Sunday, July 23, 2006

Automating Law Enforcement in Cyberspace . . .

I’ve written before, here and elsewhere, about how and why our migration into cyberspace challenges law enforcement’s ability to arrest and otherwise discourage criminals.

As I’ve explained, cyberspace introduces various elements (automated crime, anonymity and transborder crime, to note the more important) that make the application of the model of law enforcement we use in the real, physical world problematic for online crime. In law review articles, I’ve explained how I think we can tinker with the model so it becomes a more effective way of dealing with cybercrime.

Having written about all that, I’m not going to belabor the point further in this post. It is about a rather different take on how we can improve law enforcement’s ability to deal with online crime.

In 1997, Kevin Manson presented what I think was a very insightful, very creative paper at a meeting of the Academy of Criminal Justice Science. Entitled “Robots, Wanderers, Spiders and Avatars: The Virtual Investigator and Community Policing Behind the Thin Digital Blue Line,” it said many of the things I would later say about how cyberspace challenges law enforcement. It also, however, speculated a bit on the possibility of automating at least part of law enforcement’s presence online (hence the title).

After tracing the development of intelligent agents, Manson notes that they “give new meaning to how investigations can be conducted on distributed systems like the Internet. Investigative agents could be . . . launched . . . to ferret out information while cybercops are . . . engaged in other activities and have the results of such virtual investigations reported back . . . to the `supervising’ agent on a periodic basis.” He suggests that these agents can become the backbone of a new online enforcement strategy that links a “trans-national virtual network” of intelligent agents, computer forensics experts and “cybercops.”

Manson notes that this approach would have to be implemented cautiously, to avoid a backlash from the public: “If law enforcement rapidly moves to implement the use of robots . . . without an appreciation of the culture within which they are to be used, there is a great risk that the community will move to completely remove such tools from law enforcement's investigative arsenal.” He suggests that “netizen” discomfort with the use of automated policing agents could results in Congress’ taking action to restrict or even outlaw their use.

I don’t mean to be critical of Kevin’s article. I think it was amazingly prescient when it was written, and I think its basic premises are very much still valid. (I do take issue with some of his observations on law, but what can you expect from a law professor?)
I think it is surprising that, as far as I can tell, no one has followed up on Kevin’s ideas. Maybe they are seen as too controversial, or maybe they have just been overlooked as our experience with cyberspace has evolved.

It seems there is absolutely no move to implement automated policing on the Internet. (I distinguish the very active, investigatorial model Kevin outlined from the more passive surveillance technologies that are definitely in use today). On the chance that such a effort may surface (or maybe just because I find this conceptually interesting), I want to speculate a bit about legal issues automated online policing might raise.

The most obvious issue is privacy. How would we feel if we knew automated police agents were cruising the Internet in a fashion analogous to how human officers cruise Interstate highways in police cruisers? Like “regular” officers, the agent-officers would presumably operate only in “public” areas . . . but what would that mean? Obviously, it should be permissible for agent-officers to surf the web, checking out websites, news feeds, etc. . . . most anything that is offered for public viewing and consumption.
I wonder, though, how deeply, how intensely the agent-officers would patrol these public areas of cyberspace?

The issue doesn’t come up in the real-world, because privacy is pretty much a zero-sum notion here: You are either in “public” (e.g., on the street, on a highway, in a public square, in a public establishment like a restaurant or bar, etc.) or in “private” (e.g., in someone’s home, in someone’s “private” office, etc.) Since the agent-officers are software programs, I assume they would have the ability to cruise the public areas of cyberspace with an intensity not possible for humans, or at least for most of us humans. Could they, for example, investigate the code that creates and/or sustains a website? Could they check out its Internet traffic, to see who is visiting, where they are from (IP addresses, etc.)?
If they could do any of this, then I think that would raise some difficult issues about how the Fourth Amendment applies (or not) to their activities.

On the one hand, one might argue that their doing any or all of this is analogous to a police officer’s entering a “public” space (like a bar or restaurant) and walking around to check out how the internal space is configured, who patronizes the place, what they do while they’re there, etc., all of which are clearly “public” activities. The response to this argument would be that all of these are clearly “public” activities because they occur in a public space and because they can be carried out by any member of the public; any of us can go into a restaurant or bar and check out what goes on inside. As I noted before, however, I suspect that these agent-officers would have the capacity to subject a website to a level of technical scrutiny that would be completely beyond me, and beyond most people.

What else might they do? What about online vendors? Vendor sites are obviously “public” places (online analogues of real-world stores), and therefore outside the Fourth Amendment as far as the site itself is concerned. Could the agent-officers monitor traffic to the site, both in terms of who visits the site and what the visitors purchase? If they were to do this, I assume they would do it technologically, by monitoring site traffic and purchases. Could they do this without having obtained a search warrant beforehand? In the real-world a human officer needs a warrant to gain access to a business’ customer records, which would be the best way to track purchases.

What about non-public areas of the Internet? Could the agent-officers create accounts on password-accessible sites and enter the sites to observe what goes on “inside”? If a human officer could do this without violating the Fourth Amendment (which I think he/she could do, at least in most instances) then the agent-officers should be able to do this, as well.

Another interesting issue the use of these agent-officers might raise is, for lack of a better word, the jurisdictional etiquette involved. Could, say, U.S. agent-officers be sent out to “patrol” all areas of cyberspace, including websites maintained in other countries? I assume so; indeed, I assume they would not be of much use if we tried to restrict their use to websites hosted in the U.S. (and also, maybe, websites hosted elsewhere that were created and are maintained by U.S. citizens).

I wonder if that would not give rise to comity issues, i.e., to issues concerning the relationships between different countries. Our agent-officers would, after all, be “spying” on websites and website patrons located in other countries (and vice versa). We are not used to that kind of experience. We tend to assume we will be monitored, if at all, only by U.S. law enforcement officers when we’re in the U.S., only by French officers when we’re in France, only by Dubai officers when we’re in Dubai, and so on. If this approach were to be implemented by many countries, we would have to assume that our online activities were being scrutinized by agent-officers from several countries. (This also gives rise to the rather interesting possibility that agent-officers from, say, the U.S. could be scrutinizing the online activities of agent-officers from Korea.)

I still think it is a very interesting idea. I wonder if it will ever be implemented.

No comments: