Examination of Witnesses (Questions 404
WEDNESDAY 15 MARCH 2000
404. Good afternoon, gentlemen. Thank you very
much indeed for sparing us the time this afternoon. Thank you
also for the very comprehensive paper you supplied in advance
which the Committee has found of considerable interest. Given
that you submitted that to us, if it is agreeable to you we will
move straight into questioning rather than invite you to make
an opening statement. When we get to the end, if there is any
sweeping up statement you might like to make please feel free
to indicate that you want to do that. I would like to open and
move us down to international issues. I know it is not in the
precise order in which your paper was written but you will appreciate
that this Committee's remit has a European dimension to it, so
I would like to address those questions first of all and then
I am quite sure we will come back to deal with United Kingdom
issues primarily. You said that the CCWG liaises with the G8 Group
and we were wondering why it appears that the G8 Group figures
so significantly in the paper that you have put to us. I also
notice that there is a reference to the Council of Europe Cyber
Crime Convention which is expected to be completed in October
2000. I wonder if perhaps you would enlighten us as to what is
happening on that front if you know anything about it. Thirdly,
have you done much work in Europe, and, if not, why not? Do you
not see this as being significant?
(DCS Akerman) There is no deliberate plan of action
in relation to why we have liaised with G8. It has just happened.
The fact is that we were working as a group. G8 had formed their
various sub-groups looking at issues like this, particularly cross-border
search and seizure, data preservation and the rest of it, and
we were invited to join the United Kingdom delegation. That was
particularly the case because a lot of the issues that were being
addressed in G8 were of particular significance and interest to
us on the national side of things. As far as the Council of Europe
is concerned, we did not have the arrogance to go and say to them,
"I think you ought to involve us." However, as a result
of the work with G8 we were invited to give a presentation recently.
I did not go but Nigel did and he will be able to give you a full
version of what happened there. As a result of that there is a
strong possibility (a) that they have adopted some of the suggestions
we have made, and (b) we may become more involved in the process.
405. I am particularly interested in the Council
of Europe issue because it was drawn to my attention by the Computer
Consultants' Organisationand I declare an interest here
that I have a relationship with Andersen Consultingthat
there was some material on the Net which apparently had been leaked
from the Dutch Government about activities that were at Council
of Europe level. We were not aware of what was going on, so that
is how it came to our notice as an example of how the Net can
work in a whole variety of different ways.
(DS Jones) I can certainly deal with the informal
meetings that are currently taking place, and these are under
the auspices of the EC Directorate General for Information Society
and the Directorate General of Justice and Home Affairs. The objective
there is to discuss with states the need for an EU level of combating
computer related crime effectively. I gave a presentation on the
work of the United Kingdom Internet Crime Forum at the recent
meeting in March. There is an industry meeting taking place today
in Brussels and it is expected that a further joint meeting will
take place in April following which it is anticipated that recommendations
will be made. As far as the Council of Europe is concerned, the
Cyber Crime Convention has been worked on for some two years.
The United Kingdom delegation consists mainly of Home Office representation
and also Customs and Excise representation. Many of the issues
that have been discussed in the Cyber Crime Convention are in
parallel with those being discussed within the G8 Group that we
have documented in our evidence.
406. Are they in secret?
(DS Jones) I do not know because we do not attend
those particular meetings.
407. Do you think there is a case for a joint
European Union initiative?
(DCS Akerman) The main point we would make, whatever
initiative takes place, is the importance of co-ordination of
effort, not re-inventing the wheel, and making sure our resources
are optimised in the right places. This is half the trouble. Certainly
you have got G8 going on at the moment looking at a lot of stuff.
The Council of Europe has certainly started, you have got the
United Nations, you have also got Europol and Interpol, all looking
at very similar issues. That is superb if we are going to get
an end product, but if we are notand that is our real concernthen
frankly it is a waste of everybody's time. There are some key
issues here to be addressed. The fact is that whatever the United
Kingdom does on its own is entirely irrelevant if the rest of
the world does not follow suit, and that is because of the nature
of the technology. We can come up with some good standards and
protocols here but you can go and set up in the Caribbean or South
America somewhere and destroy every single principle that we have
408. Do you think that you may be ahead of the
field in the rest of Europe?
