Memorandum by Eur Ing Brian C Tompsett
PREAMBLE
1. The 2nd European Conference on E-Crime
and Digital Evidence (ECCE) was held in Nottingham from 12-14
September 2006. Delegates are specialists in the forensic collection
of evidence for all kinds of computer and Internet related crimes,
and came from all over the world and many legal jurisdictions.
One of the sessions of that conference was a participatory workshop
which focused on the questions asked by the Select Committee.
This evidence submission has been prepared from those discussions
to enable the Committee to benefit from the collective expertise
available at this event.
2. The Committee's preference for short
submissions was noted, and as a result the detailed and technical
discussions during the workshops have been reduced to summary
conclusions for submission as evidence.
COMPUTERS AS A DOMESTIC PRODUCT
3. The consensus of opinion was that one
of the biggest factors behind the problems the Committee is examining
is the public's ignorance of computing technology, and their use
of a computer as if it were a home appliance, much like other high
technology devices such as hard disk video recorders, digital
television and MP3 players. This impression is exploited by computer
and Internet vendors in the marketing of their products. However,
once a consumer has purchased the computer or Internet service,
the vendor's stance changes to one of detachment from the security
problems, and responsibility is transferred to the consumer.
Consumers are expected to understand the risk areas of computer
and Internet technology in detail and to select appropriate
mitigations and prophylactic applications, yet this is rarely
mentioned at the point of sale or in marketing, other than to
emphasise how safe the product is to buy.
4. There was a strong view that vendors
should accept more responsibility for the technical nature of the
product and the risks it engenders. An example of the kind of
responsibility a vendor could show would be to ensure that the
latest software patches are all installed, and that the best
security protection is already installed and configured by the
vendor, rather than expecting the consumer to know that they needed
to install it. Computers and software should be sold fully
"Internet enabled" and not merely Internet capable.
INTERNET SERVICE
5. The provision of Internet service was
another area where the public is being exposed to unnecessary
risk, and there is ample scope for a regulator to improve the
quality of that provision. The view of the providers that they
supply only bandwidth and not a service is part of the problem,
as is the promotion of Internet bandwidth as a national strategy.
With Internet bandwidth comes the risk of crime, and action to
mitigate that risk needs to be included with its provision. Most
commercial enterprises and institutions that use computer networking
employ a number of security precautions against intrusion and
criminal use of their networks. These include controlling certain
types of traffic, restricting access to certain Internet services,
and controlling where server computers are located. Those providing
Internet bandwidth should also be providing those kinds of network
management services, and the regulators should be taking steps to
see that the best practices of the sector prevail.
6. Those that offer services on the Internet,
such as site hosting or Internet auctions, often dissociate themselves
from the risks to the public that their services enable. Those who
host web pages carrying software of malicious intent, such as pages
that directly attack a reader's computer by placing keylogging
applications on it without permission, or pages that advertise goods
fraudulently, often say they are not responsible to those who fall
victim. Although they may not be fully liable for the crime that
results, there is often action they could take to protect the
public, which has much less technical expertise than they themselves
do. These suppliers should be given a greater duty of care towards
the public than they currently have.
OPEN SYSTEMS
7. The forensic examination of computers
requires information about their design, operation and implementation
to be available to criminal investigators. Criminal investigators
operate both within law enforcement and in private practice, so
that all courts, prosecution and defence alike, have access to proper
investigation capabilities. It was noted that there is a move
towards proprietary systems with undisclosed specifications, which
inhibits criminal investigation. These proprietary systems are
often promoted as being more secure, with the secrecy presented as
part of that security enhancement. Security through obscurity often
places the advantage in the hands of the criminal rather than law
enforcement, and should not be lauded. A move towards more open
systems was seen as a development that could assist both the
development of security products and the forensic analysis of
criminal evidence.
LAW ENFORCEMENT
8. The lack of a visible presence of law
enforcement on the Internet, and in the prosecution of computer
based crimes, was noted. Many delegates had experienced difficulties
in reporting computer and Internet based crime to the authorities,
despite their own greater experience and knowledge of the area.
Many authorities regarded computer and Internet crime as trivial,
or as not part of their responsibility, even when the evidence
showed otherwise. What is needed is a clear route to UK authorities
mandated to handle computer and Internet based crime, with relevant
links to appropriate international bodies. The theft of a pound
from each of four million discrete people by a single party is
currently perceived as many trivial offences, whereas the theft of
a single amount of four million pounds from one party is seen as a
serious crime. Both incidents should be seen as similarly serious.