Cybercrime - prosecution guidance
- Introduction
- Cyber-Dependent Crimes
- Cyber-Enabled Crimes
- Economic Related Cybercrime
- Intellectual Property Crime (Piracy, Counterfeiting and Forgery)
- Online Marketplaces for Illegal Items
- Malicious and Offensive Communications
- Offences that specifically target Individuals (including Cyber-Enabled VAWG)
- Child Sexual Offences and Indecent Images of Children
- Extreme Pornography and Obscene Publications
- Casework Handling
- Annex A: Cybercrime types and related Cyber-Dependent Offences
- Annex B: Cybercrime types and related Cyber- Enabled Offences
- Annex C: Abbreviations and Glossary
Introduction
This guidance provides a summary of the main types of cybercrime offending and highlights where further guidance is available. This guidance explains:
- The definition of cybercrime
- Cyber-dependent crimes and the legislation which should be considered when reviewing and charging a cyber-dependent case;
- Cyber-enabled crimes and the legislation which should be considered when reviewing and charging a cyber-enabled case, and
- Practical and operational points to consider when prosecuting a cybercrime case.
Definitions
Cybercrime is an umbrella term used to describe two closely linked, but distinct ranges of criminal activity. The Government's National Cyber Security Strategy defines these as:
- Cyber-dependent crimes - crimes that can be committed only through the use of Information and Communications Technology (‘ICT’) devices, where the devices are both the tool for committing the crime, and the target of the crime (e.g. developing and propagating malware for financial gain, hacking to steal, damage, distort or destroy data and/or network or activity).
- Cyber-enabled crimes - traditional crimes which can be increased in scale or reach by the use of computers, computer networks or other forms of ICT (such as cyber-enabled fraud and data theft).
Cyber-Dependent Crimes
Cyber-dependent crimes fall broadly into two main categories:
- Illicit intrusions into computer networks, such as hacking; and
- the disruption or downgrading of computer functionality and network space, such as malware and Denial of Service (DOS) or Distributed Denial of Service (DDOS) attacks.
Cyber-dependent crimes are committed for many different reasons by individuals, groups and even sovereign states. For example:
- Highly skilled individuals or groups who can code and disseminate software to attack computer networks and systems, either to commit crime or facilitate others to do so;
- Individuals or groups with high skill levels but low criminal intent, for example protest hacktivists;
- Individuals or groups with low skill levels but the ability to use cyber tools developed by others;
- Organised criminal groups;
- Cyber-terrorists who intend to cause maximum disruption and impact;
- Other states and state sponsored groups launching cyber-attacks with the aim of collecting information on or compromising UK government, defence, economic and industrial assets; and
- Insiders or employees with privileged access to computers and networks.
The majority of cyber criminals have relatively low skills levels, but their attacks are increasingly enabled by the growing online criminal marketplace, which provides easy access to sophisticated and bespoke tools and expertise, allowing these less skilled cybercriminals to exploit a wide range of vulnerabilities.
Hacking
Hacking is a form of intrusion targeted at computers, including mobile phones and personal tablet devices. It is the unauthorised use of, or access into, computers or networks by exploiting identified security vulnerabilities. Hacking can be used to:
- gather personal data or information of use to criminals;
- deface websites; or
- launch DoS or DDoS attacks.
Cybercriminals may use a number of methods to hack into a computer system or network. In many cases, the offender may be motivated by personal profit or financial gain. Consideration should be given to the impacts associated with the primary offending behaviour as well as any subsequent offending. For larger organisations, the financial losses may be very significant, or may have severe impacts on infrastructure, which also need to be taken into account.
Disruption of Computer Functionality
Malware (malicious software) spreads between computers and interferes with computer operations. Malware may be destructive, for example, deleting files or causing system crashes, but may also be used to steal personal data. Prosecutors need to be aware that some programmes have a dual use. They have a legitimate function but can also be used for criminal purposes. Types of malware include:
- Viruses are one of the most well-known types of malware. They can cause mild computer dysfunction, but can also have more severe effects in terms of damaging or deleting hardware, software or file They are self-replicating programs, which spread within and between computers. They require a host (such as a file) in a computer to act as a carrier, but they cannot infect a computer without human action to run or open the infected file.
- Worms are also self-replicating programs, but they can spread autonomously, within and between computers, without requiring a host or any human action. The impact of worms can therefore be more severe than viruses, causing destruction across whole networks. Worms can also be used to drop Trojans onto the network system.
- Trojans are malicious computer programs that present themselves as useful, routine, or interesting in order to persuade a victim to install it. This malware can perform functions, such as stealing data, without the user's knowledge and may trick users by undertaking a routine task while actually undertaking hidden, unauthorised action.
- Spyware is software that invades users' privacy by gathering sensitive or personal information from infected systems and monitoring the websites visited. This information may then be transmitted to third partie Spyware can sometimes be hidden within adware (free and sometimes unwanted software that requires you to watch advertisements in order to use it). One example of spyware is key-logging software which captures and forwards keystrokes made on a computer, enabling collection of sensitive data such as passwords or bank account details.
- Ransomware is software that can hold your data hostage, for example, a trojan may copy the contents of the ‘My Documents’ folder into a password- protected file and delete the original file. It will then send a message demanding payment in exchange for access to the folder.
Malware may be distributed by spam - unsolicited or junk email that is not targeted but typically sent in bulk to millions of recipients around the world.
A botnet is a term for a number of internet-connected computers under the control of a botnet controller. Usually the computers that make up a botnet have been infected with code that enables the botnet controller to undertake illegal activity through multiple devices.
A DoS attack is an attempt to make a machine or network resource unavailable to its intended users, to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
DDoS is where the attack source is more than one, and often thousands of, unique IP addresses. A common method is to flood an internet server with so many requests that they are unable to respond quickly enough. This can overload servers causing them to freeze or crash, making websites and web-based services unavailable to users.
Relevant Offences and Legislation
Computer Misuse Act 1990 (‘CMA1990’) is the main UK legislation relating to offences or attacks against computer systems such as hacking or denial of service.
