One agency to net the phishers and crooks

Published in Tribune (16 February 2007), p19

Amid the regular tabloid panic over violent crime, paedophiles and terrorists, there is a far more mundane criminal threat that we overlook. Online crime is a remarkably successful growth industry across the world, and its international reach makes it hard for individual police forces to tackle alone.

Online crimes take many forms. At one end of the spectrum is the ubiquitous junk email, or “spam”, typically trying to sell dodgy prescription drugs, bogus financial products or pornography. More a nuisance than a serious threat, spam relies on the recipient’s gullibility to make a quick buck for the sender. However, if you exercise a little vigilance, the limit of junk email’s ability to harm you is the speed at which it fills your inbox with unwanted pap.

But just as “real world” crime ranges from beggars asking for a few pence, to drug-addled muggers in the street stealing wallets at knifepoint, to white-collar crooks raiding their workers’ pension funds, online crimes range from the irritating and unsophisticated to the truly alarming and dangerous. Among the most unpleasant of such practices is a kind of bank account fraud known as “phishing”.

Internet banking has become hugely popular in the past few years – letting you access your account, move funds, pay bills and check your balance from your desk. Access to these services is usually from a secure section of your bank’s website, accessible only with your user name and password – much like cash machines can only be used with your card and PIN number.
Phishing takes the form of criminals creating fake versions of a bank’s website, with a similar design and an address which looks or sounds similar to the genuine article. Customers are duped into typing in their bank details as they would in the legitimate website – thereby handing over all of their details to people who can use them to steal the funds in the account or even steal their victim’s identity.

So what’s the Government doing about all this? It’s tempting to say “not very much,” but that isn’t entirely accurate. At the turn of the millennium, the Government introduced the Kafkaesque Regulation of Investigatory Powers Act (RIPA), which far from regulating the state’s investigatory powers. actually grants it wide-ranging rights to snoop on private citizens’ emails, install surveillance equipment in internet service providers’ systems, and prescribes up to two years in prison for anyone refusing to hand over an electronic encryption key to an officer of the law.

At the same time, the National High-Tech Crime Unit, which provided at least some central authority for dealing with internet crime, has been shut down. Its responsibilities were handed over to the Serious Organised Crime Agency (SOCA) last year and its website has been replaced with a message telling people to report any online crime to their local police station.

This situation is absurd. Online crimes are different in the ways in which they are committed, not in what they are trying to achieve. Spam is not illegal because the RIPA made it so, but because it is breaking decades-old legislation about data protection, direct marketing and medicines control. Likewise, phishing has the same objectives as old-fashioned fraud or deception – and can be punished under the same laws.

This mess is symptomatic of a deep ignorance of information technology at the highest levels of government. Tony Blair is said to have started using email for the first time last year, while Alastair Campbell claims never to have sent an email in the decade he worked for Blair.

Blair’s Government has promised to extend massively the amount of electronic information the state holds on its citizens, in the form of the egregious national identity cards project and the even more sinister (if less visible) plan to hold information on all of us in a national identity database.

This is presented as an opportunity to tackle terrorism, fraud and identity theft. However, if previous events are any indicator, the safeguards will be largely ineffectual and the scheme will merely offer a new arena for criminals to act. Only this time, there won’t be any opportunity to avoid the threat by staying offline, because everyone’s details will be on the system.

The solution to internet crime isn’t to pass ever more draconian (but ineffectual) laws, or to foist ID cards on the population. It is to create a single agency responsible for investigating these crimes, and with a simple reporting mechanism for citizens to turn to when they have been victims of an online crime.

The United States has such a system – the Internet Crime Complaint Centre, and it works, receiving more than 10,000 complaints a year. Meanwhile, the Serious Organised Crime Agency, the equivalent organisation in Britain, tells people to report online crimes to their local station.

Creating such an organisation would not be complicated – after all, we’ve been here before. In the 19th century, Britain was transformed, economically, socially and politically by a communications network that brought as many risks with it as it did opportunities. That network was the railway system – and we can thank the British Transport Police for it being safe, efficient and crime-free today.

Thanks to Jerry Fishenden for help with this article.