The shaping of public perceptions of cybercrime - LAw and technology ...

27 downloads 20845 Views 172KB Size Report
of a new form of cybercrime becomes reported, then other news sources will feed off .... crime networks operate compared to the old-style “top down” organised ...
Please Cite as Wall, D.S. (2008) ‘Cybercrime, Media and Insecurity: the shaping of public perceptions of cybercrime’, International Review of Law, Computers and Technology, vol. 22, nos. 1-2, pp. 45–63 (ISSN 0965-528X).

(Page 45)

CYBERCRIME, MEDIA AND INSECURITY: The shaping of public perceptions of cybercrime1 DAVID S. WALL* Centre for Criminal Justice Studies, University of Leeds, UK, [email protected] ABSTRACT. All too often claims about the prevalence of cybercrimes lack clarification as to what it is that is particularly ‘cyber’ about them. Perhaps more confusing is the startling contrast between the many hundreds of thousands of incidents of cybercrime supposedly reported each year and the relatively small number of known prosecutions. This contrasting evidence exposes a large gap in our understanding of cybercrime and begs a number of important questions about the quality of the production of criminological knowledge about it. For example, how reliable and partial are the informational sources that mould our opinions about cybercrime. Do we fully understand the epistemological differences between the various legal, academic, expert and popular (lay) constructions of cybercrime? Alternatively, is the criminal justice system just woefully inefficient at bringing wrongdoers to justice? Or are there still some major questions to be answered about the conceptual basis upon which information is gathered and assumptions about cybercrime made? This article takes a critical look at the way that public perceptions of cybercrime are shaped and insecurities about it are generated. It explores the varying conceptualisations of cybercrime before identifying tensions in the production of criminological knowledge that are causing the rhetoric to be confused with reality. It then contrasts the mythology of cybercrime with what is actually going on in order to understand the reassurance gap that has opened up between public demands for Internet security and its provision. Keywords: cybercrime; media and crime; insecurity Introduction: the cybercrime conundrum The drama of the spectacle of technology now permeating our everyday lives, combined with the fear of the potentially dystopic futures it could inflict upon us guarantees news articles about ‘cybercrime’ a place on the front page. Yet, all too often the claims made in those articles about the prevalence of cybercrimes lack clarification as to what it is that is particularly ‘cyber’ about them. Indeed, on the rare occasions that so-called cases of cybercrime come to court – typically comprising Internet fraud, theft, pornography, paedophilia, even hacking, etc. – they often have the familiar ring of the ‘traditional’ rather than the ‘cyber’ about them. Perhaps more confusing is the startling contrast between the many hundreds of thousands, even millions, of threats that Internet users supposedly receive each year and the relatively small number of known prosecutions. In September 2007, the cyber-security group Symantec published their seventh Internet Security Threat Report. It found that in ‘the first half of 2007, 212,101 new malicious code threats were reported to Symantec. This is a 185 percent increase over the second half of 2006’.2 In the week following its publication, the report’s findings became the basis for many news stories that were published in reliable and less reliable news * This article is based upon papers delivered at CRIMPREV, 12–13 October 2007, Ljubljana, Slovenia and the Max Planck Institute, Frieburg, Germany, 11 December 2007. See Endnote 1 for further details. The few minor differences to the published paper are in dark blue.

Electronic copy available at: http://ssrn.com/abstract=1124662

(Page 46) print and broadcast outlets.3 The news story bylines continued a long-standing line of reporting that portrays cybercrime as immensely prevalent and threatening. It is a practice that inevitably shapes and raises public and also media expectations of its impacts. These expectations contrast dramatically with the actual experience of cybercrime within the criminal justice system. In the UK, for example, there were only about 200 prosecutions under the Computer Misuse Act 1990 in the first 15 years following its introduction.4 In 2007 the Ministry of Justice still ‘had only a “handful” of cases pending’.5 Similar trends are found elsewhere.6 This conundrum needs to be resolved, because it is a graphic example of the continuing uncertainties about the Internet that are impeding the benefits that it can bring for citizenship through improved and accessible governance, increased commerce and benefits to leisure.7 It also reveals some of the current tensions in the policy making process relating to cybercrime. In September 2007, the House of Lords Science and Technology select committee report described the Internet as ‘increasingly the playground of criminals’8 and urged the government to take stronger measures against cybercrime. This was a view echoed by industry and others.9 Yet, the Government’s reply10 was less accepting of the report’s claims, no doubt, informed by the British Crime Survey (described later) which found relatively low levels of reported victimisation.11 Does this low prosecution rate represent an ‘absence of evidence’ or is it evidence of the absence of cybercrimes – to paraphrase former US Secretary of Defence, Donald Rumsfeld.12 Three possible explanations suggest themselves. The first is that the ‘cybercrime problem’ has simply been blown up out of all proportion and that the media news gathering process has, unintentionally fabricated an apparent crime wave out of a few novel and dramatic events. The worst case scenario is that we are in fact witnessing a deliberately calculated attempt to peddle fear, uncertainty and doubt by the media and cyber-security industry to further its interests, or by government to effect governance through fear of (cyber)crime! A second and very simple explanation is simply to say that the criminal justice process is woefully inefficient at bringing wrongdoers to justice? Indeed, can we realistically expect two century-old criminal justice processes designed to counter the social effects of urban migration to respond to an entirely new set of globalised ‘virtual’ problems? There are always post-hoc examples of police inefficiency that can be illustrated to support the point. The third possible explanation, to quote another Rumsfeldism, is that this contrast is evidence of ‘unknown unknowns’ about cybercrime. In other words, instead of accepting the information that we are given, should we be asking more fundamental and critical questions about what cybercrimes are? Questions that look deep into the conceptual basis upon which information is gathered and assumptions about cybercrimes are made. Clearly, the contrasting positions of high reporting versus low prosecutions expose a large gap in our understanding of cybercrimes and beg a number of important questions about the quality of the production of criminological knowledge about them. This article develops recent research13 findings to take a critical look at the various roles of the media in generating insecurities and shaping public perceptions of cybercrime. It looks specifically at the conceptualisation of cybercrime before identifying tensions in the production of knowledge about it that are causing the rhetoric to be confused with reality. It then contrasts the mythology of cybercrime with what is actually going on in order to understand the reassurance gap that has opened up between public demands for Internet security and its provision. The final part looks at the various challenges that cybercrimes pose for criminal justice and at how the digital realism of cybercrime and policing cybercrime can contribute to closing the reassurance gap. The conceptual origins of cybercrime The term ‘cybercrime’ is widely used today to describe the crimes or harms that result from opportunities created by networked technologies. Its origins lie in science fiction forums,