The CMA 1990 deliberately does not define what is meant by a 'computer', to allow for technological development. In DPP v McKeown and, DPP v Jones [1997] 2 Cr App R 155 HL, Lord Hoffman defined computer as 'a device for storing, processing and retrieving information'; this means that a mobile smartphone or personal tablet device could also be defined as a computer in the same way as a traditional 'desk-top' computer or 'PC'.
There is jurisdiction to prosecute all CMA 1990 offences if there is "at least one significant link with the domestic jurisdiction" (England and Wales) in the circumstances of the case.
Offences under the CMA 1990:
- Section 1 CMA 1990 – causing a computer to perform a function with intent to secure unauthorised access to computer material. This offence involves 'access without right' and is often the precursor to more serious offending. There has to be knowledge on the part of the offender that the access is unauthorised; mere recklessness is not sufficient. There also must have been an intention to access a program or data held in a computer. Note the offence is committed irrespective of whether access is obtained.
- Section 2 CMA 1990 - unauthorised access with intent to commit or facilitate commission of further offence
- Section 3 CMA 1990 - unauthorised acts with intent to impair the operation of a computer. The offence is committed if the person behaves recklessly as to whether the act will impair, prevent access to or hinder the operations of a computer. Section 3 should be considered in cases involving DDoS.
- Section 3ZA - unauthorised acts causing, or creating risk of, serious damage, for example, to human welfare, the environment, economy or national security. This section is aimed at those who seek to attack the critical national infrastructure.
- Section 3A CMA 1990 - making, supplying or obtaining articles for use in offences contrary to sections 1,3 or 3ZA CMA 1990. Section 3A CMA 1990 deals with those who make or supply malware.
There is jurisdiction to prosecute all CMA 1990 offences if there is "at least one significant link with the domestic jurisdiction" (England and Wales) in the circumstances of the case. Further guidance can be found in the prosecution guidance on the Computer Misuse Act 1990.
Under section 3(1) of the Investigatory Powers Act 2016 (‘IPA 2016’), which came into force on 27 June 2018, it is an offence to intentionally intercept a communication (in the UK and without lawful authority) in the course of its transmission by means of a public or private telecommunication system or a public postal service. Such offences are triable either way and any prosecution requires the DPP's consent.
A similar offence, now omitted under Schedule 10, paragraph 45 of the IPA 2016, existed under section 1 of the Regulation of Investigatory Powers Act 2000 (‘RIPA’) and continues to apply to offences committed before 27 June 2018.
Offences under sections 170 to 173 of the Data Protection Act 2018 (‘DPA 2018’) may be committed alongside cyber-dependant crimes. These include:
- Knowingly or recklessly obtaining or disclosing personal data without the consent;
- Procuring the disclosure of any personal data to another person without consent or after retaining personal data without the consent of that person
- Selling personal data disclosed or retained without consent.
Further guidance can be found in the prosecution guidance on the DPA.
Cyber-Enabled Crimes
These are crimes which do not depend on computers or networks but have been transformed in scale or form by the use of the internet and communications technology. They fall into the following categories:
- Economic related cybercrime, including:
- Fraud
- Intellectual property crime - piracy, counterfeiting and forgery
- Online marketplaces for illegal items
- Malicious and offensive communications, including:
- Communications sent via social media or other electronic means
- Cyber bullying/trolling
- Virtual mobbing
- Offences that specifically target individuals, including cyber-enabled violence against women and girls (‘VAWG’):
- Disclosing private sexual images without consent
- Cyber stalking and harassment
- Coercion and control
- Child sexual offences and indecent images of children, including:
- Child sexual abuse
- Online grooming
- Prohibited and indecent images of children
- Extreme pornography, obscene publications and prohibited images
Economic Related Cybercrime
Economic related cybercrimes include unauthorised access, sabotage or use of computer systems with the intention to cause financial gain to the perpetrator or financial loss to the victim. It may involve computer fraud or forgery, hacking to steal personal or valuable data for commercial gain or the distribution of viruses.
Victims may not report these crimes if, for example, they feel that the issue is trivial or do not actually recognise that what has happened to them is in fact a crime. Additionally, where individuals have had their bank account details accessed or hacked, either the bank or the individual or both may not report the crime if the individual is reimbursed by their bank. Similarly, some businesses may not report for the same reasons, or for fear of reputational damage, or may choose to deal with such issues internally.
Fraud
Cyber-enabled fraud is possibly the most common of all cybercrime offences. The internet allows offenders to hide their identities behind websites and email addresses, providing a forum in which they never have to meet a victim in person to commit the crime. Some offenders may also be part of a wider criminal gang who may also never meet each other, with members based anywhere in the world.
Online fraud can be committed in a number of ways. For example:
- Electronic financial frauds, for example, online banking frauds and internet enabled card-not-present (CNP) fraud. Internet-enabled CNP fraud involves transactions conducted remotely, over the internet, where neither cardholder nor card is present. Related to this are e-commerce frauds, which refer more generally to fraudulent financial transactions related to retail sales carried out online. Both businesses and customers may be victims.
- Fraudulent sales through online auction or retail sites or through fake websites, which may offer goods or services that are not provided. Alternatively buyers may be led to purchase a counterfeit product (when led to believe it was an original). This may also include other retail misrepresentations, such as online ticketing fraud
- Mass-marketing frauds and consumer scams, including but not limited to:
- Phishing: these scams are a particular kind of mass-marketing fraud - they refer specifically to the use of fraudulent emails disguised as legitimate emails that ask or fish for personal or corporate information from users, for example, passwords or bank account details. Phishing attempts can be sent out en masse to a range of potential targets;
- Pharming, which occurs when a user is directed to a fake website, sometimes from phishing emails, to input their personal details; and
- Online romance (or social networking/dating website) frauds. Individuals may be contacted via social networking or dating sites and persuaded to part with personal information or money following a lengthy online relationship.
Cyber criminals may seek to obtain personal and financial data for fraudulent purposes. Valuable forms of data may include:
- personal information (names, bank details, and National Insurance numbers);
- company accounts;
- client databases; and
- intellectual property (for example, new company products or innovations).
Action Fraud is the UK's national reporting centre for fraud and cybercrime and more details about specific types of cyber fraud is available from Action Fraud.
