George E Higgins & Scott E Wolfe. 21st Century Criminology: A Reference Handbook. Editor: J Mitchell Miller. 2009. Sage Publications.
Computer crime has been an issue in criminal justice and criminology since the 1970s. In this venue, the types of computer crimes have been categorized in two ways. First, a prevalent activity is that of criminals stealing computers. Second, criminals use computers to commit crimes. The recent development of the Internet has created a substantial increase in criminals using computers to commit crimes. Thus, an emerging area of criminal behavior is cybercrime.
Cybercrime is a criminal act using a computer that occurs over the Internet. The Internet has become the source for multiple types of crime and different ways to perform these crimes. The types of cybercrime may be loosely grouped into three categories of cybercrimes. First, the Internet allows for the creation and maintenance of cybercrime markets. Second, the Internet provides a venue for fraudulent behavior (i.e., cyberfraud). Third, the Internet has become a place for the development of cybercriminal communities. The purpose of this chapter is to outline and exemplify these different forms of communities. The chapter then shifts into a discussion of policy steps to reduce some forms of cybercrime.
The Internet allows for illicit markets to be created and maintained. The Internet provides its users with an opportunity to hide their identities and to be in remote locations to create and be part of illicit markets. For instance, cybercriminals can use different Web sites to trade (i.e., buy or sell) merchandise illegally through legitimate sources (e.g., eBay) or through illegal sites. Some of these Web sites are not able to be traced back to their original sources. While a host of illicit markets exists (e.g., illegal adoptions, surrogate mothers, egg donors, obtaining banned substances, organ donors thieves, forbidden animals, endangered species, and illegal gambling), four markets will be discussed here.
One of the most pervasive forms of cybercrime is digital piracy (Gopal, Sanders, Bhattacharjee, Agrawal, & Wagner, 2004). Digital piracy is defined as the illegal act of copying digital goods, software, digital documents, digital audio (including music and voice), and digital video for any reason without explicit permission from and compensation to the copyright holder (Gopal et al., 2004; Higgins, Fell, & Wilson, 2006). The Internet has facilitated an increase in digital piracy in recent years. Wall (2005) notes four characteristics of the Internet that have enabled individuals to easily commit criminal activity: It allows anonymous communication, it is transnational, it has created a shift in thinking from the ownership of physical property to the ownership of ideas, and it is relatively easy. In addition, Wall contends that the Internet facilitates piracy because it allows the offense to take place detached from the copyright holder, which provides the offender with the perception that the act is victimless.
Several researchers have acknowledged subforms of digital piracy (i.e., audio and video piracy) as being increasingly pervasive (Gopal et al., 2004; Hinduja, 2003). Higgins et al. (2006) defined audio and video piracy as the “illegal act of uploading or downloading digital sound or video without explicit permission from and compensation to the copyright holder” (p. 4). Technological advancements are partly responsible for the increased ease and accessibility of digital piracy. The International Federation of Phonographic Industries (IFPI) (2006) estimates that one in three music discs purchased around the world is an illegal copy. The IFPI further estimates that 37% of all CDs purchased in 2005 were pirated, resulting in 1.2 billion illegal copies purchased worldwide. In fact, the IFPI concludes that pirate CD sales outnumbered legitimate CD sales in 30 markets across the world and resulted in a loss of $4.5 billion from the music industry.
Similar issues take place in the context of the movie industry. To be clear, industry figures indicate that the costs of unauthorized copying and redistribution of movies via physical media (e.g., video cassettes, DVDs, VCDs, etc.) exceed several billion dollars annually. In 2005, the Motion Picture Association of American (MPAA) reported that over 90% of the movies that are initially pirated are due to the use of camcording in movie theaters. The Internet has allowed movie pirates to be able to illegally download movies (MPAA, 2004). In 2004, the MPAA reported that $2.3 billion were lost due to Internet piracy.
Several researchers have argued that college students are likely to pirate almost all forms of digital media (Hinduja, 2003; Higgins et al., 2006). This includes software piracy. According to the Business Software Alliance (BSA, 2007), the trend of piracy among college students has been going up slightly compared to 2003 and 2005 rates. Importantly, two thirds of the students surveyed still believe that it is okay to swap or illegally download software without paying for it (BSA, 2007).
