żěè¶ĚĘÓƵ

How a dedicated cyber-court could halt the rise of online crime

Crimes carried out online are already illegal, so politicians should stop calling for new laws and start enforcing the old ones

computer code

OVER the past few years, crime statistics in England and Wales have risen dramatically, following decades of steady decline. According to the UK’s Office for National Statistics (ONS), .

It’s not that there has been a recent crime spree – this isn’t about a rise in acid attacks or knife crime. Rather, it was only in 2016 that the ONS began estimating cybercrime figures, exposing how criminal operations are increasingly moving online. After all, why rob a bank when you could hack someone’s account or steal their bitcoins?

The ONS says there were 6.2 million crimes committed offline in 2016, and 5.6 million cybercrimes, with similar figures in 2017. Even those numbers may be optimistic when it comes to capturing the true impact of online crime. “There’s no clear agreement on how to define cybercrime,” says Frank Pace, a security researcher and EU law enforcement specialist. With the problem only likely to get worse, is it time to radically change our approach to tackling online crimes?

“We already have laws against libel, theft and basically everything else that is now cyber-enabled”

Computer exploits once available only to the most tech-savvy crooks are now easily accomplished by anyone with a kit sold on the dark web, complete with instructions.

Clearly, we need to tackle this fast-growing problem. Prime Minister Theresa May around cybercrime to combat online harassment and intimidation. France last week also announced for failing to take down hate speech, following a similar law introduced in Germany at the start of this year.

But the internet enables a lot more than just harassment – phishing attacks, identity theft and cryptocurrency scams are all either exacerbated or created online. Then there are mass data leaks; take the current row over the actions of UK data analysis firm Cambridge Analytica (see “Felons on Facebook?”). Some say there should be bespoke laws criminalising each.

“Nonsense,” says Mark King at European e-identity organisation . “We already have laws against libel, theft, impersonation and basically everything else that is now cyber-enabled.”

Rather than new laws, we need a better way to track the problem. Part of the reason we are likely to be underestimating the scale of cybercrime is that many instances go unrecorded, says King. Scam victims often don’t bother going to the police, and some cybercrime is simply unnoticed, for example when your device is infected with malware.

Inspector gadget

Even when people do go to the police, they can encounter officers who aren’t specifically equipped to deal with digital crimes. We have all heard the stories of detectives who ask why victims of online abuse don’t just turn off the computer, but this goes beyond fallible individuals.

“The entire reporting system is not fit for purpose,” says King. You can’t forward a suspected phishing email to the police, because it will get caught by their spam filters. Most police departments don’t have dedicated computers or other ways of processing this kind of evidence.

“If the police are a problem, the prosecutors are a bigger problem, and the biggest problem of them all are the judges,” says Marc Goodman, a former advisor to the FBI and Interpol and author of the book Future Crimes – many have no idea how cybercrimes are perpetrated .

In an effort to change this, the City of London announced plans last October to create a dedicated cyber-court dealing with online financial crimes and fraud. “There’s plenty of precedent for specialist courts,” says Patrick Curry, who runs the British Business Federation Authority, which develops authentication and identity standards. “We already have divorce courts, family courts, and the US even has special veterans courts.”

The idea is that judges will already be familiar with how the online world works, so prosecutors don’t have to do the equivalent of explaining automotive engineering to the person presiding over a car theft case. There will be 18 court rooms equipped with isolated computers capable of demonstrating evidence without the risk of spreading malware.

In Hangzhou, China, a to hear disputes arising from online shopping, defamation, copyright infringement and loans. It was created mainly to take on the rising number of legal cases relating to e-commerce, largely by putting the entire process online. Everything from discovery of evidence to judgments happens digitally – people even receive their verdicts on the platform. If a written record is necessary, a speech recognition system automatically transcribes the trial.

However, this court only addresses disputes inside China. London’s cyber-court is billing itself as a place where cases can be brought internationally. However, practising cross-border law throws up a number of hurdles.

For example, last month a British man who had extorted children and teenagers online was . It took law enforcement agencies across multiple countries five years to track down enough evidence to prosecute him, as the .

“If criminals use an anonymising service like a proxy, the chances of prosecution plummet”

“Right now these requests are done by sending diplomatic pouches to the state department or the foreign ministry for review,” says Pace. “It’s all based on 19th-century law.”

Improvement may be coming soon. The US both seek to clarify what counts as lawful use of overseas data and reconcile different laws around how evidence is obtained when different countries’ laws clash. The UK should even be able to take advantage of these laws post-Brexit.

However, not all countries will play along. Just as Switzerland and the Cayman Islands offer tax havens to people who want to hide their money, some states are becoming cybercrime havens, says Curry: “Think of Ukraine, Russia, China. Here you can pay-off local law enforcement and if they don’t cooperate with authorities in affected countries, well, tough.”

Ultimately, even if local law enforcement is willing to cooperate, obtaining evidence in online cases is very difficult. If criminals use an anonymising service like a proxy, the chances of prosecution plummet, no matter how clued up the judge is. “You can have all the special courts and special experts you want,” says Curry. “If the evidence isn’t there, what’s the judge going to be able to use to make a ruling?”

That opens the floor to a very uncomfortable question – should we stop letting people be anonymous on the internet? “Specialist courts strike me as a pretty lame idea,” says , an experimental criminologist at the University of Cambridge. Especially, he says, when compared with a recent proposal to redesign the internet to require identification of all users. Under this system, all online information would be assigned a “handle” that could be tied to your real-world identity, making anonymous crime much more difficult. Curry and King also point to proposals to give people ID cards for the internet, using biometrics that tie us to specific devices.

Such suggestions go against the Wild West ethos on which the internet was originally built, but they would solve the problem of hauling someone known only as “Haxx0r420” into the dock. With cybercrime only set to rise, perhaps it’s time we brought some lawfulness to the online frontier.

Felons on Facebook?

Earlier this month, we may have had their data swiped from Facebook and used by UK data analysis company Cambridge Analytica. , but has a crime been committed?

Following these reports, UK data watchdog the Information Commissioner’s Office applied for a . Meanwhile in the US, multiple government entities including the are now investigating Facebook.

All are likely to be looking for evidence that federal or state privacy laws were broken, but this may not be straightforward. Existing regulations around data harvesting are notoriously open to interpretation, and many depend on what users knew about how their data was shared.

British data protection laws make it illegal to sell personal data to a third party without consent, so a lot will depend on who consented, and what data was sold to whom.

Putting all this information together in a timely fashion will require cooperation between the two countries, which could prove difficult (see main story).

It is unlikely that new laws will be needed in the wake of this breach of trust, but many are clamouring for better clarity, enforcement and ability to send evidence across national boundaries.

This article appeared in print under the headline “The online arm of the law”

Topics: Computer crime / cyberattacks / Law