Electronic copy available at: http://ssrn.com/abstract=1124662

(Page 47) novels and films that progressively linked ‘cyberspace’ with ‘crime’ to describe crimes that take place in virtual environments. The term cyberspace, for example, appears to have been coined by William Gibson in his 1982 short story ‘Burning Chrome’ published in Omni Magazine14 – a science fiction meets science forum that existed between 1978 and 1998. The concept of cyberspace and virtual environments then evolved through cyberpunk science fiction short stories by Bruce Bethke15 and others, and novels such as Gibson’s Neuromancer16 and Stephenson’s Snowcrash17. The linkage between cyberspace and crime was always explicit in the concept of cyberpunk and it framed most dramatic fiction narratives, though the actual term ‘cybercrime’ seems to have emerged in the late 1980s or even early 1990s in the later cyberpunk novels and comic books.18 The cultural fusion of cyberspace and crime into mainstream popular culture is largely due to three generations of movies portraying hackers which infused some of the cyberpunk ideas. The first are the early first generation films defined by ‘the hack’ into an infrastructural system – Italian Job, 1969; Die Hard, 1988. They were followed by a second generation of films that were defined by, and romanticised, the gender specific (male) ‘hacker’ – War Games, 1983. The later second generation films shifted from portraying hacks across communications networks to hacks in different types of virtualised environments, with hackers still young, but less gender specific and less likely to adopt moral high ground than in earlier films – Johnny Mnemonic, 1995; Independence Day, 1996. The third generation of films were defined by both ‘hacker and hack’ being in virtual environments and epitomised by The Matrix, 1999,19 which itself is reputedly based upon Baudrillard’s ideas about Simulacra20 and simulation. The conceptual links between these images were subsequently reproduced in various similar forms in TV movies, TV programmes, comic books, novels and so on. The significance of these various sources of visual and textual imagery is that ‘contemporary movie and media imagery subconsciously orders the line between fact and fiction’21 and these ‘factional’ images (fact and fiction) have crystallised ‘the hacker’ offender stereotype as the archetypal ‘cybercriminal’.22 When framed by contemporary cultural reactions to technological change this ‘factional’ imagery distorts expectations of cybercrime. The dramatic narrative of the extra-human power that technological developments can bestow upon possessors and the social change it can create has long been popular with authors and readers. The Victorian science fiction novels of H.G. Wells23 and others were written during a time of great social upheaval caused by technological innovation and they described worlds transformed, but also threatened by new technologies. This traditional continued through to the present day via the works of Brian Aldiss, Aldous Huxley and contemporaries. Interweaved with science fiction was the social science fiction novel,24 of which the most well known example was probably Orwell’s Nineteen Eighty Four.25 In his, now, classic novel Orwell combined contemporary events with social theory and ideas about technological change to predict a dystopic future that captured the public imagination. While these creative works set the scene, contemporary cultural reactions to techno/social change frame the social science commentaries in a number of distinctive ways. First, there is Toffler’s Futureshock,26 which describes a fear of the future and the change it brings and which tends to rear its head whenever there is a significant period of technological transformation. Second, through a series of cultural processes described by Furedi27 and others, the culture of fear imbues the public with an ideological fear of crime that leads to exaggerated expectations of crime and danger – regardless of whether any actually exist. Such process is not far from Garland’s ‘crime complex’ whereby public anxiety about crime has become the norm and now frames our every-day lives28 so that we expect crime to exist regardless, and we are shocked when we do not find it! Simon and perhaps less explicitly, Garland, have gone further to suggest that governments and policymakers tactically use prevailing fears of

(Page 48) dangerous crime to control a broad range of risks.29 That this tactic should also be used with cybercrime is of no surprise. Third, and finally, the gap that emerges between the expected threat and the provision of security, displayed, for example, so graphically by the cybercrime conundrum illustrated earlier, is a reassurance gap 30 that needs to be closed. The need for reassurance typically becomes expressed in the form of demands for more ‘police’ action which, of course, the police find it hard to provide because their funding models are usually determined by routine activities based upon the 170 year old Peelian model of policing dangerousness.31 A model that remains similar in principle since the late 1820s, even though it is now performed in more complex late-modern societies. Myths and the construction of cyberfear – rhetoric vs reality The science fiction moulded conceptualisation of cybercrime has shaped and distorted our expectations of them as being dramatic, futuristic and potentially dystopic. This ‘distortion’ has reflected the way that incidents of cybercrime are reported, with the knock-on effect of heightening cyberfear. News reporting tends to simultaneously feed and feed off the public’s lust for ‘shocking’ information and this endless demand for sensation sustains the confusion of rhetoric with reality to create what Baudrillard has called ‘the dizzying whirl of reality’.32 By blurring predictions about ‘what could happen’ with ‘what is actually happening’ the impression is given by news reports that novel events are far more prevalent than they really are. Once a ‘signal event’, such as an example of a new form of cybercrime becomes reported, then other news sources will feed off the original report. Although signal events may not necessarily constitute a major infraction of criminal law, or necessarily a minor one, they ‘nonetheless disrupt the sense of social order’.33 They capture the media’s imagination and exert ‘a disproportionate impact upon public beliefs and attitudes when compared with their “objective” consequences’,34 raising levels of (cyber)fear and sustaining folk myths about the Internet. Since the early 1990s a number of popular myths about the Internet have become widespread and, while any factual basis that may have originally contributed to their creation may long since have disappeared, they still circulate and perpetuate the culture of fear and also distort our understanding of a new range of issues that are emerging in their place. A paragraph from the abstract of the House of Lords Science and Technology select committee report conveniently encapsulates this process.35 While the report and its evidence section are informative and useful documents, the summary tends to be what journalists pick upon. But the Internet is now increasingly the playground of criminals. Where a decade ago the public perception of the e-criminal was of a lonely hacker searching for attention, today’s ‘bad guys’ belong to organised crime groups, are highly skilful, specialised, and focused on profit. They want to stay invisible, and so far they have largely succeeded. While the incidence and cost of e-crime are known to be huge, no accurate data exist.36

The phrasing of this paragraph reflects a range of assumptions and prevailing myths: that the Internet is unsafe; users cannot be trusted and need to be protected from themselves; hackers are all powerful; hackers have become part of organised crime; hackers are anonymous; they cannot be tracked; they go unpunished; there is no data. With the exception of the latter point, which is dealt with in the next section, they are unpicked and explored below, along with responses and also some of the new issues that are emerging in their wake. Cyberspace is pathologically unsafe and criminogenic The sheer volume of users and increasing volume of person to person, person to business, business to business, government to person and business transactions that take place must be

(Page 49) testament to the fact that the Internet is currently working. If a good quality security product is installed and Internet browsers are used wisely then users will reduce levels of risk. Despite this, there remains the underlying public concern, propagated by media reportage and adverse commentary, that the Internet is not only criminogenic, but downright dangerous in that hackers can still make planes fall from the sky and interfere disastrously with aspects of the critical infrastructure. Yet, longstanding critical incident management plans mean that very few aspects (if any) of critical infrastructure are still connected directly to the Internet – if they are, then this is extremely problematic, if not negligent, and needs to be remedied. The main concerns about infrastructure are not so much the environment itself, but the management of the large amounts of critical information within it, especially when it is concentrated within one source such as a database. This issue became highlighted in November 2007, when CD-ROM disks containing the personal information of 25 million child benefit claimants were lost in postal (not electronic) transit from one public agency to another.37 The resulting panic not only brought to light other losses,38 but it has also illustrated how potentially vulnerable such concentrations of data are and how important security policies are to the politics of personal security. At the time of writing no evidence has yet been presented to suggest that any of the missing data has caused loss through fraud – though there may a time delay before any frauds are detected. In addition to outlining potential vulnerabilities, the data losses also emphasise the importance of maintaining existing security policies when critical functions are increasingly being outsourced, especially the security of public data when it is shared across the public and private sectors. Yet, these possibilities should also be part of information management plans. What these incidents do highlight most of all is that all activities within cyberspace will carry risks, as they do in the terrestrial world, and such risks have to be identified and remedied, however, as the events in the UK have illustrated, the risk lies more in human failings than in the virtual environment. Users need to be protected from themselves There seems to be a popular assumption in the security community that users have to be protected from themselves, from becoming victims or becoming offenders. This view runs counter to the findings of the British Crime Survey and Offending, Crime and Justice Surveys,39 which found relatively little personal victimisation and offending. The prospect of third party intervention also runs against the original end-to-end principles of the Internet, which favoured open communications with end users making the choices as to what to send and receive.40 Intertwined with the innate distrust in Internet users is the fairly widespread view that not only does the Internet place individuals at risk but it also corrupts normally law abiding individuals who go on a moral holiday when on the Internet. The Internet certainly broadens Internet users’ life experience and exposes them to a range of social activity that may be outside the confines of their everyday life. But the evidence of moral usage suggests that the greater majority of individuals tend to take their social values with them online.41 Furthermore, we must not lose sight of the fact that individual users should and do take responsibility for their actions and, rather controversially in light of some of the security reports, the Internet is remarkably ordered if you consider the sheer number of users and the volume of transactions that take place on it. All the more so because of the various mechanisms that currently exist to govern online behaviour (described later). The omnipotent (darkside) hacker or ‘superuser’ The old-style hackers were renowned and even feared, for their expert knowledge of the workings of communications systems. The mythology surrounding the omnipotent hacker assumes

