Yet other reasons are the greater ability to commit crime anonymously in a virtual environment; the technical and legal complexity of many cybercrime cases; and the fact that cybercrime is often international, which means suspects may have to be extradited and/or evidence obtained from another country.
The obvious way to solve this problem is to pour millions (billions?) of dollars into expanding law enforcement’s resources – personnel, technology, etc. That is a logical option but not a practical one; in a world dealing with recession and other problems, countries simply cannot afford to pour massive funds into beefing up law enforcement. And I don’t know if we want countries to massively expand the size and capacities of law enforcement. Although it would be done with the best of motives, you can get mission creep, which can lead to adverse consequences.
The other way to solve the problem is to somehow bring civilians into the process of combating cybercrime. When I speak on this issue, people often suggest using civil liability, as in suing the cybercriminal. That, too, is a logical option but not a practical one. The Computer Fraud and Abuse Act, 18 U.S. Code § 1030(g), creates a civil cause of action for “[a]ny person who suffers damage or loss by reason of a violation” of the CFAA. The injured party can seek “compensatory damages and injunctive relief” from the person responsible for the violation. There are several reasons why this option is not a viable one, at least not in most cases. One is that most cybercriminals are likely to be what the law calls judgment-proof; that is, they won’t have the assets to be able to pay an award of civil damages. This option also suffers from many of the same problems as the law enforcement option: anonymous perpetrators; perpetrators in other countries; cases that are complicated and complex to investigate and litigate. So while this option works sometimes, it’s not likely to be particularly important in combating cybercrime.
I’m in London, and a conversation I recently had with a British lawyer made me think about a third option, one that combines the law enforcement strategy and the notion of private civil litigation against the cybercriminal(s).
England, unlike the United States, allows private prosecutions. As Wikipedia explains, the term “private prosecution” refers to criminal proceedings that are “initiated . . by an individual or private organisation instead of a public prosecutor who represents the Sovereign State”, the U.S. or England or Japan, etc.
Chapter 23, Part I § 6 of the United Kingdom’s Prosecution of Offences Act 1985 authorizes private prosecutions: “Subject to subsection (2) below, nothing in this part [of the Act] shall preclude any person from instituting any criminal proceedings or conducting any criminal proceedings to which the Director [of Public Prosecution]’s duty to take over the conduct of the proceedings does not apply.” Section 6(2) says the Director of Public Prosecutions can take over such proceedings “at any stage.”
According to the guidelines for Private Prosecutions issued by The Crown Prosecution Service, the Crown Prosecution Service “should only take over a private prosecution when there is a particular need to do so on behalf of the public”. The private prosecutor is not under a duty to inform the CPS that he/she has begun a private prosecution. The private prosecutor can, however, ask the CPS to take over the case, which they will do if they think prosecution is warranted. The CPS – represented by the Director of Public Prosecutions – will take over a private prosecution on its own and discontinue it if (i) “[t]here is no case to answer” or (ii) public interest factors against prosecution outweigh those in favor” of prosecution. The CPS guidelines give these examples of cases in which it would be appropriate for the CPS to take over a private prosecution and discontinue it: malicious prosecutions (i.e., prosecutions brought out of spite); a stale minor offense; the defendant is either too ill to stand trial or is terminally ill; or where the defendant has been given immunity from prosecution by the CPS.
As to how someone starts a private prosecution, this is what Wikipedia says:
[T]o initiate a private prosecution an individual or organization other than the state-funded prosecutor goes to the local court of appropriate jurisdiction . . . and gets in line to see a Justice of the Peace or a Judge to swear on oath in an attempt to convince the Justice or Judge that there is enough evidence to demonstrate a reasonable probability of conviction.As to what penalties the defendant gets if he pleads or goes to trial and convicted, they’re the same penalties that are imposed in a prosecution brought by the CPS. I found a news story from 1996 about the first English private prosecution for rape. The defendant was convicted and sentenced to 14 years in prison, which a Court of Appeal later reduced to 11 years. That private prosecution was initiated and conducted by two prostitutes whom the man had raped.
