(Prepared for Presentation at the 70th
Conference of Commissioners of Police of Australasia and the Southwest Pacific
Region, Canberra, 13 March 2000)
This paper provides an
overview of computer-related crime.
Nine varieties of crime are
considered: theft of services; communications in furtherance of criminal
conspiracies; information piracy; the
dissemination of offensive materials (including extortion threats); electronic
money laundering; electronic vandalism and terrorism; telemarketing fraud;
illegal interception; and electronic funds transfer fraud.
Computer-related crime, like
crime in general, may be explained by the conjunction of three factors:
motivation, opportunity and the absence of capable guardianship. Motivations
will vary depending on the nature of the crime in question, but may include
greed, lust, revenge, challenge or adventure.
Opportunities are expanding dramatically with the rapid proliferation
and penetration of digital technology. Significant challenges are posed by the
transnational nature of much computer crime.
The most appropriate strategies for the control of computer-related
crime entail a mixture of law enforcement, technological and market-based
solutions. Significant challenges arise
from the transnational nature of much computer crime, and from the need for the
law to keep abreast of developments in technology and their criminal
exploitation.
I. INTRODUCTION
Willie Sutton, a notorious
American bank robber of a half century ago, was once asked why he persisted in
robbing banks. “Because that’s where the money is,” he is said to have replied.[1]
The theory that crime follows opportunity has become established wisdom in
criminology; opportunity reduction has become one of the fundamental principles
of crime prevention.
But there is more to crime
than opportunity. Crime requires a pool of motivated offenders, and a lack of
what criminologists would refer to as “capable guardianship”; someone to mind
the store, so to speak.
These basic principles of
criminology apply to computer-related crime no less than they do to bank
robbery or to shoplifting. They will
appear from time to time throughout the following discussion. Not all of these factors are amenable to
control by governments alone. It
follows, therefore, that a variety of institutions will be required to control
computer related crime.
This paper discusses current
and emerging forms of computer-related illegality. It reviews nine generic
forms of illegality involving information systems as instruments or as targets
of crime.
It will also discuss issues
arising from the global reach of information systems. It is trite to describe the ways in which computers have,
figuratively speaking, made the world a smaller place. The corresponding
potential for trans-jurisdictional offending will pose formidable challenges to
law enforcement. For some crimes, this will necessitate a search for
alternative solutions.
The following pages will
suggest that much computer-related illegality lies beyond the capacity of
contemporary law enforcement and regulatory agencies alone to control, and that
security in cyberspace will depend on the efforts of a wide range of
institutions, as well as on a degree of self-help by potential victims of
cyber-crime.
The ideal configuration may
be expected to differ, depending upon the activity in question, but is likely
to entail a mix of law enforcement, technological and market solutions. The
paper will conclude with a discussion of the most suitable institutional
configuration to address those forms of computer-related crime which have been
identified.
Before we begin to review
the various forms of criminality involving information systems as instruments
and/or as targets, and the most appropriate means of controlling them, let us
first look at the questions of motivation and of opportunity.
The motivations of those who
would commit computer related crime are diverse, but hardly new. Computer
criminals are driven by time-honoured motivations, the most obvious of which
are greed, lust, power, revenge, adventure, and the desire to taste “forbidden
fruit”. The ability to make an impact on large systems may, as an act of power,
be gratifying in and of itself. The
desire to inflict loss or damage on another may also spring from revenge, as
when a disgruntled employee shuts down an employer’s computer system, or from
ideology, as when one defaces the web page of an institution that one regards
as abhorrent. Much activity on the
electronic frontier entails an element of adventure, the exploration of the
unknown. The very fact that some
activities in cyberspace are likely to elicit official condemnation is
sufficient to attract the defiant, the rebellious, or the irresistibly
curious. Given the degree of technical
competence required to commit many computer-related crimes, there is one other
motivational dimension worth noting here.
This, of course, is the intellectual challenge of mastering complex
systems.
None of the above
motivations is new. The element of
novelty resides in the
unprecedented capacity of
technology to facilitate acting on these motivations.