(Page 50) that once the ethical hacker’s moral bind has eroded and they go over to the ‘darkside’ then they become a danger to society. The threat of these omnipotent ‘darkside’ hackers is found everywhere from the cyberpunk literature to the policy debates. But remember that at the height of hacker mystique in the 1980s and 1990s, overall levels of security were much lower than today. It was not uncommon, for example, to find systems with a default user identity of ‘Admin’ being accompanied by the password ‘Admin’. Where security was tighter, the majority of deep level penetration was and still is the result of ‘social engineering’ – persuading those in low level occupations within an organisation to reveal their legitimate access codes. Yet, despite the evidence that criminals tend to focus their efforts upon the easy victim or ‘low hanging fruit’,42 as in the terrestrial world, the cybercrime expert discourse is replete with the construction of what Paul Ohm43 calls the ‘superuser’, a mythic superhacker who is assumed to be immune to technical constraints and aware of legal loopholes. This ‘superuser’ is the person most feared by policy makers, who, Ohm argues, exaggerate his (the assumption is that he is male) power and ‘too often, overreact “passing overbroad”, ambiguous laws intended to ensnare the Superuser, but which are used instead against culpable, ordinary users’.44 The old style of hacking characterised by the penetration of computer systems has more or less lost the social capital, credibility and popularity it once had. Sommer has argued that the hacker myth is today little more than: ‘an amusing diversion and [no longer] an opportunity to dust down 20-year old cliche´s about teenage geniuses’.45 Ironically, the omnipotent hacker myth contrasts with a new style of automated hacking that is potentially more potent in the way that it casts a wide net for victims by using malicious software (viruses, worms) that install remote administration software, key-stroke loggers, spyware, etc. These tools are unwittingly downloaded onto computers through spam, deceptive emails or from fake www sites. Once activated, the software enables others to obtain access information, and even use the computers remotely. Consequently, identity theft and account take-over is now of great concern, though it is mostly related to collecting information as a precursor to credit card fraud rather than what we conventionally understand as hacking. It is not the result of a direct hack attack, but an electronic trawl or ‘phishing’ expedition. Once the impact of ID theft is felt beyond the credit card and its attendant bank guarantees then the intrusion into one’s life can become extremely invasive – a spectre that has the hallmarks for spawning a new series of myths. Hackers have become part of organised crime The alleged link between hackers and organised crime has always lacked conclusive proof; however, what is understood as constituting organised crime can vary considerably. Views vary from three or four individuals working together to commit a crime and then dissipating, to massive ‘mafia’ type organisations with clearly defined lines of command and control. The term ‘organised crime’ invokes imagery of the latter rather than the former. In her study, Brenner predicted that organised criminal activity on the Internet would more likely manifest itself in ‘transient, lateral and fluid’ forms, as networks of criminals46 rather than replicate the ‘gang’ and hierarchical US ‘Mafia’ models of organised criminal activity found offline in the terrestrial world. Mainly because they evolved in response to real world opportunities and constraints that are largely absent in cyberspace. In support of Brenner’s 2002 prediction, there have since been a number of examples of the emergence of new forms of online organisation. The first is the finding in 2004 by German Magazine C’T, following the botnet explosion in 2003/4,47 that virus writers had been selling the IP addresses of computers infected with their remote administration Trojans to spammers.48 The second was in June 2005 when NISCC (The National Infrastructure Security Co-ordination Centre) warned users about ‘a highly sophisticated

(Page 51) high-tech gang’ reputed to be located in the Far-East using various means, including botnets, to infect sensitive computer systems to steal Government and business secrets.49 The final example is ‘Operation Firewall’ which led to the investigation and prosecution of ‘shadowcrew’, an international identity theft network that hosted online forums that shared information about stealing, trading and selling personal information that could be used to commit frauds. The various reports of the investigation and prosecution illustrate how different the groups were in terms of their networked organisation. The head of e-crime at SOCA50 observed that the Shadowcrew worked ‘remotely, without ever needing to meet’, which is ‘typical of how the new ecrime networks operate compared to the old-style “top down” organised crime groups’.51 These groups have a very detailed division of labour with specific skill sets rather than the ‘usual pyramid structure’. One person would provide the documents, ‘another would buy credit card details, another would create identities while another would provide the drop address’.52 The key difference is its networked structure and global reach. Together both examples detail the relatively new forms of networked criminal organisation that depart from traditional thinking about hierarchically organised crime. Criminals are anonymous and cannot be tracked While it is true that individuals can use false identities to go online, one of the more stunning and frequently overlooked features about networked technologies is that every move online can be tracked and the ‘mouse droppings’ as they are called, leave a data trail behind. The issue is therefore not so much one of anonymity, but one of investigators having the human and technological resources available to follow the digital trail. See for example, the case of the ‘Shadowcrew’ investigations mentioned earlier. The members of the ring had never met in person and thought their participation was anonymous, but the ring had been penetrated by the US Secret service and the UK’s SOCA who tracked their activities electronically and remotely.53 We are actually witnessing the ‘disappearance of disappearance’54 because we cannot hide any more, only disguise immediate identities and even then our online behaviour patterns leave ‘signatures’ that can allegedly be traced with the right technology. Criminals go unpunished and get away with crime The low report to prosecution rate observed at the beginning of this article could be interpreted to suggest that there is some substance to this statement. However, low reporting to prosecution rates are to be found with nearly all aspects of crime, terrestrial or online. Is something being overlooked here? Do cybercrimes have different qualities perhaps? While it is important to note here that some types of Internet offending may be proceeded with under other bodies of law, this displacement will not explain such low prosecution rates. Earlier research into offences reported to, and recorded by, the police found very few related to the Internet.55 Furthermore, not only is the nature of cybercrime victimisation considerably different (see later) because there are more of them and over a broader area, but, as the example of ‘Operation Bot Roast’ described later illustrates, there are also relatively fewer offenders than at first appears because the technologies give criminals a wider reach. This critical appraisal of prevailing assumptions is important in an information age in which technological development and its associated thinking changes very quickly, we have to continually subject our conventional wisdoms to critical appraisal, because an acceptable position, say, 2 years ago may have changed by the present time. Such appraisal is an important tool in the dispelling of myths, because they are at their most destructive when they triumph over reason:

(Page 52) ... myths are not like truths: they are the triumph of credulity over evidence; there is a minimum of evidence with which it must comply, if it is to live; but once lip service has been paid to that undeniable minimum, the human mind is free to indulge its own capacity for self-deception.56

While Trevor-Roper was describing here the deliberate creation and manipulation of myths for malicious reasons, his observation about their effects is still very pertinent and reminds us how hard myths are to dissipate. Understanding change as it happens around us requires new types of methodological thinking and is a challenge to be faced. After all, the paragraph cited earlier from the House of Lords select committee report does imply in the last sentence that the statements are not based upon ‘accurate data’ and must therefore be assumptions. Tensions in the production of criminological knowledge about cybercrimes One of the principal reasons for the persistence of Internet myths is the tensions that currently exist in the ways that knowledge about cybercrimes are produced and currently impede the full perspective. The existence of multiple discourses about cybercrime – legislative–academic–expert–popular Cybercrime means different things to different groups of people and so it is viewed differently by each in terms of their respective functions. Contemporary debates about cybercrime encompass a range of legal–political, technological, social, and economic discourses that have led to some very different epistemological constructions of cybercrime. The legal–administrative discourse explores what is supposed to happen by establishing and clarifying the rules that identify boundaries of acceptable and unacceptable behaviour; the criminological and general academic discourse mainly provides an informed analysis about what has happened, and why; the security expert identifies what is actually happening and what, from their own perspective, the tactical solutions might be, and what will happen if those solutions are not adopted; the popular–lay discourse reflects what the person on the street thinks is happening. The security expert discourse is currently the most influential yet prescient of the various discourses because it combines selfcollated statistical information (see next subsection) to form predictions about the future. The disintermediation of news sources and statistical information The networking of information and the proliferation of different and alternative news sources has dis-intermediated the reporting of news. Today, editors do not exercise the overall level of editorial control over the news process that they once did so that sources of information are no longer subjected to the same balances and checks.57 Not only has the editorial top– down gate-keeping role lost the control it once exercised over the news process, but there has also taken place ‘a major restructuring of the relationship between public and media’ with the effect that public discourse has become disintermediated because the public can now directly access politicians and the political process, and vice versa.58 Just as news sources have become dis-intermediated, then so have the ways that statistics about cybercrime are collected. Without commonly applied standards there are arguably fewer checks on information quality and mis-information can be circulated. Not only are there disagreements about what constitutes cybercrime and therefore what is included in statistical compilations, but there are also no reliable centralised collection points, such as the police. The importance of having reliable statistical information was highlighted by the UK All Party Internet Group in May 2004 when it reviewed the Computer Misuse Act 1990. The