(DCS Akerman) In some areas yes, but it is only right
and proper to say that some of our European colleagues have got
some excellent expertise in different fields. For example, the
Dutch are well ahead in terms of forensic issues. By "forensic"
I mean the actual examination of the computer per se. The Germans
are very good on investigations. I think the Swedes are particularly
good as well. From our perspective where we are perhaps ahead
of the game is because we saw a need to consult and debate with
a whole range of other people. Nigel has already alluded to the
Internet Crime Forum which is an excellent platform mutually to
discuss problems. That has proved very effective in a whole range
of areas, as a result of which first of all you heard that Nigel
went across and gave a presentation to the European Commission
and they look as though they want to take that initiative themselves.
From the G8 perspective they have already adopted some of the
409. In your submission you say that the police
do not collect statistics. Why not, on the basis that prevention
is better than cure, and if you collected some statistics you
might be able to prevent further excesses of problems rather than
just waiting for them to hit you?
(DCS Akerman) That is perfectly true and valid but
the trouble is that the police service is inundated with requests
for statistics. If you to talk to any chief officer he or she
will quickly say to you, "Look; we are actually cheesed off
with this. You keep demanding more and more information from us.
For what purpose is it required?" The fact is that the chief
officers already supply to the Home Office a whole range of statistics
related to crime. The big problem here is divorcing the true Internet
related crime from existing terrestrial crime. Most of the crime
being committed through the medium of the Internet is terrestrially
based in some shape or form, so the statistic has already been
collected but it will not show up as Internet. That is part of
the problem. The other thing is, and I am being absolutely frank
with you here, that this sort of crime does not feature as a ministerial
or government priority at the moment. Those have been set quite
clearly for the police service, and they are burglary, motor car
crime, reducing road casualties, answering 999 calls and so on.
At the moment hi-tech crime, if I can use that expression, does
not feature. There is an education programme to be embarked on
from the very top to the very bottom.
410. Knowing that the City of London Police
are fraud experts, are they doing anything in the special category
of Internet crime, do you know?
(DCS Akerman) No, not particularly. The City of London
Police, because of their unique position in relation to fraud,
chair two of the three main fraud related working groups which
ACPO have set up. That is the credit card one and the ordinary
fraud working group. We have a strong liaison with them. But looking
at it specifically the answer is no.
411. What do you think the most prevalent types
of crime on the Internet would be?
(DCS Akerman) There are a whole range of them. Because
I cannot measure them at the moment, for the reasons I have just
articulated, it is very difficult.
412. I said "think". I did not say,
"What are they?" As you are working with this group
all the time you must have some idea in your head.
(DCS Akerman) The one that gets the most media attention,
the one that the public worry about most at the moment, is credit
card fraud. People are very concerned that if they use their credit
card on the Net it will be hijacked and used for goodness knows
what purpose. We have seen a proliferation of the use of the credit
card in that way. In one particular case, and I will not name
the company, over 9,000 fraudulent uses were made which is quite
substantial. That could well have happened terrestrially as well,
so we should not zoom off unnecessarily and think, "Oh, my
goodness, we have got a hell of a problem here". The credit
card generatorsI do not know if you are familiar with the
credit card generators on the Net.
(DCS Akerman) It is a wonderful instrument, the Internet,
for information and intelligence. The fact is that criminal and
nefarious elements have set up a system where you can actually
download some software on to your computer which effectively gives
you a range of credit card numbers within those that will be issued
by some of the credit card companies. Linked to that is essentially
what is the voters' list for the United States, so if you want
a Mastercard, for example, to use on the Net, you put in a bank,
let us say the Bank of Nevada, so you just type in, "Bank
of Nevada, Mastercard." Then you say, "I had better
have something to say who I am", and as you are a lady you
pick a lady, Mary Bloggins, 1 High Street, Nevada. That will check
out, the number will check out, it is one of those issued to the
bank and you can generate that number then and use it. If the
person on whom the fraud is being perpetrated has got any sense
they will check the numbers, but, depending on the volume of business,
they do not. The big problem at the moment, certainly for us,
is simply this, that on a lot of the indecency/porn sites where
you purchase your material everything is done through a machine.