Since the Copyright Act of 1976, digital piracy has been a criminal act (Higgins et al., 2006). Mass copyright violations of movies and music were made a felony offense in 1982 by the Piracy and Counterfeiting Amendments Act, which was amended to include the distribution of copyrighted materials over the Internet via the No Electronic Theft Act (Koen & Im, 1997). That is, when an individual proceeds to burn an extra copy of a music CD, download music from the Internet without paying, or use a peer-topeer network to download music information, he or she is pirating music. This is especially true for digital music piracy that is committed through a multitude of modi operandi (e.g., CD burning, peer-to-peer networks, LAN file sharing, digital stream ripping, and mobile piracy [see http://www.IFPI.org for a discussion of these techniques]). The penalties for these acts may be civil (e.g., $10,000 per pirated copy) as well as criminal (e.g., possible jail sentences) (Koen & Im, 1997).
Cybercrime includes the promotion and the distribution of pornography. When done over the Internet, this is known as cyberpornography. While viewing pornography may not be criminal for those who are of age, the Internet does not discriminate based on age. That is, teenagers’ fantasies about nudity may easily be replaced by hardcore pornographic images of every conceivable sexual activity.
In the academic literature, some researchers have shown that access to and viewing of cyberpornography is a behavior that is increasing. Ybarra and Mitchell (2005) used data from kids and young adults to examine exposure to cyberpornography. They showed that individuals that sought out cyberpornography were likely to be male, 14 years old and older, and more depressed, whereas those younger than 14 were more likely to be exposed to pornography through traditional means—movies and magazines.
Others have shown that cyberpornography is not just for teenagers, making the behavior non–age specific. Stack, Wasserman, and Kern (2004) used the General Social Science Survey to examine who viewed pornography using the Internet and the reasons why. They showed that individuals that had weak religious ties, unhappy marriages, and past sexual deviance are more likely to view pornography via the Internet. Buzzell (2005) examined the factors that influence access to cyberpornography. The study showed that when employment status increases, technology does play a role in the access to cyberpornography.
The Internet allows cybercriminals to participate in underage liaisons. One form of this particular type of cybercrime is the online solicitation of children for sex. This is exploitation that involves an adult who engages in discussion with a child online and uses his or her manipulation skills to coerce the child to meet in person for sexual purposes. Importantly, the number of children that are approached on the Internet for these types of offenses is staggering. Finkelhor, Mitchell, and Wolak (2000) showed that 1 out of every 5 youths is solicited by someone online for sexual relations.
The anonymity of the Internet allows cybercriminals to disguise their postings, responses, and identities. This affords the cybercriminals the opportunity to disappear at a moment’s notice. In short, the Internet allows cybercrimes to be performed more easily and simply while making criminals’ detection, apprehension, and prosecution more difficult. Therefore, the Internet makes cybercrimes through illicit markets more difficult to examine.
Cyberfraud includes behaviors that occur with guile and deceit. An example of this behavior is identity theft that may lead to identity fraud. Hoar (2001) argues that identity theft is a criminal activity for the new millennium. Unfortunately, the definition of identity theft varies. For instance, one definition of identity theft is “the unlawful use of another’s personal identifying information” (Bellah, 2001, p. 222). Others have defined identity theft as “involv[ing] financial or other personal information stolen with intent of establishing another person’s identity as the thief’s own” (Identity Theft, 2004). The Federal Trade Commission (FTC, 2006) sees identity theft as “occur[ring] when someone uses your personally identifying information, like your name, social security number, or credit card number without your permission, to commit fraud or other crimes.” The present article adopts the FTC’s definition of identity theft, although some may regard this definition as identity fraud. In one sense, identity fraud involves financial or other private information stolen, or totally invented, to make purchases or gain access to financial accounts (Higgins, Hughes, Ricketts, & Fell, 2005).
The FTC’s definition clarifies some of the potential forms of personal information that may be used in identity theft. Other forms of personal information include address, date of birth, alien registration number, and government passport. While these forms of personal information and the definition of identity theft provide some context, identity theft can be summed up as constituting the unauthorized use of someone else’s personal information for criminal activity.
The crime of identity theft has received substantial coverage from a wide variety of legal mechanisms. A substantial number of federal and state statutes relate to the criminality of identity theft and those who suffer its victimization. In the federal arena, the laws relating to identity theft are convoluted. They can, however, be divided into statutes that relate to criminality and penalties, and statutes that provide consumers with information or rights. The primary criminal statute in the federal system is the Identity Theft and Assumption Deterrence Act of 1998. Specifically, 18 U.S.C. § 1028 makes it a federal crime when anyone acts as follows:
Knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.