(Page 53) group found that without understanding exactly how big a problem cybercrime is, there is no political pressure to deal with the issue and the police will not therefore be adequately resourced.59 This view, however, assumes that cybercrime is a problem that the police can deal with effectively! The primary source of statistical information tends to be the cybercrime security industry, which arguably has an interest in perpetuating the illusion of high levels of crime – to which end Rosenberger60 rather cynically stated: ‘would umbrella manufacturers predict good weather?’ The fact is that these statistics do exist and in many cases they are all we have. Therefore, it is arguable that if we understand what they represent, we are aware of their limitations and how they were collected, then we can use them within that specific context. Until we develop new methodologies or even just establish standard protocols for collecting statistics then they will remain open to misinterpretation. To this end, a very useful case in example is the report of the ‘212,101’ threats mentioned in the cyber-conundrum earlier. These data are not actually personal reports by net users of their victimisation, rather the 212,101 statistic actually represents infringements of scientific rules, not the law per se, which are automatically reported by Symantec’s proprietary brand of security software and recorded on a database. The journalists covering the stories have tended to reduce Symantec’s important phrase ‘new malicious code threats’61 to the word ‘threats’,62 and in so doing completely change the meaning of the findings to imply general threats.63 Consequently, if industry generated statistics are used to indicate levels of offending, they will be greatly misleading, because they over-report the problem, however, if the methodologies of those same statistics are understood then they may be of some use when describing, for example, levels of potential online risk, or data trends over time. Victimisation surveys are much more reliable methods of measuring levels of victimisation than either reporting statistics or the numbers of crimes recorded by the police and such surveys do exist. The findings do however tend to show some marked contrasts, though for explainable reasons that relate to the victim groups being canvassed. Different Internet constituencies have different experiences of victimisation. Surveys of business victims, on the one hand, such as the DTI64 survey in the UK and the CSI65 survey in the USA, report high rates of business victimisation. This victimisation does not tend to get reported to the police because of the commercial sensitivity of their losses and the victim’s preference to deal with the matter privately. The few surveys of individual victimisation, including the British Crime Survey, on the other hand, show very low levels of overall victimisation that individuals consider serious enough to warrant action, which is consistent with the earlier observations.66 These differences in findings are understandable and communicable, however, the media reportage focuses only upon the more sensational findings, notably the results of the business surveys and generalises them to all Internet usage.67 Under-reporting by victims Following on from the above we have the curious phenomenon of the simultaneous over-reporting and under-reporting of cybercrimes. Some of the automatically reported threats will, of course, eventually result in actual victimisations, for example, if personal information stolen by Trojans is subsequently used to defraud the owner of the data. Yet there exist a number of distinct reasons why these crimes are under-reported. The fraud, for example, may be reported straight to the bank and may not ever appear as an Internet related statistic. Even when there is a clear Internet link, individuals may be embarrassed to report their victimisation, or their loss may be small. Otherwise, the dangers posed may not be immediately evident, or not regarded as serious by the victim, or the loss may genuinely not be serious. Alternatively, it may be the case, as with credit card frauds, that police refer reportees back to their banks who are viewed as the real victims. Where the victims are corporate entities, such as banks, reporting losses may expose

(Page 54) a commercial weakness and threaten their business model, which raises clear conflicts between the private vs public justice interest with regard to cybercrimes. It may also be that the consequences of being victimised are not immediately apparent to victims. For example, computer integrity cybercrimes such as hacking or identity theft are often precursors for more serious offending. The information gathered may later be used against the owner, or crackers may use remote administration Trojans to control the computers of others. Similarly, computer-related cybercrimes, such as Internet scams, may seem individually minor in impact to each victim, but serious by nature of their sheer volume. Finally, computer content crimes may seem less significant because it is informational, but it may nevertheless be extremely personal or politically offensive, or could even subsequently contribute to the incitement of violence or prejudicial actions. Low levels of offender profiles Because so few cybercrimes are reported, relatively little is therefore known about the profiles of offenders, especially those who commit the small-impact, bulk impact victimisations, although these profiles are being compiled as offenders get identified and apprehended. Jurisdictional disparities in terms of (a) definitions of cybercrime (b) levels of co-operation between police Disparities in legal coding across jurisdictions can frustrate law enforcement efforts, despite attempts by the likes of the Council of Europe Cybercrime Convention to harmonise laws.68 Panjurisdictional idiosyncrasies’ legal process can also interfere with levels of interjurisdictional police cooperation. Lack of common definitions of cybercrimes Despite there being a fairly common agreement that cybercrimes exist, there is an absence of consensus as to what they actually are that enables confusion to thrive. Low level of public knowledge about risks Because of an overall lack of public knowledge about the real risks of cybercrimes, those who are not discouraged from going online are often unable to make informed choices about the risks that they may face, especially where the threat is new. The tensions in the production of knowledge about cybercrime outlined above explain the sporadic nature of media reportage and also why the ‘signal event’ (mentioned earlier) has gained in significance. A useful example of a signal event was cyber-stalking, which became a matter of concern in the early 2000s when the issue of stalking became mixed up with Internet grooming. A few cases, followed by news reports sparked off a viral flow of information across the ‘blogosphere’ which created a minor panic that, without any concrete evidence, led to demands for anti-stalking legislation – demands that were ultimately resisted. The concerns continue to be expressed today because debates over stalking and Internet grooming remain tied to the more general concern over online vulnerability. Recent examples of the power of viral information flows69 across the blogosphere causing mass public reaction have been the Northern Rock financial panic70 in October and November 2007, also the widespread public concerns throughout 2007 over child abduction following the disappearance of Madeleine McCann in Portugal.71

