Thursday, 16 October 2014

Virtual homo sapiens

Professor Hargreaves CBE of Cardiff University has recently reviewed Jamie Bartlett's new book The Dark Net: Inside The Digital Underworld.

It's an engaging and critical review, though that's not the real reason for my post today. The following snippet from Hargreaves' review caught my eye:

"Bartlett is an amiable guide. He is not blind to the morally disturbing characteristics of virtual homo sapiens, but he sets out chiefly to report rather than to judge." [my emphasis]
If there are characteristics of 'virtual homo sapiens' that we find morally disturbing – there undoubtedly are, and nowhere more prevalent than beneath the cryptographic shroud of the 'Dark Net' – what does this say about human nature? Internet access is so pervasive that almost all of humanity is in some way connected with virtuality: does Hargreaves mean to indict all of humanity with the sins of the "cypherpunks"?

Even the imagery is emotive: 'the Dark Net' does not sound like a holiday resort. Is the reference to darkness a tribute to privacy by design, or a warning of unrestrained moral turpitude?

What of virtues amongst the virtual? It would be absurd to suggest that there is a child pornographer or drug dealer in each of us, restrained only by the risks of surveillance and detection that are association with today's watched Web.

Wikström's Situational Action Theory (SAT) tells us that actions are a function of 'people in places', and amongst the key factors influencing behaviour are the moral rules of a given setting. These interact with the moral emotions and criminal propensities of the people in that place, whose placement in or exposure to that particular setting is structured by wider social forces.

It appears that the Dark Net can be understood as a criminogenic setting. The heightened sense of privacy and invulnerability that is experienced by those who understand its cryptographic precepts is, in SAT parlance, an 'environmental inducement' that activates latent criminal propensities in those who use the Dark Net.

It seems likely that users of the Dark Net are typically technically able people. If we assume that technical ability can be learned by anyone, we are left with the proposition that everyone has a criminal propensity that is activated by interaction with the Dark Net. It is more likely that the secrecy of cryptography has a lure of its own for those with latent criminal propensities, which may explain a skew amongst users of the Dark Net echoing the old 'white hat, black hat' dichotomy.

There are legitimate uses of the Dark Net but perhaps these are less visible to those outside the cryptographic community because of the same obsession with criminality that drives moral panics in the offline world. However, we know that people will often do things behind a computer screen that they would never follow through in 'real life' or where their real identity is at stake: see the vicious pseudonymous threats in the recent #GamerGate scandal for an example of this. It is likely that those who offend on the Dark Net are likely to have fairly low self control, but not so low that they would necessarily offend in the online environment as well. It may be that we need to develop new measures of self control to capture this phenomenon.

If it true that there are people whose criminal propensities are activated only by the online environment, or by the Dark Net in particular, what are the consequences of this for punishment and rehabilitation? For such a person it may be that disconnecting them from the online world would completely remove their risk of re-offending. Is there scope to rehabilitate such people without sending them to prison?

I shall explore these ideas in a later post, after I have read Bartlett's book!

Thursday, 18 April 2013

Book Review: Localizing the Internet

I recently had the privilege of reviewing John Postill's Localizing the Internet for the LSE Review of Books. It's a fascinating case study conducted in Malaysia, focusing on the way the Internet can shape governance. Postill introduces his concept of the 'field of residential affairs', and explains why the dominant paradigm of 'the community' being impacted upon by 'the network' is less useful than it might appear.

Here's the blurb, written by Managing Editor Amy Mollett:

At a critical time of democratic reform across many parts of Southeast Asia, the suburb of Subang Jaya is regarded as Malaysia’s electronic governance laboratory. The focus of Localizing the Internet is Subang Jaya’s field of residential affairs, a digitally mediated social field in which residents, civil servants, politicians, online journalists, and other social agents struggle over how the locality is to be governed at the dawn of the Information Era. Richard Hanstock finds much of interest for sociologists, media theorists, and anthropologists.

You can read my review here.

