Policing Cybercrime: A 21st Century Challenge (Part I)
This blog was written to accompany a guest lecture for "Understanding Policing", a Criminology module at Swansea University. It is written in two parts: part 1 explains what cybercrime is (context); part 2 discusses the challenges of policing cybercrime (what students should focus on). This blog should not be construed in any way as legal advice!
Part I - What is Cybercrime
Cybercrime may be most simply described as crime which takes place in cyberspace. But what and where is cyberspace? This wonderous (no)place originated in science fiction, being first coined by William Gibson in his short story “Burning Chrome”, published in the July 1982 issue of Omni Magazine. But what if a computer is attacked while offline (say with an infected USB stick)? What about crimes which existed before computers became part of our everyday lives? Are they any different now they take place online? Unsurprisingly, some authors would argue that there is nothing revolutionary about crime in cyberspace and that we should probably just call it crime (e.g. Grabosky 2001). Still, we will use “cybercrime” as an all-encompassing umbrella term, a useful artefact... If nothing else, it is an unavoidable concept given its popularity and embeddedness in public discourse. However, it needs further definition if we want understand the challenges it poses to policing.
A categorisation frequently used by UK government and law enforcement agencies distinguishes between cyber-dependent and cyber-enabled crimes. Cyber-dependent crimes are those “that can only be committed by using a computer, computer networks, or other form of ICT.” (HO 2013, p.5). In contrast, cyber-enabled are “traditional crimes that are increased in their scale or reach by the use of computers, computer networks or other ICT” (Ibid.). Based on all that was said up until now and drawing on the work of Wall (2007) and Yar (2013), I will therefore define cybercrime as follows:
Cybercrime refers to a diverse range of illegal activity which occurs primarily within an electronic environment, enabled by the Internet. This includes new crimes which did not exist prior to networked computers, as well as crimes which pre-date the Internet but have been significantly ‘transformed’ by it.
The Legal landscape
Now we have established a working definition of cybercrime, we can focus on understanding the legal landscape in a bit more detail. What crimes do we mean exactly, when we discuss the policing of cybercrime? In my guest lecture, I divided these into a few categories (based on Yar 2013), which are in turn examined below.
The above category of cyber-trespass falls under the UK’s Computer Misuse Act 1990. This includes a number of offences, mostly building on the broad section 1 offence of “unauthorised access” (i.e. hacking). Legally, “hacking” means to knowingly cause a computer to perform any function without authorisation, a very broad offence indeed. For example, in the case of Ellis v DPP (2001), an alumnus from Newcastle University was found guilty of a section 1 offence for browsing the internet, because he used library computers which had been left logged-in by current students. Building on this offence, section 2 criminalises unauthorised committed with the additional intention of carrying out a further offence (e.g. such as fraud, as in the case of Raphael Gray). Furthermore, section 3 of the act criminalises unauthorised acts intended or recklessness as to impairing a computer such as malware or DOS attacks; while section 3A makes it a crime to develop “hacker tools”. Finally, section 3ZA was designed to cover acts of cyberterrorism and it will be further discussed below.
Scenario: Bob’s housemate left her laptop unlocked and logged into Facebook. Bob writes a status via their account. Has Bob committed a crime?
Answer: Yes, Bob committed the basic offence of unauthorised access to a computer (i.e. hacking). However, it is unlikely that this would meet the public interest test for a CPS prosecution.
Cyber-deceptions and thefts
Cyber-deceptions and thefts are cyber-enabled crimes which involve “stealing” money or property, e.g. credit card fraud or intellectual property violations (such as copyright violations aka “piracy”). Based of the Fraud Act 2006 we can define fraud as the mechanism through which a fraudster intends to obtain a financial advantage, cause loss or expose another to the risk of loss, by implicitly or explicitly acting dishonestly (Levi and Burrows 2008). As such, a fraud is complete even if the fraudster is not successful in deceiving the victim. For cybercrime, this means that technically, each received phishing email in the UK amounts to an instance of fraud.
On the subject of Intellectual Property (IP) “theft” , this is better described as an infringement of an individual's or a business’ right as creators or IP holders. These IP rights may be related to copyright (e.g. the reproduction and distribution content), which means that the unauthorised distribution and streaming of films and music online, as well as using the so-called peer-to-peer (P2P) networks for file sharing, infringes someone’s copyright. While copyright infringement is mostly enforced in the civil courts, criminal prosecutions are possible under section 107 of the Copyright, Designs and Patents Act 1988. However, this is only where the infringement is on a commercial scale e.g. Operation Buccaneer.
