Frequently Asked Questions
Introduction
Today we live and work in a world of global connectivity. We can exchange casual conversation or conduct multimillion-dollar monetary transactions with people on the other side of the planet quickly and inexpensively. The proliferation of personal computers, easy access to the Internet, and a booming market for related new communications devices have changed the way we spend our leisure time and the way we do business.
The ways in which criminals commit crimes are also changing. Universal digital accessibility opens new opportunities for the unscrupulous. Millions of dollars are lost by both businesses and consumers to computer-savvy criminals. Worse, computers and networks can be used to harass victims or set them up for violent attacks—even to coordinate and carry out terrorist activities that threaten us all. Unfortunately, in many cases law enforcement agencies have lagged behind these criminals, lacking the technology and the trained personnel to address this new and growing threat, which aptly has been termed cybercrime.
Even though interest and awareness of the cybercrime phenomenon have grown in recent years, many information technology (IT) professionals and law enforcement officers have lacked the tools and expertise needed to tackle the problem. To make matters worse, old laws didn't quite fit the crimes being committed, new laws hadn't quite caught up to the reality of what was happening, and there were few court precedents to look to for guidance. Furthermore, debates over privacy issues hampered the ability of enforcement agents to gather the evidence needed to prosecute these new cases. Finally, there was a certain amount of antipathy—or at the least, distrust—between the two most important players in any effective fight against cybercrime: law enforcement agents and computer professionals. Yet, close cooperation between the two is crucial if we are to control the cybercrime problem and make the Internet a safe "place" for its users.
Law enforcement personnel understand the criminal mindset and know the basics of gathering evidence and bringing offenders to justice. IT personnel understand computers and networks, how they work, and how to track down information on them. Each has half of the key to defeating the cybercriminal. This book's goal is to bring the two elements together, to show how they can and must work together to defend against, detect, and prosecute people who use modern technology to harm individuals, organizations, businesses, and society.
Defining Cybercrime
Cybercrime is a broad and generic term that refers to crimes committed using computers and the Internet, and can generally be defined as a subcategory of computer crime. If this sounds strange, consider that whether someone commits Internet fraud or mail fraud, both forms of deception fall under a larger category of fraud. The difference between the two is the mechanism that was used to victimize people. Cybercrime refers to criminal offenses committed using the Internet or another computer network as a component of the crime. Computers and networks can be involved in crimes in several different ways:
* The computer or network can be the tool of the crime (used to commit the crime).
* The computer or network can be the target of the crime (the "victim").
* The computer or network can be used for incidental purposes related to the crime (for example, to keep records of illegal drug sales).
Although it is useful to provide a general definition to be used in discussion, criminal offenses consist of specific acts or omissions, together with a specified culpable mental state. To be enforceable, laws must also be specific. In many instances, pieces of legislation contain definitions of terms. This is necessary to avoid confusion, argument, and litigation over the applicability of a law or regulation. These definitions should be as narrow as possible, but legislators don't always do a good job of defining terms (and sometimes don't define them at all, leaving it up to law enforcement agencies to guess, until the courts ultimately make a decision).
To illustrate this, we can look at the Council of Europe's Convention on Cybercrime treaty, which you can view at http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm. The treaty attempts to standardize European laws concerning crime on the Internet, but one of the biggest criticisms of the treaty is its use of overly broad definitions. For example, the definition of the term service provider is so vague that it could be applied to someone who sets up a two-computer home network, and the definition of computer data, because it refers to any representation of facts, information, or concepts in any form suitable for processing in a computer system, would comprise almost every possible form of communication, including handwritten documents and the spoken word (which can be processed by handwriting and speech recognition software). Likewise, the U.S. Department of Justice (DOJ) has been criticized for a definition of computer crime that specifies "any violation of criminal law that involved the knowledge of computer technology for its perpetration, investigation, or prosecution" (reported in the August 2002 FBI Law Enforcement Bulletin). Under such a definition, virtually any crime could be classified as a computer crime, simply because a detective might have searched a computer database as part of conducting an investigation.
Understanding the Importance of Jurisdictional Issues
Another factor that makes a hard-and-fast definition of cybercrime difficult is the jurisdictional dilemma. Laws in different jurisdictions define terms differently, and it is important for law enforcement officers who investigate cybercrime, as well as network administrators who want to become involved in prosecuting cybercrimes that are committed against their networks, to become familiar with the applicable laws. In the case of most crimes in the United States, that means getting acquainted with local ordinances and state statutes that pertain to the offense. Generally, criminal behavior is subject to the jurisdiction in which it occurs. For example, if someone assaults you, you would file charges with the local police in the city or town where the assault actually took place.
