsibility to install good locks on their doors and windows, computer owners have a responsibility to try to keep their systems secure by firewalls, passwords and anti-virus programs. As the private sector owns and operates many of the computer infrastructures, it must be involved in helping defend them. The private sector is also the greatest source of expertise and knowledge and this expertise needs to be shared with law enforcement agencies if computer networks are to become more secure.

In addition, there needs to be societal change. This means educating our youth and others that computer hacking is not only illegal, but is ethically wrong. Most citizens know that it is wrong to break into a neighbour's house or read his mail, but many have not applied these same values to their online activities. In the past there has been a romanticisation of hackers, although this attitude too now seems to be changing.

Computer crime has the capacity to skew the application of investigative and prosecutorial resources in a number of ways. First, it could be suggested that investigative resources would be best allocated towards other types of criminal behaviour. Indeed it has been observed that prosecutors below the federal level in the USA are reluctant to handle computer crime cases because these prosecutors are subject to election, and their constituents would rather see them prosecuting murderers and rapists.134

Second, the limited resources that do exist to investigate computer crime mean that there is a need to target those resources on the most important crime. Some computer crime, low-value offences in particular, may escape prosecution because of the limited resources available. Third, while the use of the Internet and computers to transfer and store child pornography is a serious problem which has already led to a number of major investigations and prosecutions, there may be a risk of computer crime resources being devoted towards dealing principally with child pornography cases, to the neglect of other types of computer crime. The largest known commercial child pornography case involved revenues which reached $1.4m in one month.135

Although computer technology offers paedophiles new tools,136 this one type of crime should not be allowed to dominate the computer crime agenda.

The lack of UK strategic planning and coordination of strategy development in the field of computer crime has been criticised137 and a DTI Foresight Panel has called for the establishment of a national e-crime strategy.138 While the Internet Crime Forum serves a useful purpose as a discussion group between government and ISPs and the Internet Task Force on Child Protection focuses on child pornography and grooming, there is as yet little real coordination in respect of law enforcement's approach to computer crime in the UK, merely rapidly developing pockets of expertise. Hence there is a need for 'joined-up' government in this field. A possible solution is the establishment of a Home Office Working Group on Computer Crime consisting of representatives of the Home Office, the Data Protection Registrar, ACPO, the NHTCU, the NCIS, the CPS, HM Customs and Excise and the Department of Trade and Industry. Such a group could monitor the levels and types of high-tech crime and make recommendations as to required legislative change.

In computer jargon the 1990 Act could be described as 'Legislation 1.0'.139 Since computers and the infrastructure of the Internet have now significantly developed, it is in clear need of reform.140 The head of the NHTCU has expressed the view that the legislation regarding theft and deception needs to be updated to cope with crimes committed across computer networks.141 The Law Commission commented that it was all too aware that the law of dishonesty had failed to keep up with the ever-increasing complexity of modern commercial life and with the technological developments of the last 30 years.142 In particular it has expressed the view that the dishonest obtaining of a service is criminal only where it is done by deception and, since deceit can only be practised on a human mind, where a service is dishonestly obtained from a computer over the Internet upon the automated checking of a credit card number, no offence has been committed.143 Other problems also exist in regard to UK law. For example, it is unclear in a denial of service attack, where the target computer is not accessed, nor its contents altered, but it is simply 'busied out', whether an offence has been committed.144 Consideration should also be given as to whether possession of a virus or virus engine without reasonable excuse should be a criminal offence. It has also been suggested that there is a need to create an offence to tackle the use of the Internet for grooming children for sexual abuse.145 Undoubtedly, the UK response to the Cybercrime Convention will deal with some of these issues.

There is a growing international willingness, fuelled not least by the desire to participate in e-commerce, to tackle the problem of computer crime. However, upgrading legislation is just the beginning. Educating those who are participants in the criminal justice system and resourcing investigations and prosecutions then have to follow. The move to a cashless society will increase pressure on criminals to commit computer-related crime. Modern-day Willie Suttons, when asked why they committed computer crime, will, like their forerunner, reply 'because that's where the money is'. Prosecuting authorities must be ready, able and resourced to prosecute it.

REFERENCES

(1) In this paper the terms 'computer-related crime', 'computer crime', 'cybercrime' and 'high-tech crime' will be used interchangeably.

