Online criminals have it too easy

The probability, or even the possibility, of punishment is the one essential deterrent for criminals. Yet the numbers convicted of hi-tech crimes are pathetically small, and every hacker knows it.

Yes, there are laws to protect individuals and businesses from falling foul of online criminals. And occasionally we hear of high-profile prosecutions of people caught committing crimes over the internet, such as reformed hacker Kevin Mitnick.

But the fact that the detection and punishment of the perpetrators of such a widespread crime still makes the news speaks volumes.

There is a general impression that online fraud is easy, and that catching the hackers is hard. So if it's easy to obtain people's credit card details, and easy to get away with it, why are businesses so reluctant to do anything about it?

They're in a Catch 22 situation, according to Beatrice Rogers, e-business programme manager at industry body Intellect.

"Shops [or online retailers] are sometimes loath to have this adverse publicity and deal with it outside of the courts," she explained. "However, this means that there is no publicity about those who do hack and those that are brought to justice.

"Do you persist and make people aware of the liabilities if they do something outside the law, and build trust and confidence? It's going to take some very strong-minded companies to take people to court and, until there are several test cases, it won't be the norm."

Retailers must deploy a policy pledging to people who intend to use their site that they take security breaches seriously, and will prosecute anyone infringing these rules.

But even if retailers do report such breaches, the chances of anyone being punished is very slim, particularly in the UK.

"The UK's hi-tech crime units are woefully understaffed and under funded," said Bob Ayers, director of business risk services at security specialist @stake.

Even in countries where resources are in abundance, detection and prosecution rates are still surprisingly poor. Ayers pointed out that figures from the US Department of Justice show that only one in every 50 reported computer crimes results in prosecution.

"If you're a computer criminal the odds are pretty good that you're not going to get caught," he explained. "If you do get caught, the odds are you won't be prosecuted. And if you are prosecuted, the laws aren't necessarily accurate and you could be prosecuted for something such as trespassing."

There have been calls recently for the government to change the clauses of the Computer Misuse Act to make it easier to bring prosecutions against alleged online criminals.

But this alone is not enough. There needs to be a shift in the mindsets of online retailers towards the benefits of prosecution, and a deeper understanding by the consumer that such actions don't mean that the site they are transacting with is insecure, but that the retailer won't tolerate such behaviour.

E-envoy Andrew Pinder has another theory about the low number of prosecutions relating to online crime. "One reason why there may not be many prosecutions is because there's not a lot of offences," he suggested.

"But where something hasn't been reported, we need to find out why. Often the time and effort is more hassle than it's worth, but I would encourage people to prosecute if a crime has taken place."

Until there are specific and frequent examples of online criminals being brought to justice, retailers will still be reluctant to report crimes, with credit card charges covering the resulting costs.

The UK must ensure that it takes online crime seriously, and organisations such as the National High-Tech Crime Unit need to be given sufficient resources to tackle online offenders.