In 2004, the Identity Theft Penalty Enhancement Act was enacted. This act provides for enhanced punishments for identity thieves. For example, the act requires an additional 2 years of punishment for those violators using another’s identity in the commission of a crime and 5-year sentences for the use of a false identity in the commission of a terror offense. Sentencing discretion is also restricted in that sentences may not run concurrently for offenses, and probation is prohibited for those convicted under the statute.
Other federal statutes provide some aid for victims of identity theft. The Fair Credit Reporting Act establishes procedures for persons seeking to correct mistakes on their credit record and ensures that credit histories are only provided for legitimate business needs. The Fair and Accurate Credit Transactions Act allows consumers to obtain free copies of their credit reports as well as restricts what information can be placed on a sales receipt. Similarly, the Fair Credit Billing Act establishes procedures for resolving billing errors on credit card accounts and establishes limits on a consumer’s liability for fraudulent credit card charges. Finally, the Electronic Fund Transfer Act focuses upon transactions using debit cards or electronic means to debit or credit an account and limits the liability for unauthorized electronic fund transfers.
Since the majority of all criminal prosecutions occur in state court systems, state legal schemes are critically important. All 30 states and the District of Columbia have criminal laws relating to identity theft (FTC, 2006). Thirty-one states have created freeze laws for persons fearing identity theft. These laws generally lock access to credit reports and credit scores. While these laws vary greatly, there is generally no charge for the creation, temporary lifting, or complete termination of a freeze (a socalled credit thaw) for the victim of identity theft. Others wishing to limit their risks may have to pay between $5 and $20 (see http://www.consumersunion.com). While these freezes will not completely shield a consumer from victimization, they will stop the creation of any new victimization where the issuer relies upon a credit report to provide credit. A few states have credit information – blocking statutes that require the credit reporting agencies to block false information from consumer victims’ credit reports within a certain time frame or upon the receipt of a police report.
California was the first state to pass a mandatory disclosure law for persons whose information has been compromised. Currently, at least 35 states have some form of breach notification statute. These laws vary greatly by state (Krebs, 2007). The threshold for notification may be mandatory upon a security breach. For example, Massachusetts recently passed a mandatory notification law similar to California’s. Other states have a risk-based analysis requiring notification only in cases of substantial risk of harm. These laws are based on three rationales. First, with timely notice, consumers can take preventive measures to limit or reduce the potential for identity theft. Second, reporting provides an ability to accurately measure the true number of breaches and thus aids in research on identity theft. Finally, the social and pecuniary costs associated with notification provide substantial motivation to protect consumer information (Schneier, 2006). Notification laws differ from fraud alert protections. An alert requirement forces notification if a person’s credit file receives an inquiry. A breach notification law requires that a consumer be informed that his or her information has been compromised.
Identity theft or identity fraud is responsible for a large number of issues concerning the theft of information. Identity thieves commit fraudulent acts to obtain identities of other individuals. For instance, identity thieves may hack (i.e., break into network databases) via the Internet to obtain personal information. Another form of fraudulent activity is the use of phishing. Phishing is when an identity criminal goes online and poses as a corporation (e.g., Western Union, Amazon, eBay, or PayPal) or an individual in need and requests personal information. Phishing schemes include travel scams, stock frauds, financial transfers, nondelivery of merchandise, Internet auction fraud, credit card fraud, and so forth. An emerging form of identity theft is pharming, which is when a hacker redirects an individual from a legitimate site to a fraudulent site without the user’s knowledge.
These forms of identity theft over the Internet are costly to the economy and the victim. For instance, Allison, Shuck, and Lersch (2005) argue that the U.S. economy is particularly susceptible to identity theft. In the United States, identity theft has resulted in actual losses ranging from $442 million to $745 million over a span of 3 years (U.S. General Accounting Office, 2002, cited in Allison et al., 2005). Others have estimated that identity theft costs between $53 billion and $73.8 billion per year (Weingart, 2003). While this gives some perspective, the true extent of identity theft is unknown. Identity theft can also have profound individual costs. For instance, a victim can expect to pay up to $3,000 and spend a substantial amount of time restoring his or her identity (FTC, 2006). Therefore, cyberfraud is an important criminal activity that needs further exploration.