(2) Press release, US Attorney's Office for the Northern District of California, 4th April, 2001.

(3) 'Electronic Crime Needs Assessment for State and Local Law Enforcement', National Institute of Justice, Washington DC, 2001.

(4) The lack of an agreed definition of computer crime may cause difficulties when extradition proceedings are being considered.

(5) 'Project Trawler: Crime on the Information Highways', National Criminal Intelligence Service, London, 1999, para. 2.

(6) Statement of the Director of the Federal Bureau of Investigation to the Senate Committee on Judiciary Subcommittee for Technology, Terrorism and Government Information, Washington DC, 28th March, 2000.

(7) Press release, 19th February, 1998, Audit Commission, www.audit-commission.gov.uk/ac2/NRfirst.htm.

(8) 'Computer Crime and Security Survey', Computer Security Institute, San Francisco, 2001.

(9) Statement of Robert S. Litt, Deputy Assistant Attorney General, before the US Senate Ways and Means Committee, Subcommittee on Social Security, Washington DC, 6th May, 1997.

(10) 'Renault blames spies for designs theft', New Zealand Herald, 18th July, 2001.

(11) 'Hollywood under reel attack', New Zealand Herald, 9th August, 2001.

(12) Testimony of Jonathan Winer, Deputy Assistant Secretary, Bureau for International Narcotics and Law Enforcement Affairs, before the US House of Representatives Committee on Banking and Financial Services, 11th June, 1998.

(13) Press release, Securities and Exchange Commission, 20th September, 2000.

(14) Press release, US Attorney's Office, New Jersey, 9th May, 2000.

(15) 'Nurse alters hospital prescriptions', Computer Fraud & Security Bulletin, February 1994.

(16) Statement by Neil J. Gallagher, Deputy Assistant Director, Criminal Division Federal Bureau of Investigation, before the Joint Economic Committee, United States Congress, 24th March, 1998.

(17) 'Organized Crime: The National Security Dimension', report of the George C. Marshall European Centre for Security Studies Conference, Germany, 1999.

(18) 'Mafia caught attempting on-line bank fraud', IDG News, 3rd October, 2000, www.nwfusion.com/news/2000/1004mafia.html.

(19) 'Russian Mafia threatens Net', ZDNETNews, 16th July, 2001, www.zdnet.com/zdnn/stories/news/0,4586,2784950,00.html.

(20) Hereafter referred to as 'ISP'.

(21) Politically motivated attacks on Web pages or e-mailer servers.

(22) 'Cyber Crime and Punishment? Archaic Laws Threaten Global Information', McConnell International, December 2000.

(23) Hereafter referred to as 'the 1990 Act'.

(24) Hansard, House of Commons, 9th February, 1990, col. 1134.

(25) Ibid.

(26) Section 1 of the 1990 Act.

(27) Section 2 of the 1990 Act.

(28) Section 3 of the 1990 Act.

(29) Akdeniz, Y., Taylor, N. and Walker, C. (2001) 'Regulation of Investigatory Powers Act 2000 (1): BigBrother.gov.uk: State Surveillance in the Age of Information and Rights', Criminal Law Review, p. 73. Similar controversy has arisen in the USA over Carnivore. Carnivore, which is specialised software installed on an ISP's network under a federal wiretap warrant, has been renamed DCS1000 but is still often referred to by its former name.

(30) 'Tracing Anti-Abortion Network to a Slaying Suspect in France', New York Times, 31st March, 2001.

(31) 'Hijackers may have accessed computers at public libraries', Washington Post, 17th September, 2001.

(32) Resolutions 52/91 of 12th December, 1997 and Resolution 53/110 of 9th December, 1998.

(33) Convention on Cybercrime, Strasbourg, December 2000, http://conventions.coe.int/treaty/en/projects/finalcybercrime.htm.

(34) The Convention is not without its critics: 'Cybercrime Solution Has Bugs', www.wired.com/news/print/0,1294,36047,00.html.

(35) 'Love bug case dead in Manila', Wired News, 21st August, 2000, www.wired.com/news/lovebug/0,1768,38342,00.html.

(36) 'Philippines drops charges in "ILOVEYOU" virus case', www.cnn.com/2000/TECH/computing/08/21/computers.philippines.reut/.

(37) An interesting area for debate is whether it would be desirable to replace these guidelines with a statutory scheme such as a new code of practice under the Police and Criminal Evidence Act 1984.

