6 January 2014

The Internet Police Force

During a conference discussion panel on global cyber threats, a delegate asked if maybe it was time to start an "Internet Police Force". My response? It's already here.

The Internet Police today

We already have Internet police forces. In London we have two. The City of London Police are responsible for most criminal investigations in the relatively small business district known as the City of London. The much larger Metropolitan Police Service (popularly known as "Scotland Yard") is responsible for everyplace else in Greater London. Both of these excellent police services have undertaken numerous criminal investigations, and made many arrests, with respect to perpetrators who used the Internet in the commission of crime.

Looking to the United States, most of the police forces of individual cities, counties, and states conduct investigations of crimes that - one way or another - involve the use of the Internet. At the US national government level, the FBI investigates crimes falling within their special jurisdiction that might involve use of the Internet, as do the Secret Service, NCIS, etc.

Two decades ago when I first started in this field, most of these police services had no clue what the Internet was or how to go about investigating a crime that made use of it. These days, they all know what the Internet is, and they all have a pretty good understanding of what they are supposed to do about crimes that make use of the Internet.

The main complaints I hear from police officers usually concern the shortage of specialist forensic support to gather and present evidence, and a lack of cooperation from "foreign" police officers when investigating activity that takes place outside of their jurisdiction.

The problems of jurisdiction and extradition

A similar picture emerges around the world. Police officers, acting under the authority of the sovereign state that empowers them, investigate crimes that have an impact on people and property within their jurisdiction.

Jurisdiction is where things get difficult.

What options are available to a police officer in the sovereign country where victims of crime are located (let's call it "Freedonia") when he discovers that the perpetrator of the crime is not within his jurisdiction, but instead is located within another sovereign country (let's call it "Ruritania")?

Countries in the position of Freedonia normally do not load up a double-decker bus filled with Freedonia police officers, drive them into Ruritania, and start making arrests. This type of action is frowned upon in the international community and can provoke open warfare.

The Freedonia officer instead requests assistance from the police of Ruritania. It is then Ruritania's choice how to respond to such requests. Where global cybercrime is concerned we have seen a wide variety of responses from countries in the position of Ruritania.
  • In some versions of "Ruritania", the police provide full cooperation, assist with the investigation, and make arrests. The authorities might choose to prosecute the accused under the law of Ruritania (if laws of both countries have been broken). Sometimes the courts respond favourably to a request for extradition, sending the accused to Freedonia to face justice in Freedonian courts.
  • In some cases, the police of Ruritania would be happy to help but the complained-of "crime" in Freedonia does not break the law of Ruritania. The Ruritanian police (and courts) are unable to assist.
  • In some cases, the police and judicial authorities in Ruritania choose not to cooperate (or they make cooperation very slow and ineffective) due to local Ruritanian public policy concerns. Some countries, for example, refuse to extradite (especially for "lesser" crimes) if the accused has established roots in the community or otherwise evokes sympathy from the local community.  
  • And in some versions of "Ruritania", the police are badly underfunded and undertrained. They complain (with justification) that they have more important things to do protecting the citizens of Ruritania from "real" crime (murder, burglary, assault, etc) - and have little or no time to assist Freedonia with the investigation of a crime that seems less tangible (e.g., computer intrusion, business fraud, etc).

What is different about the Internet

Of course, nearly everything written above about jurisdiction, cooperation with investigation, and extradition could have been written 50 years ago. But much of our understanding of criminal jurisdiction and extradition is based on one unstated assumption: that the accused took criminal action while physically located in Freedonia - the requesting country. To take a famous example from British history, the Great Train Robbers stopped a train, assaulted a guard, and stole large amounts of money, while physically present in Britain. Only later did some of them flee to a second country, thus prompting many years of (fruitless) requests for extradition.

The Internet (as it exists today) has allowed for massive growth in a type of criminal and a type of crime that was once very rare: a person who steals from victims in Country A without leaving the comfort of his home in Country B. This new reality has put a tremendous strain on traditional mechanisms of international police cooperation.

This has also led to the emergence of a new category of response when the police of any given "Freedonia" ask for cooperation from the police of any given "Ruritania". In some modern cases of Internet-enabled crime, the police in Ruritania have no interest in arresting their local cyber criminal. The accused is physically in Ruritania, but steals money by remote control from rich foreigners outside of Ruritania and spreads the wealth among his neighbours inside Ruritania. The criminal is not perceived as a threat to the people of Ruritania. The crime does not have any impact on Ruritania's crime statistics. And nobody wants to arrest the local Robin Hood.

What this means for the future of the Internet

Each community and sovereign state will continue to police Internet-related threats. Their effectiveness will be higher where the accused lives within their jurisdiction. Although the criminal threat may be global in nature, it is impossible to ensure global cooperation for criminal investigation and enforcement.

Sovereign states (represented by their various police forces) face a difficult task. They are supposed to protect the lives and the property of the citizens of their community. Historically, they do this by exercising direct physical intervention within their jurisdiction. They find criminal suspects, arrest them, and bring them before local magistrates.

The current architecture of the Internet causes serious problems with this model, as police increasingly face the challenge of finding, investigating, and arresting suspects outside their physical jurisdiction.

I can imagine (in theory) two different types of changes that would reduce this problem.

Scenario 1: the World comes closer together to form a Single Community

We could, as a human race, establish a more unified and deeper set of global community standards. This would lead to better cooperation among sovereign states. It might lead to the establishment of a true "global" police force with powers to investigate and arrest globally.

Scenario 2: people in multiple communities push for increased Internet Border enforcement

Community leaders, businesses, content providers, governments, courts, police, and many others, could continue to exert pressure that has the effect of ratcheting up enforcement of Internet Borders.

Which scenario? My prediction

I doubt Scenario 1 will happen in my lifetime. For that matter, I have little faith that it will happen in the lifetime of anyone who is alive today. We have more than six decades of experience with various global governance bodies. Some are more effective than others. Many do good work. A few exist as nearly-global prosecutors in the specialist field of crimes against humanity. None of them would claim to be a world government, and all of them face serious constraints as their member states grapple with multiple subjects of continuing disagreement.

I predict instead that we will continue to race down the path described in Scenario 2.

Of course the two scenarios are not mutually exclusive. We may well see a hybrid of the two. But my guess is that 90% or more of the changes we witness in the next few decades will be of the "Scenario 2" variety.

Why? Because I suspect that communities will have more impact on the shape and operation of the Internet than the (current) shape and operation of the Internet will have on communities.