Once the Justice or Judge has been convinced of such, he or she will issue an `information’ which is a form telling the name and occupation of the informant (the person swearing to the Justice or the Judge) the name and address of the alleged offender, and the description of the alleged Offence.
The Justice or Judge will sign the `information’ form and issue a summons to the defendant with a date to appear in court. The informant then delivers the summons to the defendant in the prescribed manner and court proceedings are commenced.
The date of First Appearance the defendant is to plead guilty or not guilty and the trial date is set if the defendant pleads not guilty, or if a plea of guilty is given the courts can deal with the matter right away by registering a conviction and sentence.
I’d heard of private prosecution before, but it wasn’t until I chatted with this British lawyer that it occurred to me this might (and I emphasize “might”) be an option for dealing with cybercrime. Since law enforcement and prosecutors’ offices simply don’t have the resources to deal with all (or even most) cybercrimes, we could (again, I emphasize “could”) create the possibility of bringing private prosecutions in at least some cybercrime cases. The option would, of course, only be available if the official, public prosecutor who would have jurisdiction to pursue the case chose not to do so.
Since I, as an American, find the whole motion of private prosecution to be more than a little scary, I don’t think we would want to go down this path unless we determine that using private prosecutions could really be an effective way to supplement our ability to pursue cybercriminals. And that brings us back to the same issues that arise with regard to public prosecutions and private civil suits against cybercriminals.
Private prosecutions of cybercriminals would still present the legal and logistical issues I noted above, i.e., extraditing foreign defendants and/or obtaining evidence from abroad, investigating and litigating cases that can be factually and legally complex, etc. They might be a useful alternative in cases in which both the defendant and the victim(s) are in the same jurisdiction – the United States, say – and the effects of the cybercrime (the “harm” inflicted) occurred in the U.S. If we decided private prosecution might be a useful alternative in domestic cybercrime cases, we could implement it – subject to strict requirements and standards – and perhaps use it to ease some of the burden on law enforcement officers, freeing them to concentrate more on the legally and/or logistically challenging cases.
One advantage private prosecution offers over the option of bringing a civil suit against a cybercriminal is that success is not predicated on the plaintiff’s/prosecutor’s being able to recover damages from the defendant. In a private prosecution, the private prosecutor – as I understand it – recovers nothing but the satisfaction of seeing the defendant held liable for his/her crimes and punished for them by being fined and/or incarcerated.
As I said, I’m not arguing for instituting a system of private prosecution of cybercrimes. The notion of private prosecution is so strange to me I tend to be very leery about adding it to the repertoire of actions available in the United States. I’m also concerned that if we were to do so, it might produce an explosion or frivolous or otherwise untenable cases, which would only further burden the court system. And I can see another problem with pursuing this so-far purely hypothetical strategy: If we went down this path, we’d have to have someone – U.S. versions of the Crown Prosecution Service – would be able to intervene when a private prosecution is malicious or otherwise unjustifiable. That, in turn, would mean we would either have to add a lot of prosecutors who would be assigned to this task or we would have to divert time from people who are already overworked so they can review prosecutions brought by people who are not trained in law and litigation.
There’s also yet another problem: Who would arrest the defendant and see that he/she remains in the jurisdiction while the private prosecution works its way toward a plea or a trial and conviction? It looks like the English system works because the defendants tend to hang around to plead or go to trial, but that very well might not be true when it came to private cybercrime prosecutions. The perpetrators might take off for Canada or Mexico or other points abroad. And we absolutely cannot – IMHO – give private citizens or any private agency the authority to arrest and detain suspected cybercriminals. That opens up many opportunities for abuse.
Overall, I think private prosecution is probably not a viable way to improve our ability to apprehend and sanction cybercriminals. . . . but maybe some version of it might be useful.