Cyberspace
The new frontier for policing?
Abstract
This chapter contains an analysis of some of the practical legal challenges of so-called cyberspace and cybercrime/cyber-enabled crime. In particular, this chapter discusses the difficulties of concepts such as jurisdiction and the ability of domestic legal systems to accommodate the borderlessness of the Internet. This chapter considers the nature, size, shape, and scale of the challenge represented by cyberspace within the context of the UK Cyber Security Strategy and recent developments among public bodies to adapt. This chapter concludes by raising the growing dilemma presented by the need to balance security of citizens and their property within cyberspace against the regulated conduct of state agencies within that setting.
Published in 2011, the UK Cyber Security Strategy states that:
Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society.
That the United Kingdom even has a cyber security strategy is telling. Governments and their agencies—not only in the United Kingdom but worldwide—have struggled to distinguish criminality that specifically relies on the use of the hyper-connectivity of global information technology from “ordinary” crime that is simply enabled by using information and communication technology. Despite legislative interventions such as the Council of Europe Convention on Cybercrime (for an analysis of which see Vatis, 2010, p. 207) in 2001, cyberspace remains a largely unregulated jurisdictional outpost.
The first piece of criminal legislation to address the use—or rather the misuse—of computers in the United Kingdom was enacted in 1990. The recital to the Computer Misuse Act 1990 states that it was an act “to make provision for securing computer material against unauthorized access or modification; and for connected purposes.” This narrow, pre-Internet focus was very much predicated on the concept of a computer as a functional box (or network of boxes) containing “material” that required protection (Sampson 1991a, p. 211). Although the Act addressed unauthorized access, the concept of causing a computer to perform a function in furtherance of other crimes was also a central part of the new legislation (Sampson, 1991b, p. 58) which, for the first time in the United Kingdom, sought to catch up with computer technology that was becoming part of people’s everyday lives—a race in which the legislative process did not stand a chance.
While the legislation was amended in 2006 with the introduction of a new criminal offence of unauthorized acts to impair the operation of a computer or program, etc., looking back through today’s digital prism, the legislation has a decidedly analog look to it. When the legislation came into force we had little idea of the impact the “information super-highway” would have on our everyday lives, still less the engrenage effect of social media.
According to the UK’s 2011 Cyber Security Strategy, at the time of its publication 2 billion people were online and there were over 5 billion Internet-connected devices in existence. During that same year, the number of people being proceeded against for offences under the Computer Misuse Act 1991 in England and Wales, according to a document from the Ministry of Justice, was nine (Canham, 2012) with no people being proceeded against for the two offences under s.1(1) and s.1(3). Perhaps as surprisingly, the records from the Police National Legal Database (PNLD) used by all police forces in England and Wales for offence wordings, charging codes, and legal research show that during two weeks (chosen at random) in 2013 the Computer Misuse Act 1990 and its constituent parts were accessed as follows:
Between 4th and 10th March—907 times
Between 10th and 16th November—750 times
Reconciling these two data sets is difficult. While it is clear from the PNLD access data that law enforcement officials in England and Wales are still interrogating the 1990 legislation frequently (on average, around 825 times per week or 118 times per day or annually 42,900 times), the number of prosecutions for the correlative offences is vanishingly small. One of the many challenges with cybercrime and cyber-enabled criminality is establishing its size and shape.
The Shape of the Challenge
Just as the shape of our technology has changed beyond all recognition since 1990, so too has the shape of the challenge. The almost unconstrained development of Internet-based connectivity can be seen, on one hand, as a phenomenological emancipation of the masses, an extension of the Civil Data Movement and the citizens’ entitlement to publicly held data (see (Sampson and Kinnear, 2010). On the other hand, the empowerment it has given others (particularly sovereign states) to abuse cyberspace has been cast as representing the “end of privacy” prompting a petition to the United Nations for a “bill of digital rights.”
Steering a predictably middle course, the UK strategy sets out the key—and, it is submitted, most elusive—concept within the document: that of a “vibrant, resilient, and secure cyberspace.” The aspiration must surely be right but how can resilience and security be achieved within a vibrant space run by computers? In terms of both computers and our reliance upon them, we have moved so far from the original notion of boxes, functions, commands and programs, along with the consequences that can be brought about by their use, that a fundamental re-think is needed.
