Computers are useful for a great many things; they are particularly useful in the solving of crime. The Gardai use the PULSE system, which is due to be upgraded. Its use is also due to be audited by the Data Protection Commissioner. Being able to process large amounts of data effectively and efficiently can be a highly effective tool. It also lacks glamour: one waits in vain for the day that some fictional successor to Inspector Morse will respond to a crime by utilising HOLMES – the Home Office Large Major Enquiry System, something that real English policemen have been doing since 1986.
Unfortunately, computers can also be used to commit crimes as well as solve them. Such crimes may be roughly categorised as follows:
- Computers can be used maliciously to damage others, what might be termed ‘hacking’ type offences;
- Computers can be used to communicate with victims, what might be termed ‘fraud’ type offences;
- Computers may be used to create, display and publish material that is criminal in nature, what might be termed ‘content’ offences;
- Computers may be used to organise other offences, which do not themselves involve the use of computers, this gives rise to issues of evidence.
Computer crimes are different from conventional crimes in many ways. They may leave no physical evidence for one thing; they can be conducted remotely for another. This makes such crimes difficulty to combat: some cybercriminal groups have constructed giant botnets consisting of millions of computers that they control. Such botnets are used to commit further crimes, ranging from spamming to denial-of-service attacks.
Cybercrime as an international crime
The internet is a global network, which cuts across physical borders. Cybercriminals do the same. Nationalities can still be significant online, but many cybercrime groups function as international networks. This means that they require an international response. One such response is the Council of Europe’s Cybercrime Treaty, which has been signed and ratified by the USA as well as most European nations. The EU Commission has responded with a policy and a proposal for a Directive. Europe also has a number of cyber-security initiatives, including ENSIA the European Network and Information Security Agency.
Just because a crime is committed across borders does not mean that it cannot be prosecuted. The European Arrest Warrant (EAW) offers an effective mechanism to ensure the swift arrest and surrender of criminals within Europe. The EAW is necessitated by EU Law and implemented by the European Arrest Warrant Act 2003.
However, the EAW only applies between Member States of the EU; otherwise extradition will have to be sought. In any such application for extradition the question of jurisdiction is likely to be key: if someone in Ireland uses the internet to illegally access or otherwise interfere with a computer somewhere else do they commit an offence here or there? The Irish Courts have yet to consider such a question. If and when they do, someone arguing against their own extradition might compare themselves to Sean Garland whose extradition to the USA was refused on the basis that his alleged offences took place in Ireland. The Criminal Damage Act 1991 and the Criminal Justice (Theft and Fraud Offences) Act 2001 are designed to have extra-territorial effect. However, such an argument did not succeed before the English High Court in McKinnon v Secretary of State for Home Affairs. The facts had been recounted in a previous appeal (at para 11-15) in the House of Lords and were as follows:
‘Using his home computer the appellant, through the internet, identified US Government network computers…and from those extracted the identities of certain administrative accounts and associated passwords. Having gained access to those accounts he installed unauthorised remote access and administrative software…that enabled him to access and alter data upon the American computers at any time and without detection …. he then installed software facilitating both further compromises to the computers and also the concealment of his own activities. Using this software he was able to scan over 73,000 US Government computers for other computers and networks susceptible to similar compromise… Having gained access to these computers the appellant deleted data from them including critical operating system files from nine computers, the deletion of which shut down the entire US Army’s Military District of Washington network of over 2000 computers for 24 hours … The appellant also copied data and files onto his own computers… The cost of repair was alleged to total over $700,000’
The appellant argued that he should be prosecuted for these alleged offences before the Courts of England, not the USA. Burnton LJ. made it clear that this was ultimately a decision for the DPP, he indicated (at para 46) that whilst it was:
‘…true that the Claimant’s offending conduct took place in this country… it was directed at the USA, and at computers in the USA; the information he accessed or could have accessed was US information; its confidentiality and sensitivity were American; and any damage that was inflicted was in the USA. The witnesses who can address the damage done by his offences are in America. Moreover, because the information was sensitive, it will be far more difficult for it to be put before a judge in this country than before a US judge’
The reference to damage in the above passage may be particularly relevant in Ireland, which criminalises computer hacking as a form of criminal damage. And so the English High Court went onto hold that it would not permit a judicial review of the English DPP’s refusal to prosecute, so opening the door to McKinnon’s extradition. Notwithstanding this judgment McKinnon remains in the USA to this day. His case was again mentioned in January 2012, when two judges of the English High Court expressed concern about the delays in the case and listed it for July.
Cybercrime as an organised crime
The vision of a hacker as a lonely cybercriminal is an anachronism. Cybercriminals tend to hang out in groups, one such is the LulzSec hacking group, two alleged members of which were arrested by the Gardai in March 2012. One of the advantages of being in such a group is that elements of the crime can be split between members, such conspiracies makes crime harder to detect and to prove. Conspiracy is a common law crime for which the Irish Courts seem to have lost their historic distaste, but see DPP -v- Sharon Collins the appellant used a website called hitmanforhire in an attempt to arrange the murder of her partner.
As an alternative to the common law offence charges might be brought pursuant to Part 7 of the Criminal Justice Act 2006 which provides for a statutory offence of conspiracy. Part 7 is directed against offences committed for the benefit of a criminal organisation, which it defines as:
‘a structured group, however organised, that… is composed of 3 or more persons acting in concert… is established over a period of time… has… as its main purpose or main activity the commission or facilitation of one or more serious offences in order to obtain, directly or indirectly, a financial or other material benefit…’
The Act goes onto create an offence of organised crime and committing an offence for the benefit of a criminal organisation. These offences are designed to have an extra-territorial effect.