You are here
- Home
- Regulatory Developments
- Blogs
- Cybercrime reporting
Group administrators:
Recent members:
Cybercrime reporting
The RAND Feasibility Study on a European Cybercrime Centre raises some interesting issues around reporting of cybercrime. Since even in the real-world the accuracy and meaning of crime statistics seem to be a matter of debate, it’s little wonder that cybercrime seems particularly hard to measure. Unfortunately there seems to be a particular vicious circle that businesses don’t report crimes because they don’t think police have resources to deal with them and the resulting low number of reported crimes makes it hard for the police to justify using resources on it.
That highlights two of the different purposes for crime reporting – to solve crimes and to inform the allocation of resources. A third is to detect trends in volumes and types of crime so that law enforcement and systems providers can be better prepared to deal with them. Unfortunately each purpose tends to need different information, and quite possibly different sources, so information collected for one purpose may be hard to use for another. Trends are easier to pick up from statistics that are gathered systematically, such as those from virus and spam filtering, than from voluntary reporting; anonymity might make businesses more willing to report that they had been a victim of crime (useful for statistics and intelligence) but such reports probably couldn’t be used as evidence to prosecute the offenders. Any reporting scheme therefore needs to think carefully what its information will be used for and ensure that it collects the right information and from the right sources to deliver that.
Another issue is what crimes should be counted as "cyber-" anyway? The Council of Europe’s Cybercrime Treaty (2001) covers a lot of crimes where the computer or network is just a communications tool (for example IPR and content-related crimes), whereas the European Union’s Framework Decision on Attacks on Information Systems (2005) looks only at crimes where a computer or network is the target (illegal access to information systems, illegal system interference and illegal data interference). Thus even in legal and law enforcement circles there doesn’t seem to be a common understanding of the term, and what Internet users will expect of a "cybercrime reporting point" is even harder to predict.
The RAND report quotes figures from an American system for reporting "Internet Crimes" (www.ic3.gov) that illustrate some of the potential problems. Despite a very wide definition of Internet Crime as "any illegal activity involving one or more components of the Internet", still only 26% of reports to the service were considered valid. The top ten complaints all seem to be types of fraud ("non-delivery of goods", "auction fraud", "check fraud", "419", etc.) and I don’t think any of them would fall within even the wide Council of Europe definition of "cybercrime". The main purpose of IC3 is to forward complaints to the relevant agency for them to be investigated, though it makes clear that it cannot guarantee that investigations will take place. However 74% of its visitors, who thought they had found a way to resolve their Internet problem, will have been disappointed at the very first step when they discovered that their complaint was out of scope. A cybercrime reporting service might have an even higher disappointment rate. How to turn people away without further lowering their confidence in Internet safety may be the hardest problem for a cybercrime reporting schem