Relevant Offences and Legislation
Offences under the Fraud Act 2006 are applicable to a wide range of cyber-frauds by focussing on the underlying dishonesty and deception. The nature of the offending will dictate the appropriate charges, and prosecutors may also consider offences under the Theft Act 1968, Theft Act 1978, CMA 1990, Forgery and Counterfeiting Act 1981, and Proceeds of Crime Act 2002 (‘POCA 2002’).
Note that if an offender accesses data, reads it and then uses the information for his/her own purposes, then this is not an offence contrary to the Theft Act. Confidential information per se does not come within the definition of property in section 4 of the Theft Act 1968 and cannot be stolen (Oxford v Moss 68 Cr App R183 DC). It is likely however that this would constitute an offence under section 1(1) CMA 1990. Also, if it was done with the intent to commit or facilitate the commission of further offences, it would constitute an offence contrary to section 2(1) CMA1990.
Where there are a number of suspects allegedly involved in an online fraud, a statutory conspiracy under section 1 of the Criminal Law Act 1977, or common law conspiracy to defraud may be appropriate. Prosecutors should consider the Attorney General's Guidelines on the Use of the common law offence of Conspiracy to Defraud before making a charging decision. Where several people have the same access to a computer, one way to seek to prove the involvement of suspects will be to follow the payment trail as payments will often be required to be sent to a designated account, and may be attributed to an individual.
The acts of setting up a false social networking accounts or aliases could also amount to criminal offences under the Fraud Act 2006 if there was a financial gain, as under section 8 possession or making or supplying articles for use in frauds includes any program or data held in electronic form. For further guidance see the prosecution guidance on the Fraud Act 2006.
Intellectual Property Crime (Piracy, Counterfeiting and Forgery)
Intellectual property is defined as a right by an owner, of a copyright, design, patent or trademark. Intellectual property crime can cover a wide range of activities, such as the unauthorised use of another's intellectual property, through the manufacture, use, sale/import of the property without prior permission.
Most intellectual property crime falls under the umbrella of counterfeiting goods, where trademarks are wilfully infringed (see below) and breaches of copyrights, which are usually termed as piracy, and the development of technology to enable such offences to be committed.
Piracy is the unauthorised copying of an original recording for profit. Pirated products will often have different packaging to the genuine product and may often take the form of newly created compilations.
The internet may be used to distribute, share or make available pirated music, films, games or other items in the following ways:
- Use of legitimate file sharing technologies to share copies of music and films e without permission of the intellectual property right holder;
- Posting protected content on a webpage without permission, for example, uploading a copy of a new cinema release;
- Streaming live sports matches, or concerts, out to audiences directly over the internet, without permission; and
- Putting protected content, like a video game, into a cyber- locker, or online storage system, and providing the details on how to access the content on the internet, or a specific group of people.
Counterfeiting is when money or currency is forged but may also relate to goods if they are not manufactured or produced by the designated manufacturer or producer given on the label or flagged by the trademark symbol. The internet may be used as a way of counterfeiting goods, and physical copies of pirated media through:
- offering items, either billed as genuine, or clearly fake, for sale through online shops and auction sites, or on social networking sites;
- Setting up and running sophisticated websites, for example which purport to be genuine retail outlets; and
- Using easily available technology to set up websites offering fake goods, either billed as genuine, or clearly fake.
Forgery involves making a false object or document with the intention to induce somebody to accept it as genuine and thereby act to his own or another's prejudice. Computers (including computer files), mobile phones, social networking and internet sites can all be used in the creation and transmission of forged or falsified instruments or documents. Moreover, the documents or instruments created can also be used for further offending.
Relevant Offences and Legislation
Cyber piracy of music/films/e-books and other items is copyright infringement and is an offence under the Copyright Designs and Patents Act 1988. Counterfeiting goods is a trade mark infringement and is an offence under the Trade Marks Act 1994.
Consideration should also be given to the Counterfeiting and Forgery Act 1981, Video Recordings Act 2010, the Registered Designs Act 1949.
As well the predicate intellectual property offences governed by the relevant legislation, general statutory offences under the Fraud Act 2006 and money laundering offences under Part 7 of POCA 2002 should also be considered.
For instance, if an individual offers a fake item for sale online, which they falsely represent to be a genuine article, prosecution under the Forgery and Counterfeiting Act 1981 should be considered, alongside offences under the Fraud Act 2006 and POCA 2002.
In instances where an individual offers fake identity documents online, prosecution should also be considered under the Identity Documents Act 2010, where the document is one prescribed under section 7.
For further guidance see the prosecution guidance Intellectual Property Crime and Forgery and Counterfeiting.
Online Marketplaces for Illegal Items
Online marketplaces are used by criminals to not just to trade cyber skills, tools and techniques, but to trade and sell other illegal items, such as stolen credit card details, drugs and firearms. These marketplaces are often 'hidden' online, and facilitated by individuals coordinating the trading of these goods.
Where more than one individual is collectively running such a website, a charge of conspiracy against those doing so, under section 1(1) of the Criminal Law Act 1977, may be considered.
However, when considering a case involving the trading of illegal goods online, it is advisable to consider charges against individuals 'selling', or facilitating the selling of objects online, as distinct from those who are 'buying'. Each case must be considered on its merits, but in many instances, there may not be sufficient evidence to demonstrate a large conspiracy between multiple users of one marketplace, where a number of seemingly distinct transactions have been made.
If an individual is selling or facilitating the trading of illegal goods online, consideration should be given to charges of encouraging or assisting an offence, under section 46 of the Serious Crime Act 2007. It can be charged where the defendant does an act capable of encouraging or assisting the commission of one or more of a number of offences, believing one or more will be committed.
Where individuals are suspected of purchasing illegal goods online, consideration should be given to charges of attempting to commit an offence, such as one under the Fraud Act 2006, Misuse of Drugs Act 1971, or Firearms Act 1968, where it can be proved the suspect has gone beyond the preparatory stage of doing so. A charge of conspiracy under section 1(1) of the Criminal Law Act 1977, or the common law offence of conspiracy to defraud, may also be appropriate.
For further guidance, see the prosecution guidance on Inchoate Offences.