Recent and anticipated
changes in technology arising from the convergence of communications and
computing are truly breathtaking, and have already had a significant impact on
many aspects of life. Banking, stock exchanges, air traffic control,
telephones, electric power, and a wide range of institutions of health,
welfare, and education are largely dependent on information technology and
telecommunications for their operation. We are moving rapidly to the point
where it is possible to assert that “everything depends on software” (Edwards
1995). The exponential growth of this technology, the increase in its capacity
and accessibility, and the decrease in its cost have brought about revolutionary
changes in commerce, communications, entertainment, and also crime. Along with
this greater capacity, however, comes greater vulnerability. Information
technology has begun to provide criminal opportunities of which Willie Sutton
would never have dreamed.
Statistics on computer use and connectivity are
notoriously evanescent. They are out
of date before they appear in print. Suffice it to say that the number of
people with internet connections will continue to increase dramatically, as
will the volume of electronic commerce in Australia, and around the world.
Not only does the increasing
connectivity increase the number of prospective victims of computer related
crime, it also increases the number of prospective offenders.
The variety of criminal
activity which can be committed with or against information systems is
surprisingly diverse. Some of these are
not really new in substance; only the medium is new. Others represent new forms
of illegality altogether.
The following generic forms
of illegality involve information systems as instruments and/or as targets of
crime. These are not mutually exclusive, nor is the following list necessarily
exhaustive.
A. THEFT OF TELECOMMUNICATIONS SERVICES
The “phone phreakers” of
three decades ago set a precedent for what has become a major criminal
industry. By gaining access to an
organisation’s telephone switchboard (PBX) individuals or criminal
organisations can obtain access to dial-in/dial-out circuits and then make
their own calls or sell call time to third parties (Gold 1999). Offenders may gain access to the switchboard
by impersonating a technician, by fraudulently obtaining an employee’s access
code, or by using software available on
the internet. Some sophisticated
offenders loop between PBX systems to evade detection. Additional forms of
service theft include capturing “calling card” details and on-selling calls
charged to the calling card account, and counterfeiting or illicit
reprogramming of stored value telephone
cards.
It has been suggested that as long ago as 1990, security failures
at one major telecommunications carrier cost approximately £290 million,
and that more recently, up to 5% of total industry turnover has been lost to
fraud (Schieck 1995: 2-5; Newman 1998).
Costs to individual subscribers can also be significant. In one case,
computer hackers in the United States illegally obtained access to Scotland
Yard’s telephone network and made £620,000 worth of international calls
for which Scotland Yard was responsible (Tendler and Nuttall 1996).
B. COMMUNICATIONS IN FURTHERANCE OF CRIMINAL CONSPIRACIES
Just as legitimate
organisations in the private and public sectors rely upon information systems
for communications and record keeping, so too are the activities of criminal
organisations enhanced by technology.
There is evidence of
telecommunications equipment being used to facilitate organised drug
trafficking, gambling, prostitution, money laundering, child pornography and
trade in weapons (in those jurisdictions where such activities are illegal).
The use of encryption technology may place criminal communications beyond the
reach of law enforcement.
The use of
computer networks to produce and distribute child pornography has become the
subject of increasing attention. Today, these materials can be imported across
national borders at the speed of light (Grant, David and Grabosky 1997). The more overt manifestations of internet
child pornography entail a modest degree of organisation, as required by the
infrastructure of IRC and WWW, but the activity appears largely confined to
individuals.
By contrast, some
of the less publicly visible traffic in child pornography appears to
entail a greater degree of organisation. Although knowledge is confined to that
conduct which has been the target of successful police investigation, there
appear to have been a number of networks which extend cross-nationally, use
sophisticated technologies of concealment, and entail a significant degree of
coordination.
Illustrative of
such activity was the Wonderland Club, an international network with members in
at least 14 nations ranging from Europe, to North America, to Australia. Access
to the group was password protected, and content was encrypted. Police
investigation of the activity, codenamed “Operation Cathedral”, resulted in
approximately 100 arrests around the world, and the seizure of over 100,000
images in September, 1998.
