What makes cybercrime laws so difficult to enforce

Deb Shinder discusses the difficulty both of enforcing cybercrime laws and of tracking down cybercriminals in the first place.

When the Internet first "went commercial" and became affordable enough and easy enough to access for ordinary people (that is, those outside academia and government), it was a new frontier. Like the Wild West of old, it was mostly unregulated; legislators hadn't anticipated the rapid growth or the types of online behaviors that would require new laws to protect innocent users.

Over the more than two decades since, state and federal governments have passed many statutes to address the problem of criminal activities that take place over the Internet. Cyberbullying, cyberstalking, theft of wireless services, spamming, unauthorized access - most of these laws didn't exist twenty-five years ago.

So now we have plenty of laws on the books, but enforcing them is another matter. It can be frustrating for the victims of such crimes, when the perpetrators are never brought to justice. Some local police departments have set up divisions specifically devoted to computer crimes enforcement, but some shy away from investigating and enforcing these types of crime. That's because, for a number of reasons, enforcing laws governing online behavior is intrinsically more difficult than the enforcement of "traditional" laws. In this article, we'll take a look at those reasons.

Jurisdictional issues

The concept of jurisdiction pertains to which agency or court has the authority to administer justice in a particular matter, and to the scope of those agencies' and courts' authority. Jurisdiction can be based on a number of different things:

Branch of law. In the U.S., there are three broad branches of law: criminal law, civil law, and regulatory law. The criminal (or penal) system deals with offenses that are prosecuted by the government - local, state or federal - and can be punished by monetary fines, loss of liberty (jail or prison), or in extreme cases, even loss of life (death penalty). The civil system deals with disputes between individuals or organizations (including in some cases government agencies), in which the party found liable is ordered to pay monetary damages and/or ordered to do or not do something (injunction). Regulatory agencies have jurisdiction over specific industries or activities and can impose fines and/or take away an individual's or organization's authorization to conduct business or engage in the regulated activity.

Type of case. Within each system, there can be different agencies or courts assigned responsibility for different types of cases. For example, within the criminal system, some courts deal exclusively with traffic offenses and some deal with domestic violence and other family law cases. Some law enforcement agencies have jurisdiction only over crimes that violate the state's alcoholic beverage code, or only investigate and prosecute offenses that fall under the parks and wildlife code. Within the civil system, some courts handle only divorce cases, others handle only probate matters, and so forth.

Grade of offense. In the criminal justice system, different courts have jurisdiction over different grades of offense, based on severity. Municipal courts may handle only city ordinance violations and/or certain misdemeanor offenses. County courts may handle more serious misdemeanors, while district courts handle felony offenses.

Monetary damages. In the civil system, different courts handle cases based on the monetary damages. For example, small claims courts or justice of the peace courts may have jurisdiction over lawsuits up to a few thousand dollars.

Level of government. In the U.S., there are separate laws, law enforcement agencies and court systems for different levels of government. In the criminal system, you have municipal police, county sheriffs (and in some states, constables and/or marshals), state police or troopers, and numerous federal agencies such as the FBI, DEA, BATF, etc., enforcing the laws that are passed by the governing bodies at the corresponding levels (city and county ordinances passed by city councils and county commissioners, state statutes passed by state legislative bodies and federal laws passed by the U.S. Congress).

Because these systems are separate, a person can be charged, tried and acquitted under state law, for example, and then charged, tried and convicted under federal law for the same act, without incurring double jeopardy. There are also international law-making bodies such as the EU and the UN; their laws are generally adopted by the member nations via treaties.

Geographic area. Any good real estate agent will tell you it's all about location, location, location - and that's what geographic jurisdiction pertains to. In the case of the courts, it's also referred to as venue. A law enforcement agency or court has jurisdiction only over crimes that take place in the geographic location where that agency or court has authority. That may include the location of the perpetrator, the location of the victim, or the location where the crime actually occurred.

Before a law enforcement agency can investigate a cybercrime case, it has to have jurisdiction. The first thing that must be determined is whether a crime has taken place at all. In some cases, there is no law on the books that covers the particular circumstance. In other cases, the wrongful action that took place is a civil matter, not a criminal one. This might be the case, for instance, if you entrusted your data to a company and that company lost it.