Sunday, 10 February 2013

Sentencing cybercriminals: a call for guidelines

Recent news of the sentencing of four men (1, 2) connected with Anonymous DDoS attacks on Visa, PayPal and Mastercard raises questions over the suitability of existing sentencing options and penal practices as a reaction to online offending.

For flooding these payment gateways with bogus requests such that they were no longer able to service legitimate traffic, in connection with the WikiLeaks saga, three of the four men received custodial sentences, one of which is suspended, while a fourth was reluctantly spared custody as he had been 16 at the time of the offences.

Without having read the sentencing remarks, it is difficult to tell on what basis a custodial sentence is said to be justified. Indeed, it is not immediately clear on what basis these acts are deserving of the moral label "criminal" at all. According to the news, these men were co-conspirators in a group responsible for some £3.5mn of lost revenue. A large sum of money, certainly; but, unlike these high-tech bank robbers, the men in this case did not share in £3.5mn of ill-gotten gains. Their motivations, it seems, were political.

Compare this to the financial cost of Occupy London: apparently St. Paul's lost revenue exceeding £16,000 per day, and authorities paid out over £1mn in "legal and monitoring costs". Yet, this was dealt with through the mechanisms of civil trespass. Is this cost any less direct than a loss of revenue caused by DDoS attacks?

Perhaps a line ought to be drawn between acts that result in private criminal gain and those that are motivated by something else. This is not to say that the latter should always be 'allowed' to happen, just that there ought to be a clear distinction between civil nuisance and criminal wrong. As my previous post on this subject argues, there is a moral hazard in overprotecting our interests using the coercive power of the state, in using the sledgehammer of the criminal law to crack the nuisance nut.

Police criticism of current sentencing practice rests on leniency toward cyber criminals relative to offline counterparts. It seems correct to say that, all other things being equal, a fraud committed online should not attract a lesser sentence than an equivalent fraud committed offline. However, these are fundamentally different acts, motivated by fundamentally different aims. Of course, many crimes may be committed in the name of ideology: my point is that the tension between trespass and DDoS calls into question the nature of the harm that the state seeks to condemn, and complicates the task of sentencing. If Parliament is unwilling to revisit the scope of liability, the CPS should draw up a code of practice (just as it is doing for social media prosecutions), and the Sentencing Council should issue guidance to structure judicial reaction to Internet offending.

Perhaps a special blameworthiness in DDoS rests in the typically illicit means by which perpetrators tend to amass the computing power necessary for the success of their attacks. If so, this should explicitly be stated; though this shotgun approach does seem rather at odds with orthodox standards of proof. What is it about DDoS attacks, in your view, that attracts this special blame?

Adding certainty to the criminal law in this area, if not rolling back its scope, ought to be the legacy of Aaron Swartz, the first casualty of overzealous prosecution, who was motivated by a desire to make academic journal articles freely available to all. We need coherent, evidence-based guidance on the proper scope and extent of criminal wrongdoing, on an international level.

The role of criminology and other social sciences in this debate is crucial. Without an empirical basis for the causation of Internet crime, the role of deterrence and other controls, and the extent of any normative framework around Internet crimes, policy risks amounting to little more than reactionary guesswork.

Sunday, 27 November 2011

Cyber Security Strategy 2011

On Friday, the UK government released its latest Cyber Security Strategy. The Strategy sets out three objectives, underpinned by a fourth:

  1. "Tackle" cybercrime.
  2. Build resilience against cybercrime.
  3. Contribute to an "open, stable and vibrant" cyberspace.
  4. Attract & build upon skills to support all of these objectives.
In my view, the fourth is by far the most important of these objectives. There is a great deal that we do not yet know about Internet-mediated harms. Not only is the nature of the threat constantly developing, but so much is still to be learned about the individuals who drive criminality online.

Much of the Strategy is concerned with building defences against such harms. Certainly, resilience is very important, and I am pleased that the Strategy acknowledges that both industry standards and security awareness are important to reducing the opportunities for such harms. However, resilience strategies ultimately amount to nothing more than target hardening, ignoring the underlying issues. No crime, in my view, can adequately be understood as a 'routine activity', and policies which make this mistake can never hope to "tackle" crime.

The Strategy seems to be driven by a belief that it is possible to "design out crime online" (page 30, para. 4.32). Unfortunately, this is simply not possible. As Murray has argued, code-based solutions are ultimately 'worked around' by the active matrix: skilled and motivated users capable, ultimately, of rejecting code-based regulation by subversion. Further, any infrastructure-based solutions (e.g. the 'Internet kill switch', in any case useful only against certain kinds of harm) risk compromising the openness and neutrality of the network (see Carolina on the bordered Internet): an indirectly topical area in light of the Leveson Inquiry into the proper relationship between the state and the free media.

Returning to the question of whether cybercrime can be 'designed out' of the global network, readily manipulable but privatised and decentralised, it will come as no surprise that I prefer an approach that preserves both the neutrality of the network and the "open, stable and vibrant cyberspace" that it is an objective of this government to preserve and to further. Indeed, the two arguably go hand in hand.

I say that the solution demands a better understanding of the social causes of cybercrimes, of all flavours. Tackle these, and we stand a chance of enjoying a network shaped not just by code, but by common norms. Technical resilience is important, but social resilience and Durkheim's "internal policeman" cannot be overlooked, else in my view we risk "liddism" in our policymaking (Rogers 2002, Reiner 2010).

Clearly, achieving an understanding of cybercrimes in all their flavours is a big nut to crack, however I suspect that there are certain commonalities between offenders operating across each 'generation' of cybercrime (Wall 2007). In my dissertation 'Policing the Internet', I relabel Wall's three generations: e-jemmies (crimes committed within discrete computer systems), network crime (crimes exploiting connectedness to inflict harms remotely), and distributed crime (crimes which use networks to distribute and automate the infliction of remote harm). Wall predicts a fourth generation will exploit emerging ambient intelligence technologies as we move towards the 'Internet of Things'. Analysing this tendency in people to exploit new technologies could well reveal something important about the nature of criminality more broadly — especially important in light of this impending fourth generation of cybercrime. While it is likely that offenders for whom the Internet is merely a tool for offending that would happen in a world without the Internet remain the elusive province of ordinary criminologies, research into the nature and degree of social exclusion of other categories of cyber-offenders is desirable to understand what it is about the Internet that fuels offending, and how we can work to address it.

Worryingly, the Report seems to make assumptions about the nature of offending online: the sentence "criminals still regard exploiting cyberspace as a profitable and low-risk option" (emphasis added) marks an assumption that all cybercriminals are rational agents. Perhaps some behaviour can be so explained, but not all, and in any case there seems to be very little evidence (certainly none of which appears in the Strategy) to support this view.

Buried at page 23 of the Strategy is this precious sentence: "We want a UK where[, inter alia, p]eople are clear that, as in the offline world, we are each responsible for our behaviour in cyberspace". How do we (as a society, not just a state) inject this sense of responsibility, this normative code into the disparate and privatised fabric of cyberspace? Certainly not, in my view, by focusing entirely upon "threat management" in a technical sense.

I cannot stress enough that the Strategy certainly has laudable aims, and much is to be said for its content. It pledges to improve the police response to cybercrime and work internationally to deny cybercriminals 'safe havens' where regulation is weak, backed by a timely pledge to reinforce the Convention on Cybercrime as the UK enters its chairmanship of the Council of Europe. The judiciary are to be encouraged to respond to new threats using existing laws, whilst Parliament reviews the fitness for purpose of the Computer Misuse Act (see my earlier post on the risk of moral panic and over-criminalisation). Security agencies are to be encouraged to focus on the disruption of cybercrime even where convictions are unlikely: again, a laudable and realistic view in light of the inevitable jurisdictional issues inherent in e-crime, but one that flirts with defeatist 'liddism' (see above).