Dark Web
The dark web comprises of internet sites and content that are, intentionally hidden and inaccessible through standard web browsers. The dark web is used to facilitate criminal activity across a wide range of threats and can be used by criminals to create so-called “safe spaces” for conspiring to commit offences, such as child sexual exploitation or the sale and purchase of illegal items (such as drugs or firearms).
Malicious and Offensive Communications
Every day millions of communications are sent via the internet and online platforms such as social media and photo sharing sites. Some individuals use these online forums to send abusive, threatening, indecent, offensive and false messages that could be capable of committing a criminal offence.
Electronic Communications
When considering whether an offence might be committed by electronic communication, including via social media, prosecutors should make an initial assessment of the content of the communications and the conduct in question to distinguish between those which:
- are a credible threat (violence to the person or damage to property);
- specifically target an individual or individuals and which may constitute harassment or stalking, controlling or coercive behaviour, disclosing private sexual images without consent, an offence under the Sexual Offences Act 2003, blackmail or another offence;
- are breaches of court orders or a statutory provision; and
- are grossly offensive, indecent, obscene or false.
Relevant Offences and Legislation
Before the commencement on 30 January 2024 of the communications offences in Part 10 of the Online Safety Act 2023 (‘OSA 2023’), specific communications offences available to prosecutors were
- the summary offences under section 127 of the Communications Act 2003(‘CA 2003’)
- the either-way offences under section 1 of the Malicious Communications Act 1988 (‘MCA 198’) [which became either-way offences from 13 April 2015, under section 2 Criminal Justice and Courts Act 2015]; and
- the either-way offence of ‘revenge pornography’ under section 33 of the Criminal Justice and Courts Act 2015 (‘CJA 2015’)
For communications offences committed prior to 30 January 2024, the offences in section 127 CA 2003 (subject to the extended summary time limit in section 127(5) CA 2003), and section 1 MCA 1988 continue to remain available.
For communications offences committed on or after 30 January 2024, the OSA 2023 has repealed:
- The either-way offence of sending a threatening communication under section 1(1)(a)(ii) MCA 1988;
- The offences of sending false messages under section 127 of the Communications Act 2003 and s.1 of the Malicious Communications Act 1988; and
- The either-way offence of Revenge Pornography under s.33 of the Criminal Justice and Courts Act 2015.
Part 10 of the OSA 2023, in force from 30 January 2024, has introduced a series of new communications offences, including:
- A false communications offence under Section 179 OSA 2023
- A threatening communications offence under Section 181 OSA 2023
- An offence of sending/showing flashing images electronically (also known as epilepsy trolling) under Section 183 OSA 2023
- An offence of sending photographs or film of genitals (also known as cyber-flashing) under a newSection 66A of the Sexual Offences Act 2003 [as inserted by Section 187 OSA 2023]
- An offence of encouraging or assisting serious self-harm, under Section 184 OSA 2023
- Offences of sharing or threatening to share intimate photographs or film, under a new Section 66B(1)-(4) and Section 66C of the Sexual Offences Act 2003 [as inserted by Section 188 OSA 2023]
Prosecutors should be careful to apply the provisions which were in force at the date an offence was committed.
Cyber-Bullying/Trolling
Cyber bullying is bullying that takes place using communications technology, such as social media, but also text messages, apps, chats, emails and other forms of communication. Depending on the nature of the bullying, it may also constitute criminal activity and prosecutors should apply the principles outlined in the prosecution guidance on communications Offences when considering allegations of this nature. For example, cyber bullying might involve harassment, threatening behaviour, sending false information about someone, impersonation, cyber stalking or grossly offensive messages.
It is important to remember that evidence of bullying online may be indicative of bullying and possible further offences offline too.
Virtual Mobbing
Virtual mobbing occurs when a number of individuals use social media or messaging to make comments about another individual, usually because they are opposed to that person's opinions. As above, the principles outlined in the prosecution guidance on communications sent by social media should be applied. In cases where certain individuals encourage others to send such messages, prosecutors should consider offences of encouraging or assisting crime under sections 44-46 under the Serious Crime Act 2007.
False accounts
Setting up a false social networking accounts or aliases could amount to criminal offences under the Fraud Act 2006 if there was a financial gain. Under section 8 possession or making or supplying articles for use in frauds includes any program or data held in electronic form. Some social networking sites may disable false accounts when they became aware of them.
Offences that specifically target Individuals (including Cyber-Enabled VAWG)
Developments in technology have also created a new landscape for controlling, sexually-motivated or other forms of interpersonal relationship offending. Disclosing private sexual images without consent, cyber stalking and harassment, and coercive and controlling behaviour crimes are predominately but not exclusively perpetrated against women and girls, with online activity being used to humiliate, control and threaten as well plan and orchestrate acts of violence.
Such crimes are often part of a wider pattern of behaviour and incidents should be viewed within this wider context which can encapsulate both online and offline activity, including physical abuse. All VAWG related charging decisions should consider the context of the crime including the potential use of social media to exert power and control. For example, in cases of 'honour' based violence and forced marriage, threats to post personal information on social media can be used to bring shame on victims in order to silence and coerce.
Offences under the CMA 1990, such as unauthorised access to computer material with the intent to commit further offences or to impair the operation of a computer, are also often part of a wider pattern of coercive and controlling offending or stalking and harassment. For example, a stalking victim may have their bank or social media accounts compromised or private intimate photographs copied from their computer hard drive, leading to a range of harm from theft and defamation to a physical attack.
As with online romance fraud, offenders may use online dating sites or social media to facilitate offending under the Sexual Offences Act 2003, by arranging to meet a victim with a view to committing rape or other sexual offences. See the prosecution guidance on Rape and Sexual Offences for further information.
Disclosing private sexual images without consent ('revenge pornography')
Having been repealed by the OSA 2023, the offence under section 33 CJCA 2015 remains available for offences committed on or after 13 April 2015 and prior to the date of commencement of Part 10 OSA 2023 on 30 January 2024. Initially limited to offences of ‘disclosing’, the offence was extended from 29 June 2021 to include ‘threatening’ to disclose private photos/film.
Section 33 of the Criminal Justice and Courts Act 2015 provides for an offence of disclosing (or threatening to disclose) private sexual photographs or films without the consent of an individual who appears in them and with intent to cause that individual distress.