Because cybercrimes often occur in the virtual "place" we call cyberspace, it becomes more difficult to know what laws apply. In many cases, offender and victim are hundreds or thousands of miles apart and might never set foot in the same state or even the same country. Because laws can differ drastically in different geographic jurisdictions, an act that is outlawed in one location could be legal in another.
What can you do if someone in California, which has liberal obscenity laws, makes pornographic pictures available over the Internet to someone in Tennessee, where prevailing community standards—on which the state's laws are based—are much more conservative? Which state has jurisdiction? Can you successfully prosecute someone under state law for commission of a crime in a state where that person has never been? As a matter of fact, that was the subject of a landmark case, U.S. v. Thomas and Thomas (see the "CyberLaw Review" sidebar in this section).
Even if the act that was committed is illegal across jurisdictions, however, you might find that no one wants to prosecute because of the geographic nightmare involved in doing so (see the "On the Scene" sidebar in this section for an example of one officer's experience).
Although we'll discuss jurisdictional issues in greater depth in Chapter 16, it is important that we also notice the other edge of this double-edged sword. Legislation in different states or countries may be in direct conflict or diverge from the intent of different laws or constitutional rights. For example, in 2001, a number of nonmember States of the Council of Europe signed the Convention on Cybercrime treaty that we discussed earlier. These included Canada, Japan, and the United States. The treaty was ratified by the U.S. Senate in 2006 and put it into force January 1, 2007, improving international cooperation in cybercrime investigations. However, this has created some controversy, as the treaty doesn't require dual criminality, whereby an act must be criminal under the laws of both countries. This would enable one country to spy on the Internet activities of citizens of another country, where no laws have been broken. Under the terms of the treaty, a service provider would need to cooperate with search and seizures (without reimbursement), and may be prevented from deleting logs or other data related to a person who is law abiding in that country.
Quantifying Cybercrime
Although the potential infringement on a person's rights may seem like something out of George Orwell's 1984, we would do well to remember that sacrificing privacy and certain freedoms has become a norm in the twenty-first century. For better or worse, the Internet has largely grown beyond the anonymous free-for-all that was seen in its early years. Fears of terrorism, identity theft, predators on the Internet, and other criminal activity have brought about new laws, and it will take years to iron out the inconsistencies in courts, political debates, and public forums such as the Internet. Although cybercrime once sounded like the stuff of futuristic science fiction novels, law enforcement, computer professionals, and the general public have grown to recognize it as a contemporary problem.
* The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), and provides a way to report Internet crimes online. The IC3 began as the Internet Fraud Complaint Center (IFCC), and during its first year of operation (May 2000 and May 2001) its Web site received 30,503 complaints of Internet fraud. Changing its name to reflect the broadened scope of Internet crimes, in June 2007 the IC3 received its 1 millionth complaint, with 461,096 of the cases reported to it being referred to federal, state, and local law enforcement. Of this, these cases reflected an estimated loss of $647.1 million, or a median loss of $270 per complainant. You can find annual reports reporting these figures on the IC3 Web site (www.ic3.gov/media/annualreports.aspx).
* In its 2007 Annual Report, the IC3 reported that the majority of cybercrime complaints (44.9 percent) involved cases of Internet auction fraud, where people would bid online for various items. Of these complaints, 19 percent involved situations in which people had paid for items but never received the merchandise, or in which the merchandise had been sent to a bidder and payment was never received (www.fbi.gov/majcases/fraud/internetschemes.htm).
* According to the Computer Security Institute's Computer Crime and Security Survey for 2007, 494 computer security professionals in U.S. corporations, government agencies, universities, and financial and medical institutions reported that fraud was the greatest source of financial losses, with losses resulting from virus attacks falling into second place for the first time in seven years. In addition to this, 29 percent of the organizations suffered a computer intrusion that they reported to law enforcement (www.gocsi.com).
* According to the Cybersnitch Voluntary Online Crime Reporting System, the most-reported Internet-related crime is child pornography, with other crimes ranging from desktop forgery to such potentially violent crimes as electronic stalking and terrorist threats. (A full list of reported cybercrimes is available at www.cybersnitch.net/csinfo/csdatabase.asp.)
Although almost anyone has the potential to be affected by cybercrime, two groups of people must deal with this phenomenon on an ongoing basis:
* IT professionals, who are most often responsible for providing the first line of defense and for discovering cybercrime when it does occur
* Law enforcement professionals, who are responsible for sorting through a bewildering array of legal, jurisdictional, and practical issues in their attempts to bring cybercriminals to justice
(Continues...)
Excerpted from Scene of the Cybercrime by Michael Cross Copyright © 2008 by Elsevier, Inc.. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.