Tuesday, February 21, 2006

Cybercrime and law enforcement

For about the last century and a half, countries have used a particular model of law enforcement to keep crime at manageable levels within their territory. This model relies on a professional police force to keep crime at manageable levels primarily by reacting to completed crimes and apprehending the perpetrators, who are then tried, usually convicted and sanctioned for their misdeeds.

This
model of law enforcement makes some effort to prevent crimes, mostly by interrupting crimes while they are in the planning or preparatory stage. But as we all know from the media, our primary crime control strategy is the reactive police model we have used since Sir Robert Peel invented modern policing in nineteenth century England.

As I have argued elsewhere, I do not think this model can be effective for cybercrime because the model is based on four empirical assumptions, none of which hold for cybercrime.

First, the model assumes physical proximity between perpetrator and victim at the time the crime is committed. Historically, it was not possible to defraud, rob or murder someone without being face-to-face with the victim; the necessity for physical proximity when a crime is committed gave rise to the focus on a physical "crime scene" in the investigation of an offense. With the rise of cyberspace, however, these and other crimes can be committed remotely; people in the U.S. can be defrauded by people physically located in Nigeria (and vice versa). And while we do not have, to the best of my knowledge, a documented instance of remote homicide via cyberspace, I am sure we will see this occur in the not-very-distant future.

Second, because the model assumes physical proximity between perpetrator and victim (and the real-time commission of the offense), it also assumes that crime occurs on a limited scale. In other words, it assumes serial crime: It assumes I defraud A, then move on to defraud B, then to C, and so on; it also assumes a level of preparation and other effort involved in my shift from victim to victim. These assumptions do not hold for online crime: Cyber-fraudsters can send out thousands and thousands and thousands of emails to potential victims, pursue those who "bite" and ultimately commit fraud on a scale that would be impossible in the real, physical world.

Third, the model assumes activity in the real-world that is subject to the physical constraints of the real-world. In the real-world, for example, if I want to rob a bank, and am halfway intelligent, I will have to expend time and effort to investigate the bank so I know when a reasonable amount of money will be there and how bank security operates. The first is to maximize the rewards, the second is to minimize the risk of apprehension. Keeping the second factor in mind, I will have to plan my entry into and exit from the bank, along with orchestrating the robbery once inside. I will have to figure out how to "launder" the proceeds so they do not arouse suspicion, while trying to prevent my becoming the victim of a diepack. All this makes the commission of the crime more difficult (in terms of avoiding apprehension) and more time-consuming. None of these physical constraints apply to unlawfully extracting money from a bank online; someone with the requisite computer skills and, perhaps, some inside information can transfer funds from accounts with relative ease, with little chance of being physically identified and apprehended while committing the crime or "fleeing" the scene.

Fourth, crime in the real-world falls into certain demographic and geographic patterns. As I have explained
elsewhere, law enforcement experts developed crime-mapping techniques that let them identify the areas within a city where crimes of certain types of crime are likely to occur. This lets them concentrate their resources in a way that enhances the efficacy of their ability to respond to crimes when they occur. As I have also explained elsewhere, we cannot identify patterns in cybercrime because we lack the foundational data. We have no good statistics on cybercrime, primarily because it so often goes un-reported. The problem of under-reporting is exacerbated by the fact that agencies which keep crime statistics may not break offenses out into "crimes" and cybercrimes; real-world and online fraud may, for example, be lumped together in a single category.

Because of all this, I have argued
elsewhere that we need to develop new strategies for dealing with cybercrime. This post is a preface: Tomorrow (or maybe the next day, depending on how tomorrow goes), I am going to do a post on the rise of vigilantism as a tactic for dealing with at least certain types of cybercrime.

No comments: