The last couple of years have seen much of the business carried out by Local Government conducted remotely, and online. A very rapid shift to online working took place during March and April 2020, due to the Covid pandemic. A multitude of computing/mobile devices were (and still are) used by the public and businesses to interact with Local Government services. Therefore, we have seen a shift in the ways in which fraud is carried out – almost always these days it is through the Internet whilst using a PC, laptop or smartphone.
The question then becomes: What support is there to try and fight online fraud? This article focuses on the legal framework available to Local Government to pursue fraudulent activity. Of course, a very important distinction when trying to legally frame online fraud is the jurisdiction in which said fraud was committed. To this end, I will discuss UK-based legislation and also some international perspectives.
We spoke to Dr Lucian Tipi, Head of Teaching and Learning Enhancement of the College of Business, Technology and Engineering at Sheffield Hallam University, about what legislation supports Local Authorities against online fraud. This piece follows on from an interview we conducted with Dr Tipi earlier this year focussing on how the public sector can be better equipped to tackle fraud.
UK Legal Framework
The main piece of legislation available to deal with computer-related crime is still the Computer Misuse Act 1990. One cannot escape noticing that this piece of legislation is 32 years old now. It has been updated several times during the last decades, yet research shows that it is more than ready for reform:
We must examine its main provisions, which for our purposes are as follows:
- Section 1: Deals with unauthorised access to computer materials
- Section 2: Deals with unauthorised access with intent to commit or facilitate the commission of further offences
- Section 3: Deals with unauthorised modification of computer material
Every section of the act is relevant from a fraud perspective.
Modifications to the act
This act was first modified by the Police and Justice Act 2006. The main provision of the Police and Justice Act 2006 that we’re interested in here is Section 5, referring to miscellaneous issues, including amendments to the Computer Misuse Act 1990 that refer to impairing the operation of a computer, again of relevance in so far as data and information are amended to carry out fraudulent activity.
Therefore, Section 3 of the Computer Misuse Act 1990 as amended by the Police and Justice Act 2006 becomes much more extensive:
- Section 3 (Amended): Now deals with unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer
- Section 3A (New Section): Refers to making, supplying or obtaining articles for use in an offence under Sections 1 or 3
Further modifications of the Computer Misuse Act 1990 were made by the EU Directive 2013/40/EU. The changes aim to tackle sophisticated and large-scale forms of attacks on information systems. This provision would be applicable to organised fraud, driven by external or internal actors. The EU directive was incorporated in the Serious Crime Bill 2015, which is the latest UK-based act to modify and update the Computer Misuse Act 1990. Notable amendments are:
- Unauthorised acts causing or creating a risk of serious damage – punishable by up to 14 years in jail or a fine or both
- Targeting individuals obtaining tools such as malware with the intention of committing cybercrime, including fraud
- Widens UK courts’ jurisdiction to prosecute UK nationals committing offences physically outside the UK & foreign nationals committing crimes in the UK (something quite important in the context of the increased incidence of fraud carried out from abroad)
- Allowing for sentences of up to life imprisonment for serious crimes affecting life or national security – intended to target serious/organised crime and not low-level activity
A further review of the Computer Misuse Act 1990 was due to take place in September 2020, but was delayed due to the Covid pandemic. Priti Patel announced in May 2021 the intention of the UK Government to go ahead with the review, to address in part the significant growth of online fraud.
Other Significant Acts
The Regulation of Investigatory Powers Act 2000 extends the powers of public bodies to carry out surveillance and investigation, and covers the interception of communications. It was introduced to take account of technological change such as the growth of the Internet and strong encryption and is being used widely in the UK to tackle fraudulent activity. Given the very drastic provisions of this act, it was intended to cover mainly threats of a very serious nature, yet there is evidence of the misuse of the act and the use of it for investigating individuals committing petty crime, including small-scale fraudulent activity such as obtaining free school meals or a place at a preferred school.
Whilst not of great importance for our discussion in this article, I have to mention the Digital Economy Act 2010, which deals with digital media, copyright infringement, and obligations of internet service providers to implement technical measures that could be used to monitor and detect fraudulent activity as well.
The Data Retention and Investigatory Powers Act 2014 attempts to clarify existing laws and ensures that critical capabilities to fight crime (including fraud) and protect the public are maintained. There are provisions to ensure access to communications data is limited to what is strictly necessary.
