‘Can you show me any other area of policing where the police would tell you to report a crime to a business because they no longer detect that type of crime?

The government line is that the banking industry created the problem of Cyber-Crime by having credit cards.

In that case, should we report gun crime to the arms manufacturers?’

Best Practice.

In the US the Department of Homeland Security and the United States Secret Service has issued a slim, clearly written pocket reference guide on e-crime for those involved in its detection; whilst in the UK the Association of Chief Police Officers (ACPO) who coordinate the direction and development of the police service in England, Wales and Northern Ireland) has published ‘good practice guides’ for investigators, including one covering ‘computer based electronic evidence and evidence retrieval’ the online version of this runs to a staggering 51 A4 pages.

In contrast the American guide is ring-bound, pocket-sized and waterproof.

an alliance of the FBI and the
National White Collar Crime Center
has chalked up a number of
significant achievements during
its seven year existence

IC3, an alliance of the FBI and the National White Collar Crime Center has chalked up a number of significant achievements during its seven year existence including the arrest of Gary McKinnon, who faces 80 years in US prisons after hacking into US military and Nasa computers. And three years ago, the unit arrested 12 people accused of being close to Russian crime syndicates involved in online banking frauds.

The body is well-funded and has the latest back-end software which has the capacity to collect and collate reports of e-crime, identify patterns, and generate data on the incidence of criminality – an invaluable source of information for both law enforcement agencies and researchers.

IC3 has also recruited Gary Warner the nationally hailed chief of cyber-sleuthing and forensic computer expert to help train a new generation of FBI agents in how to detect suspicious internet activity.

Warner is also building a 256-node supercomputer which could eventually become the largest computer on the planet, capable of reading 100 million email messages a day which will provide critical data for IC3 agents to track phishing scams and other web-bound crime.

His expertise is much sought after especially as internet based crime continues to increase at an alarming rate.

In its sixth annual report published in 2006 (the last year available) IC3 reported a total of 12, 698 complaints from the state of Texas alone.

The total dollar loss across in the US was $198.44 million with an average loss of $724.00 per complaint – up $183.12 million in from 2005.

Though the majority of fraudsters were based in the US (with most coming from the densely populated areas such as California, Texas, Florida and New York) a significant number were based in Britain.

Bad Practice

In public the FBI has said that they view the UK as a ‘good partner’ in the international action on e-crime; but privately they must be rather more circumspect; indeed Britain has yet to ratify the Council of Europe’s 2001 Convention on Cybercrime – a matter which vexes the Peers of the Realm.

The government lamely replied they were of course ‘committed to ratifying the Convention but certain minor legislative changes were required, and these would be completed by means of the Serious Crime Bill.

However while the Government had ‘been generally looking at mutual legal assistance requests’ they admitted that there was ‘nothing specific in this particular area that is being done’.

Won’t Practice.

As many now realize the gap between British law enforcement agencies and those in America has become a chasm. Until recently if you had been the victim of an online fraud in the UK you would have reported the matter to the police. Now the onus on investigating such crimes lies rather bizarrely, not with the boys in blue but with the banking industry.

Last year, ACPO announced that it would no longer be responsible for investigating e-crime.

That move marked the final straw for some since it placed the onus on the banking industry to take decisions on which crimes should or should not be reported to the police and if so to which force area. Indeed some industry analysts say that ACPO’S decision appears to overlook the obvious possibility that commercial factors might influence the banks’ decisions on whether or not to report crimes to the police.

“the Home Office wants
to massage the crime
statistics downwards”

Professor Ross Anderson, professor of security engineering at the University of Cambridge Computer Laboratory claims ‘that the Home Office wants to massage the crime statistics downwards, while the banks want to be able to control and direct such police investigations as take place. ‘The banks after all have an institutional incentive to downplay the amount of fraud,’ he argues.

Defending the move Geoff Smith, Head of the Government’s Information Security Policy Group claims that the issue is really about ‘the real-time stopping of money. If the banks are alerted very quickly then they can see the pattern of the phishing attack and they can try and stop the cash transfers and then try and limit the damage through that.

the middle- and
lower-end crime is just
not being dealt with.

‘The banks have got to come into this very, very quickly. I think that going to a police station, yes, it is great for getting a crime number and it is great for the back end of the process, but it puts delay into actually trying to solve it.’ A former police high-tech expert described the situation as stepping backwards 10 years, adding: ‘We are now at a situation where the middle- and lower-end crime is just not being dealt with.’

The ‘Please copy us in’ Cop-out

So what is happening with the investigation and detection of e-crime in Britain and why the unseemly tussle between financial institutions, business and the police?