(Page 55) The ‘real realities’ of cybercrime If reality is ‘the state of things as they actually exist’,72 as opposed to the ‘dizzying whirl of’ reality, then the reality of cybercrimes is that network technologies have transformed crime in the following distinctly different ways.73 Networked technologies have contributed to the reorganisation of criminal labour online Criminal labour, like labour in the work process has been prone to rationalisation in an effort to make it more efficient and cheaper to deliver. Such a process begins by dividing the work into component tasks and then automating them where possible. This process deskills the individual components of the task; however, in so doing, eventually results in the reskilling of the individuals who then use technology to control the whole process. Network technologies enable one or possibly two people to now control a whole criminal process. A good example of this transformation is to compare the complexities of organising a US$40 million bank robbery with the organisation of 40 million US$1 thefts using computers.74 The bank robbery is high risk with a relatively low return on investment and takes much organisation, whereas computer crimes, in contrast, are low risk with a high return on investment and one person can theoretically control the whole process. Two recent events emphasise the scale of the above transformation in criminal labour. In June and November 2007, the US FBI’s anti-botnet crime initiatives, ‘Operation Bot Roast I & II’,75 broke up botnets that exploited up to two million infected computers. An FBI report76 on this initiative, subsequently reported by the media, claims that more that US$20 million losses were reported by victims. As part of ‘Operation Bot Roast’, the New Zealand police questioned a teenager, known as ‘Akill’ who was thought to be the ringleader of an international cyber-crime group alleged to have infected more than onemillion computers and stolen millions of dollars from people’s bank accounts.77 In a further case, in December 2007, an American computer security consultant, using the name ‘Acid’ or ‘Acidstorm’, pleaded guilty to using botnets to illegally install malware (malicious software) on more than 250,000 computers to steal online banking identities and later transfer money out of his victims’ accounts. He was also found to have taken US$19,000 in commission from a third party for installing adware on 110,000 end users’ machines without their permission.78 These cases demonstrate two points made earlier, the globalised extent of the offender’s reach and also that while individual losses may be relatively small,79 the aggregate loss is relatively high due to the volume of offending. We have experienced the evolution of cybercrime from traditional to sui generis cybercrimes through three generations The first generation of cybercrimes were traditional or ordinary crimes that used computers to communicate or gather precursor information that assists in the organisation of a crime. Remove the Internet and the behaviour continues because offenders simply revert to using other forms of available communication or information gathering. The second are the hybrid cybercrimes, or traditional–existing crimes for which network technology has created entirely new global opportunities. Take away the Internet and the behaviour continues by other means, but not in such great volume or upon such a global scale. In contrast to the earlier generations, the third generation are true cybercrimes and solely the product of the Internet – remove it and they vanish. True cybercrimes are, like cyberspace, informational, globalised and networked.80 This latter generation of true cybercrime includes spamming, online identity theft and variations of intellectual property piracy.81 One of its defining characteristics is that it utilises

(Page 56) malicious software (viruses and worms) to automate victimisation. Offenders are now employing spammers who employ hackers and virus writers to write the scripts to do the spamming that launches the hacking software for them! This is a new world of low-impact multiple victim crimes that creates de minimis problems for law enforcement and for the policing of offenders. Since 2002–3 there has emerged a new generation of automated cybercrime caused by malicious viruses and worms, spread by spam, which can render infected computers susceptible to remote administration. These ‘botnets’ of infected computers can be used to commit a range of networked computer offences of which Phishing82 (stealing personal financial information) is perhaps the most best known. These new forms of offending are evolving quickly, see for example, the evolution of Phishing (using emails) to Pharming83 (DNS cache poisoning that directly connects to the www page once the email is opened) into SMiShing84 (using SMS texting) to Vishing85 (using Voice over Internet Protocol). Cybercrimes fall into three groups of crime with different characteristics (integrity, assisted and content crime) Cybercrimes include three main offending patterns. The focus of the offending can either be the integrity of the system (hacking) or the computer can be used to commit an offence, else the content of the computer itself can be the object of the offending. Each are represented by specific bodies of law and generate different crime and technology discourses.86 By understanding the way that technology has changed the nature of criminal labour and by discerning between these three generations of cybercrime and also the three different groups of behaviour, we can begin to make sense of some of the differences in understanding cybercrime. Whereas criminal justice systems tend to see cybercrimes as ‘familiar’ crimes, already the subject of legislation, that use the Internet, there is a new generation of crimes of the Internet that is by nature of being informational, global and networked, mainly small-impact multiple victimisations. What are the challenges that cybercrimes pose for criminal justice? For the reasons outlined above, cybercrimes tend to be missed by the Criminal Justice radar. This omission introduces a number of challenges for the criminal justice system to overcome, resolve or in some circumstances accept. Of these, the under-reporting of cybercrimes (those which are deemed serious by victims) was discussed earlier. Despite the existence of applicable bodies of law backed up by international harmonisation and police co-ordination treaties, the characteristics of cybercrimes that are serious enough to get reported, conspire to impede the traditional investigative process. Simply put, their informational, networked and globalised qualities cause them to fall outside the traditional localised, even national, operational purview of police. They are clearly different from the regular police crime diet, which is one reason that they can evade the criminal justice gaze. On the few occasions where cybercrimes are familiar to the routine police diet, then it is often the case that the computing misuse component of the offending gets dropped in favour of a charge for the offence for which the computer was used for. For the most part, however, cybercrimes tend to be too individually small in impact (de minimis)87 to warrant the expenditure of finite police resources in the public interest. Also, by falling outside routine police activities then the police accrue little general experience in dealing with them as a mainstream crime. This becomes additionally problematic when disparities in legal coding across jurisdictions conspire to frustrate law enforcement initiatives. The big question here is how might these challenges be addressed?

(Page 57) The digital realism of policing cybercrime In the process of governing behaviour online through policing, the direct impact of law is limited as it is found to be only one of a number of factors that can shape behaviour. Law is important, but its regulatory effect has to be understood alongside other factors such as social values (shaping behaviour through information and education), market forces (shaping behaviour by manipulating the laws of supply and demand) and technological devices (shaping behaviour by manipulating the architecture of the environment in order to restrict opportunity). These factors proscribe the digital realism of cybercrime. The digital realism of networked technologies is such that the same technologies that give rise to criminal opportunity can also be used to police it.88 Examples of such technological methods, range from spam filters, to honeynets (www sites that attract and entrap offenders),89 through to optical character recognition and sophisticated online surveillance techniques. There is a distinct danger here in reducing law to scientific rules in software because then the spectre of ubiquitous and automated policing arises, which coldly applies rules without the prospect of discretion. So, the application of technology has a number of ramifications, not least that it accelerates the onset of the actuarial control society away from the current disciplinary society. In other words, the concern is that when technology is used to replace discretion (without checks and balances), individuals may come to be judged by what they might or could do, rather by what they have done and disciplined by exclusion. Evidence of this change from a disciplinary society to control society is becoming increasingly characterised by the gradual shift in the burden of proof and the increase in the number of strict liability offences. The increased use of technology to police populations creates added strain on finite police resources by unearthing evidence of many new, mostly minor, offences – previously invisible – which nevertheless have to be investigated by police and, thus, draw officers away from the primary police mission and create a further division of policing labour. Also there is the temptation to investigate the offences that are the easiest (the low-hanging fruit).90 In such exercises there is a specific legal need to discern between collecting evidence of wrong-doing that can be used in court and collecting criminal intelligence that cannot, but can lead to further investigation. Furthermore, ‘ubiquitous’ online policing through surveillance creates the potential problem of not being able to call the police to account for their actions – Quis Custodiet Ipsos Custodiet. Yet, with a twist of fate the same networked technologies that create criminal opportunity and which can be used to police online behaviour, can also be used to police the police because they also cannot escape from technology’s panoptic gaze. The same technologies can also assist with the implementation of police reform. Clearly, cybercrimes are characteristically incompatible with traditional routine police practice. Despite being in the twenty-first century information age, the police still continue to work mainly along the lines of their 170 year old public mandate to regulate the ‘dangerous classes’. Hence the understandable focus upon policing dangerous individuals such as paedophiles, child pornographers, fraudsters and terrorists who threaten the infrastructure. However, this is not to say that cyberspace goes un-policed, because, as in the terrestrial world: ‘not all policing lies in the police’.91 Nor is it necessarily the case that police activity is either inefficient or ineffective. Rather, the public police role has to be understood within a broader and largely informal architecture of networked Internet policing that not only enforces laws, but also maintains order through different layers of governance online.92 Internet users and user groups, for example, maintain online behaviour through the application of moral censure. Virtual environment security managers are collectively emerging as a new strata of behaviour governors. They ‘police’ the behaviour of the online community according to its particular norms and can apply a range of sanctions from censure, to temporary

