Cybercrime

Criminal law
Elements
Actus reus Mens rea Causation Concurrence
Scope of criminal liability
Accessory Accomplice Complicity Corporate Principal Vicarious
Severity of offense
Felony (or Indictable offense) Infraction (also called violation) Misdemeanor (or Summary offense)
Inchoate offenses
Attempt Conspiracy Incitement Solicitation
Offense against the person
Assassination Assault Battery Child abuse Criminal negligence Defamation Domestic violence False imprisonment Frameup Harassment Home invasion Hate crime Homicide Human trafficking Intimidation Kidnapping Menacing Manslaughter (corporate) Mayhem Murder felony Preterintention Homicide Negligent homicide Robbery Stalking Stabbing Torture
Sexual offenses
Adultery Bigamy Child sexual abuse Cybersex trafficking Fornication Homosexuality Incest Indecent exposure Masturbation Obscenity Prostitution Rape Pederasty Sex trafficking Sexual assault Sexual slavery Voyeurism
Crimes against property
Arson Arms trafficking Blackmail Bribery Burglary Cybercrime Embezzlement Extortion False pretenses Forgery Fraud Gambling Intellectual property violation Larceny Looting Payola Pickpocketing Possessing stolen property Robbery Smuggling Tax evasion Theft Trespass to land Vandalism, Mischief
Crimes against justice
Compounding Malfeasance in office Miscarriage of justice Misprision Obstruction Perjury Perverting the course of justice
Crimes against the public
Apostasy Begging Corruption Censorship violation Dueling Genocide Hostage-taking Ethnic cleansing Smuggling Illegal consumption (such as prohibition of drugs, alcohol, and smoking) Miscegenation Piracy Regicide Terrorism Usurpation War crimes
Crimes against animals
Cruelty to animals Poaching Wildlife smuggling Bestiality
Crimes against the state
Lèse-majesté Treason Espionage Secession Sedition Subversion
Defenses to liability
Actual innocence Automatism Consent Defense of property Diminished responsibility Duress Entrapment Ignorantia juris non excusat Infancy Insanity Justification Mistake (of law) Necessity Provocation Self-defense
Other common-law areas
Contracts Defenses Evidence Property Torts Wills, trusts and estates
Portals
Law
v t e

Computer Crime, E-Crime, Hi-Tech Crime or Electronic Crime is committed when a computer is the target of a crime, or the means adopted to commit a crime. Most of these are not new except for the tools used. Criminals simply devise different ways to undertake well-known crimes such as fraud, theft, blackmail, forgery, and embezzlement using the new medium, often involving the Internet.

There are three major classes of criminal activity with computers: unauthorized use of a computer, which might involve stealing a username and password, or might involve accessing the victim's computer via the Internet through a backdoor operated by a Trojan Horse program. Creating or releasing a malicious computer program (e.g., computer virus, worm, Trojan Horse), harassment and stalking in cyberspace.

A computer can be the target of crime, for example, when a person intends to steal information from, or cause damage to, a computer or computer network. This can be entirely virtual, i.e. the information only exists in digital form and the damage, while real, has no physical consequence other than the machine ceases to function. In some legal systems, intangible property cannot be stolen and the damage must be visible, e.g. as resulting from a blow from a hammer. Yet denial of service attacks for the purposes of extortion may result in significant damage both to the system and the profitability of the site targeted. A further problem is that many definitions have not kept pace with the technology. For example, where the offense requires proof of a trick or deception as the operative cause of the theft, this may require the mind of a human being to change and so do or refrain from doing something that causes the loss. Increasingly, computer systems control access to goods and services. If a criminal manipulates the system into releasing the goods or authorizing the services, has there been a "trick", has there been a "deception", does the machine act because it "believes" payment to have been made, does the machine have "knowledge", does the machine "do" or "refrain from doing" something it has been programmed to do (or not). Where human-centric terminology is used for crimes relying on natural language skills and innate gullibility, definitions have to be modified to ensure that fraudulent behaviour remains criminal no matter how it is committed (consider the definition of wire fraud).

