Bad Boys

By Jonathan Koppell

The Industry Standard
October 23, 2000

In the days before Web addresses were as ubiquitous as McDonald's, the Internet was imagined as a lawless badlands. Rogues and bandits would soon terrorize cyberspace as hapless sheriffs struggled to turn on their computers. And as promised, cybercrime has presented novel challenges to law-enforcement agencies.

Fraud has gone online in multiple forms. Auction sites such as eBay have proved fertile hunting ground. Some sellers make fake bids on their own merchandise to inflate its price, while others simply take the money and run. That is, they never send the buyer the promised item. Not the most sophisticated gambit, but surprisingly effective.

More ambitious scam artists have targeted the growing population of stock traders that gather information on the Internet. Even improbable claims can fuel an effective "pump and dump" scheme. Two California men were arrested after spreading a rumor that a small, publicly traded car dealership had acquired another company that just happened to possess a cure for AIDS. The stock shot up, proving that people will believe anything.

Then there are the purveyors of illegal items - everything from alcohol to prescription drugs to firearms. If you want it, you can probably get it via the Net. Online gambling sites have created a global floating craps game that would make Nathan Detroit green with envy.

And then there is perhaps the most sinister class of criminal Web denizens: sexual predators. There are pedophiles that troll the Internet looking for children. There are sociopaths who take advantage of the Internet's culture of trust to lure unsuspecting victims of all ages into vulnerable positions.

Here's the surprising thing. The spate of horror stories and the dire predictions of uncontrolled mayhem on the Internet obscure reality. Law enforcement is holding its own against scam artists, malevolent hackers, snake-oil salesmen and violent criminals who use the Internet. Does crime exist on the Web? Of course. But there isn't any evidence that Internet criminals are less likely to be caught than their unwired colleagues.

It turns out that law enforcement agencies have been (surprisingly?) skillful in responding to cybercrime. Police departments have used data-mining techniques to track down drug traffickers. Hackers have been busted through invisible backup monitoring systems. Pedophiles have been snared by agents posing as kids in chat rooms. And law enforcement agencies are just getting started. There are increasing numbers of personnel devoted to cybercrime at the FBI, Federal Trade Commission, Securities and Exchange Commission and just about every other agency in Washington. State and local agencies are ramping up their capacity as well. One could cynically harrumph and say, "These bureaucrats are just trying to protect their budget!" I would respond with an emphatic "So what?" Government is responding to the "market demand" for more law enforcement on the Internet. That is, for many, the essence of reinventing government.

I do not want to suggest that there is no crime on the Internet or that law enforcement has fully adapted to the changes wrought by the proliferation of information technology. It has not. There will always be new scams and new technologies to be exposed, understood and addressed. Moreover, the shape of law enforcement will evolve. As I have argued before, the Internet will require the centralization of law enforcement in order to combat cross-jurisdictional crime.

The point is that the good guys have not been overwhelmed by the bad guys. Indeed, one of the biggest unmet challenges for Internet crime-fighting is the establishment of what we might call "norms of proportionality" to keep law enforcement from doing too much.

In the world of "real" crime, we have developed shared standards of the appropriate behavior of police that relate to the seriousness of crimes. This is most obvious in terms of sentencing; jaywalkers are punished less severely than murderers. But the same logic carries over to the realm of enforcement.

We think police should distinguish between crimes based on the severity and behave accordingly. First, there is a sense that resources should be deployed based on the nature of criminal activity. Police are expected to spend more time and energy stopping thieves than tracking mattress retailers who illegally cut off the tags. Second, we tolerate more intrusive police behavior when it is intended to stop more serious crimes. Thus wiretaps are acceptable in the pursuit of a kidnapper but perhaps not as a means of apprehending a juvenile shoplifter.

Are such norms of proportionality iron-clad and universal? Absolutely not. Some police behavior is held to be unacceptable regardless of the ends (such as torture of suspects). Some people would argue that criminals are targeted because of their race without regard to the severity of their alleged crime. Moreover, the "seriousness" of crimes may be related to the race of the person committing the offense (for example, possession of crack is punished more severely than possession of powder cocaine, disproportionately affecting minority populations). An alternative critique of the "proportionality" approach is that minor crimes must be addressed or they will grow into more serious crimes. This theory, espoused by James Q. Wilson and implemented by New York Mayor Rudolph Giuliani and his first police chief William Bratton, is widely used to explain the reduced crime rates in New York.

The point is that we do not have any sense of the proportionality of Internet crime. What is a serious crime? Denial-of-service attacks? Is that a worse crime than creating the I Love You virus? How does that compare with the transgressions of Napsterites? And how do all of these crimes rank relative to more traditional crimes that have migrated onto the Web?

Thus when the FBI unveils Carnivore, we're left to wonder who it will devour. (Who came up with the name Carnivore, anyway? Stephen King? Hey, FBI! Call the next big surveillance proposal "Cuddly Bunny" and I guarantee it will go over much better.) Are the feds going to use Carnivore to go after scheming terrorists? That might be OK. Or are they going to hunt down the next "Coolio" who shuts down E-Trade for an hour? Doesn't it make a difference?

Even if we decide, as in New York, that the police must punish quality-of-life crimes, it must be determined what constitutes such a crime. Is "shouting" someone down in a chat room such a crime? Few would say so. How about sending spam? That seems to make people upset, but is it criminal? How about vandalizing a Web site? How about sending pornographic instant messages to unsuspecting computer users (including children)?

The point is clear enough. Currently, we have no means of distinguishing among Internet crimes and thus reaction to Carnivore, Digital Storm, Echelon and future crime-fighting technologies are bound to be decidedly mixed. Law enforcement agencies will understandably see these technologies as the required tools to combat cybercrime in the 21st century. Civil-liberties advocates will see police officers chasing after juvenile pranksters with elephant guns. And both sides will be right.

We need to figure out what types of cybercrime constitute the greatest threat to the Internet and society as a whole. Then we can work on determining the appropriate responses to different offenses. Until then, Internet cops will keep coming up with ever-scarier names for their software and cruising the Internet in search of criminals without distinguishing between the digital equivalents of scofflaws and serial killers.

Copyright: 2000 The Industry Standard

Top of Article
Other articles by Jonathan Koppell
Printable Article
E-Mail This Article