This article is more than 1 year old
Average convicted British computer criminal is young, male, not highly skilled, researcher finds
Analysis of Computer Misuse Act cases also draws heavily on El Reg archives
An academic researcher has analysed more than 100 Computer Misuse Act cases to paint a picture of the sort of computer-enabled criminals who not only plagued Great Britain’s digital doings in the 21st Century but were also caught by the plod.
The average Computer Misuse Act convict is likely to be a semi- or low-skilled individual, mostly working alone and more likely than not to have no knowledge of his or her victim, James Crawford of Royal Holloway, University of London, found.
In a “technical report” analysing a decade of publicly reported cases, Crawford looked at the apparent skillsets of crooks snared by the authorities under the Computer Misuse Act (CMA) before examining their motivations and demographics.
“The low skill category is largely made up of ex-IT employees who used their knowledge of the systems that they used to operate in order to damage their previous employers,” noted Crawford, who cited Jet2 miscreant Scott Burns as an example.
IT consultant who deleted every account on UK company Jet2's domain cops 5 months in jailREAD MORE
Indeed, a large number of his paper’s citations linked to The Register’s reporting of CMA cases over the years.
Males made up a whopping 97 per cent of perps in the data Crawford analysed, with just three criminals out of the 100 cases being women. “The average age of those deemed to be hackers in this project is just over 29 years old at the point of conviction. The youngest hacker in the survey was 16 on conviction (14 at the time he committed the crimes). The oldest was 69.”
Nonetheless, the median criminal computer abuser is “young and male, with mental health and development disorders over-represented in their number,” the researcher concluded.
Law not used all that often
Crawford was also less than positive about the use of the CMA as a law enforcement tool, stating: “… it seems safe to conclude that the CMA has seen a total return of eight convictions for hackers who have shown a high level of skill (or at least not substantially more than eight).
"This is not a particularly impressive return from the CMA over 12 years, especially considering the prominence that has been given to cybercrime over the period (caveated by the fact that highly skilled hackers may have been convicted under separate legislation).”
On the flip side, British police forces have been rather good at diverting young computer-enabled criminals into activities that harness their talents for positive things, such as working in the IT industry.
The relatively low frequency of CMA prosecutions matches what your correspondent has seen in the courts. Often crimes carried out with computers can be prosecuted under fraud laws, and prosecutors are under constant (and correct) pressure to pick charges with the greatest odds of a conviction. The CMA, which has no specific sentencing guidelines, may be a less attractive option when a judge or jury can be told a straightforward tale of deception instead of potentally hearing a load of tech jargon.
Crawford also noted that 172 CMA cases had been brought between 2008 and 2020 without any media or police PR activity. With no easily accessible evidence in the public domain, he was unable to analyse these cases. His report can be read here [PDF].
Lord joins campaign urging UK government to reform ye olde Computer Misuse ActREAD MORE
Statistics compiled by The Register in the summer of 2019 showed that between 2008 and 2018 a total of 422 people were charged with CMA offences, of which 343 were found guilty. Of the guilty parties, 135 received fines or community orders and 157 received prison sentences, either suspended or immediate custodial.
During that same 10-year period, 644 cautions were issued for breaches of the CMA, suggesting that police were prepared to give cyber crims a deserved slap on the wrist. ®