(38) An example of such a challenge being made was in R v Garrett: 'Hacker awaits verdict in Back Orifice case', New Zealand Herald, 17th July, 2001.

(39) 'Electronic Crime Scene Investigation: A Guide for First Responders', National Institute of Justice, Washington DC, 2001.

(40) See 'Analysis of the Police and Criminal Evidence Act, s. 69 — Computer Generated Evidence', Hoey, A., [1996] 1 Web JCLI.

(41) Blyth, A., 'Computer Misuse and Computer Law', www.comp.glam.ac.uk/ism23/Additional-Material/Computer-Crime&Law.html.

(42) 'Evidence in Criminal Proceedings: Hearsay and Related Topics', Consultation Paper No. 138, London, 1995, para. 14.20.

(43) [1988] 1 AC 1063. Examples of the challenges that prosecution evidence in a hacking case may be subjected to are found in Sommer, P., 'Intrusion Detection Systems as Evidence', paper submitted by the British Computer Society to the Criminal Courts Review, March 2000, www.bcs.org.uk/2ac/ids.htm.

(44) Press release, US Attorney's Office for Southern California, 9th August, 1999.

(45) Denning, D. E. and Baugh, W. E. (1999) 'Hiding Crimes in Cyberspace', Information, Communication and Society, Vol. 2, No. 3, Autumn, p. 251.

(46) 'Encryption and Law Enforcement', Performance and Innovation Unit, Cabinet Office, London, 1999, p. 10.

(47) Press release, NCIS, 26th January, 1999.

(48) 'Computer Forensics nabs bad guys: a working example...', New Scientist, 4th October, 1997.

(49) 'Pretty Good Privacy' is encryption software developed by Philip Zimmerman.

(50) 'Organised crime case raises privacy issues', New York Times, 30th July, 2001.

(51) Statement by Neil J. Gallagher, Deputy Assistant Director, Criminal Division Federal Bureau of Investigation, before the Joint Economic Committee, United States Congress, 24th March, 1998.

(52) Battcock, R., 'The Computer Misuse Act 1990: 5 Years On', http://crsc.lse.ac.uk/ComputerMisuseAct1990.htm.

(53) Kelman, A., 'Computer Crime in the 1990s — A Barrister's View', http://csrc.lse.ac.uk/ComputerCrime1990s.htm.

(54) 'Combating Use of the Internet to Exploit Children', Best Practice Series No. 1, www.iap.nl.com/cxploit.htm.

(55) 'Watch out for spoofs', Financial Times, 27th June, 2001.

(56) Denning and Baugh, ref. 45 above.

(57) Power, R. (2000) 'Tangled Web', Que Corporation, p. 70.

(58) Sommer, P. (1998) 'Digital Footprints: Assessing Computer Evidence', Criminal Law Review, 'Special Edition: Crime, Criminal Justice and the Internet', pp. 61-75.

(59) Report of the RUC Chief Constable, Belfast, 1999-2000, p. 88.

(60) 'Cybercops Need Better Tools', PC World, 31st July, 2000.

(61) 'Police Outgunned by Cybercriminals', USA Today, 6th December, 2000.

(62) Submission of the British Computer Society to the Criminal Courts Review, para. 4.5.

(63) Hereafter referred to as 'the NHTCU'.

(64) 'Police in new pledge to help curb cybercrime', Financial Times, 19th April, 2001.

(65) Hansard, House of Commons, Written Answers, 21st November, 2000, col. 151.

(66) 'Tackling computer crime', BBC Online News, 19th April, 2001, http://news.bbc.co.uk/hi/english/sci/tech/newsid_1283000/1283866.htm.

(67) Ibid.

(68) 'Computer forensics booms as importance of electronic evidence grows', San Francisco Chronicle, 26th February, 2001.

(69) 'Cybercrime squads depend on charity', www.smh.com.au/news/0012/07/text/b12com2.html.

(70) 'The Virtual Horizon: Meeting the Law Enforcement Challenges', Australasian Centre for Policy Research, Payneham, SA, 2000, p. 42.

(71) 'How Shimomuru snared the prince of hackers', New York Times, 28th February, 1995.

(72) Armstrong, I. (2000) 'Computer Forensics', Secure Computing Magazine, April.