Also to be commended is this official recognition of the crucial role of the private sector. But how is this awkward relationship to be managed? Only 2% of the budget is allocated to this project (page 26), the rest being spent mostly on resilience measures. The Strategy mentions a partnership with the private sector to develop "cyber-relevant sanctions": what are these? Mention is made of "online sanctions for online offences" — does this allude to the controversial disconnection rule, or are we talking about something else? How would these sanctions be metered out, and by whom? On what standard of proof? Questions of legitimacy, oppression and subversion seem far too important to be answered by a fraction of a 2% cut of the cyber security budget. (See Laidlaw on the human rights responsibilites of Internet Information Gatekeepers.)

Returning to the fourth and overarching objective, the Strategy strongly encourages "R&D". What is not clear is whether the government had technical or social research in mind. Technical research is of course important to continue to improve resilience. However, we need social research to answer the question of normativity in cyberspace.

In summary, we seem to be focusing too much on target hardening and disruption. The deterrence and prevention of cybercrimes can only be effective in the long run if we understand the threat as necessarily social rather than merely technological. Is it merely opportunity that drives cybercrime? Is it true that those who commit crimes online would just be committing crimes offline anyway? Perhaps not.

As Clemente points out, the extent to which even this Strategy can be delivered in an age of austerity remains to be seen. However, what I am suggesting need not cost any more. I am simply arguing that the policymakers behind the Strategy seem to be making assumptions about the criminologies of cyberspace that could ultimately be the undoing of their otherwise laudable objectives. The involvement of foreign states and the private sector are crucial if we are to build this "open, stable and vibrant cyberspace", and I am pleased that the Strategy recognises this. However, by focusing too much on target hardening and too little on understanding the causes of cybercrime, we risk losing an opportunity to nip cybercriminality in the bud. My plea therefore is to legislators and independent research councils the world over, to fund the social research that these policies so badly need.

Saturday, 5 November 2011

The case for cyber criminology

Dr. Jaishankar, an Indian academic criminologist, is the founder and editor of the open access International Journal of Cyber Criminology. In his latest editorial, Jaishankar pleads the case for an "holistic" approach to the study of cybercrime.

Presently, e-crime seems mostly to be studied, or at least taught, from a 'crime science' perspective. Cybercrime thus seems largely to be understood as a technological phenomenon, rather than a social one. Courses like Murray's and Wall's are rare, exploring both the forensic and the socio-legal aspects of information technology, across several jurisdictions.

One of Jaishankar's contributions to the emergent field of cybercriminology is his "Space Transition" theory of cybercrime, which argues that people behave differently as they move between offline and online 'spaces'. As I pointed out in my previous post, unless the effect of convergence and the deepening pervasion (/ mediation / augmentation) of everyday life by networked technologies is also met with effective normative regulation of online spaces, cyberanomie may prevail.

If this regulation is to be effective in this dynamic new space, it must be evidence-based and research-led. Jaishankar cites a study noting that cybercriminological research, as an emergent discipline, has its fair share of methodological problems to overcome. It is my sincere hope that aspiring cybercriminologists will be increasingly well-received by 'traditional' criminology departments (and those who fund them), so as to nurture a high-quality and interdisciplinary approach to the causes and consequences of cybercrime.

Wednesday, 2 November 2011

"This debate belongs to you": cyberanomie and Internet rights

In the run-up to the London Conference on Cyberspace this week, William Hague again called for states to agree upon the rules of cyberwarfare.

In a world where national infrastructure is increasingly dependent upon networked technologies, the potential remotely to exploit this reliance is enormous. Our increasing dependence on technology places cyberwarfare ever higher up the information warfare agenda. This much is uncontroversial, and as one commentator pointed out, much of what was discussed at #LondonCyber was somewhat banal.

That said, Hague's closing speech summarises the 'best bits', distilling principles which in my view ought to be treated by policymakers the world over as something close to a constitutional model. By adopting this model, national laws will address the needs of a world reliant upon networked technologies. However, more must be said on the content of these laws if regulation on the global network is to be effective against arbitrage. Hague's speech sets the agenda for further international debate on the legislative and judicial development of cyberlaw, but it's up to us all to contribute to that debate.