Issues surrounding hacking, copyright infringement through warez, child pornography, and paedophilia (see child grooming), have become high-profile. But this emphasis fails to consider the equally real but less spectacular issues of obscene graffiti appearing on websites and "cyberstalking" or harassment that can affect everyday life. There are also problems of privacy when confidential information is lost, say, when an e-mail is intercepted whether through illegal hacking, legitimate monitoring (increasingly common in the workplace) or when it is simply read by an unauthorized or unintended person.

In R v Stanford (2006) EWCA Crim 258 http://www.oup.com/uk/booksites/content/0199275297/Updates06/march_06/#top the defendant was charged with the unlawful interception of e-mail communications to a public company under s1(2) Regulation of Investigatory Powers Act 2000. After his resignation as deputy chairman of the company, he was found to have intercepted e-mail to and from certain persons in that company. His defense under s1(6) was that the interceptions had been made at his request by the company's computer system administrator who was excluded from criminal liability because either he was a person who had a right to control the operation or use of the system (s1 (6) (a)) or because he had the express or implied consent of such a person to make the interception (s1(6)(b)). The Court of Appeal held that to "control" for the purposes of s1(6) meant to "authorize and forbid". An administrator only has the power physically to use and operate the system. There is no control in the management sense. The objective of s1 of the Act was to protect the privacy of e-mails. If anyone with unrestricted ability to operate and use a telecommunications system were exempt from criminal liability for intercepting communications, it would defeat the purpose of the statute.

E-mail and Short Message Service (SMS) messages are seen as casual communication including many things that would never be put in a letter. But unlike spoken communication, there is no intonation and accenting, so the message can be more easily distorted or interpreted as offensive. In England and Wales, s43 Telecommunications Act 1984 makes it an offense to use a public telecommunications network to send 'grossly offensive, threatening or obscene' material, and a 'public telecommunications network' is widely enough defined to cover Internet traffic which goes through telephone lines or other cables.

Secondly, a computer can be the tool used to plan or commit an offense such as larceny or the distribution of child pornography. The growth of international data communications and in particular the Internet has made these crimes both more common and more difficult to police. And using encryption techniques, criminals may conspire or exchange data with fewer opportunities for the police to monitor and intercept. This requires modification to the standard warrants for search, telephone tapping, etc.

Thirdly, a computer can be a source of evidence. Even though the computer is not directly used for criminal purposes, it is an excellent device for record keeping, particularly given the power to encrypt the data. If this evidence can be obtained and decrypted, it can be of great value to criminal investigators. Thus, specialized government agencies and units have been set up to develop the necessary expertise. See below for a link to the U.S. Department of Justice's website about e-crime and its computer forensics services.

Hacking may be defined as, "deliberately gaining unauthorized access to an information system" and, in extreme cases, it may amount to industrial espionage or a national security crime when the defendant accesses commercially or nationally sensitive materials. Under English law, the Computer Misuse Act 1990 creates three offenses which reflect the range of seriousness in what may be done. Thus, out of curiosity or a sense of public duty, white hat hackers may identify and exploit security flaws. Although this may represent a threat to commercially or militarily sensitive sites, this form of activity is not necessarily against the public interest and should be distinguished from both nuisance attacks and the more serious, malicious assaults, even though all "victims" may still incur financial "loss" whether through the unexpected cost of having to repair insecure systems, or downtime on a retail portal. If the "victims" are big commercial organizations, they may suffer from bad reputation even if they have implemented better security measures after the attack.

The more genuinely criminal threats can be external threats, e.g. those who wish to break into the systems from outside, or internal threats in employees wishing to steal from their employers or to place a logic bomb or something similar when leaving their employment. The cost and inconvenience involved can be substantial. For example, the development of computer viruses such as the "love bug", worms, trojans, etc. represent major threats. Less obvious but no less costly is telephone hacking or "phreaking", i.e. unauthorized access into an organisation's telephone system to make free long-distance calls. Even New Scotland Yard was a victim and lost £1 million when hackers accessed the DISA (Direct Inward System Access) facility on the main PBX (DISA allows teleworkers at home or travelling to call into the corporate telephone system, enter an authorization code and gain access to system features or make long distance calls).