(73) Davis, D. J. (1998) 'Criminal Law and the Internet: An Investigator's Perspective', Criminal Law Review, 'Special Edition: Crime, Criminal Justice and the Internet', pp. 48-49.

(74) 'Wake Up To Cybercrime, DPP Tells Prosecutors', CPS press release, 18th June, 1999.

(75) Speech by James K. Robinson to the International Computer Crime Conference, Oslo, 29th-31st May, 2000.

(76) Ibid.

(77) Report of the Inter-Departmental Working Group on Computer-related Crime, September 2000, Hong Kong, para. 12.14.

(78) 'Global jurisdiction: the effect of e-commerce on issues of international jurisdiction and applicable law — the criminal jurisdiction', speech by Rosalind Wright, Director SFO, London, 1st March, 2001.

(79) Kelman, ref. 53 above.

(80) 'Legal system gears up for computer crime cases', www.cnn.com/2000/TECH/computing/06/27/computer.law.idg/index.html.

(81) Glasgow, A. H., quoted in Sullivan, P. (1996) Australian Computer Society Newsletter, March.

(82) Oral evidence of Per Brix Knudsen to the House of Lords Select Committee on the European Communities, Ninth Report, 1998-99, HL Paper 62, p. 22.

(83) Evidence of Mr C. A. de Beaufort, Rotterdam Public Prosecutor's Office, to the European Parliament Committee of Enquiry into the Community Transit System.

(84) Report of the European Parliament Committee of Enquiry into the Community Transit System, para. 1.1.5.

(85) Memorandum by JUSTICE to the House of Lords Select Committee on the European Communities, Ninth Report, 1998-99, HL Paper 62, p. 121.

(86) Oral evidence of Rosalind Wright to the House of Lords Select Committee on the European Communities, Ninth Report, 1998-99, HL Paper 62, p. 36.

(87) Ibid.

(88) 'Manual on the Prevention and Control of Computer-Related Crime', United Nations, New York, 1999, p. 47.

(89) 'US cybercops face challenge', Financial Times, 24th October, 2000.

(90) Press release, US Attorney's Office for the Southern District of New York, 14th August, 2000.

(91) G8 communique, Washington DC, 10th December, 1997.

(92) Convention on Cybercrime, Strasbourg, 2000, http://conventions.coe.int/Treaty/EN/projects/FinalCybercrime.htm.

(93) Ibid.

(94) 'The Electronic Frontier: The Challenge of Unlawful Conduct Involving the Use of the Internet', report of the President's Working Group on Unlawful Conduct on the Internet, Washington DC, 2000.

(95) Press release, US Attorney's Office, District of New Jersey, 9th December, 1999.

(96) 'Prosecuting Intellectual Property Crimes Manual', www.cybercrime.gov/ipmanual.htm.

(97) Press release, US Attorney's Office, Massachusetts, 18th March, 1998.

(98) Ibid.

(99) Freedman, D. H. and Mann, C. C. (1997) 'Cracker', US News and World Report, 2nd June.

(100) 'Will Melissa author's conviction deter virus writers?', ZDNetNews, 9th December, 1999, www.zdnet.com/eweek/stories/general/0,11011,2406928,00.html.

(101) 'UK man faces charge of creating W32-Leave.worm', IDG News Service, 15th August, 2001.

(102) Gordon, S. (2000) 'Virus Writers: The End of Innocence?', paper delivered at the Virus Bulletin Conference, Orlando, 28th September.

(103) [1988] 1 AC 1063.

(104) (1991) 93 Cr App R 25. Although Whitely was convicted, the Law Commission was uneasy.

(105) [1987] QB 1116, 1124. The Computer Misuse Act 1990 can therefore be seen as a response to the failed prosecution in R v Gold and Schifreen.

(106) 'Three charged for "hoax" e-mail', The Times, 16th August, 2001. The businessman, who had a history of mental illness, suffered a mental breakdown and, on his return, killed his 12-year-old daughter.

(107) Press release, US Attorney's Office for the Central District of Illinois, 20th December, 2000.

(108) Swarbrick, D., Wrigley Claydon Solicitors, www.swarb.co.uk/lawb/cpucmaAuth.html.

(109) Kelman, ref. 53 above.