So what—and where—is cyberspace? Much has been written recently on the threat, risk and harm posed by “cybercrime,” “e-crime,” “cyber-enabled” criminality but the legislation has been left a long way behind. The EU has a substantial number of workstreams around its “Cybersecurity Strategy” and its own working definition of “cyberspace” though its own proposed Directive has no legal definition but rather one for Network and Information Security to match the agency established in 2004 with the same name. In the United Kingdom, a parliamentary question in 2012 asked the Secretary of State for Justice how many prosecutions there had been for “e-crime” in the past 5 years. In response, the Parliamentary Under Secretary of State gave statistics for ss 1(4), 2 and 3(5) of the Computer Misuse Act while the correlative Hansard entry uses the expression “cybercrime” in its heading.
Wherever it is, constitutional lawyers around the world have wrestled with the applicability of their countries’ legislation with the borderlessness of the virtual word of the Internet; the application of “analog” territorial laws to the indeterminable digital boundaries of the infinite global communications network is, it seems, proving to be too much for our conventional legal systems. Here is why.
When it comes to interpreting and applying law across our own administrative jurisdictional boundaries, an established body of internationally agreed principles, behavior, and jurisprudence has developed over time. Some attempts have been made to apply these legal norms to cyberspace. For example, the International Covenant on Civil and Political Rights sets out some key obligations of signatory states. In addition, activities executed within or via cyberspace should not be beyond the reach of other community protections such as those enshrined in the European Convention of Human Rights or the EU Charter of Fundamental Rights, particularly where issues such as online child sexual exploitation are involved. The first basic challenge that this brings however, is that of jurisdiction.
Cottim has identified five jurisdictional theories and approaches in this context, namely (Cottim A. 2010):
1. Territoriality theory: The theory that jurisdiction is determined by the place where the offence is committed, in whole or in part. This “territoriality theory” has its roots in the Westphalian Peace model of state sovereignty that has been in place since 1684 (see Beaulac, 2004, p. 181). This approach has at its heart the presumption that the State has sovereignty over the territory under discussion, a presumption that is manifestly and easily rebuttable in most “cyberspace” cases.
2. Nationality (or active personality) theory: Based primarily on the nationality of the person who committed the offence (see United States of America v. Jay Cohen; Docket No. 00-1574, 260 F.3d 68 (2d Cir., July 31, 2001) where World Sports Exchange, together with its President, were defendants in an FBI prosecution for conspiracy to use communications facilities to transmit wagers in interstate or foreign commerce. The defendants were charged with targeting customers in the United States inviting them to place bets with the company by toll-free telephone call or over the Internet). While the Antiguan Company was beyond the jurisdiction of the court, the President was a US citizen and could, therefore, be arraigned before an American criminal court.
3. Passive personality theory: While the “nationality theory” deals with the nationality of the offender, the “passive personality theory” is concerned with the nationality of the victim.
In what Cottim calls “the field of cybercriminology,” a good example of this jurisdiction assumption can be seen in a case where a Russian citizen who lived in Chelyabinsk, Russia was sentenced by a court in Hartford Connecticut for hacking into computers in the United States.
4. Protective theory: Cottim’s “protective theory” (also called “security principle” and “injured forum theory”) deals with the national or international interest injured, assigning jurisdiction to the State that sees its interest—whether national or international—in jeopardy because of an offensive action. Cottim sees this rarely used theory as applying principally to crimes like counterfeiting of money and securities.
5. Universality theory: In his final theory, Cottim identifies the approach of universality based on the international character of the offence allowing (unlike the others) every State to claim of jurisdiction over offences, even if those offences have no direct effect on the asserting State. While this theory seems to have the most potential for applicability to cyberspace, there are two key constraints in the way it has been developed thus far. The first constraint is that the State assuming jurisdiction must have the defendant in custody; the second is that the crime is “particularly offensive to the international community.” While this approach has, Cottim advises, been used for piracy and slave trafficking there is considerable practical difficulty in defining the parameters of the universality approach even in a conventional context and the possibility of extending it to cover cyberspace offending and activity is as yet unexplored.
