1 June 2011

Public policy responses to cybercrime: a new special issue from Policy and Internet

Multidisciplinary approaches on the issues raised by cybercrime are actively being sought by policymaking communities. Stefan Fafinski, Research Fellow at Leeds University, and Guest Editor of Policy & Internet's special issue on cybercrime introduces the papers published in the issue, discussing the problems that the abuse of networked technologies brings to society as a whole, and the range of possible policy approaches and responses.

Cybercrime is just one of many significant and challenging issues of ethics and public policy raised by the Internet. It has policy implications for both national and supra-national legislation, involving, as it may, attacks against the integrity, authenticity, and confidentiality of information systems; content-related crimes, and “traditional”: crimes committed using networked technologies.

While ‘cybercrime’ can be used to describe a wide range of undesirable conduct facilitated by networked technologies, it is not a legal term of art, and many so-called cybercrimes (such as cyber-rape and the virtual vandalism of virtual worlds) are not necessarily crimes as far as the criminal law is concerned. This can give rise to novel situations in which outcomes that feel instinctively wrong do not give rise to criminal liability. Emily Finch discusses the tragic case of Bernard Gilbert: a man whose argument over a disputed parking space led to his death, a police officer having disclosed Gilbert’s home address to his assailant. The officer was charged simply with the offence of disclosing personal data; the particular consequences of such disclosure being immaterial under English criminal law. Finch argues that this is unsatisfactory: as more personal information is gathered and available online, the greater the potential risk to the individual from its unauthorized disclosure. She advocates a two-tier structure for liability in the event that disclosure results in harm.

Clearly, current criminal law often struggles to deal with behaviours that were either not technologically possible at the time that the law was made, or were not within the contemplation of the legislature. Conversely, criminal liability might arise unexpectedly. Sandra Schmitz and Lawrence Siry explore the curious overlap between the nature and motivation of sexting and the possibility that it might fall foul of child pornography laws. They argue that the law as it stands is questionable, as the nature and content of ‘sext’ messages is generally at odds with conceptualizations of child pornography. Given that laws designed to protect children may also be used to criminalize unremarkable adolescent behaviour, this is an example of where the law should clearly be changed.

Simone van der Hof and Bert-Jaap Koops also address the mobile Internet usage of young people, considering the boundaries between freedom and autonomy on the one hand and control and repression on the other, arguing that the criminal law is yet again somewhat inadequate, as its overuse can lead to adolescents relying on legal protection rather than taking more proactive responsibility for their own online safety. The role of policy here should be to stimulate digital literacy in the first instance and, for the graver risks, to foster a co-regulatory regime by the Internet industry; criminalization should only be used as a last resort. However, the technology itself can also be used to assist law enforcement agencies in policing the Internet, for example in identifying and targeting online child exploitation networks. Bryce G. Westlake, Martin Bouchard, and Richard Frank demonstrate the use of an automated tool to provide greater efficiency in target prioritization for policing authorities; also opening the policy discussion surrounding the desirability of augmentation of traditional police procedures by automated software agents.

As well as harm to individuals, misuse of the Internet can also cause immense commercial damage to the creative industries by unlawful copyright infringement. The empirical study by Jonathan Basamanowicz and Martin Bouchard on the policing of copyright piracy rings suggests that increased regulation will only encourage offenders to adapt their behaviour into something less amenable to control. They argue that an effective response must consider the motivations and modus operandi of the offenders, and propose a situational crime prevention framework which may, at the very least, curtail their activities. Finally, again from an economic perspective, Michael R. Hammock considers the economics of website security seals and analyses whether market forces are controlling privacy and security adequately, concluding that unilateral regulation may actually harm those consumers who might not care whether or not they are protected, but who will have to bear the indirect cost in the form of a premium for increased protection.

The spectrum of policy responses can therefore be seen as existing along a continuum, with “top-down” responses originating from state agencies at one extreme, to bottom-up responses originating from private institutions at the other. Malcolm Shore, Yi Du, and Sherali Zeadally apply this public–private model to the regulation of cyber-attacks on critical national infrastructures. They consider the benefits and limitations of the various public and private initiatives designed to implement a national cybersecurity strategy for New Zealand and propose a model of assured public–private partnership based on incentivized adoption as the most effective way forward.

The articles in this special issue show that there can be no single simple policy-based solution to cybercrime, but suggest instead that there is a role for policymakers to introduce multi-tiered responses, involving a mix of the law, education, industry responsibility, and technology. Responses will also often require cooperation between law enforcement organizations, international coordination, and cooperation between the public and private spheres. It is clear that an effective response to cybercrime must therefore be greater than the sum of its parts, and should evolve as part of the diffuse governance network which results from the complex, yet natural, tensions between law, society, and the Internet.


Note: This article gives the views of the authors, and not the position of the Policy and Internet Blog, nor of the Oxford Internet Institute.