Hacking frequently involves people acting in different states. Criminal jurisdiction is usually invoked both when the defendant and/or the accessed computer is physically within the territory of the prosecuting state.

Internet fraud is any dishonest misrepresentation of fact intended to induce another to do or refrain from doing something which causes loss. In this context, the fraud will result in obtaining a benefit by:

• altering computer input in an unauthorized way. This requires little technical expertise and is not an uncommon form of theft by employees altering the data before entry or entering false data, or by entering unauthorized instructions or using unauthorized processes;
• altering, destroying, suppressing, or stealing output, usually to conceal unauthorized transactions: this is difficult to detect;
• altering or deleting stored data; or
• altering or misusing existing system tools or software packages, or altering or writing code for fraudulent purposes. This requires real programming skills and is not common.

Manipulating banking systems to make unauthorized electronic funds transfers or to divert the whole or part of the retail prices collected by a portal would be serious thefts (see salami slicing). An increasing problem is the unauthorized use of credit card numbers and other data collected as part of identity theft.

Despite the fact that many of these cons that trade on human gullibility are genuinely old and notorious, the internet gives criminals the opportunity to reach millions of innocent people who may be tempted by the prospect of easy money. An example is the Nigerian Banking Scam, in which the victim is contacted by a Nigerian "banker" who needs to transfer funds to the US (or Europe) and will pay a percentage of the large sum to someone who will allow the money to be transferred to their account. Of course, when the victim sends their bank details, money is taken away rather than deposited.

Most states have enacted laws to protect copyrighted materials, and people who distribute and download copyrighted recordings without permission are liable to face civil actions for damages and penalties and/or criminal prosecution. For the most part, the criminal law is only used for commercial piracy except where a non-commercial distribution has an insignificant effect on the copyright owner's business. The theft of software, the copying of licensed software without permission, and software counterfeiting are not only a matter for the police but can also involve customs officers, agencies tasked to protect consumers and/or IPR holders, and agencies responsible for ensuring that advertising is not misleading.

• distributes, sells or hires out unauthorized copies of CDs, VCDs and DVDs;
• on a larger scale, distributes unauthorized copies as a commercial enterprise on the internet;
• possesses unauthorized copies with a view to distributing, selling or hiring these to other people;
• while not dealing commercially, distributes unauthorized copies on such a scale as to have a measurable impact on the copyright owner's business.

The penalties for these "copyright theft" offenses depend on the seriousness of the offenses:

• before a magistrates' Court, the penalties for distributing pirated files are a maximum fine of £5,000 and/or six months imprisonment;
• in the Crown Court, the penalties for distributing pirated files are an unlimited fine and/or up to 10 years imprisonment.

Also note s24 Copyright and Related Rights Regulations 2003 which creates a range of offenses relating to the distribution of any device, product or component which is primarily designed, produced, or adapted for the purpose of enabling or facilitating the circumvention of effective technological measures. When this is for non-commercial purposes, it requires there to be a measurable effect on the rights holder's business.

One of the things the malicious can do with root access to a computer is to hold its files for ransom. By encrypting them, they are rendered useless to the victim who will have to pay or otherwise to receive the decryption key needed to access the files again. Attacks of this kind were first described by Young & Yung (Malicious Crtypography, Wiley) and have now been seen in reality (http://news.bbc.co.uk/1/hi/england/manchester/5034384.stm).

A substantial quantity of both hardcore and softcore pornography, including material designed to appeal to paedophiles, is available on the Internet. Ostensibly, it is aimed at adults and it may or may not be illegal for adults to read or view depending on the rules of the state of residence. Child pornography is illegal in most states. Even if the pornography is not illegal per se, it may nevertheless be considered harmful or distressing for others to see, whether as adults coming across it unexpectedly or as children. The various offenses relate to possession, storage and distribution of obscene material, although some states do not criminalize mere possession so long as there is no attempt to show it to others, and then only if distribution is for gain (English law: s2(1) Obscene Publications Acts 1959 and 1964). But child pornography, which features the sexual abuse of children, is often considered so serious that mere possession is an offense. The general test of "obscenity" is whether the material tends to "deprave and corrupt" those who are likely to read, see, or hear it.