With our legislation at the moment you cannot deceive a machine.
That is fine. Not many people are worried about that at the moment
because who cares about some idiot who has decided to access the
site and get illicit material down? You cannot get too excited
about that. However, you have seen just recently a number of major
companies band together to sell particular items. Music is the
key one. You are going to be able to purchase your music soon
by downloading it on to your MP3 player and you are away and running.
All that is going to be automated. You are going to have a lot
of businesses who are going to be really annoyed when they are
ripped off and with our legislation at the moment you cannot deceive
a machine, and we will say, "Sorry".
Lord Faulkner of Worcester
414. You make this point about it not being
possible to deceive a machine. Are you saying then that if the
credit card is stolen and is then used to make a transaction on
the Internet without there being any contact with a human being,
and it is all done in a chronology, no crime has been committed?
(DCS Akerman) Apart from the theft of the credit card
in the first instance.
415. The use of it does not aggravate that original
(DS Jones) This was raised prior to the 1978 Theft
Act being introduced. The issue there was people swiping a credit
card into a petrol pump, and it was held then that no deception
is involved when there is no human intervention. We have been
looking for other offences which may have been committed, and
we looked at the 1978 theft of making off without payment. But
you then get into arguments about whether you make off from your
virtual presence on a computer somewhere else in the world or
your physical presence from where you are in the room. We think
that may be too problematic to charge that offence. That is the
case at the moment.
416. So have you made representations to the
Home Office saying you want the law changed?
(DS Jones) Oh yes.
(DCS Akerman) Absolutely. The Home Office has been
very good, I have to say. We were invited to address their Crime
Strategy Group about a fortnight ago and we laid out some of these
problems to them. Over the past three or four years that Nigel
and I have been involved in this we have submitted letters and
papers like the ones you have seen before trying to get something
done about it.
417. That was all news to me until I read this
paper. Can you say a word about the money laundering through Internet
gambling because I thought the point about money laundering with
gambling was that it was hot notes which went into a betting shop
or into the casino and then went into the system, whereas with
Internet gambling there are no notes involved.
(DCS Akerman) There are a whole range of issues associated
with Internet gambling. Let me deal with your specific point.
The State of Nevada is a good one because gambling is legal in
the State of Nevada. You say to a bank in the State of Nevada,
"I have just won half a million pounds on X through playing
poker", and you deposit it in a cyber bank, so you get cyber
dollars back. You then go round the Internet and because of your
position you fancy a Rolls-Royce, so you purchase a Rolls-Royce
using your cyber dollars, paying the necessary importation tax
and VAT, and you then perhaps buy a few other items, jewellery
or whatever, and you have finished. You have spent X amount of
your cyber dollars. You then go back to the bank and say, "Right;
I have finished. This is the balance. Would you now transfer those
funds to an ordinary bank", if I can use that expression.
It is a poor one but I will use it. Because it is an inter-bank
transfer it is not questioned to the same degree as it would otherwise
be. That is just one illustration.
418. It is difficult enough in one's own country
to investigate these things and taking it to other countries even
now takes a long time to investigate. What are the chances of
bringing people to book in a different country? Another question
which worries me even more is that a man who does a big fraud
plans it in a good deal of time, but what stops him from going
to a country where you have no chance of bringing him to book?
(DCS Akerman) Nothing is the answer to your question.
I will give you a recent example, a very simple one. A retailer
in this country is contacted via e-mail, because they have a website
so they attract customers by e-mail, from Spain to say, "I
would like 5,000 CDs" of whatever the latest single is. I
am not up with it, I am afraid. Frank Sinatra; that is one I know.
419. He is in cyberspace!
(DCS Akerman) His music still sells very well. "I
want 5,000 CDs of Frank Sinatra and here are my credit card details."
This is a genuine case I am talking about. "There is a group
of three of us so here are our three credit card details."
At this time the victim, if I can use that expression, is a little
bit shrewd and checks to see if the numbers are all right and
finds that they have not been issued. It is the old credit card
generator again. He tells us, e-mails back and says, "Right,"