What makes cybercrime laws so difficult to enforce

Deb Shinder discusses both the difficulty of enforcing cybercrime laws and of tracking down cybercriminals in the first place.

When the Internet first "went commercial" and became affordable enough and easy enough to access for ordinary people (that is, those outside academia and government), it was a new frontier. Like the Wild West of old, it was mostly unregulated; legislators hadn't anticipated the rapid growth or the types of online behaviors that would require new laws to protect innocent users.

Over the more than two decades since, state and federal governments have passed many statutes to address the problem of criminal activities that take place over the Internet. Cyberbullying, cyberstalking, theft of wireless services, spamming, unauthorized access - most of these laws didn't exist twenty-five years ago.

So now we have plenty of laws on the books, but enforcing them is another matter. It can be frustrating for the victims of such crimes, when the perpetrators are never brought to justice. Some local police departments have set up divisions specifically devoted to computer crimes enforcement, but some shy away from investigating and enforcing these types of crime. That's because, for a number of reasons, enforcing laws governing online behavior is intrinsically more difficult than the enforcement of "traditional" laws. In this article, we'll take a look at those reasons.

Jurisdictional issues

The concept of jurisdiction pertains to which agency or court has the authority to administer justice in a particular matter, and to the scope of those agencies' and courts' authority. Jurisdiction can be based on a number of different things:

Branch of law. In the U.S., there are three broad branches of law: criminal law, civil law, and regulatory law. The criminal (or penal) system deals with offenses that are prosecuted by the government - local, state or federal - and can be punished by monetary fines, loss of liberty (jail or prison), or in extreme cases, even loss of life (death penalty). The civil system deals with disputes between individuals or organizations (including in some cases government agencies), in which the party found liable is ordered to pay monetary damages and/or ordered to do or not do something (injunction). Regulatory agencies have jurisdiction over specific industries or activities and can impose fines and/or take away an individual's or organization's authorization to conduct business or engage in the regulated activity.

Type of case. Within each system, there can be different agencies or courts assigned responsibility for different types of cases. For example, within the criminal system, some courts deal exclusively with traffic offenses and some deal with domestic violence and other family law cases. Some law enforcement agencies have jurisdiction only over crimes that violate the state's alcoholic beverage code, or only investigate and prosecute offenses that fall under the parks and wildlife code. Within the civil system, some courts handle only divorce cases, others handle only probate matters, and so forth.

Grade of offense. In the criminal justice system, different courts have jurisdiction over different grades of offense, based on severity. Municipal courts may handle only city ordinance violations and/or certain misdemeanor offenses. County courts may handle more serious misdemeanors, while district courts handle felony offenses.

Monetary damages. In the civil system, different courts handle cases based on the monetary damages. For example, small claims courts or justice of the peace courts may have jurisdiction over lawsuits up to a few thousand dollars.

Level of government. In the U.S., there are separate laws, law enforcement agencies and court systems for different levels of government. In the criminal system, you have municipal police, county sheriffs (and in some states, constables and/or marshals), state police or troopers, and numerous federal agencies such as the FBI, DEA, BATF, etc., enforcing the laws that are passed by the governing bodies at the corresponding levels (city and county ordinances passed by city councils and county commissioners, state statutes passed by state legislative bodies and federal laws passed by the U.S. Congress).

Because these systems are separate, a person can be charged, tried and acquitted under state law, for example, and then charged, tried and convicted under federal law for the same act, without incurring double jeopardy. There are also international law-making bodies such as the EU and the UN; their laws are generally adopted by the member nations via treaties.

Geographic area. Any good real estate agent will tell you it's all about location, location, location - and that's what geographic jurisdiction pertains to. In the case of the courts, it's also referred to as venue. A law enforcement agency or court has jurisdiction only over crimes that take place in the geographic location where that agency or court has authority. That may include the location of the perpetrator, the location of the victim, or the location where the crime actually occurred.

Before a law enforcement agency can investigate a cybercrime case, it has to have jurisdiction. The first thing that must be determined is whether a crime has taken place at all. In some cases, there is no law on the books that covers the particular circumstance. In other cases, the wrongful action that took place is a civil matter, not a criminal one. This might be the case, for instance, if you entrusted your data to a company and that company lost it.