The legislation specifies the offence as "photographs or films which show a person engaged in sexual activity or depicted in a sexual way where part or all of their genitals or pubic area is exposed, and where what is shown would not usually be seen in public".
The offence is known colloquially as "revenge pornography", which is a broad term that usually refers to the actions of an ex-partner, who uploads a sexually intimate photograph or a video where a person is engaged in a sexual activity on to the internet, or shares by text or email, with the intent of causing the victim humiliation or embarrassment as revenge for the breakup of their relationship. For further information, see the Communications Offences prosecution guidance.
Cyberstalking and online harassment
Generally, cyberstalking is described as a threatening behaviour or unwanted advances directed at another, using forms of online communications. Cyberstalking and harassment are often combined with other forms of 'traditional' stalking, such as being followed or, receiving unsolicited phone calls or letters, as well as 'traditional' forms of harassment. Examples of cyberstalking may include:
- threatening or obscene emails or text messages;
- spamming (where the offender sends the victim multiple junk emails);
- live chat harassment or flaming (a form of online verbal abuse);
- leaving improper messages on online forums or message boards;
- trolling or cyber bullying;
- sending electronic viruses;
- sending unsolicited email; and
- cyber identity theft.
In such cases the gathering of data from electronic storage devices and social networking sites will be vital for case building. For further guidance, see the prosecution guidance on Stalking and Harassment and Social Media.
Coercion and Control
The Serious Crime Act 2015 introduced a domestic abuse offence to capture coercive and controlling behaviour in intimate and familial relationships. This offence closed a gap in the law around patterns of coercive and controlling behaviour in an on-going relationship between intimate partners or family members. The pattern of behaviour and access to resources that the victim has must be considered when contemplating this offence. The use of the internet, social media, spyware and software to track and monitor the whereabouts of a victim and control their contact with others must be taken into account. For further guidance see the prosecution guidance Controlling or Coercive Behaviour in an Intimate or Family Relationship, Domestic Abuse andStalking and Harassment.
Child Sexual Offences and Indecent Images of Children
The rapid growth of cyberspace has given perpetrators of child sexual abuse, and those who create and disseminate indecent images, a range of new tools to facilitate their offending. These crimes can be perpetrated through various social media, such as chat rooms, social networking sites, gaming devices that connect to the internet, as well as through direct email addresses or mobile numbers belonging to victims.
Child Sexual Abuse
Cyberspace has the potential to allow offenders to target hundreds of children at a time and once initial contact with a child is made, the children may be subjected to threats and intimidation. The online abuse can be an end in itself without any contact offences taking place. However, contact offences may occur through arranging to meet up with the child, or persuading them to engage in sexual activity whilst they are filmed or photographed. Further offending may also occur through the dissemination of these films or photographs.
Offenders for example may use various control elements as a tool to stop a victim reporting the sexual abuse (the control might take the form of threatening to publish photographs or recordings of them, including images of the victim being naked or being abused).
Charges under the Sexual Offences Act 2003, Sexual Offences Act 1956 and Indecency with Children Act 1960 may all be considered. Note that section 69 of the Serious Crime Act 2015 created the offence of possessing a paedophile manual or any item that contains advice or guidance about abusing children sexually. This offence captures material giving advice on how to entrap or groom a child, commit other child abuse offences and escape capture. For further guidance, see the prosecution guidance on Child Sexual Abuse and Rape and Sexual Offences.
Online grooming
Predatory individuals may access internet sites that children and young people visit in order to search for potential victims by location or interest. Children and young people may often reveal personal information online, such as where they live or go to school, or their family name, which is used by groomers to manipulate behaviours and build relationships with their victims. Information may be published through a number of different online platforms which are accessible to others, including social networking sites, multi-player gaming portals and other web-based forums.
Section 36 of the Criminal Justice and Courts Act 2015 amends section 15 of the Sexual Offences Act 2003 (the offence of meeting a child following sexual grooming etc.) so that the number of initial occasions on which the defendant must meet or communicate with the child in question in order to commit the offence is reduced from two to one.
Following any initial communication or meeting, the defendant must intentionally meet, arrange to meet or travel with the intention of meeting the child, or the child must travel with the intention of meeting the defendant; and the defendant must intend to do something to or in respect of the child during or after any meeting which would, if done in England and Wales, amount to an offence under Part 1 of the Sexual Offences Act 2003.
Section 36 came into force on 13 April 2015. The offence can only be committed as amended (i.e. by proof of a single initial communication or meeting) if that communication or meeting took place on or after 13 April 2015.
For further guidance, see the prosecution guidance on Child Sexual Abuse.
Indecent Images of Children (IIOC)
The use of cyberspace and the variety of digital tools available has further facilitated the taking, making, showing and distribution of indecent images of children. Advances in digital programs, technological solutions and enhanced computer graphics have also made it easier to create 'pseudo-photographs' of children.
It is an offence for a person to take, make, distribute or advertise indecent images of children. The main offences for consideration when dealing with this type of offending fall within:
- Section 1 of the Protection of Children Act 1978 (‘PCA’)
- Section 160 of the Criminal Justice Act 1988 (‘CJA’)
These are either way offences, but offences under the PCA are likely to be the appropriate charges in the majority of cases, as the charge of 'making' under section 1(1)(a) has been developed to cover activities such as opening attachments to emails and downloading or simply viewing images on the internet (as a copy of the image will automatically be created on the device in question's hard drive). By contrast, the same conduct often cannot lead to a possession charge contrary section160 of the CJA.
The decision of whether to charge 'making' under section 1(1)(a) of the PCA, or 'possessing' contrary to section 160 of the CJA will often depend how the images came to be located on a device and how accessible they are.
Section 1 of the PCA has a maximum sentence of 10 years' imprisonment. Section 160 of the CJA carries a maximum sentence of 5 years' imprisonment.
For further guidance on this and cases involving non-photographic images, such as computer generated images (CGI's), cartoons, manga images and drawings, see the prosecution guidance on Indecent and Prohibited Images of Children.