C. TELECOMMUNICATIONS PIRACY
Digital technology permits
perfect reproduction and easy dissemination of print, graphics, sound, and
multimedia combinations. The temptation
to reproduce copyrighted material for personal use, for sale at a lower price,
or indeed, for free distribution, has proven irresistible to many.
This has caused considerable
concern to owners of copyrighted material.
Each year, it has been estimated that
losses of between US$15 and US$17 billion are sustained by industry by reason
of copyright infringement (United States, Information Infrastructure Task Force
1995, 131).
The
Software Publishers Association has estimated that $7.4 billion worth of
software was lost to piracy in 1993 with $2 billion of that being stolen from
the Internet (Meyer and Underwood 1994).
Ryan
(1998) puts the cost of foreign piracy to American industry at more than $10
billion in 1996, including $1.8 billion in the film industry, $1.2 billion in
music, $3.8 billion in business application software, and $690 million in
book publishing.
According to the Straits
Times (8/11/99), a copy of the most recent James Bond film, The World is Not Enough, was available free on the internet
before its official release.
When creators of a work, in
whatever medium, are unable to profit from their creations, there can be a chilling
effect on creative effort generally, in addition to financial loss.
D. DISSEMINATION OF OFFENSIVE MATERIALS
Content considered by some
to be objectionable exists in abundance in cyberspace. This includes, among
much else, sexually explicit materials, racist propaganda, and instructions for
the fabrication of incendiary and explosive devices. Telecommunications systems
can also be used for harassing, threatening or intrusive communications, from
the traditional obscene telephone call to its contemporary manifestation in
“cyber-stalking”, in which persistent messages are sent to an unwilling
recipient.
One man allegedly stole nude photographs of his former girlfriend and her new boyfriend and posted them on the Internet, along with her name, address and telephone number. The unfortunate couple, residents of Kenosha, Wisconsin, received phone calls and e-mails from strangers as far away as Denmark who said they had seen the photos on the Internet. Investigations also revealed that the suspect was maintaining records about the woman’s movements and compiling information about her family (Spice and Sink 1999).
In another case a rejected
suitor posted invitations on the Internet under the name of a 28-year-old
woman, the would-be object of his affections, that said that she had fantasies
of rape and gang rape. He then
communicated via email with men who replied to the solicitations and gave out
personal information about the woman, including her address, phone number,
details of her physical appearance and how to bypass her home security system.
Strange men turned up at her home on six different occasions and she received
many obscene phone calls. While the woman was not physically assaulted, she
would not answer the phone, was afraid to leave her home, and lost her job
(Miller 1999; Miller and Maharaj 1999).
One former university
student in California used email to harass 5 female students in 1998. He bought information on the Internet about
the women using a professor’s credit card and then sent 100 messages including
death threats, graphic sexual descriptions and references to their daily
activities. He apparently made the
threats in response to perceived teasing about his appearance (Associated Press
1999a).
Computer
networks may also be used in furtherance of extortion. The Sunday Times
(London) reported in 1996 that over 40 financial institutions in Britain and
the United States had been attacked electronically over the previous three
years. In England, financial institutions were reported to have paid
significant amounts to sophisticated
computer criminals who threatened to wipe out computer systems (The Sunday Times, June 2,
1996). The article cited four incidents
between 1993 and 1995 in which a total of 42.5 million Pounds Sterling was paid
by senior executives of the organisations concerned, who were convinced of the
extortionists' capacity to crash their
computer systems (Denning 1999 233-4).
One case, which illustrates
the transnational reach of extortionists, involved a number of German hackers
who compromised the system of an Internet service provider in South Florida,
disabling eight of the ISP’s ten servers. The offenders obtained personal
information and credit card details of 10,000 subscribers, and, communicating
via electronic mail through one of the compromised accounts, demanded that
US$30,000 be delivered to a mail drop in Germany. Co-operation between US and
German authorities resulted in the arrest of the extortionists (Bauer 1998).