Consistent regulation is important to guard against cyberanomie: the perception of lawlessness that underpinned the faulty perception of borderlessness (per Carolina) and anonymity that inspired JP Barlow to declare cyberspace a self-governing extraterritory. In the face of consistent and effective regulation, users will never forget that their actions are ultimately grounded by and effective within the physical world, creating a sense of accountability that will remind users to consult what Durkheim called their "internal policeman" when deciding how to conduct themselves online, applying the same standards online and offline. Users seeking to escape normative accountability by commenting anonymously or under a pseudonym will be caught by a cultural tendency to ignore, prohibit or deny weight to such comments.

The case for effective normative regulation is not only grounded in the defence of national interests and the preservation of our infrastructures, but in the defence of the modern self. Turkle identifies a heavy degree of investment of the self in technology. Bernal writes extensively on privacy and identifies an undervalued currency of personal data, and Laidlaw considers what responsibilities ought to be embraced by the gatekeepers controlling this data. On the topic of cybercrime specifically, Hague acknowledges that younger generations growing up in a world pervaded by technology increasingly do not draw a distinction between online and offline spaces. Because of our degree of self-investment in technology, criminality is as much a threat to autonomy (see my previous post) and individual interests online as it is offline  including in virtual worlds (see my essay proposing a right virtuālis, link to follow).

It is my hope that the growing threat of cyberwarfare and cyberterrorism, together with the awareness raised by and discussions begun at #LondonCyber, will lead to debate on the broader norms of interaction online. Murray describes users as interacting within an 'active matrix' of connected Lessigian dots: this matrix must publicly discuss and decide upon what behaviours are and are not acceptable within international communities of users, and states must consider this when agreeing upon policy. #LondonCyber is a model forum in this respect, encompassing matters between states, between state and citizen, and between citizens, interacting with each other on a global scale.

The threshold between criminality and abnormality ought thus to be determined in the public sphere, and states ought further to facilitate and encourage this debate. Kaspersky's provocative remarks at #LondonCyber serve as a reminder that the 'war on terror' rhetoric situates terrorism somewhere between war and crime: a debate on Internet rights (per Murray) would clarify where acts of cyberterrorism, and harmful online behaviour more broadly, ought to fit within the law.

Later posts on this blog will contribute to this debate by discussing specific harms mediated wholly or partly by technology. In the meantime, whether here or elsewhere, do share your thoughts. In the words of William Hague, "this debate belongs to you".

Sunday, 30 October 2011

Vulnerable cyberautonomy

As respected legal writer @davidallengreen points out, perhaps the most remarkable thing about the Occupy London protest movement has been the unexpected scale of its impact.

One of the consequences of this movement has been, quite by accident, a serious impact on St. Paul's Cathedral. St. Paul's is an icon of the City, but is not connected to the capitalist civic that the City is said to represent. It is, to that extent, an innocent bystander. Does this make the effect it suffers more deserving of intervention? Does the fact that these consequences were not intended by the protestors affect their level of responsibility for them?

Any pro-social creature is mindful of the impact of his actions and inactions on others. Social norms evolve around consideration for others: standing on the right on the escalators to the tube, saying 'please' and 'thank you', not playing loud music at night. To renege on this mindfulness is considered antisocial, even criminal.

Peaceful protest, however, is not a criminal act. Neither is trespass, generally speaking. Yet, section 3 of the Computer Misuse Act 1990 criminalises the now commonplace 'distributed denial of service' (DDoS) attack: an act which might be described as digital trespass, and is often politically motivated, causing a website or other service temporarily to close its doors.

The parallel with the Occupy London movement is clear. Under the Computer Misuse Act, a digital Occupy movement which made use of DDoS would be a criminal act: rather than facilitating peaceful protest, the police would no doubt use their newly-expedited powers to 'seize' domains to hamper the movement and criminal prosecutions might follow, carrying the possibility of considerable custodial sentences. No digital 'ring of prayer' could hope to interfere with this process. How can this inconsistency be explained?

Ramsay applies his 'theory of vulnerable autonomy' to explain the expansion of criminalisation inherent in civil preventative orders such as the ASBO. He suggests that a state-level concern for 'vulnerable autonomy' demands 'liability for failure to reassure' others of a disposition to observe social norms, to be considerate of others' needs.