Extreme Pornography and Obscene Publications
Whilst the creation of extreme pornography, obscene publications and prohibited images are offences in their own right, cyber-enabled dissemination, usually on a large scale, may also be occurring and should be considered by prosecutors. Dissemination can be via various avenues such as chat rooms, social networking sites, gaming devices that connect to the internet, as well as through a direct email address or mobile number.
Extreme Pornography
When considering what may be classified as extreme pornography, it should be borne in mind that all extreme pornography is obscene as defined by the Obscene Publications Act 1959; however, not all obscene material is extreme.
The offence of possessing extreme pornographic images, under section 63 of the Criminal Justice and Immigration Act 2008, requires the consent of the DPP to institute proceedings and should be sought at the earliest opportunity. Consent cannot be implied by the fact that the CPS is conducting proceedings. For further guidance, see the prosecution guidance on Extreme Pornography.
Obscene Publications
The Obscene Publications Act 1959 (‘OPA’) was amended to deal with electrically stored data or the transmission of that data. Transmitting comments to another person in the context of an internet relay chat is publication, even if there is just one recipient and one likely reader of the article. If the publication is obscene, prosecution under the OPA can be considered. For further guidance, prosecutors should refer to the prosecution guidance Obscene Publications.
Casework Handling
Digital Evidence Gathering
Computer systems and their components can provide valuable evidence. The hardware and software together with items stored on the computer itself, such as documents, photos, image files, photographs, emails and attachments, databases, financial information, internet browsing history, chat logs, event logs etc. can all be used as potential sources of evidence.
Games consoles connected to the internet may also provide a source of electronic evidence. Some devices will contain on-board or removable flash storage which allows the user to not only play games, but to also visit websites and store videos, photos, messages etc.
Many mobile phones have multimedia functionality, allowing internet access and access to email, in addition to sending text messages and photographs. Different phones will have varying capabilities and often require specialist equipment to capture the information effectively whilst retaining the integrity of the evidence. Portable media players (such as tablets or music players) may also be used to store and play digital media.
Digital evidence and communications data can also be obtained directly from Communication Service Providers (‘CSPs’) as well as from computers and digital storage devices. Investigators have the power to serve orders on CSPs that oblige them to disclose communications data. Many CSPs are based in the US and may be obtained through Mutual Legal Assistance (‘MLA’, see below).
Verifying the origin and use of some digital evidence can be challenging as it may have been created using complex codes and data, but this should not be seen as a barrier to presenting digital evidence in court. It is important to stress that digital evidence is no different to other evidence, however it is worth noting that:
- digital evidence can be easily altered by a user and may sometimes be hard to detect;
- some digital evidence may need to be interpreted by a specialist;
- some evidence may be altered or destroyed through normal use (for example, saving a document alters its properties); and
- the nature and source of digital evidence is constantly evolving as the technology advance
It is important that evidence is handled in an appropriate way from the moment it is identified.
See also to the ACPO (now NPCC) Good Practice Guide for Computer-Based Electronic Evidence.
When presenting communications data in court, careful consideration must be given to the way in which it will be presented to the jury and make it as simple to understand as possible.
Disclosure Management
A complex cybercrime case is likely to have voluminous electronic data, including communications data and other computer downloads, GPS data, memory or cloud storage, banking evidence and digital tachographs. The disclosure of unused electronic data must be carried out in accordance with the Criminal Procedure and Investigations Act 1996 (CPIA). The normal rules of disclosure apply to material in electronic form and prosecutors are responsible for serving evidence as is appropriate to prove the case for the prosecution, in accordance with the Criminal Procedure Rules. Bulk electronic material should not be served wholesale without consideration of this overriding principle.
For further information, see guidance on Disclosure - Guidelines on Communications Evidence and Disclosure - A guide to "reasonable lines of enquiry" and communications evidence.
Jurisdiction
Where jurisdiction is challenged, the courts look at where the site is hosted, its intended audience, the material posted, the nationality of the webmaster and where the information was created and downloaded, applying the 'substantial measure' principle set out in R v Smith (Wallace Duncan) (no.4) (2004) 2 Cr App R 17, which states:
"The English Courts … seek … to apply the English criminal law where a substantial measure of the activities constituting the crime take place in England, and restricts its application in such circumstances solely to cases where it can seriously be argued on a reasonable view that these activities should on the basis of international comity not be dealt with by another country."
R v Sheppard and Whittle (2010) EWCA Crim 65, Sheppard posted racially inflammatory material to a website, registered in his name and operated by him, but based in California. Once the material reached the server in California, it was posted online and made available on the internet to all those visiting the website, including people in the jurisdiction of England and Wales. The court came to the conclusion that jurisdiction was governed by the substantial measure principle enunciated by the court in R v Smith (supra). Everything in the case related to England and Wales except for the server being in California.
International Enquiries
MLA is a method of cooperation between states for obtaining assistance in the investigation or prosecution of criminal offences. MLA is generally used for obtaining material that cannot be obtained on a police cooperation basis, particularly enquiries that require coercive means. Requests are made by a formal international Letter of Request (LOR), usually on the basis of a bilateral treaty or multilateral convention. In cases where the requirement of information may be for only traffic or communications data (rather than content), then an LOR is unlikely to be required; some information could be sought directly from the CSP. For further guidance, see the prosecution guidance on International Enquiries.
Note that when the relevant provisions are commenced, the Crime (Overseas Production Order) Act 2019 will provide an alternative approach to obtaining material from CSPs overseas.
Joint Investigation Teams
Complex cybercrime investigations often span several jurisdictions. Investigators and prosecutors need to be able to co-ordinate their approach and respond quickly to developments and opportunities to disrupt or prevent illegal activity, obtain evidence and make arrests. Consideration should be given as to whether a Joint Investigation Team (‘JIT’) is appropriate.
A JIT is a team set up between two or more countries, under judicial supervision, for the purpose of investigating specific serious cross-border crime and with a limited duration. The legal basis of a JIT is under Article 13 of the EU Convention on Mutual Legal Assistance in Criminal Matters 2000, Article 20 of the Second Additional Protocol to Council of Europe Convention on Mutual Assistance in Criminal Matters 1959, the UN Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances 1988, UN Convention against Transnational Organised Crime 2000, or the UN Convention against Corruption 2003.