If a criminal offense has occurred, the next step is to determine what law was violated. Was it a city ordinance, a state statute, or a federal law? Local police don't generally pursue a person for federal crimes, and the FBI doesn't generally investigate and arrest for state offenses (although in some serious matters, agencies at different levels come together to form task forces and work together to pursue criminals who commit offenses that are violations at both levels).

The next, and in the case of cybercrime the stickiest point, is to determine the geographic jurisdiction. This is more difficult in cybercrime cases than in other types of crime because often the perpetrator is not in the same city, state or even country as the victim.

Why is geographic jurisdiction such a big problem? There are a couple of important reasons:

Laws differ from state to state and nation to nation. An act that's illegal in one locale may not be against the law in another. This complicates things if the perpetrator is in a location where what he/she is doing isn't even against the law - even though it's a clear-cut crime in the location where the victim is.

Law enforcement agencies are only authorized to enforce the law within their jurisdictions. A police officer commissioned in California has no authority to arrest someone in Florida, the FBI doesn't have the authority to arrest someone in Spain and so forth. Extradition (the process by which a state or nation surrenders a suspect to another) is difficult at best, and often impossible. Under international law, a country has no obligation to turn over a criminal to the requesting entity, although some countries have treaties whereby they agree to do so. Even in those cases, it's usually an expensive and long, drawn-out process.

Thus jurisdictional issues frequently slow down or completely block the enforcement of cybercrime laws. Extradition treaties often require "double criminality," meaning the conduct must be a crime in both the jurisdiction seeking to extradite and in the jurisdiction from which the extradition is sought.

Anonymity and identity

Before jurisdiction even comes into play, it's necessary to discover where - and who - the criminal is; only then can you think about making an arrest. This is a problem with online crime because there are so many ways to hide one's identity. There are numerous services that will mask a user's IP address by routing traffic through various servers, usually for a fee. This makes it difficult to track down the criminal.

In 2009, Eugene Kaspersky identified the relative anonymity of Internet users as a key issue that enables cybercrime and proposed Internet "passports" for individuals and accreditation for businesses to help combat the problem.

Some studies have shown that people are more likely to engage in offensive and/or illegal behavior online because of the perception of anonymity.

However, attempts to better track online identity raise serious issues for privacy advocates and result in political backlash. An end to anonymity on the Internet could have serious consequences in countries where the government punishes dissenters, so even if the technological challenge of identifying every online user could be overcome, many lawmakers would be hesitant to mandate it. Cybercriminals exploit the rights and privileges of a free society, including anonymity, to benefit themselves.

Nature of the evidence

Yet another thing that makes cybercrime more difficult to investigate and prosecute than most "real world" crimes is the nature of the evidence. Digital evidence is, after all, just a collection of ones and zeros represented by magnetization, light pulses, radio signals or other means. This type of information is fragile and can be easily lost or changed.

Protecting the integrity of evidence and maintaining a clear chain of custody is always important in a criminal case, but the nature of the evidence in a cybercrime case makes that job far more difficult. An investigator can contaminate the evidence simply by examining it, and sophisticated cybercriminals may set up their computers to automatically destroy the evidence when accessed by anyone other than themselves.

In cases such as child pornography, it can be difficult to determine or prove that a person downloaded the illegal material knowingly, since someone else can hack into a system and store data on its drive without the user's knowledge or permission if the system isn't adequately secured.

In cases of intrusion or cybervandalism, the bad guy often erases all logs that show what happened, so that there is no evidence to prove that a crime even occurred, much less where the attack came from.

The good news

The news isn't all bad. Computer forensics has come a long way, and there are tools available to investigators that allow them to examine digital evidence without tampering with it. Trained forensics examiners can reliably preserve data for presentation in court and even recover deleted data, and the legal system is evolving, with new procedures being adopted to deal with the special challenges presented by the nature of digital evidence.

While anonymity online is still achievable, it's getting more difficult. With diligent work, it's often possible to track down criminals by IP and by clues that they may leave within the content of data. Many cybercriminals are not particularly technically savvy, such as those who use the Internet to commit fraud or cyberstalking. Many of those who are more knowledgeable about technology still leave clues because they get careless or are arrogant and overly confident.