(110) 'A fisherman accused of wiping information off a computer leading to the loss of £9,000 of lobster pots was acquitted after magistrates decided a collection of symbols on a screen was a literary creation', Express & Echo (Exeter), 12th June, 1998.

(111) See 'Telecom computer sheds its secrets: An Independent staff reporter finds out how easy it is to access sensitive information from BT', The Independent, 28th November, 1994.

(112) R v Bow Street Metropolitan Stipendiary Magistrate and Another, ex parte Government of the United States of America [2000] 2 AC 216.

(113) Submission of the British Computer Society to the Criminal Courts Review, para. 4.1.

(114) Battcock, ref. 52 above.

(115) 'Man hacks into council system to pay debts', Computing, August 1992.

(116) [1998] 1 Cr.App.R. 1.

(117) 'Hackers' threat to Gulf War triumph', Mail on Sunday, 21st March, 1993.

(118) Section 117 of the 2000 Act.

(119) Ireland's Criminal Damage Act 1991 provides that 'property' includes data.

(120) In relation to sentencing, prosecutors should consider whether to make an application for a deprivation order in respect of the defendant's computer equipment under s. 143 of the Powers of Criminal Courts (Sentencing) Act 2000 and for a compensation order under s. 130 of the 2000 Act, as well as a confiscation order if the defendant has obtained property as a result of or in connection with his offence.

(121) The Code for Crown Prosecutors, Crown Prosecution Service, London, 2000, para. 7.2.

(122) 'Manual on the Prevention and Control of Computer-Related Crime', United Nations, New York, 1999, para. 218.

(123) Attorney General's Reference (No. 1 of 1991) [1993] QB 94, CA.

(124) Blyth, A., 'Computer Misuse and Computer Law', www.comp.glam.ac.uk/ism23/Additional-Material/Computer-Crime&Law.html.

(125) 'Judicial discretion key to dealing with young hackers', The Straits Times (Singapore), 17th October, 1999.

(126) Kelman, ref. 53 above.

(127) Submission of the British Computer Society to the Criminal Courts Review, para. 6.8.

(128) The right of the defence in England and Wales to challenge jurors without cause was abolished by s. 118(1) of the Criminal Justice Act 1988. It still exists, however, in Northern Ireland.

(129) 'Legal system gears up for computer crime cases', 27th June, 2000, www.cnn.com/2000/TECH/computing/06/27/computer.law.idg/index.html.

(130) 'Jury finds half of hacking counts proven', New Zealand Herald, 18th July, 2001.

(131) 'Cybercrime more than just a pesky computer virus', Info World, 23rd March, 2001.

(132) Battcock, ref. 52 above.

(133) Press release, Computer Security Institute, San Francisco, 12th May, 2001.

(134) Info World, ref. 131 above.

(135) 'US says it broke pornography ring featuring youths', New York Times, 9th August, 2001.

(136) For example digital cameras obviate the need to have traditional films developed.

(137) 'The Virtual Horizon: Meeting the Law Enforcement Challenges', Australasian Centre for Policy Research, Payneham, SA, 2000, p. 73.

(138) 'Turning the Corner', Foresight Crime Prevention Panel, Department of Trade and Industry, 2000, p. 16.

(139) The legislation was introduced to deal not with the problem of computer crime generally but rather the problem of hacking. 'Computer Misuse', Law Commission, Cm. 819, 1989, para. 2.10.

(140) The USA's Computer Fraud and Abuse Act was passed in 1984 but subsequently amended in 1988, 1989, 1990, 1994 and 1996 to fine-tune some of its drafting and address new developments. Power, R. (2000) 'Tangled Web', Que Corporation, p. 4.

(141) 'High-Tech Crime Chief Calls for Tighter Laws', Computer Weekly, 19th July, 2001.

(142) 'Offences of Dishonesty: Money Transfers', Law Commission Report, No. 243, HC 690, London 1996, para. 5.7.

(143) 'Legislating the Criminal Code: Fraud and Deception', Law Commission, Consultation Paper No. 155, London, 1999, para. 8.36.

(144) 'Out-of-Date Legislation Overdue for Change', Computer Weekly, 12th April, 2001.

(145) Gillespie, A. A. (2001) 'Children, Chatrooms and the Law', Criminal Law Review, p. 435.

Dr R. E. Bell, Department of the Director of Public Prosecutions for Northern Ireland, writing in a personal capacity.

© R. E. Bell
