US has lessons for Britain on e-crime punishment

Analysis: as the US charges three major e-criminals, report says Britain lacks capacity in tackling such crime

August was not a good month for American e-criminals. Michael Dolan pleaded guilty on 23 August to federal charges, having admitted to using malicious software to steal AOL user identities, and then sending spam emails purporting to be electronic greeting cards from Hallmark; the "cards" in fact installed trojan software that prompted the victim for personal information. He will be sentenced in November, and may face up to seven years in prison.

On 10 August, an Arizona court gave Vincent Green-Bressler a seven-year sentence for using information stolen by others to defraud thousands of bank customers. And at the start of the month, Christopher Smith (also known as "Rizler") was sentenced to 30 years in prison: he was arrested in 2005 for running an unlicensed online pharmacy that employed 85 people. This was closed down by federal authorities, which also seized £2.1m in assets.

Other countries have also reported recent successes in fighting e-crime: August also saw four men in China charged in connection with creating a worm which stole usernames and passwords for online gamers, while in July the Italian Guardia di Finanza arrested 26 people alleged to have sent phishing emails purporting to be from Poste Italiane's online banking service.

Graham Cluley, senior technology consultant at UK anti-malware supplier Sophos, tracks such cases, and reckons many countries are toughening their stance on e-crime as it has become clear that e-crime has moved from vandalism to serious and organised mass fraud.

"There is international pressure and international co-operation: we see hackers arrested in Turkey leading to further arrests in Russia," he says. "We're not seeing what we saw seven or eight years ago, when countries would hail their hackers," such as when the president of the Philippines praised the local writer of the ILoveYou virus.

Cluley says that the US seems to pass some of the harshest sentences, although he does not mention any country as representing a weak spot. However, this was not the conclusion reached by the House of Lords science and technology select committee report, released on 10 August. It reported "considerable scepticism over the capacity of the police and the criminal justice system in this country to enforce the law".

The report's authors argued that the UK is hobbled by its lack of a legal definition of e-crime, the technical challenges involved and the global nature of the internet: the last causes problems because "the mechanisms for international co-operation are inefficient and slow-moving".

Although British law has been amended to cover most electronic crime - Commander Sue Wilkinson of the Association of Chief Police Officers and the Metropolitan Police Service told the enquiry that the legal framework is "entirely adequate" - the report's authors found two gaps.

Firstly, it is not an offence in itself to hire a botnet, a network of zombie computers used for distributing spam email and viruses. Vernon Coaker, minister for crime reduction, argued this was similar to knives being illegal in some circumstances but not banned outright. The select committee questioned this, given botnets, unlike knives, are built for crime.

The second, related, problem is that prosecuting British spammers is difficult in comparison with the US, where federal and state laws allow companies to take legal action on behalf of their customers. Also, class actions are easier, partly because losers do not have to pay costs.

The report also criticised British police forces for failing to tackle e-crime. Partly this was due to police forces focusing on high-value cases, while e-crime tends to be low in unit value, but very high in volume. Ross Anderson, professor of security engineering at Cambridge University, suggested that a proportion of minor offences could be chosen at random for investigation, to counter this bias.

The report's authors, who visited US law enforcement bodies and companies, said Britain should copy the US Federal Bureau of Investigation in establishing a central referral system, the Internet Crime Complaint Center (IC3): the median loss of the 42% of reports investigated in 2006 was just $724 (£361, €533 at current rates), but with 86 000 cases investigated, this totalled $198m.

Currently in Britain, such crime is logged by individual forces, and although the largest, London's Metropolitan Police, has a 'Fraud Alert' reporting website, it is not automated and is not widely publicised, because the extra reports would overload the staff who handle it. Commander Wilkinson told the enquiry that the UK had "a lot to learn" from IC3.

The select committee also believed that the government's recommendation that from 1 April online fraud be reported to banks, rather than to the police, should be reversed. It appears to have led to a drop in fraud reported to the police, but the authors commented: "It is very unlikely that this drop in reported frauds reflects a real change in criminality - the risk is that while lower reporting will make the crime statistics look better, e-crime will continue to grow out of sight of the police and the public."

Again, the US is moving in the other direction: the Federal Trade Commission is planning a new reporting system for its 450 000 annual complaints of identity theft, under which victims would first report to the police, and that report would then trigger investigations by financial institutions. Other American innovations which the committee believed Britain should copy include issuing police officers with pocket guides for dealing with computer-based crime, and the FBI's network of 14 computer forensics laboratories.

While the report found that US law enforcement bodies see Britain as a reliable partner in the fight against e-crime, its authors clearly believe that in this field, Britain has a lot to learn from America.

This article was first published on Infosecurity magazine's website.