(Page 58) or permanent withdrawal of access rights. Network infrastructure providers (ISPs) draw upon the terms and conditions of their contracts with clients. The ISPs themselves, are also subject to the terms and conditions laid down in their contracts with the telecommunications providers who host their services. Corporate security organisations preserve their corporate interests through contractual terms and conditions; but also use the threat of removal of privileges or the threat of private (or criminal) prosecution. Non-governmental, non-police organisations, such as the Internet Watch Foundation, act as gatekeepers by accepting and processing reports of offending then passing them on (mostly related to obscenities), as well as contributing to cybercrime prevention and public awareness. Governmental non-police organisations use a combination of rules, charges, fines and the threat of prosecution. Not normally perceived as ‘police’, they include agencies such as Customs, the Postal Service and Trading Standards. A higher tier of these agencies also oversees and enforces national Internet infrastructure protection policies. Public police organisations, as stated earlier, therefore play only a relatively small, but nevertheless significant, role in imposing criminal sanctions upon wrongdoers. Although located within nation states, the public police are joined together in principle by a tier of transnational policing organisations, such as Europol and Interpol. Conclusions: is the absence of evidence, evidence of its absence, or just evidence of something else? To return to the cyber-conundrum outlined earlier and also to respond to the ‘Rumsfeldisms’: the absence of evidence in terms of the low number of prosecutions is certainly not evidence of the absence of cybercrimes. Cybercrimes certainly do exist, but they are being looked at through the wrong lens. Their digital realism is paradoxically different to that which the mythology of cybercrime predicts. Why that should be the case lies within the initial conceptualisation of cybercrime. Its science fiction origins, along with competing media processes framed cybercrime in a language of prospective technological impacts that distorts our understanding of it – in the absence of reliable information. The reporting of actual, and especially novel, events therefore become dramatised, propagates the various myths circulating about cybercrime and reinforces the culture of fear. Add these distortions to the construction of crime forged by Peelian concepts of policing and criminal justice, and a popular view emerges of cybercrimes as dramatic, highly prevalent, dystopic and catastrophic events – events that the police, as governmental protectors of peace and enforcers of law, are expected to deal with, but for good reasons often cannot. In short, cybercrimes scare us and we expect to be scared by them, a fear that is made worse by the gap that has opened up between our expectations of cybercrime and our expectations of Internet security. Any attempt to close this ‘reassurance’ gap tends to be thwarted by tensions in the production of our knowledge about cybercrimes which serve to perpetuate both the culture of fear about cybercrime and also the various myths that have emerged about it. If there is a good side to this debate, it is that all parties are gradually learning more about the impact of networked technologies upon criminal behaviour through research findings. In addition, the public (and private) police are also establishing a corpus of policing experience in the field because of the maturation of the various hi-tech crime units at national and regional levels within the police services. Legislation is also being tuned to the problems of today through revisions.93 The key to formulating effective responsive strategies to cybercrime is to understand the different perspectives that the different actors in the field of cybercrime bring to the subject rather than see them in binary terms as either right or wrong. See, for example, the different, but real, experiences of the business community and the individual user. It is also crucial to

(Page 59) hold realistic expectations of what the police can and cannot do. This includes accepting that not all policing lies with the police because the policing function is also to be found within other nodal and networked structures of order. In the ideal world, the governance of online behaviour should therefore be designed to assist and strengthen the Internet’s natural inclination to police itself, keeping levels of intervention relevant while installing appropriate structures of accountability. Remember that the same networked technologies that create criminal opportunity can also be harnessed to police cybercrime and also that the bodies policing the Internet include the many other nodes in the networked model of Internet policing outlined earlier. Without a framework of accountability there arises the uncomfortable prospect of over-policing using technology, and all the more worrying if the basis of the policing exercise is the application of scientific rather than legal rules. We therefore need to be clear about where we set the balance between the need to maintain order online and the need to enforce law, until this balance has been achieved the cybercrime ‘reassurance gap’ will not be closed. Notes 1. This article is based upon a paper that was first delivered at the ‘Media and Insecurities’ CRIMPREV meeting, 12–13 October 2007, Faculty of Criminal Justice, University of Maribor at Ljubljana, Slovenia. It was later delivered in more advanced form at the Max Planck Institute, Freiburg im Breisgau, Germany, 11 December 2007. The primary reference point for this article is D.S. Wall, Cybercrimes: The transformation of crime in the information age (Cambridge, Polity, 2007). All of the definitions are derived from the book’s glossary at pp. 219–232. Specific and additional references are also included. 2. Symantec Internet Security Threat Report, Trends for January–June 07, Vol. XII (Cupertino, CA: Symantec, September 2007), 7 and 77. 3. The ‘212,101’ statistic was also covered by many of the reliable sources of information including the BBC, ‘Hi-Tech Crime “is Big Business”’, BBC News Online, 17 September 2007, http:// news.bbc.co.uk/1/hi/technology/6998068.stm (accessed 10 March 2008); The Observer, see N. Mathiason, ‘The Guardian of Cyberspace’, The Observer, 23 September 2007, http:// www.guardian.co.uk/business/2007/sep/23/technology.interviews (accessed 10 March 2008); Fox News.com, ‘Symantec: Online Criminals Now More Organized, Professional’, Fox News.com, 17 September 2007 http://www.foxnews.com/story/0,2933,297063,00.html (accessed 10 March 2008). The extent and variation of the coverage can be seen by simply doing a Google search for ‘212,101’. 4. See Hansard, 26 March 2002: column WA35; also Wall, Cybercrimes, 54. 5. Evidence of the Ministry of Justice to the 2007 House of Lords Science and Technology select committee enquiry into ‘Personal Internet Security’. Reported in BBC, ‘Lords Offer New Angle on E-Crime’, BBC News Online, 24 April 2007, http://news.bbc.co.uk/1/hi/technology/6589137. stm (accessed 10 March 2008). 6. See among others, R.G. Smith, P.N. Grabosky and G. Urbas, Cyber Criminals on Trial (Cambridge: Cambridge University Press, 2004). 7. J. Leyden, ‘Security Fears Stymy Online Sales: Nothing to Fear But Fear Itself’, The Register, 17 December 2007, http://www.theregister.co.uk/2007/12/17/e_commerce_security_fears/ (accessed 10 March 2008). Also see further the survey of Internet users by Get Safe Online, http://www. getsafeonline.org/ (accessed 10 March 2008). 8. House of Lords, Personal Internet Security, vol. I: Report, Science and Technology Committee, 5th Report of Session 2006–07, HL Paper 165–I, 10 August 2007 (London: The Stationery Office, 2007), 6. Available at http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/ 165i. pdf (accessed 10 March 2008).

