Private-Public Sector Cooperation in Combating Cybercrime: In Search of a Model
| Author | Susan W. Brenner |
| Position | NCR Distinguished Professor of Law & Technology University of Dayton School of Law Dayton, Ohio USA |
| Pages | 58-67 |
-
A version of this paper was published in Kierkegaard, S. (2006) Business Law and Technology Vol. 1 and presented in the 2006 IBLT Conference , Denmark.
Page 58
As I have explained elsewhere, the model of law enforcement we currently rely upon is not effective in dealing with cybercrime, at least, is not as effective as it needs to be to control the incidence of cybercrime (Brenner, 2004).
The current model is not effective because, reasonably enough, it was developed to deal with real-world crime. As a result, it incorporates (i) certain assumptions about crime and (ii) correlative assumptions about how law enforcement reacts to completed crimes in a manner that sustains the level of deterrence needed to keep crime under control. The model is not effective against cybercrime because the assumptions it makes about crime do not hold for cybercrime: Unlike crime, cybercrime is routinely transborder/transnational in nature, which means there is usually not a single, localized crime scene that becomes the focus of an investigation; and because it is automated, cybercrime is routinely committed on a scale vastly exceeding the scale on which it is possible to commit crimes. Singly and in combination, these factors create challenges for law enforcement's investigatory procedures and resources. (Brenner, 2004)
For these and other reasons, the current law enforcement model - which makes the process of reacting to crimes (or cybercrimes) the exclusive province of a cadre of government-sponsored, professional law enforcement agents - is not, and will never be, adequate to keep cybercrime and related evils such as cyberterrorism within acceptable bounds. Indeed, the problems we see with the current model will only be exacerbated as computer technology migrates from the "boxes" we currently use and embed itself into our environments and, perhaps, into ourselves.
In the early nineteenth century, Sir Robert Peel invented a new approach to crime control because the strategies being used were simply not effective. He gave us the model we currently use, which is still effective for traditional crime.(Brenner 2004) We, though, face challenges Sir Robert could not have imagined, challenges that erode the efficacy of the model he created. We must, therefore, devise a new approach for the new problems we face.
Since the current model is adequate for real-world crime, and since much of the crime societies confront is still real-world crime, we should not discard the current model. The prudent course, instead, is to modify the current model in a way that enhances its ability to react effectively to cybercrime and related evils. This paper analyzes how we might go about doing this. It is very much on the order of a speculation - an effort to parse the conceptual and legal issues that would arise from what seem to be the most viable options for modifying the current model.
The sections below undertake this process. They focus on two fundamental modifications of the current model, both of which entail expanding the pool of citizens who participate in the reacting-to-cybercrime process and changing how they participate. The first modification incorporates civilian participation and civilian Page 59 resources into this process; this approach in a sense "deputizes" the civilian participants, because their participation becomes a formal component of the process. The other modification tolerates independent, idiosyncratic civilian efforts to react to cybercrime; this approach represents the legitimization of vigilante action, at least in the cyberworld.
Before I proceed with the analysis, I should note that my focus in this paper is very different from the focus I have brought to bear on this issue in prior papers. I have argued, elsewhere, for using criminal liability to encourage civilians - individual and corporate civilians alike - to prevent cybercrime. My focus in those papers was on using criminal liability to effect a change in culture - moving us from a culture in which we regard cybercrime as the sole province of law enforcement to one in which we assume a measure of responsibility for protecting ourselves from online miscreants. Such a shift in culture, of course, also represents a modification to the current law enforcement model.
I see that modification, though, as a much more informal process, even though it is instituted via the selective use of the criminal sanction. While civilians play a de facto role in the current law enforcement model under that proposed modification, they do so while remaining outside the formal law enforcement structure. Under that modification, they function as ad hoc adjuncts to professional law enforcement efforts. They have no official status, and they play no role in the formal law enforcement process. Their only role - their only contribution - is to reduce the incidence of cybercrime by taking certain prophylactic measures to secure their activities and their computers. Their participation is, in a sense, passive; they try to block cybercrime, rather than investigate it.
I see the modifications I explore in the sections below as a more radical step, since both actively involve civilians in the process of reacting to completed cybercrimes. In these modifications civilians do not function merely as adjuncts to professional law enforcement officers; instead, they effectively step into law enforcement's shoes and actively participate in the process of pursuing cybercriminals. The modifications we examine below are therefore structural - rather than cultural -modifications. As such, they raise difficult questions about the proper relationship between civilians and their government, as personified by the officers charged with enforcing the criminal laws. We will return to this issue at the end of the paper.
We begin by analyzing the permissibility and practicality of incorporating formalized civilian participation into the reacting-to-cybercrime process. We will then do the same for the vigilante modification.
This analysis involves two distinct dichotomies. The first goes to how civilians participate in the reacting-tocybercrime process - the role(s) they play in the process. Our approach to law enforcement encompasses two phases: (i) investigatory, in which agents of the state identify and apprehend offenders; and (ii) prosecutorial, in which the offenders are tried and, optimally, convicted and sanctioned for their transgressions. Logically, civilians can participate at either or both levels; that is, they can participate in the process of investigating cybercrime and/or in the process of prosecuting cybercrime.
We explore both options in the sections below. But each option also presents a secondary dichotomy: What are the conceptual issues involved in implementing this version of the formalized civilian participation modification? And what are the practical issues involved in doing so? We also address these issues below.
Our analysis of the formalized civilian participation modification follows the first dichotomy: The initial section below examines the conceptual and practical issues involved in incorporating formalized civilian participation into the process of investigating cybercrime. The next section examines the conceptual and practical issues involved in incorporating formalized civilian participation in to the process of prosecuting cybercrime.
Unlike prosecution, which has (at least in the United States) included a measure of civilian participation, the investigation of crime has been exclusively reserved for law enforcement officers since the model developed by Sir Robert Peel became entrenched in societies toward the end of the nineteenth century Brenner 2004). Civilians' only roles in the model devised by Sir Robert are to act as (i) the complainant, whose information often initiates an investigation and (ii) a witness if and when the matter goes to trial.
This approach is not historically inevitable; civilians played an active role in the investigation of crime prior to Sir Robert's innovations. Citizens of most pre-nineteenth century societies would find our limiting Page 60 investigatory efforts to professionalized officers peculiar, as their societies relied upon a mix of public and private efforts.
We cannot, however, simply go backwards, even in the face of evidence that our current approach is not satisfactory. When the prospect of incorporating active civilian participation into the battle against cybercrime has been raised - and it has come up in several, somewhat limited contexts, as we see in a moment - it has been met with some resistance, resistance based on issues that may or may not be serious and that may or may not be merely the product of our discomfort with deviating from the law enforcement model to which we are accustomed.
Before we analyze the arguments for and against active civilian participation in the investigatory process, we need to parse out the forms that participation might take. Overall, the most substantial (and therefore most useful) participation would come from corporate civilians, because they generally have the most resources to draw upon. Basically, a corporation can participate in two, non-exclusive ways: It can supplement the non- personnel resources available to law enforcement by contributing materiél - hardware, software and other items needed in the investigatory process - to the officers charged with pursuing cybercriminals. This has been, and is being, done in the...
To continue reading
Request your trial