Stealing Intellectual Property Information Communication Technology is a term that not many people would have been familiar with 20 years ago. Back then offices were full of grey four-drawer filing cabinets. We employed filing clerks and typists. We bought box after box of carbon paper. And all of the information that we considered valuable or commercially sensitive was locked up in the safe in the boardroom behind the picture of the Chairman. Fast forward two decades and its a different story. Almost all commercial information is now stored electronically on computer systems and can be instantly accessed by authorised staff. The trouble is, that its much harder to keep it under lock and key and prevent unauthorised staff gaining access. Information-thieves dont even have to leave their desk, let alone snoop around in the boardroom. A recent survey commissioned by the ibas Group (www.ibas.com) revealed that 69.6% of business professionals have stolen some form of corporate intellectual property (IP) from their employer when leaving a job. The information stolen may not necessarily be our top corporate secrets (the secret sauce recipe, for example), but it certainly represents the investment of numerous hours of hard work to create and maintain. To give that hard work to a competitor is no different to giving away our most valuable company assets. Rapid developments in computer technology enables us to store larger and larger amounts of data. A typical 60 gigabyte hard disk drive can store the equivalent of 30 million sheets of A4 paper. It would take ten people reading at a rate of 60 seconds a page more than 24 years to read this amount of information. But volume alone does not create value. It is the processing ability of the simplest computer that enables that information to be used to save time and effort. Technology has also enhanced the ease at which such data can be copied and removed from its owners premises. Floppy disks remain the popular choice of data thieves even though their capacity is comparatively very low at a tiny 1.44 megabytes. However, sophisticated USB storage devices are now readily available storing up to 5,000 times more than a floppy disk. These devices are small enough to appear on key rings and have been made to appear as credit cards, pens and even a fully functional wristwatch. The combination of the increase in value and the increase in opportunity has made commercial information an attractive commodity that is illicitly traded. The most common case that we investigate is the theft of customer information - whether in a database or even as an email address book. This information amounts to the lifeblood of a company and can make the difference between corporate survival and unemployment. Over 54% of respondents to ibas survey said that they had taken an email address book and/or a contact database with them when they left their previous employer. Information or data cannot be construed as property within the meaning of the Theft Act as it cannot be measured and is intangible. In addition to which, the information is only copied and therefore there is no intent to permanently deprive the other of it. So although copying valuable data is described as IP Theft, which may reflect the level of hurt it inflicts, it cannot currently be prosecuted as a criminal offence under the Theft Act. We recently investigated a case where an allegation had been made that several employees of Company A had stolen intellectual property from Company B, their former employer. The property in question was in various parts as a number of Microsoft Word documents. Although there were a number of issues in this case, one of the most interesting was the revelation that although Company A did posses, or had possessed, the questioned documents, the forensic examination uncovered that originally these documents belonged to Company X. This raised the issue that, if we did keep the Theft Act analogy, can you steal property that is already stolen? The Copyright Designs and Patents Act, although it includes material stored electronically, addresses only material that is considered to be a work of art. Although a work of art represents a great deal of intellectual property I do not believe that the spirit of the act would allow it to be extended to include commercial information. The Data Protection Act is, in my opinion, clearly intended to deal with the protection and processing of personal information. Although contact information and details found in email address books and customer databases may arguably be included within the Data Protection Act, the remainder of commercial IP in the form of projects, manuals, proposals, research and development almost certainly would not fall within its protection. Nearly all crime requires some form of motive as well as a physical ability to commit the act. With computer crime and computer related incidents there is an added requirement for the technical ability and knowledge to gain access to the data and create the copy in such a manner that is undetected. Ten years ago a computer criminal was undoubtedly very technically competent. All todays data thieves need is access to the Internet. We maintain a library of tools and utilities that we have encountered in our investigations, or have discovered on the World Wide Web, that enable a user to access sensitive or valuable information, to hide it from owners, security managers or even the police and, most of all, to remove traces and evidence of the deed. In our library we have more than 400 of these tools. All of them can be obtained either free of charge or at a cost of less than £50. In 1999, while conducting computer forensic investigations I encountered these tools in less than 5% of cases. In 2003, I encountered these tools in 56% of cases. Understanding and detecting these tools are one of the basic skills required by computer forensic investigators. The bad guys believe that it is unlikely that security managers and corporate investigators, who are not dedicated to this type of investigation, will be in a position to recognise or detect these programs. Not only is information held on a computer becoming more valuable it is becoming more easier to access and to copy. I think there is very little doubt that the theft of information within the commercial environment has risen dramatically in the last five years. Barristers and lawyers are becoming more and more aware of both the requirement for evidence that is based on a computer and the compelling value that it has as forensic evidence. Our computer forensic colleagues and partners in the United States are working less and less for law enforcement but more and more for the Courts. Commerce and Industry will undoubtedly place greater investment on ICT for its infrastructure and supply of critical information. Several weeks ago, at the House of Commons, the All Party Internet Group (APIG) listened to evidence from a number of leading experts in the field of computer crime with a view to establishing whether there is a need to review the Computer Misuse Act. The theft of information does not comfortably sit within the spirit of the Computer Misuse Act, Copyright Designs and Patents Act or even the Data Protection Act. If changes need to be made then, in my opinion, I believe they should be made in an attempt to reduce the threat that commerce in the UK faces through the constant loss and leakage of valuable intellectual property. |