The content of websites and other electronic communications may be harmful, distasteful or offensive for a variety of reasons. Most states have enacted law that place some limits on the freedom of speech and ban racist, blasphemous, politically subversive, seditious or inflammatory material that tends to incite hate crimes. This is a sensitive area in which the courts can become involved in arbitrating between groups with entrenched beliefs, each convinced that their point of view has been unreasonably attacked. In England, s28 Crime and Disorder Act 1998 defines a racial group, following Mandla v Dowell-Lee (1983) 2 AC 548 (in which a requirement to wear a cap as part of a school uniform had the effect of excluding Sikh boys whose religion required them to wear a turban), as a group of persons defined by reference to race, colour, nationality (including citizenship) or ethnic or national origin; and a religious group as a group of persons defined by reference to religious belief or lack of religious belief. Therefore, it is equally an offence to show hostility to a person who practices a particular faith as to a person who has no religious belief or faith.

Whereas content may be offensive in a non-specific way, harassment directs obscenities and derogatory comments at specific individuals focusing on gender, race, religion, nationality, sexual orientation. This often occurs in chat rooms, through newsgroups, and by sending hate e-mail to interested parties (see cyber bullying, harassment by computer, stalking, and cyberstalking). In England, in a broader form than s43 Telecommunications Act 1984, s1 Malicious Communications Act 1988 makes it an offense to send an indecent, offensive or threatening letter, electronic communication or other article to another person. Now, s2 Protection from Harassment Act 1997 criminalizes a course of conduct amounting to harassment which the defendant knows, or ought to know, amounts to harassment of another. If a reasonable person in possession of the same information would think the course of conduct amounted to harassment of the other, the knowledge will be imputed to the defendant. Although harassment is not defined, s7 states that it includes causing alarm or distress, and conduct is defined as including speech in all its forms. In DPP v Collins (2006) 1 WLR 308 the defendant repeatedly telephoned the offices of his MP on a wide range of political matters. In conversations with employees at the office and on messages left on the telephone answering machine, he used racist terms to show the frustration he felt at the way in which his affairs were being handled. No-one was personally offended, but the staff became depressed. Charged under s127(1) Communications Act 2003, the magistrates found that the terms were offensive but that a reasonable person would not find them grossly offensive. To determine whether any message content is merely offensive or grossly offensive depended on their particular circumstances and context, i.e. in the wider society which is an open and just multi-racial society, the test of offensiveness was objective.

More problematic are deliberate attacks which amount to defamation although, in March 2006, Michael Keith-Smith became the first person to win damages from an individual internet user after she accused him of being a 'sex offender' and 'racist blogger' on a Yahoo! discussion site. She also claimed that his wife was a prostitute. The High Court judge decided that Tracy Williams, of Oldham, was "particularly abusive" and "her statements demonstrated that ... she had no intention of stopping her libellous and defamatory behaviour". She was ordered to pay £10,000 in damages, plus £7,200 costs. In general, libel is not treated as a criminal matter except when it may provoke the person defamed into retaliatory violence (see cybersmearing as it affects business [1]. All forms of unsolicited e-mail and advertisements can also be considered to be forms of Internet harassment where the content is offensive or of an explicit sexual nature. Now termed SPAM, it has been criminalized in various countries[2]

Drug traffickers are increasingly taking advantage of the Internet to sell their illegal substances through encrypted e-mail and other Internet Technology. Some drug traffickers arrange deals at internet cafes, use courier Web sites to track illegal packages of pills, and swap recipes for amphetamines in restricted-access chat rooms.

The Internet's easy-to-learn, fast-paced character, global impact, and fairly reliable privacy features facilitate the marketing of illicit drugs. Detecting money laundering of cash earned by drug traffickers is very difficult, because dealers are now able to use electronic commerce and Internet banking facilities. Also, traffickers have been using online package tracking services offered by courier companies to keep tabs on the progress of their shipments. If there happened to be some sort of undue delay, this could signal authority interception of the drugs, which would still allow the dealers time to cover their tracks. Law enforcement is also more deficient because illicit drug deals are arranged instantaneously, over short distances, making interception by authorities much more difficult.