Eighteen months ago the National High Tech Crime Unit, specifically set up in April 2001 as part of the National Crime Squad specifically to combat e-crime was merged into the Serious and Organized Crime Agency (SOCA), Britain’s watered down version of the FBI. SOCA took over the e-crime role because the government and police said that the majority of Cybercrime attacks were perpetrated by professional criminals, SOCA’s principal area of responsibility.

But the result, say critics in the banking and computer industries, is a shambles.

When senior officers from the Metropolitan Police and SOCA visited IC3 last year they admitted that they had ‘a lot to learn’ from the organization which is backed up to some extent by the Federal Trade Commission (FTC) which among its other roles educates the public about identity theft.

It is necessarily an ongoing task. The FTC receives over 450,000 complaints of identity theft alone each year. A new reporting system is just about to be introduced, requiring victims of identity theft (which include thefts from online bank accounts) to file a police report as the first step in making a complaint.

In effect this means that the logging of a complaint by the police should simultaneously alert the banks. At the same time, victims are reassured that the crimes committed against them had been formally acknowledged and recorded, rather than disappearing into the banking system

it is necessary to navigate
to another page to locate
the Metropolitan Police
email address

By comparison anyone logging onto the Metropolitan Police’s Fraud Alert site is faced with instructions to ‘send all banking related phishing emails to an unrelated police address sereports@banksafeonline.org.uk. If people have queries related to Paypal or Ebay should they are advised to send them to spoof@paypal.co.uk and spoof@ebay.co.uk. This is followed by a rather optimistic request to ‘Please copy us into any emails that are sent to these organizations'” – although it is necessary to navigate to another page to locate the Metropolitan Police email address.

Assuming the UK police have the capacity to launch an investigation in the first place, there is also the question of the resources and skills required for detailed forensic analysis of computers and other materials that may have been seized.

In contrast the FBI has coordinated the development of a national network of 14 Regional Computer Forensic Laboratories which receive federal funding to support running costs, such as IT equipment and premises.

The staff are largely provided and funded by local law enforcement. In return, the laboratories provide forensic analysis to local police free of charge.

Ideas Dismissed Out of Hand

A recent House of Lords Inquiry into Personal Internet Security recommended a host of policy measures which included that the Government work in partnership with ACPO and SOCA to develop a unified, web-based reporting system for e-crime. The public face of which should be a web-site designed to help the public and business report suspect online behaviour.

They also urged the Home Office to provide the necessary funds to kick-start the establishment of the Police Central e-crime unit without waiting for the private sector to come forward with funding saying it was time for Government to ‘demonstrate their good faith in fighting e-crime.’

“Unfortunately, the government dismissed
every recommendation out of hand, and its
approach seems to solely consist of
putting its head in the sand”

As well as these measures, they advised the Government to fulfill its commitment to ratify the Council of Europe CyberCrime Convention at the earliest possible Opportunity and to ‘review the procedures for offering mutual legal assistance in response to requests for help from other countries in investigating or prosecuting e-crime. So what happened to all these bright proposals? All were rejected by the government. ‘Unfortunately, the government dismissed every recommendation out of hand, and its approach seems to solely consist of putting its head in the sand,’ Inquiry member Lord Erroll said at the time.

In terms of e-crime detection Britain is doing worse than India. The Rajajinager police station in Bangalore (widely recognized as the country’s IT capital) has had its own e-crime detection squad since 1999. Two other cyber crime police teams exist in Hyderabad and Mumbai.

Meanwhile the new reporting system in the UK is likely to be judged by its results. And though it is too early to tell what these will be, the omens are not good.

A couple of weeks ago the BBC reported a dramatic fall in reports of fraud to police forces, with two smaller forces, Gwent and North Yorkshire, having received no reports since the new guidelines came into effect.

“The UK has become a soft touch for e-crime”

The police themselves confess that it is unlikely that this drop in reported frauds reflects a real change in criminality. At the same time they admit the risk is that while lower reporting will make the crime statistics look better, e-crime will continue to grow out of sight of the police and the public.

‘The police forces I have spoken to have all indicated that they want everything pulled together and dealt with centrally. The UK has become a soft touch for e-crime,’ says an exasperated David Davis, the Conservative Party’s Shadow Home Secretary.

‘Government has got to get a grip and get a grip quickly,’ he said. ‘At the local level this means making it a lot easier for victims of online crime to make a report to the police directly or by other channels and know that the information they give will be used.

‘The United States has had IC3 for some seven years. It is long past time that we developed something similar.’

A frustrated senior police officer tells me

‘Can you show me any other area of policing where the police would tell you to report a crime to a business because they no longer detect that type of crime?’

‘The government line is that the banking industry created the problem of financial crime by having credit cards.

‘In that case, should we report gun crime to the arms manufacturers?’