Jurisdictional issues still present a challenge, particularly when the criminal is in another country, but more and more governmental entities are recognizing the harm that cybercrime does to their citizens and are working together. Countries (and states within the U.S.) are cooperating to adopt consistent laws, and forming interjurisdictional task forces to deal with cybercrime that crosses state and national boundaries.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

9 comments
Aramel

Cybercrime law is very difficult to enforce because there are many ways of hiding your identity. I was talking to a New Orleans injury lawyer a few days ago and he told me he has a new case which involved a 16-year-old teenager who admitted unofficially that he was stalking a girl online. But they can put all things together because he used some software which helped him to remain unknown.

RU7

Imagine stationing a guard at every USPS mail box who would verify your ID, address, and the letter's return address, before allowing you to mail a letter. Then imagine that guard opening and reading every letter in order to certify that there is no criminal stuff in it. Now imagine that guard and the USPS being held legally responsible for any letter that it delivered that ended up containing criminal stuff, even if the stuff wasn't criminal at the point of origin.

Rowfus

Imagine the state of medicine if uncounted thousands or tens of thousands of the most advanced people in that field didn't practice medicine in anything like the usual way (no office, no patients, etc.), didn't work for or answer to anyone, weren't affiliated with any company, corporation, or institution of any kind. Imagine all these people out there, changing our future, because they can. Now imagine trying to enforce laws upon them.

GreyTech

Food for thought Deb. One of the problems you didn't mention, is the cost of investigation. Many cases would not justify the cost because even if they resulted in a successful prosecution, the cost of investigation would far outweigh the damage caused to the victim and may cause the victim more harm than the crime did. One of the outcomes of the difficulty in enforcing cybercrime law is that more people take extra precautions to prevent themselves becoming victims. There will always be many who fail to use any common sense just as with non-cybercrime. People will still leave passwords on post-it notes on the screen, just as they will leave door keys under the flowerpot outside the door. Some of the crimes could easily be prevented with better implementation of technology. For example, improving email protocols to enforce matching of sender's address with originating server clients. ISPs improving validation of SMTP clients. Kaspersky's idea of passports is still valid, not every country has to adopt it, not every individual has to adopt it but you would perhaps be more willing to trust those with a passport than those without if it proved who you were and where you were from. The problem would be how to prevent forgeries as it is with paper ones. I've been using the internet for more than 15 years (I just found my 1994 copy of Mosaic) without anything more harmful than spam actually affecting me. I have and continue to block spyware and root out viruses and similar nasties, I take care on the internet by using Comodo's DNS servers and WOT. Most of all I use common sense to keep me out of trouble and prevent me becoming a victim of cybercrime as I do when I walk in the city where I keep my eyes open to avoid speeding motorists and choose my time and means of transport when going to some areas that are not in my comfort zone.

santeewelding

In that last paragraph. You are touching on forces that do not admit of careless speech. Your contention, for instance, about "the" Muslims: strike "the" and leave it at, "Muslims", unless you have a private line to an anthropomorphic God -- your other questionable figure of speech, erik.

eriksank

When they really or urgently need to, they can effectively track cybercriminals or other criminals. There are also enough treaties that allow international co-operation between law enforcement agencies. What you are advocating, is to make it easier for them. However, at the moment, we have much more trouble with government power being excessive already, rather than with cybercrime. So, instead of looking for ways to increase government power, we should rather focus on ways to reduce it. Instead of advocating new laws, we should ask ourselves the question how many new laws we need, before all our needs for new laws are entirely satisfied? So, indeed, how can we finally put a stop to this avalanche of ever more new laws, restricting our freedom, again and again? The solution to this problem is actually already quite old: There cannot be any new laws, because God has made all the laws already. Yes, all of them. This is the solution advocated by the Muslims, and they religiously insist on it. With every new law restricting our freedom, their solution starts sounding better and better ...

santeewelding

Except for those two gaffes at the git-go: "protect innocent users" and "the problem of criminal activities". As to the latter, with "criminal" you invalidate the entire criminal justice system, that system which has been established precisely for that -- to adjudicate what is "crime" through due process, only then to (merit) the name, "criminal". You do it without benefit. As to the former, to "protect": do you contemplate a run for office? Take a hike.

Excelerator

If I lend my car to someone, my car is involved in an accident and I am unable or unwilling to identify the driver, I am deemed to be responsible for the damage. If my car is stolen I am off the hook. What chance will there ever be of identifying the driver of a borrowed IP address? Perhaps those that do the re-routing should be charged before an 'accident' occurs.

GreyTech

I think it would be difficult for a Russian or Polish spammer to put a couple of million letters into a USPS mailbox. The comparison is not valid.