It is argued that a concern for vulnerable cyberautonomy can explain the breadth of the net cast by section 3. Given the inconsistency with the comparable law of trespass, the criminalisation of 'digital trespass' seems to be a legislative over-reaction to a new kind of threat. Could it be that there exists a 'right to access' other websites, and a de facto duty on Internet users to reassure each other of a disposition not to interfere with this right?

One of the key differences between offline and online protest is the visibility of the cause: offline visitors to the cathedral are met by protestors with their tents and placards, and can even visit the 'information tent' to find out more about the cause. A digital 'occupation' in the form of a DDoS attack would simply deny access to the would-be user, without any explanation  unless the website had been hijacked and replaced with another bearing a particular message, which is more akin to vandalism than trespass.

Indeed, those engaging in a denial of service attack intend to block access to the affected service by legitimate users. The same cannot be said of the Occupy protestors, as the effect upon St. Paul's was quite unintended. However, it is not necessarily the case that DDoS attacks are malicious per se. Indeed, that the Occupy movement would cause some kind of disruption to the City was plainly foreseeable. Would a digital 'occupation', in the form of a DDoS attack, really be so markedly different from an 'occupation' or picket line to justify criminal regulation?

The differences between the worlds of atoms and bits then stretch the 'trespass' analogy  but, it is argued, not fatally so. Notwithstanding these differences, it is argued that the over-broad applicability of section 3 is the result of a catch-all approach on the part of the draftsmen, placing the onus of fairness in its application in the hands of the discretion of public prosecutors and the interpretive powers of the courts. The trial of Paul Chambers ought to be a warning against trusting either of these safeguards when dealing with so-called cybercrime.

This overreaction might be explained by the fact that the effectiveness of many DDoS attacks is bolstered by the expansion of 'botnets' by unlawful means: unsuspecting users are infected with viruses or duped into downloading infected software, causing their computers to join the botnet without the user's knowledge or consent. This is a criminal wrong which ought to be dealt with separately, rather than relying on a catch-all section 3.

An amended section 3 could build in an exception to reassure peaceful protestors that they will not face prosecution for seeking to bolster their cause with technology; or perhaps limit the offence to DDoS against 'protected sites', mirroring the criminalisation of trespass at sections 128-131 of the Serious Organised Crime and Police Act 2005. DDoS ought to be treated as a civil wrong, like its trespass cousin, with the possibility of claims for damages for loss of revenue. States, it is argued, have no business criminalising the peaceful use of technology to draw attention to a particular cause. A compromise could be drawn by issuing cyber-ASBOs against the most prolific orchestrators of malicious DDoS attacks.

It is at least arguable that section 3 is an example of what Husak called overcriminalisation. The novelty and complexity of cybercriminality, and the importance of tech-neutral drafting in a society in which technologies evolve more quickly than statutes (@AndrewDMurray), creates a dangerous temptation for Parliament to over-react to new threats.

We — the community of users and lawyers — must be vigilant in our scrutiny and prolific in our discourse if we are to mitigate against this risk. The extent of the 'right to access' is something we all ought to be discussing as part of Murray's call for an Internet Bill of Rights. In this spirit, comments are very welcome indeed.

Image courtesy of

Saturday, 29 October 2011

Welcome to

If you're interested in technology, society and law, you're in the right place!

I'm fascinated by the ways in which technology shapes our interactions, and what changes this could bring to our collective sense of right and wrong. So, on this blog I'm going to post occasional reflections on topics relating to law and technology, with a special focus on e-crime and policing.

I'm an LSE graduate with an interest in IT law, and my hope is to stimulate debate amongst an audience of interested laypersons, lawyers, technical experts, criminologists, sociologists and academics from other disciplines. Whether technophobe or technophile, your contributions are welcome here!

The first post will be along in the next couple of weeks. In the meantime, you can follow this blog and its author on Twitter: @ecrimeblog and @rhanstock respectively. If there's anything in particular you'd like to see featured on this blog, please let me know.

Stay tuned...