When it comes to conventional extra-territorial challenges, the device of focusing on key elements such as the nationality of the offender and the geographical location of the causal conduct or consequent harm has produced some successful prosecutions for (and perhaps thereby deterred) some conventional cyber-enabled offending. For example, Cottim cites a case where the Managing Director of CompuServe Information Services GmbH, a Swiss national, was charged in Germany with being responsible for the access—in Germany—to violent, child, and animal pornographic representations stored on the CompuServe’s server in the United States. The German court considered it had jurisdiction over the defendant, although he was Swiss, he lived in Germany at the time. The Amtsgericht court’s approach has been criticized as not only unduly harsh but as unsustainable and it is difficult to argue with Bender who says “it must be noted that the ‘law-free zones’ on the Internet cannot be filled by a ruling like this, but need a new self-regulatory approach” (Bender, 1998).
In some cases litigants also use the jurisdictional differences to argue down the gravity of the sanction or the extent of their liability, particularly where the perpetrator from one jurisdiction brings about consequence in another. A good recent example is Klemis v Government of the United States of America [2013] All ER (D) 287 where the UK defendant allegedly sold heroin to two men in Illinois, USA. One of the men subsequently died and raised questions at the point of sentencing as to how the different legislatures in the two jurisdictions had set the requirements for the relevant actus reus (criminal act) and the mens rea (culpable state of mind) differently. Another recent example of trans-jurisdictional friction is Bloy and Another v Motor Insurers’ Bureau [2013] EWCA Civ 1543. In that case a road traffic collision in the United Kingdom had been caused by a Lithuanian national who had been uninsured at the time. The Motor Insurers’ Bureau is the UK compensation body for the purposes of the relevant EU Directive and was obliged to pay compensation where a UK resident had been injured in a collision in another Member State caused by an uninsured driver. In such cases, the Directive enabled the Bureau to claim reimbursement from the respective compensatory body in the other Member State. However, under the domestic law of Lithuania the liability of the compensatory body was capped at €500 k. The Bureau argued that its liability to pay the victim should be capped by Lithuanian domestic law even though the collision happened on an English road.
Clearly the challenges of unauthorized access and use of data obtain; so too do the jurisdictional challenges of locus of initiators and consequences. However, these have to be understood in the context of the much more pernicious and truly viral threats such as denial of service attacks, malware, data espionage and what Cottim calls the scareword of “cyber-terrorism” which has now become formally adopted by many law enforcement agencies, politicians and commentators. The reality is that, with the requisite knowledge and motivation, a teen with a laptop can alter the “use by” dates on food products in a packing plant on the other side of the world, or command the central heating system of a neighbor’s Internet-connected home to overheat, or send the traffic lights in a far away city into a frenzy. The further reality is that the wattle-and-daub constructs of conventional law making in common law countries, along with their correlative law enforcement practices, will not provide the answer to these threats and risks and even staples such as “crime scenes” and “perpetrators” are no longer adequate within the new frontier of cyberspace.
However, it is not just the domination and manipulation of cyberspace by criminals that has caused public concern. The aftermath of the Edward Snowden revelations about intrusive governmental espionage demonstrated that cyberspace is regarded as a potentially perilous place by private users not just in fear of becoming victims of remote criminality. There is also a real fear that the technological environment allows state agencies to operate in highly intrusive yet anonymous and unaccountable ways, prompting the CEOs of some of the world’s leading IT companies to write an open letter to the President of the United States demanding reform of cyberspace surveillance based on a series of overarching principles that guarantee the free flow of information yet limit governmental authority and impose a substantial degree of oversight (Armstrong et al., 2013).
What then is the size of the challenge presented by this amorphous construct of cyberspace?
The Size of the Challenge
The population of cyberspace is estimated by the UK government to be > 2 billion. While we do not accurately know the frequency or longevity, this means that one-third of Earth’s population visit cyberspace and billions more are anticipated to join them over the next decade, exchanging over $8 trillion in online commerce. According to the Commissioner of the City of London Police, “cyber” fraud (broadly offences of dishonesty committed by use of computer networks) costs the UK £27 billion per year while “cyber breaches” (presumably involving the unauthorized infiltration of a private or public computer network) have been recorded by 93% of small and medium businesses in the United Kingdom in 2013, an increase of 87% on the previous year.