9. For example, the Corporate IT Forum which ‘was initiated in 1996 by some of the largest corporate users of IT creating a confidential, vendor-free environment in which IT professionals could exchange practical and strategic intelligence’ (http://www.tif.co.uk/); see further R. Cellan-Jones, ‘Government “Failing on ECrime”’, BBC News Online, 5 December 2007, http://news.bbc.co.uk/1/hi/ technology/7128491.stm (accessed 10 March 2008). (Page 60) 10. Home Office, The Government Reply to the Fifth Report from The House of Lords Science and Technology Committee, Session 2006-07 HL Paper 165, Personal Internet Security, October 2007. Available at http://www.official-documents.gov.uk/document/cm72/7234/7234.pdf (accessed 10 March 2008). 11. Reported in J. Allen, S. Forrest, M. Levi, H. Roy and M. Sutton, ‘Fraud and Technology Crimes: Findings from the 2002/03 British Crime Survey and 2003 Offending, Crime and Justice Survey’, Home Office Online Report 34/05, 2005. Available at http://www.homeoffice.gov.uk/rds (accessed 10 March 2008). Also D. Wilson, A. Patterson, G. Powell and R. Hembury, ‘Fraud and Technology Crimes: Findings from the 2003/04 British Crime Survey, the 2004 Offending, Crime and Justice Survey and Administrative Sources’, Home Office Online Report 09/06, 2006. Available at http:// www.homeoffice.gov.uk/rds/pdfs06/rdsolr0906.pdf (accessed 10 March 2008). 12. M. Barone, ‘The National Interest: Absence of Evidence is Not Evidence of Absence’, US News & World Report, 24 March 2004. Available at http://www.usnews.com/usnews/opinion/barone web/mb_040324.htm (accessed 10 March 2008). 13. See generally Wall, Cybercrimes, and references therein. 14. Later reproduced in J. Dann and G. Dozois, eds., Hackers (New York, NY: Ace Books, 1996). Please note that there are a number of different claims over the development of the concepts. At the time there was a lot of discussion about the concepts because they excited participants in the discourse. Regardless of the actual assignation, the main point is the cultural formation and links that were made. 15. Writer Bruce Bethke is accredited with coining the word ‘Cyberpunk’ in his 1980 story Cyberpunk. See B. Bethke, ‘The Etymology of “Cyberpunk”’, 1997, available at http://www.brucebethke.com/ nf_cp.html (accessed 10 March 2008). 16. W. Gibson, Neuromancer (London: HarperCollins, 1984). 17. N. Stephenson, Snowcrash (London: ROC/Penguin, 1992). 18. Please note that the examples of books and films given here and below are intended to be representative and not exhaustive. Choices of particular media can become very personal, the object of the exercise is to draw conclusions of types that illustrate change. 19. In The Matrix Neo kept his computer disks in a hollowed out copy of Jean Baudrillard’s, Simulacra and Simulation (Ann Arbor: University of Michigan Press, 1994). Baudrillard’s ideas are reputed to have inspired the film’s producers and writers, although Baudrillard is reported to have curmudgeonly stated that he thought they misunderstood his work. See R. Hanley, ‘Simulacra and Simulation: Baudrillard and the Matrix’, Whatisthematrix, December 2003. Available at http://whatisthematrix. warnerbros.com/rl_cmp/new_phil_fr_hanley2.html (accessed 10 March 2008). 20. Simulacra (simulacrum in singular) is a term used by Baudrillard (Simulacra and Simulation) to describe a situation where one can have copies without originals. It introduces a useful language to describe the construction and dissemination of multi-media materials in computer file format. Simulation captures the essence of a real object in such a way that it can be used to observe and predict how that object may behave when subject to changing inputs. 21. F. Furedi, Culture of Fear (London: Continuum, 2002). 22. Wall, Cybercrimes, 16.

23. H.G. Wells’ better known science fiction novels are The Time Machine, 1895; The Island of Dr Moreau, 1896; The Invisible Man, 1897; The War of the Worlds, 1898; The First Men in the Moon, 1901. 24. Social science fiction is a sub-genre of science fiction that focuses upon the forms of society that result from technological change. 25. G. Orwell, 1984 Nineteen Eighty-Four (London: Penguin Books, 1990). 26. Toffler, Future Shock (New York: Bantam Books, 1970). 27. Furedi, Culture of Fear. 28. D. Garland, The Culture of Control (Oxford: Oxford University Press, 2001), 367. 29. ‘Governance through crime’ is a discourse in (terrestrial) criminology that locks into the work of Jonathan Simon and David Garland respectively. For the (terrestrial) debates, see further, J. Simon, Governing through Crime: How the War on Crime Transformed American Democracy and Created a Culture of Fear (New York: Oxford University Press, 2007). Also Garland, Culture of Control. 30. M. Innes, ‘Reinventing Tradition? Reassurance, Neighbourhood Security and Policing’, Criminal Justice 4, no. 2 (2004): 151–71. 31. See further, the references in Wall, Cybercrimes, 161. (Page 61) 32. J. Baudrillard, The Consumer Society: Myths and Structures (London: Sage, 1998), 34. 33. Innes, ‘Reinventing Tradition?’, 151. 34. M. Innes, ‘Why Disorder Matters? Antisocial Behaviour and Incivility as Signals of Risk’, paper given to the Social Contexts and Responses to Risk (SCARR) Conference, Kent, UK, 28–29 January 2005, p. 5. Available at http://www.kent.ac.uk/scarr/papers/papers.htm (accessed 10 March 2008). 35. Convenient, because I did not have to search far. Despite this rather journalistic abstract, the House of Lords Science and Technology Select Committee report is a very informative and useful document. 36. Ibid., 6. 37. BBC, ‘The Government’s Explanation for the Loss of Discs with 25 m Child Benefit Records on is Facing Fresh Scrutiny’, BBC News Online, 22 November 2007. Available at http:// news.bbc.co.uk/1/hi/uk_politics/7106987.stm (accessed 10 March 2008). 38. BBC, ‘Up to 3,000 Patients’ Data Stolen’, BBC News Online, 14 December 2007. Available at http:// news.bbc.co.uk/1/hi/wales/7143358.stm (accessed 10 March 2008). Also BBC, ‘Data of 60,000 on Stolen Computer’, BBC News Online, 7 December 2007. Available at http://news.bbc.co.uk/1/hi/ northern_ireland/7133194.stm (accessed 10 March 2008). 39. See Allen et al., ‘Fraud and Technology Crimes’; and also, Wilson et al., ‘Fraud and Technology Crimes’. 40. See further J. Saltzer, D. Reed and D. Clark, ‘End-to-End Arguments in System Design’, ACM Transactions in Computer Systems 2, no. 4 (1984): 277–88. 41. See further Walker and Bakopoulos’s research into young people and chatrooms. R. Walker and B. Bakopoulos, ‘Conversations in the Dark: How Young People Manage Chatroom Relationships’, First Monday 10, no. 4 (2005). Available at http://firstmonday.org/issues/issue10_4/walker/ index.html (accessed 10 March 2008).

42. B. Ortega, ‘News’, Security & Privacy Magazine 4, no. 6 (2006): 6–9. 43. P. Ohm, ‘The Myth of the Superuser: Fear, Risk, and Harm Online’, University of Colorado Law Legal Studies Research Paper no. 07-14, 22 May 2007. 44. Ibid, 1. 45. P. Sommer, ‘The Future for the Policing of Cybercrime’, Computer Fraud & Security 1 (2004): 8–12 at 10. 46. S. Brenner, ‘Organized Cybercrime? How Cyberspace may affect the Structure of Criminal Relationships’, North Carolina Journal of Law & Technology 4, no. 1 (2002), 1–41 at 1. 47. Botnets comprise lists of the Internet Protocol (IP) addresses of ‘zombie’ computers that have been infected by remote administration tools (malcode) and that can subsequently be controlled remotely. Botnets are valuable commodities because of the power they can place in the hands of the remote administrators (bot herders) to deliver a range of harmful malicious software. For this purpose they can be hired out, sold, or traded. 48. ‘Uncovered: Trojans as Spam Robots’, C’T Magazine, 23 February, 2004. Available at http://www. heise.de/english/newsticker/news/44879 (accessed 10 March 2008). 49. See ‘Targeted trojan email attacks’, NISCC Briefing 08/2005, 16 June, 2005. Available at http:// www.cpni.gov.uk/Docs/ttea/pdf (accessed 10 March 2008). Also P. Warren, ‘UK Trojan Siege has been Running over a Year’, The Register, 17 June, 2005. Available at http://www.theregister. co.uk/2005/06/17/niscc_warning/ (accessed 10 March 2008). 50. See further http://www.soca.gov.uk ‘The Serious Organised Crime Agency (SOCA) is an Executive NonDepartmental Public Body sponsored by, but operationally independent from, the Home Office. The Agency has been formed from the amalgamation of the National Crime Squad (NCS), National Criminal Intelligence Service (NCIS), that part of HM Revenue and Customs (HMRC) dealing with drug trafficking and associated criminal finance and a part of UK Immigration dealing with organised immigration crime (UKIS). SOCA is an intelligence-led agency with law enforcement powers and harm reduction responsibilities. Harm in this context is the damage caused to people and communities by serious organised crime.’ 51. L. Rodgers, ‘Smashing the Criminals’ E-Bazaar’, BBC News Online, 20 December 2007. Available at http://news.bbc.co.uk/1/hi/uk/7084592.stm (accessed 10 March 2008). 52. Ibid. 53. See Wall, Cybercrimes, 80; Rodgers, ‘Smashing the Criminals’ E-Bazaar’; also E. Parizo, ‘Busted: The Inside Story of “Operation Firewall”’, SearchSecurity.com, 28 November 2005. Available at http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1146949,00.html (accessed 10 March 2008). (Page 60) 54. K. Haggerty and R. Ericson, ‘The Surveillant Assemblage’, British Journal of Sociology 51, no. 4 (2000): 605–622. 55. Wall, Cybercrimes, 164. 56. H. Trevor-Roper, The Last Days of Hitler (London: Pan Books, 1972), 259. 57. It must be noted, however, that pre disintermediated news sources were the subject of criticism for the opposite reasons – that the editors exercised too much control and in so doing applied their own value systems!