Similar to the Regulation of Investigatory Powers Act 2000, and extending its scope and remit, the Investigatory Powers Act 2016 is a bill that makes provisions for the interception of communications, equipment interference and the acquisition and retention of communications data, bulk personal datasets and other information. It makes provision about the treatment of material held as a result of such interception, equipment interference or acquisition. Given the very draconian provisions of this act it has been dubbed the Snooper’s Charter, and it is interesting to explore a couple of further sources here:
The act introduced new powers, and restated existing ones, for UK intelligence agencies and law enforcement to carry out targeted interception of communications. Local government can draw on the provisions of this act to pursue fraudulent activity, even though its main stated purpose is to combat terrorism-related activity. The act created an Investigatory Powers Commission (IPC) to oversee the use of all investigatory powers and requires communication service providers (CSPs) to retain UK internet users’ Internet connection records. It allows police, intelligence officers and other government department managers to see the Internet connection records and it permits the police and intelligence agencies to carry out targeted equipment interference, that is, hacking! It provides local government with some investigatory powers, useful for monitoring fraud-related activity. There is a new criminal offence for a CSP or someone who works for a CSP to reveal that data has been requested, in an effort to ensure that successful prosecutions can take place at a later date.
International Perspectives
International efforts to try and introduce some consistency in combating serious and organised cross-border criminal activities started some time ago. Notable efforts are:
Convention on Cybercrime (Budapest Convention)
The first international treaty seeking to address Internet and computer crime by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. It was adopted in 2001 and came into force in 2004. It has been signed/ratified by more than 65 countries including UK, US, Canada, and Australia (ratified by UK 2011). It is a ‘convention’ requiring each state to transpose certain crimes into their own law. A common legal framework would eliminate jurisdictional hurdles to facilitate the law enforcement of borderless cybercrimes; however, a complete realization of a common legal framework may not be possible because of varying states’ constitutional principles.
European Cybercrime Centre
The European Cybercrime Centre was set up by Europol in 2013 to strengthen the law enforcement response to cybercrime in the EU. This centre helps protect European citizens, businesses and governments from online crime.
EU General Data Protection Regulation
At this moment in time, the regulation is applicable in the UK. It came into effect on the 25th May 2018. It expands considerably on the concept of personal data, which is any information relating to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, an ID number, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. Huge fines are possible – a maximum of €20 million or 4% of annual turnover for the most serious breaches! Given that for the identification of fraud personal data is essential, this act is a bit of a minefield for investigators, yet it is clear in the act that the use of data for prevention/detection/prosecution of criminal activity is legitimate – something that the public and even fraud investigators do not seem to be aware of widely!
Other European Legislation
- International Criminal Tribunal for Cybercrime
- Geneva Declaration for Cybercrime – A proposed global
- Commonwealth Cybercrime initiative – First announced in October 2011
US Legislation
This legislation is significantly out of date given the technological progress we have experienced since it was passed.
- The Computer Fraud and Abuse Act, a cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. The law prohibits accessing a computer without authorization, or in excess of authorization.
- The Sarbanes–Oxley Act of 2002, also known as the “Public Company Accounting Reform and Investor Protection Act”. Of particular relevance for fraudulent financial reporting by organisations.
Where does all of this leave us?
This brief review shows fairly clearly that UK legislation has not necessarily kept pace with extremely rapid technological developments; this gives fraudsters the edge. This is a phenomenon observed at scale during the pandemic years as the latest (May 2022) DWP figures show that Universal Credit fraud is at a record high of 13% of all spending on the benefit, costing the taxpayer £5.6 bn/year. Fraud levels across all benefits stand at 3%, resulting in huge losses for the taxpayer!
The UK government intended to overhaul relevant legislation; however, exiting the pandemic and issues such as Partygate have diverted attention from these projects.
Things are even worse if we consider the international context in which fraud takes place and the virtual impossibility of prosecuting fraud across borders. Whilst efforts are being made internationally to improve this state of affairs, I am not optimistic that this will happen in the near or medium term. The latest global conflicts with Russia and China mean that the world’s attention is diverted from what is seemingly less serious fraudulent activity by individuals and businesses.
Concluding Thoughts
Whilst this article has dealt mainly with the legislative framework, one must mention that just having good and fit-for-purpose laws in place is not enough. Law enforcement’s capacity and expertise for dealing with fraud is very limited and there is not a week that goes by nowadays without hearing how UK police forces are under-resourced and not able to deal with various crimes. As the UK public sees issues other than fraud (e.g. violent crimes) as police priorities, one can see that we have a long way to go in combating fraudulent activity.
This leads to the final thoughts. Prevention is better than finding a cure with online fraud. Investing in systems and processes design, and implementation, as well as training of Local Government staff with fraud prevention in mind, is much better than trying to recover lost money. It is estimated that every pound invested in systems, processes and training saves £3-4 in lost money; the figures speak for themselves!