Aside from some of the peculiar criminological features unique to crime committed in cyberspace (such as the absence of any real motive for anyone—individual or corporate victims or their Internet Service Providers—to report crimes involving fraud) the basic challenge facing us now seems to be how to get to grips with the concept of cyberspace—vibrant, resilient, secure or otherwise. Having separated cybercrime from cyber-enabled crime in the same way we might separate crime within a transport network from crime where the transport network is merely an enabler, surely we need to begin to treat cyberspace for what it is: a separate socio-spatial dimension in which people choose not only to communicate, but also to dwell, trade, socialize and cultivate; to create intellectual property, generate economic wealth, to begin and end relationships; to forage, feud and thrive; to heal and harm. Viewed in this way cyberspace is another continent, vast, viable and virtual, a distinct jurisdiction requiring its own constitution and legal system, its own law enforcement agents and practices. The Director of Operational Policing Support for Interpol’s General Secretariat, Michael O’Connell, has compared the movement across cyberspace with “the 2 billion passenger movements across the world.” The reality is that cyber travelers move around the borderless virtual globe with almost immeasurable speed, almost zero cost and almost total anonymity.
The challenge of tackling cyber security stretches way beyond simply standardizing our legal frameworks. The UK Government has also recognized that “Without effective cyber security, we place our ability to do business and to protect valuable assets such as our intellectual property at unacceptable risk.” In the report commissioned by the UK Government, Price Waterhouse Coopers estimate that there are over 1000 different global publications setting out cyber standards. Moreover, their assessment of the standards situation across organizations looked patchy and incomplete.
While the awareness of cyber security threats and the importance placed on them was generally found to be high, the efforts to mitigate cyber security risk differ significantly with the size of the organization and its sector. The report found that only 48% of organizations implemented new policies to mitigate cyber security risks and only 43% conducted cyber security risk assessments and impact analysis to quantify these risks. The report also found that 34% of organizations who purchased certified products or services did so purely to achieve compliance as an outcome.
Although the authors are clear in pointing out that the online survey reached an audience of ~ 30,000 organizations, it produced around 500 responses, not all of them complete. Nevertheless, the picture that emerges from the report is one of a fragmented and nonstandardized response to a global threat.
The Response
Aside from stretching and reworking legal principles such as jurisdiction and issuing strategies, there have been several key responses to the challenges of cybercrime and cyber-enabled criminality. For example, the Metropolitan Police Service was recently reported as having substantially expanded its E-crime unit to a reported 500 officers in response to the threat of “cybercrime” having become a Tier One National Security threat. This is consistent with the responses having effect across the UK law enforcement community. The Police Reform and Social Responsibility Act 2011—the legislation that created elected police and crime commissioners—also introduced the concept of the Strategic Policing Requirement (SPR). The SPR is published by the Home Secretary and sets out those national threats that require a coordinated or aggregated response in which resources are brought together from a number of police forces; it applies to all police forces in England and Wales and is referred to by other law enforcement agencies throughout the United Kingdom.
The SPR identifies how police forces and their governance bodies often need to work collaboratively inter se, and with other partners, national agencies or national arrangements, to ensure such threats are tackled efficiently and effectively.
The SPR contains five areas of activity and threat that are, if at a Tier One or Tier Two risk level in the National Security Risk Assessment, covered. These are:
• Other civil emergencies requiring an aggregated response across police force boundaries
• Organized crime (Tier Two)
• Threats to public order or public safety that cannot be managed by a single police force acting alone
• A large-scale cyber incident (Tier One) including the risk of a hostile attack upon cyberspace by other states
The SPR recognizes that there may be considerable overlap between these areas. For example, there may be a substantial organized crime element involved in a cyber incident and vice versa. All elected police and crime commissioners and their respective chief police officers must have regard to the SPR in their planning and operational arrangements. This is an important legal obligation for reasons that are discussed below.
Having set out these key risks to national security, the SPR requires policing bodies to have adequate arrangements in place to ensure that their local resources can deliver the requisite:
Capability
Consistency
Connectivity and
Contribution
to the national effort (the five “‘Cs”).