58. See further R. Sambrook, ‘How the Net is Transforming News’, BBC News Online, 20 January 2006. Available at http://news.bbc.co.uk/1/hi/technology/4630890.stm (accessed 10 March 2008). 59. APIG chairman Derek Wyatt, cited by M. Broersma, ‘Boost UK Govt Cybercrime Resources’, ComputerWeekly, 17 May 2004. Available at http://www.computerweekly.com/Articles/2004/ 05/17/202467/boost-uk-govt-cybercrime-resources.htm (accessed 10 March 2008). 60. R. Rosenberger, ‘Would Umbrella Manufacturers Predict Good Weather? (Part 2)’, Vmyths, 17 August 2001. Available at http://www.vmyths.com/column/1/2001/8/17/ (accessed 10 March 2008). 61. Symantec, note 2, 7, 77. 62. See note 3, for example, the BBC, ‘Hi-Tech Crime’, or Mathiason, ‘The Guardian of Cyberspace’. 63. This is the case in the BBC and The Observer articles referenced above (note 62). 64. DTI, Information Security Breaches Survey 2004, Department of Trade and Industry, London, 2004. 65. CSI/FBI, CSI/FBI Computer Crime and Security Survey 2006 (San Francisco: Computer Security Institute, 2006). 66. In the UK, for example, the British Crime Survey contains Internet crime questions. See for the British Crime Survey, Allen et al., ‘Fraud and Technology Crimes’; and also, Wilson et al. ‘Fraud and Technology Crimes’. In the USA the National Crime Victimization Survey (NCVS) has, or is due to have, similar questions included. 67. No examples of media reportage were found that described low levels of findings. 68. For details of the convention and the additional protocol, plus the latest on signatories see COE, ‘Convention on Cybercrime’, Council of Europe, Budapest, 23 November 2001 (ETS no. 185). Available at http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm (accessed 10 March 2008). Also the COE, ‘Additional Protocol to the Convention on Cybercrime, Concerning the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems’, Council of Europe, Strasbourg, 28 January 2003 (ETS no. 189). Available at http://conventions.coe.int/ Treaty/en/Treaties/Html/189.htm (accessed 10 March 2008). 69. Viral information flow is a term that describes how information proliferates across distributed networks by word of ‘mouse’ (rather than mouth). The information flows can be almost viral in the way that they are distributed exponentially from node to node across networks. The term ‘viral’ is now used colloquially to describe the Internet video phenomenon; indeed they are actually called ‘virals’. 70. BBC, ‘Northern Rock Besieged by Savers’, BBC News Online, 17 September 2007, http:// news.bbc.co.uk/1/hi/business/6997765.stm (accessed 10 March 2008). 71. See for example, Daily Telegraph.co.uk ‘Madeleine McCann’ pages, http://www.telegraph.co.uk/ news/main.jhtml?xml¼%2Fnews/exclusions/madeleine/nosplit/madeleine.xml (accessed 10 March 2008). 72. ‘Reality’ entry in the Shorter Oxford Dictionary. 73. For more elaborate explanations see further, Wall, Cybercrimes. 74. Wall, Cybercrimes, 3. 75. See FBI, ‘Over 1 Million Potential Victims of Botnet Cyber Crime’, FBI Press Release, 13 June 2007. Available at http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm (accessed 10 March 2008); also news coverage at D. Goodin, ‘Botmaster Owns Up to 250,000 Zombie PCs: He’s a Security Consultant. Jail

Beckons’, The Register, 9 November 2007. Available 2007/11/09/botmaster_to_plea_guilty/ (accessed 10 March 2008).

at

http://www.theregister.co.uk/

76. FBI, ‘BOT Roast II: Cracking Down on Cyber Crime’, FBI Headline Archives, 29 November 2007. Available at http://www.fbi.gov/page2/nov07/botnet112907.html (accessed 10 March 2008). 77. BBC, ‘Arrests Made in Botnet Crackdown’, BBC News Online, 30 November 2007. Available at http://news.bbc.co.uk/1/hi/technology/7120251.stm (accessed 10 March 2008). 78. D. Goodin, ‘FBI Crackdown on Botnets gets Results, but Damage Continues: 2 Million Zombies and Counting’, The Register, 29 November 2007. Available at http://www.theregister.co.uk/2007/11/ 29/fbi_botnet_progress_report/ (accessed 10 March 2008). (Page 63) 79. The amount that ‘small’ refers to varies according to constituency. Individuals will only write off very small amounts of money. Corporate entities, however, are alleged to write off much larger sums, for example £500 was one sum mentioned, because of the costs of investigation. While this may efficiently resolves the private interest in an economic sense, it does nevertheless mean that important criminal intelligence is lost. 80. See further Wall, Cybercrimes, chaps. 4–6. 81. See further Wall, Cybercrimes, chaps. 4 and 7 for the reasons why spamming etc are different to hybrids. 82. Phishing is the use of Internet communications, e.g. emails, to socially engineer (trick people) out of personal financial information. Variations include ‘spear phishing’ where specific, rather than blanket, targets are chosen. Also pharming, smishing, vishing. 83. Pharming is an automated version of phishing that does not rely upon social engineering to trick the recipient because it automatically redirects the recipient to the offending site. 84. Smishing is a form of phishing that uses bulk text messaging facilities to target mobile devices such as phones or PDAs (personal digital assistants) with urgent text requests for the recipient to call an alleged bank phone number or log onto a website and change their security information, thereby revealing it. 85. Vishing is another form of phishing that uses VoIP (voice over Internet protocol) to spam recorded messages to telephone numbers. The VoIP messages purport to be from banks, other financial institutions, online merchants such as Amazon or Internet auction houses such as eBay, and warn that their credit card has been used for fraudulent transactions. As with phishing and its variations, recipients are asked to contact a phone number or logon to a website to verify and change their security information. 86. See further Wall, Cybercrimes, chaps. 4–6. 87. De minimism is from de minimis non curat lex, where it means the ‘law does not deal with trifles’. It is used in this book to describe low-impact, bulk victimisations that cause large aggregated losses spread out globally across potentially all known jurisdictions. 88. See Wall, Cybercrimes. 89. Honeynets are fake websites constructed to socially engineer offenders into accessing them and showing intent by wilfully passing through various levels of security, agreeing at each stage that they are aware of the content and indicating their intent. Offenders eventually find themselves facing a law enforcement message (a ‘gotcha’) and a notice that that their details will be recorded or that they will become subject to investigation in cases where intent is clear. See further, Honeynet Project, Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community (Harlow, Essex: Addison Wesley, 2002). 90. M. Goodman, ‘Why the Police Don’t Care about Computer Crime’, Harvard Journal of Law and Technology 10 (1997): 645–694 at 484. Also Y. Jewkes and C. Andrews, ‘Policing the Filth: The Problems of

Investigating Online Child Pornography in England and Wales’, Policing & Society 15, no. 1 (2005): 42–62 at 51. 91. R. Reiner, The Politics of the Police, 3rd ed. (Oxford: Oxford University Press, 2000), xi. 92. See Wall, Cybercrimes, chap. 8. 93. In the UK, computer misuse legislation has, for example, been revised to assist the policing of cybercrime. The Police and Justice Act 2006 amends the Computer Misuse Act 1990 to include DDOS attacks (CL 40), as well as increasing the penalty for unauthorised access (CL 39) and making illegal the making, supplying or obtaining articles for use in computer misuse offences (CL 41) (HL Bill 104, 2005–6).