There are a number of advantages in considering a JIT for a complex case. For example, it allows JIT members to:
- share information directly / request investigative measures without the need for MLA;
- be present at house searches, interviews, etc;
- co-ordinate efforts on the spot;
- informally exchange specialised knowledge;
- build mutual trust between practitioners from different jurisdictions working together and deciding on investigative and prosecution strategies; and
- enable Eurojust and Europol to be involved with direct support and assistance.
Eurojust can assist when considering the creation of a JIT, or when dealing with jurisdictional and logistical issues where offending occurs in more than one country. It provides a neutral venue for meetings where prosecutors and investigators from two or more Member States can review such cases and agree future actions. Early consultation with the UK desk at Eurojust when dealing with transnational crime is recommended, particularly if the offending occurs in three or more EU Member States.
The aim of a JIT is to encourage and modernise co-operation between judicial and law enforcement agencies in EU Member States.
Further assistance
The Global Prosecutors E-Crime Network (‘GPEN’) was launched in 2008 with the aim of assisting countries to establish a safe and secure online environment, by ensuring prosecutors have the tools to deal effectively with cybercrime. Under the umbrella of the International Association of Prosecutors (‘IAP’) each organisational member nominates at least one prosecutor to be registered as the GPEN national contact point. The GPEN network provides a:
- database of nominated e-crime prosecutors from around the world;
- forum for the exchange of expertise, queries and advice;
- collection of e-crime prosecution resource material, for example; national legislation and prosecution guidance;
- virtual Global E-Crime Prosecutors' College, a database of e-crime training courses and presentations; and
- global community of e-crime prosecutors sharing expertise and experience.
GPEN was the initiative of the CPS and since its inception the CPS has promoted GPEN both nationally and internationally, has contributed training material to the GPEN library and has assisted in capacity building in a number of countries. To access GPEN please contact IJOCD Policy.
Annex A: Cybercrime types and related Cyber-Dependent Offences
| Hacking | |
|---|---|
| Offences | Guidance |
|
|
| Manufacture and/or distribution of virus software, Trojans, malware and Worms | |
|---|---|
| Offences | Guidance |
|
|
| Manufacture and use of Spyware | |
|---|---|
| Offences | Guidance |
|
|
Annex B: Cybercrime types and related Cyber-Enabled Offences
| Fraudulent sales through online auction/retail sites; Scams and mass-marketing frauds; Phishing scams | |
|---|---|
| Offences | Guidance |
|
|
| Online Romances / Persuasive Tactics with Intent to Deceive / Defraud | |
|---|---|
| Offences | Guidance |
|
|
| Intellectual Property | |
|---|---|
| Offences | Guidance |
|
|
| Forgery and Counterfeiting | |
|---|---|
| Offences | Guidance |
|
|
| Selling Illegal Goods Online | |
|---|---|
| Offences | Guidance |
|
|
| Purchasing Illegal Goods Online | |
|---|---|
| Offences | Guidance |
|
|
| Malicious Communications | |
|---|---|
| Offences | Guidance |
|
|
| Cyber Bullying/Trolling | |
|---|---|
| Offences | Guidance |
|
|
| Disclosing Private Sexual Images without Consent | |
|---|---|
| Offences | Guidance |
|
|
| Cyber-Stalking and Online Harassment | |
|---|---|
| Offences | Guidance |
|
|
| Coercion and Control | |
|---|---|
| Offences | Guidance |
|
|
| Child Sexual Offences and Indecent Images of Children (IIOC) | |
|---|---|
| Offences | Guidance |
|
|
| Prohibited and Indecent Images of Children; Sexual Offences | |
|---|---|
| Offences | Guidance |
|
|
| Extreme Pornography | |
|---|---|
| Offences | Guidance |
|
|
| Obscene Pornography | |
|---|---|
| Offences | Guidance |
|
|
Annex C: Abbreviations and Glossary
Address
The term address is used in several ways:
- An Internet address or IP address is a unique computer (host) location on the Internet
- A web page address is expressed as the defining directory path to the file on a particular server.
- A web page address is also called a Uniform Resource Locator, or UR
- An e-mail address is the location of an e-mail user (expressed by the user's e- mail name followed by an "at" sign (@) followed by the user's server domain name
Archive file
A file that contains other files (usually compressed files). It is used to store files that are not used often or files that may be downloaded from a file library by Internet users
BIOS
Basic input output system. A programme stored on the motherboard that controls interaction between the various components of the computer.
Botnet
Computers can be unknowingly co-opted to be part of a network used by controller to undertake illegal activity (such as being used in a Distributed Denial of Service attack). Such computers are known as botnets.
Byte
In most computer systems, a byte is a unit of data generally consisting of 8 bits. A byte can represent a single character, such as a letter, a digit, or a punctuation mark.
Cache
A place to store something more or less temporarily. Web pages browsed to are stored in a browser's cache directory on a hard disk. When returning to a page recently browsed to, the browser can get it from the cache rather than the original server, saving time and the network the burden of some additional traffic. Two common types of cache are cache memory and a disk cache.
Cloud
A network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.
Coding
Coding is used to write computer programmes or software. Highly-skilled coders are able to write sophisticated programmes (using 'scripts') to facilitate unauthorised access to networks or data.
Communication
This includes anything comprising speech, music, sounds, visual images or data of any description in relation to a telecommunications operator, telecommunications service or telecommunications system.
Communications data
The 'who', 'when' and 'where' of communication, but not the 'what' (i.e. the content). For example, internet connection records (ICR) can tell the authorities which websites and applications a user has visited, but not what specific pages on those websites they viewed or what information they exchanged with the app. See also “entity data” and “event data”.
Content of a communication
Any meaning arising from the fact of the communication or any data relating to the transmission of the communication.
CSP
Communications Service Provider. A CSP is a company which provides a particular communication service. Examples would be Vodafone, BT, Apple, Google or WhatsApp. Many are based overseas rather than in the UK.
Computer
Defined as 'a device for storing, processing and retrieving information' In DPP v McKeown and DPP v Jones [1997] 2Cr App R 155 HL. This means the term encompasses mobile smartphones, personal tablet devices and games consoles as well traditional 'desk-top' computer or laptops.