Given the legal and practical difficulties that are explored infra, the extent to which local policing bodies are in a position to meet these criteria in a meaningful way in relation to “cyber incidents”—whether “upon” or within cyberspace is questionable. For example, while it is a relatively simple task to assess the capacity and capability of a group of local police force (even a large one such as the Metropolitan Police) to tackle large-scale public disorder, and to measure the connectivity of their resources in preparing for such an event, it is far harder to demonstrate that the same forces meet the five C requirements (capability, connectivity, and so on) required to understand and respond to even a highly localized cyber incident, still less a cyber attack sponsored by another state. This too is important because the courts in the United Kingdom have interpreted the expression “have regard to” a government policy as meaning that public bodies fixed with such a duty must above all properly understand that policy. If a government policy to which a public body must have regard is not properly understood by that body this has the same legal effect as if that body had paid no regard to it at all. Further, if a public body is going to depart from a government policy to which it must “have regard,” that body has to give clear reasons for doing so, such that people know why and on what grounds it is being departed from. While the EU might have a series of arrangements in place which require Member States to notify them of “incidents” that “seem to relate to cyber espionage or a state-sponsored attack” and invoke the relevant parts of the EU Solidarity Clause, there is little evidence that most police areas would be in a position confidently to make that assertion, promptly or at all.
Quaere: how well are all affected police agencies in England and Wales able to demonstrate that they have properly understood the threat of a cyber attack in the context of the SPR? If the answer to this is anything other than an unqualified “yes,” then they might do well to issue a notification to that effect to their respective communities and stakeholders.
Conclusion
Tackling computer-enabled criminality has generally focused on the physical presence of those controlling, benefiting, or suffering from the remote activity—it has been concerned with input and output. The European Union has a proposed Directive to require Member States to ensure they have minimum levels of capability in place, along with Computer Emergency Response Teams (CERTs) and arrangements for effective coordination of “network and information systems.” At the same time the Budapest Convention has been in force for almost a decade to provide a model for the many signatory nations (including the United States) to draft their domestic “cybercrime” legislation and the correlative cyber security industry is vast and burgeoning. But is there not a pressing need to tackle what is taking place in cyberspace itself? Using existing jurisdictional theories is arguably not enough; what is needed is not a partial application of some extra-cyberspace laws adapted to suit some extra-cyberspace consequences. Continuing to apply the traditional criminological approaches to technological innovation in the context of cyberspace is, it is submitted, rather like separating criminality that takes place within an underground transport network from that where the offender uses the London Underground to facilitate their offending. In the first situation the setting is a key component of the offending while, in the second, it is a chosen part of the wider modus operandi and the offender might just as easily have chosen to take the bus, a taxi or to walk to and from the locus of their crime. This is the fundamental difference between cyber-enabled offending and offending within cyberspace. Policing the exits and entrances is never going to be a complete or even satisfactory answer to the latter. Aside from the practical and jurisprudential reasons, there are also important political imperatives beginning to emerge. For example India’s Telecom and IT Minister Kapil Sibal asserted recently that there should be “accountability and responsibility” in the cyberspace in the same way as in diplomatic relations:
If there is a cyberspace violation and the subject matter is India because it impacts India, then India should have jurisdiction. For example, if I have an embassy in New York, then anything that happens in that embassy is Indian territory and there applies Indian Law.
For this approach to go beyond the conventional jurisdictional approaches considered supra would require a whole new set of processes, procedures and skills; it would take more than the publication of a set of agreed standards or an agreed recipe for domestic legislation. There needs, it is submitted, to be a new presence in cyberspace, a dedicated cyber force to tackle what the Director-General of the National Crime Agency, Keith Bristow, calls “digital criminality.” Perhaps what is needed is not a new way of overlaying our conventional law enforcement assets and techniques on cyberspace or a new way of extending our two-dimensional constructs of jurisdiction to fit a multi-dimensional world, but a new wave of cyber assets—“cyber constables” as it were—to patrol and police the cyber communities of the future. However, given our global experience of the ways in which some state agencies have operated within cyberspace, in the post-Snowden era that perennial question of democratic law enforcement “quis cusodiet” sits just as fixedly above cyber policing as it has in every analog setting to date.