In the days before Web addresses were
as ubiquitous as McDonald's, the Internet was imagined as a
lawless badlands. Rogues and bandits would soon terrorize cyberspace
as hapless sheriffs struggled to turn on their computers. And
as promised, cybercrime has presented novel challenges to law-enforcement
Fraud has gone online in multiple forms. Auction sites such
as eBay have proved fertile hunting ground. Some sellers make
fake bids on their own merchandise to inflate its price, while
others simply take the money and run. That is, they never send
the buyer the promised item. Not the most sophisticated gambit,
but surprisingly effective.
More ambitious scam artists have targeted the growing population
of stock traders that gather information on the Internet. Even
improbable claims can fuel an effective "pump and dump" scheme.
Two California men were arrested after spreading a rumor that
a small, publicly traded car dealership had acquired another
company that just happened to possess a cure for AIDS. The stock
shot up, proving that people will believe anything.
Then there are the purveyors of illegal items - everything
from alcohol to prescription drugs to firearms. If you want
it, you can probably get it via the Net. Online gambling sites
have created a global floating craps game that would make Nathan
Detroit green with envy.
And then there is perhaps the most sinister class of criminal
Web denizens: sexual predators. There are pedophiles that troll
the Internet looking for children. There are sociopaths who
take advantage of the Internet's culture of trust to lure unsuspecting
victims of all ages into vulnerable positions.
Here's the surprising thing. The spate of horror stories and
the dire predictions of uncontrolled mayhem on the Internet
obscure reality. Law enforcement is holding its own against
scam artists, malevolent hackers, snake-oil salesmen and violent
criminals who use the Internet. Does crime exist on the Web?
Of course. But there isn't any evidence that Internet criminals
are less likely to be caught than their unwired colleagues.
It turns out that law enforcement agencies have been (surprisingly?)
skillful in responding to cybercrime. Police departments have
used data-mining techniques to track down drug traffickers.
Hackers have been busted through invisible backup monitoring
systems. Pedophiles have been snared by agents posing as kids
in chat rooms. And law enforcement agencies are just getting
started. There are increasing numbers of personnel devoted to
cybercrime at the FBI, Federal Trade Commission, Securities
and Exchange Commission and just about every other agency in
Washington. State and local agencies are ramping up their capacity
as well. One could cynically harrumph and say, "These bureaucrats
are just trying to protect their budget!" I would respond with
an emphatic "So what?" Government is responding to the "market
demand" for more law enforcement on the Internet. That is, for
many, the essence of reinventing government.
I do not want to suggest that there is no crime on the Internet
or that law enforcement has fully adapted to the changes wrought
by the proliferation of information technology. It has not.
There will always be new scams and new technologies to be exposed,
understood and addressed. Moreover, the shape of law enforcement
will evolve. As I have argued before, the Internet will require
the centralization of law enforcement in order to combat cross-jurisdictional
The point is that the good guys have not been overwhelmed by
the bad guys. Indeed, one of the biggest unmet challenges for
Internet crime-fighting is the establishment of what we might
call "norms of proportionality" to keep law enforcement from
doing too much.
In the world of "real" crime, we have developed shared standards
of the appropriate behavior of police that relate to the seriousness
of crimes. This is most obvious in terms of sentencing; jaywalkers
are punished less severely than murderers. But the same logic
carries over to the realm of enforcement.
We think police should distinguish between crimes based on
the severity and behave accordingly. First, there is a sense
that resources should be deployed based on the nature of criminal
activity. Police are expected to spend more time and energy
stopping thieves than tracking mattress retailers who illegally
cut off the tags. Second, we tolerate more intrusive police
behavior when it is intended to stop more serious crimes. Thus
wiretaps are acceptable in the pursuit of a kidnapper but perhaps
not as a means of apprehending a juvenile shoplifter.
Are such norms of proportionality iron-clad and universal?
Absolutely not. Some police behavior is held to be unacceptable
regardless of the ends (such as torture of suspects). Some people
would argue that criminals are targeted because of their race
without regard to the severity of their alleged crime. Moreover,
the "seriousness" of crimes may be related to the race of the
person committing the offense (for example, possession of crack
is punished more severely than possession of powder cocaine,
disproportionately affecting minority populations). An alternative
critique of the "proportionality" approach is that minor crimes
must be addressed or they will grow into more serious crimes.
This theory, espoused by James Q. Wilson and implemented by
New York Mayor Rudolph Giuliani and his first police chief William
Bratton, is widely used to explain the reduced crime rates in
The point is that we do not have any sense of the proportionality
of Internet crime. What is a serious crime? Denial-of-service
attacks? Is that a worse crime than creating the I Love You
virus? How does that compare with the transgressions of Napsterites?
And how do all of these crimes rank relative to more traditional
crimes that have migrated onto the Web?
Thus when the FBI unveils Carnivore, we're left to wonder who
it will devour. (Who came up with the name Carnivore, anyway?
Stephen King? Hey, FBI! Call the next big surveillance proposal
"Cuddly Bunny" and I guarantee it will go over much better.)
Are the feds going to use Carnivore to go after scheming terrorists?
That might be OK. Or are they going to hunt down the next "Coolio"
who shuts down E-Trade for an hour? Doesn't it make a difference?
Even if we decide, as in New York, that the police must punish
quality-of-life crimes, it must be determined what constitutes
such a crime. Is "shouting" someone down in a chat room such
a crime? Few would say so. How about sending spam? That seems
to make people upset, but is it criminal? How about vandalizing
a Web site? How about sending pornographic instant messages
to unsuspecting computer users (including children)?
The point is clear enough. Currently, we have no means of distinguishing
among Internet crimes and thus reaction to Carnivore, Digital
Storm, Echelon and future crime-fighting technologies are bound
to be decidedly mixed. Law enforcement agencies will understandably
see these technologies as the required tools to combat cybercrime
in the 21st century. Civil-liberties advocates will see police
officers chasing after juvenile pranksters with elephant guns.
And both sides will be right.
We need to figure out what types of cybercrime constitute the
greatest threat to the Internet and society as a whole. Then
we can work on determining the appropriate responses to different
offenses. Until then, Internet cops will keep coming up with
ever-scarier names for their software and cruising the Internet
in search of criminals without distinguishing between the digital
equivalents of scofflaws and serial killers.