Computer Network
A computer network is where a number of different computers are connected. These can vary in size from either a small local network - where a number of computers are joined together, such as in a workplace - to the internet which is essentially a connection of billions of computers.
CPU (Central Processing Unit)
The most powerful chip in the computer. Located inside a computer, it is the "brain" that performs all arithmetic, logic and control functions.
Data
Digital material which may be stored on physical devices or in the 'cloud'. Data can include personal or sensitive information which may be exploited by criminals if obtained by them.
Database
Structured collection of data that is organised so that it can easily be accessed, managed, and update e.g. database of addresses.
Deleted files
A subject may delete files in an effort to eliminate evidence but depending on how the files are deleted, in many instances a forensic examiner is able to recover all or part of the original data.
Denial of Service (DoS)
An attack to make a machine or network resource unavailable to its intended users, to temporarily or indefinitely interrupt or suspend services offered by a website. DoS attacks can be undertaken for criminal, political/protest or other purposes.
Distributed Denial of Service (DDoS)
Similar to DoS attacks but effected by using multiple devices (often thousands) to bombard a website with requests, causing it to cease effective functioning. Like a DoS, this tactic may be employed for criminal, protest/political or other purposes.
Entity data
Any data which is about an entity, an association between a telecommunications serve or an association between any part of a telecommunication system that consists of or includes, data which identifies or describes the entity and is not events data. See also “Communications Data” above.
Events data
Any data which identifies or describes an event by means of a telecommunication system where the event consists of one or more entities engaging in a specific activity at a specific time. See also “Communications Data” above.
e-commerce fraud
Fraudulent financial transactions related to retail sales carried out online. This may include fraudulent card-not-present (CNP) transactions, which take place over the internet when both cardholder and card are based remotely.
Encryption
The process of scrambling, or encoding, information in an effort to guarantee that only the intended recipient can read the information.
Flaming
Online verbal abuse, similar to trolling.
Gigabyte
A gigabyte is a measure of memory capacity and is roughly one thousand megabytes or a billion bytes.
GPEN
The Global Prosecutors E-Crime Network is a global community of cybercrime prosecutors and a forum for sharing expertise and experience.
Hacking
A loosely-defined term which refers to the unauthorised access to a device or computer network. This can either be through the use of illegally-obtained passwords or more sophisticated technical know-how to bypass security systems. Hacking can be used to gather personal data or information, or disrupt computer networks.
Hacktivism
When hacking activities are motivated by political rather than criminal causes, for example to raise awareness of a protest movement.
JIT
A Joint Investigative Team is set up between two or more countries, under judicial supervision, for the purpose of investigating specific serious cross-border crime and with a limited duration.
Malware
Malware is malicious software designed to interfere with or destroy computers or data. This includes stealing or destroying personal data. Malware is an umbrella term for viruses, worms, Trojans, spyware and ransomware. Malware may be distributed by spam (unsolicited) mail.
Memory
Often used as a shorter synonym for random access memory (RAM). Memory is the electronic holding place for instructions and data that a computer's microprocessor can reach quickly. RAM is located on one or more microchips installed in a computer.
MLA / LOR
Mutual Legal Assistance and Letters of Request. A method of obtaining material held by Communication Service Providers (CSPs) based overseas.
Online grooming
When children are deliberately targeted and groomed by an individual who intends to abuse them either online or by meeting in person.
Operating system
Software that is usually loaded into the computer memory upon switching the machine on and is a prerequisite for the operation of any other software.
Pharming
Where a user is directed to a fake website, sometimes from phishing emails, to input their personal details into what they think is a legitimate website but is actually fake.
Phishing
Use of fraudulent emails disguised as legitimate communication which ask or 'fish' for personal or corporate information from users, for example, passwords or bank account details.
Pirate software
Software that has been illegally copied.
Port
- An interface on a computer to which you can connect a device. Personal computers have various types of ports, including internal ports for disk drives, display screens and external ports for connecting modems, printers and other peripheral device
- A computer or a program connects to somewhere or something else on the Internet via a por The port number in a URL identifies what type of port it is.
Private Telecommunication System
Any telecommunication system which is not attached, directly or indirectly to a public communication system.
Public Telecommunication System
Any telecommunication service which is offered or provided to the public or a section of the public in any one or more parts in the UK.
Ransomware
Software that can collect personal data, documents or information and demand payment in order to avoid its destruction.
Removable media
Items e.g. floppy disks, CDs, DVDs, cartridges, tape that store data and can be easily removed. Small-sized data storage media which are more commonly found in other digital devices such as cameras, PDA's (Personal Digital Assistants) and music players.
Scripts
Lines of code which amount to programmes or instructions which tell computers what actions to take.
Social media
These are computer-based tools which allow people or companies to create, share or exchange information, ideas, pictures and videos. Facebook and Twitter are both examples of social media.
Software
Programmes which run on computers or other devices. Some malicious software may be specifically designed to attack computer networks and systems.
Spyware
Software that secretly gathers sensitive or personal information from infected systems, including monitoring websites visited. This information may then be transmitted to third parties. One example of spyware is key-logging which captures and forwards keystrokes made on a computer, enabling collection of sensitive data such as passwords or bank account details.
Trojan
Malicious computer programmes that present themselves as useful, routine or interesting in order to persuade a victim to install them. They can then perform functions such as stealing data without the user's knowledge.
Trolling/Cyber bullying
Bullying that takes place using communications technology, such as social media, but which may also involve text messages, apps, chats, emails and other forms of communication. Cyber bullying might involve harassment, threatening behaviour, sending false information about someone, impersonation, cyberstalking or grossly offensive messages.
Virus
Self-replicating programs that spread within, and between, computers. They can cause mild computer dysfunction, but can also have more severe effects in terms of damaging or deleting hardware, software or files.
Virtual mobbing
This occurs when a number of individuals use social media or messaging to make directed comments about another individual, usually because they are opposed to that person's opinions.
Worm
A self-replicating program that can spread autonomously within, and between, computers. The impact of worms can be more severe than viruses, causing destruction across whole networks. Worms can also be used to drop Trojans onto the network system.