Scenario: Bob has used a P2P network to download a brand new film for the purposes of watching it at home. Can Bob be criminally liable?
Answer: Bob has infringed the copyright owner’s rights and strictly speaking this could attract criminal liability. However, it is more likely that if the copyright owner finds out, they will sue Bob for compensation in a civil court. For a criminal prosecution the CPS would have to demonstrate that the infringement was on a commercial scale.
Section 1 of Protection of Children Act 1978 primarily criminalises the taking, making, distribution, showing etc of indecent images of children, while section 160 of the Criminal Justice Act 1988 criminalises its possession. In addition, adult pornography may be illegally distributed under section 1 of the Obscene Publications Act 1959 if its publication “depraves and corrupts” those likely to see it (e.g. if children are likely to get hold of it). Hilariously, the test of obscenity was established in the case of R v Hicklin (1967-8) by a Judge whose surname was “Cockburn”! Furthermore, sections 63-67 of The Criminal Justice and Immigration Act 2008 created the first ever offence in Europe criminalising possession of adult pornography where the content is: 1) pornographic 2) obscene etc 3) depicts an explicit and realistic “extreme act” - i.e. a scene of death or grievous bodily harm.
Finally, the publication of “extremist” content may also constitute the offence of “encouraging terrorism” under section 1 of the Terrorism Act 2006. This government flagship measure came into place in March 2006 and carries maximum of 6 years. Here, the defendant has to have intentionally or recklessly published, or caused someone else to publish, a statement likely to be understood by some or all members of the public as encouragement or inducement to the commission or preparation of a terrorist act.
In short, possession and distribution of illegal content on the Internet may be prohibited under laws relating child pornography, obscenity, or terrorism. However, as it will be discussed in part 2 of this blog, it is incredibly challenging to police and enforce these laws in cyberspace.
Last but not least, cyber-violence may be understood as cyber-enabled crimes which involve causing psychological harm to, or inciting physical harm against others, thereby breaching laws relating to the protection of the person, e.g. hate speech or harassment.
Cyber-harassment falls under the Protection from Harassment Act 1997, which requires the perpetrator to engage in a “course of action” (i.e. at least two occasions) amounting to harassment. In the case of only one instance of communication intended to cause distress and anxiety, this may nonetheless amount to a crime under other provisions such as section 127 of the Communications Act 2003. Furthermore, if that one message or social media post is a photograph and is considered to be of a private and sexual nature, posting it may be considered a crime under section 33 of the Criminal Justice and Courts Act 2015, known as the “revenge porn” offence.
Finally, we can also include the possibility of a cyber-terrorist attack in the category of cyber-violence, where an attack on critical national infrastructure such as a hospital may lead to harm or the loss of life. Such an attack would fall under section 3ZA of the Computer Misuse Act 1990.
We have defined cybercrime as a diverse range of illegal activity which occurs primarily within an electronic environment, enabled by the Internet. This includes new crimes which did not exist prior to networked computers, as well as crimes which pre-date the Internet but have been significantly ‘transformed’ by it. We have identified a number of categories of cybercrime which fit this definition including cyber-trespass, cyber-deceptions and thefts, illegal content online and cyber-violence. Finally, we explored in some detail crimes falling within the broad categories of cybercrime. In part 2 of this blog, I will discuss in more detail the challenges which come with policing these crime types. When reading about these challenges, it will be useful to think about how they may apply to each of the categories of cybercrime discussed above.
Clough, J. (2015). Principles of Cybercrime (2nd ed.). Cambridge: Cambridge University Press.
Grabosky, P. N. (2001). Virtual Criminality: Old Wine in New Bottles? Social & Legal Studies, 10(2), 243-249.
McGuire, M., & Dowling, S. (2013). Cyber crime: a review of the evidence: Home Office.
Wall, D. S. (2007). Cybercrime : the transformation of crime in the information age. Cambridge: Cambridge : Polity.
Yar, M. (2013). Cybercrime and Society (2nd ed. ed.). London: SAGE Publications.