One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Cybercrime reporting

Friday, May 4, 2012 - 09:01

The RAND Feasibility Study on a European Cybercrime Centre raises some interesting issues around reporting of cybercrime. Since even in the real world the accuracy and meaning of crime statistics seem to be a matter of debate, it’s little wonder that cybercrime seems particularly hard to measure. Unfortunately there seems to be a particular vicious circle: businesses don’t report crimes because they don’t think police have the resources to deal with them, and the resulting low number of reported crimes makes it hard for the police to justify using resources on them.

That highlights two of the different purposes for crime reporting – to solve crimes and to inform the allocation of resources. A third is to detect trends in volumes and types of crime so that law enforcement and systems providers can be better prepared to deal with them. Unfortunately each purpose tends to need different information, and quite possibly different sources, so information collected for one purpose may be hard to use for another. Trends are easier to pick up from statistics that are gathered systematically, such as those from virus and spam filtering, than from voluntary reporting. Anonymity might make businesses more willing to report that they had been a victim of crime (useful for statistics and intelligence), but such reports probably couldn’t be used as evidence to prosecute the offenders. Any reporting scheme therefore needs to think carefully about what its information will be used for and ensure that it collects the right information, from the right sources, to deliver that.

Another issue is what crimes should be counted as "cyber-" anyway? The Council of Europe’s Cybercrime Treaty (2001) covers a lot of crimes where the computer or network is just a communications tool (for example IPR and content-related crimes), whereas the European Union’s Framework Decision on Attacks on Information Systems (2005) looks only at crimes where a computer or network is the target (illegal access to information systems, illegal system interference and illegal data interference). Thus even in legal and law enforcement circles there doesn’t seem to be a common understanding of the term, and what Internet users will expect of a "cybercrime reporting point" is even harder to predict.

The RAND report quotes figures from an American system for reporting "Internet Crimes" that illustrate some of the potential problems. Despite a very wide definition of Internet Crime as "any illegal activity involving one or more components of the Internet", still only 26% of reports to the service were considered valid. The top ten complaints all seem to be types of fraud ("non-delivery of goods", "auction fraud", "check fraud", "419", etc.) and I don’t think any of them would fall within even the wide Council of Europe definition of "cybercrime". The main purpose of IC3 is to forward complaints to the relevant agency for them to be investigated, though it makes clear that it cannot guarantee that investigations will take place. However, 74% of its visitors, who thought they had found a way to resolve their Internet problem, will have been disappointed at the very first step when they discovered that their complaint was out of scope. A cybercrime reporting service might have an even higher disappointment rate. How to turn people away without further lowering their confidence in Internet safety may be the hardest problem for a cybercrime reporting schem