More recently, an
extortionist in Eastern Europe obtained the credit card details of customers of
a North American based on-line music retailer, and published some on the
Internet when the retailer refused to comply with his demands (Markoff
2000).
E. ELECTRONIC MONEY LAUNDERING AND TAX EVASION
For some time now,
electronic funds transfers have assisted in concealing and in moving the
proceeds of crime. Emerging technologies will greatly assist in concealing the
origin of ill-gotten gains. Legitimately derived income may also be more easily
concealed from taxation authorities. Large financial institutions will no
longer be the only ones with the ability to achieve electronic funds transfers
transiting numerous jurisdictions at the speed of light. The development of
informal banking institutions and parallel banking systems may permit central
bank supervision to be bypassed, but can also facilitate the evasion of cash
transaction reporting requirements in those nations which have them.
Traditional underground banks, which have flourished in Asian countries for
centuries, will enjoy even greater capacity through the use of
telecommunications.
With the emergence and
proliferation of various technologies of electronic commerce, one can easily
envisage how traditional countermeasures against money laundering and tax
evasion may soon be of limited value. I may soon be able to sell you a quantity
of heroin, in return for an untraceable transfer of stored value to my
“smart-card”, which I then download anonymously to my account in a financial
institution situated in an overseas jurisdiction which protects the privacy of
banking clients. I can discreetly draw upon these funds as and when I may
require, downloading them back to my stored value card (Wahlert 1996).
F. ELECTRONIC VANDALISM AND TERRORISM
As never before, western
industrial society is dependent upon complex data processing and
telecommunications systems. Damage to, or interference with, any of these
systems can lead to catastrophic consequences. Whether motivated by curiosity
or vindictiveness, electronic intruders cause inconvenience at best, and have
the potential for inflicting massive harm (Hundley and Anderson 1995, Schwartau
1994).
While this potential has yet
to be realised, a number of individuals and protest groups have hacked the official
web pages of various governmental and commercial organisations (Rathmell
1997; see http://www.2600.com/hacked_pages/, visited 4 January 2000).
This may also operate in reverse: early in
1999 an organised hacking incident was apparently directed at a server which
hosted the Internet domain for East Timor, which at the time was seeking its
independence from Indonesia (Creed 1999).
Defence planners around the
world are investing substantially in information warfare: means of disrupting
the information technology infrastructure of defence systems (Stix 1995).[2] Attempts were made to disrupt the computer
systems of the Sri Lankan Government (Associated Press 1998), and of the North
Atlantic Treaty Organization during the 1999 bombing of Belgrade (BBC 1999).
G. SALES AND INVESTMENT FRAUD
As electronic commerce
becomes more prevalent, the application of digital technology to fraudulent
endeavours will be that much greater. The use of the telephone for fraudulent
sales pitches, deceptive charitable solicitations, or bogus investment
overtures is increasingly common. Cyberspace now abounds with a wide variety of
investment opportunities, from traditional securities such as stocks and bonds,
to more exotic opportunities such as coconut farming, the sale and leaseback
of automatic teller machines, and
worldwide telephone lotteries (Cella and Stark 1997 837-844). Indeed, the
digital age has been accompanied by unprecedented opportunities for
misinformation. Fraudsters now enjoy
direct access to millions of prospective victims around the world,
instantaneously and at minimal cost.
H. ILLEGAL INTERCEPTION OF TELECOMMUNICATIONS
Developments in
telecommunications provide new opportunities for electronic eavesdropping. From
activities as time-honoured as surveillance of an unfaithful spouse, to the
newest forms of political and industrial espionage, telecommunications
interception has increasing applications. Here again, technological
developments create new vulnerabilities. The electromagnetic signals emitted by
a computer may themselves be intercepted. Cables may act as broadcast antennas.
Existing law does not prevent the remote monitoring of computer radiation.
It has been reported that the notorious American hacker Kevin Poulsen was able to gain access to law enforcement and national security wiretap data prior to his arrest in 1991 (Littman 1997).