If a criminal offense has occurred, the next step is to determine what law was violated. Was it a city ordinance, a state statute, or a federal law? Local police don't generally pursue a person for federal crimes, and the FBI doesn't generally investigate and arrest for state offenses (although in some serious matters, agencies at different levels come together to form task forces and work together to pursue criminals who commit offenses that are violations at both levels).

The next, and in the case of cybercrime the stickiest point, is to determine the geographic jurisdiction. This is more difficult in cybercrime cases than in other types of crime because often the perpetrator is not in the same city, state or even country as the victim.

Why is geographic jurisdiction such a big problem? There are a couple of important reasons:

Laws differ from state to state and nation to nation. An act that's illegal in one locale may not be against the law in another. This complicates things if the perpetrator is in a location where what he/she is doing isn't even against the law - even though it's a clear-cut crime in the location where the victim is.

Law enforcement agencies are only authorized to enforce the law within their jurisdictions. A police officer commissioned in California has no authority to arrest someone in Florida, the FBI doesn't have the authority to arrest someone in Spain and so forth. Extradition (the process by which a state or nation surrenders a suspect to another) is difficult at best, and often impossible. Under international law, a country has no obligation to turn over a criminal to the requesting entity, although some countries have treaties whereby they agree to do so. Even in those cases, it's usually an expensive and long, drawn-out process.

Thus jurisdictional issues frequently slow down or completely block the enforcement of cybercrime laws. Extradition treaties often require "double criminality," meaning the conduct must be a crime in both the jurisdiction seeking to extradite and in the jurisdiction from which the extradition is sought.

Anonymity and identity

Before jurisdiction even comes into play, it's necessary to discover where - and who - the criminal is; only then can you think about making an arrest. This is a problem with online crime because there are so many ways to hide one's identity. There are numerous services that will mask a user's IP address by routing traffic through various servers, usually for a fee. This makes it difficult to track down the criminal.

In 2009, Eugene Kaspersky identified the relative anonymity of Internet users as a key issue that enables cybercrime and proposed Internet "passports" for individuals and accreditation for businesses to help combat the problem.

Some studies have shown that people are more likely to engage in offensive and/or illegal behavior online because of the perception of anonymity.

However, attempts to better track online identity raise serious issues for privacy advocates and result in political backlash. An end to anonymity on the Internet could have serious consequences in countries where the government punishes dissenters, so even if the technological challenge of identifying every online user could be overcome, many lawmakers would be hesitant to mandate it. Cybercriminals exploit the rights and privileges of a free society, including anonymity, to benefit themselves.

Nature of the evidence

Yet another thing that makes cybercrime more difficult to investigate and prosecute than most "real world" crimes is the nature of the evidence. The problem with digital evidence is that, after all, it is actually just a collection of ones and zeros represented by magnetization, light pulses, radio signals or other means. This type of information is fragile and can be easily lost or changed.

Protecting the integrity of evidence and maintaining a clear chain of custody is always important in a criminal case, but the nature of the evidence in a cybercrime case makes that job far more difficult. An investigator can contaminate the evidence simply by examining it, and sophisticated cybercriminals may set up their computers to automatically destroy the evidence when accessed by anyone other than themselves.

In cases such as child pornography, it can be difficult to determine or prove that a person downloaded the illegal material knowingly, since someone else can hack into a system and store data on its drive without the user's knowledge or permission if the system isn't adequately secured.

In cases of intrusion or cybervandalism, the bad guy often erases all logs that show what happened, so that there is no evidence to prove that a crime even occurred, much less where the attack came from.

The good news

The news isn't all bad. Computer forensics has come a long way, and there are tools available to investigators that allow them to examine digital evidence without tampering with it. Trained forensics examiners can reliably preserve data for presentation in court and even recover deleted data, and the legal system is evolving, with new procedures being adopted to deal with the special challenges presented by the nature of digital evidence.

While anonymity online is still achievable, it's getting more difficult. With diligent work, it's often possible to track down criminals by IP and by clues that they may leave within the content of data. Many cybercriminals are not particularly technically savvy, such as those who use the Internet to commit fraud or cyberstalking. Many of those who are more knowledgeable about technology still leave clues because they get careless or are arrogant and overly confident.

Jurisdictional issues still present a challenge, particularly when the criminal is in another country, but more and more governmental entities are recognizing the harm that cybercrime does to their citizens and are working together. Countries (and states within the U.S.) are cooperating to adopt consistent laws, and forming interjurisdictional task forces to deal with cybercrime that crosses state and national boundaries.


Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...