The Internet provides a place for cybercriminal communities to exist and flourish. The communities may be seen as subcultures. Subcultures are cohesive cultural systems that vary in form and substance from the dominant culture. To be clear, a subculture maintains its own values, beliefs, and traditions that differ from the dominant culture. Thus, the individual performs behaviors that are consistent with those of his or her subculture, but that differ from the dominant culture. Some subcultures may be based on ethnic groups, delinquent gangs, or religious sects. Subcultures may take place through the Internet or the cyber environment.
For instance, subcultures harbor some of the individuals that seek to understand computer operating systems (i.e., hackers), individuals that seek to destroy or do harm within a computer system (i.e.,crackers), or individuals that seek to steal telephone services (i.e., phreakers). Other deviants or criminals may also be part of an online subculture (e.g., pedophiles, depressives, anorectics, and bulimics). Cybercrime communities function as the venue where the criminal activity is reinforced and encouraged. The cybercrime communities provide an opportunity for transmittal of knowledge that make the criminal behavior more effective and legitimate. In short, the individual participating in these deviant subcultures learns new techniques for performing his or her behavior and how to handle potential issues (e.g., dealing with outsiders, securing legal or medical services). The cybercrime communities provide a place for the sharing of knowledge to take place on a level playing field. That is, in most other communities, individuals are alienated, rebuked, or ostracized based on age, race, sex, marital status, ethnicity, or socioeconomic status. However, in cybercrime communities, all that is required is a computer and an Internet connection and the individual is able to participate. The cybercrime communities provide an opportunity for individuals to be in touch with others from different geographical locations. Thus, someone in the United States can participate in a community in Australia.
Criminal Justice Response to Cybercrime
The criminal justice system response to cybercrime is the advent and development of the field of digital forensics, which has its roots in data recovery methods. That is, digital forensics has evolved into a field of complex, controlled procedures that allow for near real-time analysis leading to accurate feedback. Such analysis allows individuals in criminal justice to track the changes and key issues that are pertinent to good investigation of cybercrime.
Another method that criminal justice uses to combat cybercrime is through education of the public. This includes publishing important tips for reducing victimization. For instance, the National White Collar Crime Center’s (NW3C) 2007 report suggested several ways that various forms of cybercrime may be reduced. For example, cyberstalking may be reduced by following these steps:
- Use a gender-neutral user name and email address.
- Use a free email account such as Hotmail (http://www.hotmail.com) or YAHOO! (http://www.yahoo.com) for newsgroups/mailing lists, chat rooms, instant messages (IMs), emails from strangers, message boards, filling out forms, and other online activities.
- Don’t give your primary email address to anyone you do not know or trust.
- Instruct children to never give out their real name, age, address, or phone number over the Internet without your permission.
- Don’t provide your credit card number or other information to access or subscribe to a Web site with which you are not familiar.
- Monitor/observe newsgroups, mailing lists, and chat rooms before “speaking” or posting messages.
- When you do participate online, be careful—type only what you would say to someone’s face.
- When communicating online, don’t reveal personal things about yourself until you really and truly know the other person.
- The first instinct when someone attacks you online may be to defend yourself—Don’t. This is how most online harassment situations begin.
- If it looks too good to be true, it probably is.
The National White Collar Crime Center’s (2007) report indicates some tips to reduce instances of identity theft:
- Check your credit reports once a year from all three of the credit reporting agencies (Experian, Transunion, and Equifax).
- Guard your social security number. When possible, don’t carry your social security card with you.
- Don’t put your social security number or driver’s license number on your checks.
- Guard your personal information. You should never give your social security number to anyone unless you can verify that the person is required to collect it.
- Carefully destroy papers you discard, especially those with sensitive or identifying information such as bank account and credit card statements.
- Be suspicious of telephone solicitors. Never provide information unless you have initiated the call.
- Delete any suspicious email requests without replying. Remember, if your bank or credit card company needs you to contact it, there are telephone numbers and Web site information on your statement. You do not have to click on unsolicited emails to contact the company.
Here are some steps to take if victimized:
- Contact the fraud departments of each of the three major credit bureaus and report that your identity has been stolen.
- Get a “fraud alert” placed in your file so that no new credit will be granted without your approval.
- Contact the security departments of the appropriate creditors or financial institutions for any accounts that may have been fraudulently accessed. Close these accounts. Create new passwords on any new accounts that you open.
- File a report with your local police or the police where the identity theft took place.
- Retain a copy of the police report because it may be needed by the bank, credit card company, or other businesses as evidence that your identity was stolen. (NW3C, 2007)