The rise in Internet drug trades could also be attributed to the lack of face-to-face communication. These virtual exchanges allow more intimidated individuals to more comfortably purchase illegal drugs. The sketchy effects that are often associated with drug trades are severely minimized and the filtering process that comes with physical interaction fades away. Furthermore, traditional drug recipes were carefully kept secrets. But with modern computer technology, this information is now being made available to anyone with computer access.

The 1990s birthed the concept of 'raves', underground dance parties that often house a wide range of club drugs. These club drugs include such substances as MDMA, GHB, LSD, and ketamine. The internet provides a perfect service that integrates the promotion of raves and the offering of these club drugs. Since rave promoters have come under scrutiny in the past decade they have paid much attention to the use of words and phrases they use to advertise these potentially dangerous parties. Most websites will avoid the term ‘rave’ and often label the gathering as a Christian get-together that prohibits the use of drugs or alcohol. They tend to advertise water, pacifiers, and candy, which help counteract the effect of drugs such as MDMA or ecstasy. It is essential that individuals can recognize these common rave implications and take action accordingly.

Government officials and IS security specialist have documented a significant increase in Internet probes and server scans since early 2001. There is a growing concern among federal officials that such intrusions are part of an organized effort by cyberterrorists, foreign intelligence services, or other groups to map potential security holes in critical systems. A cyberterrorist is someone who intimidates or coerces a government or organization to advance his or her political or social objectives by launching computer-based attack against computers, network, and the information stored on them.

Even before the September 11, 2001, terrorist attacks, the U.S. government considered the potential threat of cyberterrorism serious enough that is established the National Infrastructure Protection Center in February 1998. This function was transferred to the Homeland Security Department's Information Analysis and Infrastructure Protection Directorate to serve as a focal point for threat assessment, warning, investigation, and response for threats or attacks against our country's critical infrastructure, which provide telecommunications, energy, banking and finance, water systems, government operations, and emergency services. Succesful cyberattacks against the facilities that provide these services could cause widespread and massive disruptions tothe normal function of our society.

Cyberterrorism in general, can be defined as an act of terrorism committed through the use of cyberspace or computer resources. As such, a simple propaganda in the Internet, that there will be bomb attacks during the holidays can be considered cyberterrorism. At worst, cyberterrorist may use the Internet or computer resources to carry out an actual attack.

• Australian High Tech Crime Centre
• Australian Computer Abuse Research Bureau (ACARB) introduction to computer abuse concepts
• European Convention on Cybercrime [3]
• Computer Crime Research Center - Daily news about computer crime, Internet fraud and cyber terrorism
• Computer Forensics
• Cyber Crime Law - News and commentary on preventing, detecting, and prosecuting computer crimes
• Information Security Investigations - Real-life stories of hunting down computer criminals and cyber terrorists
• http://www.cybercrime.gov - U.S. Department of Justice cybercrime web site
• http://www.e-crimecongress.org/ecrime2005/website.asp - E-Crime Conference 2005
• http://www.ecce-conference.com/ - e-crime and computer evidence conference (first held in 2005 - now an annual event)
• U.S. Department of Justice National Institute of Justice Electronic Crime Program

• Brenner, Susan W. "Is There Such a Thing as 'Virtual Crime'?" (2001) 4 Cal. Crim. Law Rev. 1 [4]
• Dmitrieva, "Stealing Information: Application of a Criminal Anti-Theft Statute to Leaks of Confidential Government Information", (2003) Vol. 55, No. 4 Florida Law Review, 1043.
• Jacobson, "Computer Crimes", (2002) Vol. 39 American Criminal Law Review, 273.
• Solove, "Identity Theft, Privacy, and the Architecture of Vulnerability", (2002) Vol. 54 Hastings Law Journal, 1227.
• Stair, Ralph and Reynolds, George. Fundamentals of Information Systems. 3rd Edition
• Reynolds, George. Ethics in Information Technology, (2006)