Despite the increase in online fraud, enforcement of the law is a mess since the dissolution of the specialist agency set up to fight it, says Pete Warren
Been the victim of online fraud? Until recently you would have reported it to the police, but now the onus on investigating such crimes lies not with the boys in blue but with the banking industry. Without a hint of irony on April 1, the Association of Chief Police Officers announced that it would no longer be responsible for investigating e-crime. That move marked the final straw for some.
“You tell me of any other area of policing where the police would tell you to report a crime to a business,” says one police officer. “The government line is that the banking industry created the problem by having credit cards. In that case, should we report gun crime to the arms manufacturers?”
Another former police high-tech expert described the situation as stepping backwards 10 years, adding: “We are now at a situation where the middle- and lower-end crime is just not being dealt with.”
The move comes a year after the National High Tech Crime Unit, set up in April 2001 in response to a perception that e-crime was on the rise, was absorbed into the Serious and Organised Crime Agency (Soca). Soca took over this role because it was felt that financial e-crime was increasingly the preserve of organised crime, its principal area of responsibility. But the result, say people in both the banking and computer security industries, is a shambles.
That view was reinforced in January when the Metropolitan Police Authority, the 23-strong body including magistrates, members of the London Assembly and independent members that oversees the Metropolitan Police Service (MPS), said: “There is an unspoken public perception that e-crime is so pervasive that the police service do not have the capacity to investigate each individual allegation.”
The report went on to concede that e-crime units in regional police forces were unable to deal with the flood of high-tech crime before concluding that its assessment is “that specialist e-crime units can no longer cope with e-crime”.
And e-crime is on the rise. “The research and development that we are now seeing [from criminals] proves that the computer criminals are spending a lot of money,” said Mark Sunner, chief technology officer for Messagelabs – the computer security company which, among other things, has the task of protecting the government’s email.
In the UK, where the figures in the main deal with business losses, 84% of large companies surveyed told PricewaterhouseCoopers, the accountancy firm, that they had suffered a malicious attack on their computers between 2004 and last year. According to the report for the then Department of Trade and Industry, the average loss for businesses was between £65,000 and £130,000, with the largest companies reporting losses of around £1m.
“The government line is that the banking industry created the problem by having credit cards. In that case, should we report gun crime to the arms manufacturers?”
The confused situation is in sharp contrast to the admirable record of the now defunct NHTCU, which chalked up a number of significant achievements during its existence. These included the arrest of Gary McKinnon, who faces 80 years in US prisons after hacking into US military and Nasa computers. And three years ago, the unit arrested 12 people accused of being close to Russian crime syndicates involved in online banking frauds.
Police forces say they want a central unit to deal with e-crime. James Brokenshire, Tory MP for Hornchurch and shadow home affairs spokesman, says: “The police forces I have spoken to have all indicated that they want everything pulled together and dealt with centrally.”
The current picture is a patchwork. Some forces do still handle reports of e-crime from individuals. Others still have budgets for fighting online crime, but cash is no longer ring-fenced for this: it is now allocated at the discretion of chief constables, who can also decide to outsource such work to the private sector.
This move had been under way for some time before the ACPO’s announcement in April; some police forces had indicated to banks that they would no longer investigate internet fraud. “Two years ago the ACPO wanted card fraud recategorised as an economic crime,” says Apacs, the trade association for the clearing banks. “Now the Home Office has said that card fraud is not top of the police’s priorities.”
Professor Ross Anderson, a security expert at Cambridge University, remarked on his blog at the time that: “The Home Office wants to massage the crime statistics downwards, while the banks want to be able to control and direct such police investigations as take place.”
Apacs adds: “With the NHTCU there was at least a single point of contact for us to work with, and we did do a lot of work on joint initiatives. Apacs would welcome the establishment of a new NHTCU.”
Is this likely to happen? Under proposals published by the Metropolitan Police Authority in January, the MPS would become the lead force investigating e-crime, establishing a UK-wide fraud alert system and creating a response team. The authority also proposed that the MPS draws together all “e-crime assets within the MPS and across all 43 forces” to allow the best possible use of resources.
Although the MPS is optimistic that a new body will be established, the Home Office refuses to be drawn. It says that it “takes the issue of e-crime seriously and looks to work with industry and law enforcement to tackle the issue. We will consider proposals to tackle e-crime as they arise.” In the meantime, you will just have to hope that you are not the victim of internet crime.
Published in The Guardian, Thursday July 5, 2007