Saturday, May 27, 2006


I find it interesting, and instructive, that hate, or, more precisely, hate speech, is an issue that divides cultures as otherwise similar as the United States and Europe.

The image to the right is an example of hate speech, albeit a very old example of hate speech. It is a book (The Way to Victory of Germanicism over Judaism) written by a Wilhelm Marr, a German, and published in 1879. According to one source, Marr "coined the term `anti-Semitism' as a euphenism for the German Judenhaas, or `Jew-hate.'" The same source tells us that Marr's work "was a major link in the evolving chain of German racism that erupted into genocide during the Nazi era."

What, you ask, do hate and a nineteenth century purveyor of racism and hatred have to do with cybercrime in the twenty-first century? On the one hand, not much; on the other hand, maybe quite a lot, at least as the basis of an object lesson.

As I explained in a post last month ("Treaty"), the gaps and inconsistencies that currently exist in national cybercrime law provide a weakness, a vulnerability, cybercriminals can exploit to frustrate investigations and avoid prosecution. Those who are knowledgeable about cybercrime agree that this is a critical issue we must resolve if we are to deal effectively with cybercrime. The difficulty lies in how we resolve it.

One way would be to declare cyberspace to be its "own" jurisdiction -- to make it a "country" that exists separate and apart from the distinct territorial spaces that respectively comprise the nations of the world. This approach would then provide cyberspace with its own set of unitary laws and its own law enforcement agencies; some suggest the United Nations could take over the enforcement role. But while cyberspace might, and I emphasize might, someday become a distinct, sovereign nation, we are a long, long way from that. My sense is that none of the governments of the world are anywhere near ready to cede control of the activities their citizens conduct online to an external entity, regardless of its sovereign status.

So, that approach is not going to work any time in the foreseeable future. The other approach, as I explained in my previous post
("Treaty") is to see that countries of the world harmonize their laws so that (i) there are no gaps in criminalizing, say, hacking or the dissemination of malware and (ii) the laws of each country allow its law enforcement officers to assist officers from other countries in their investigations of cybercrime. This is, as I explained in my earlier post ("Treaty"), the goal of a treaty drafted under the auspices of the Council of Europe: the Convention on Cybercrime. In my earlier post I explained why I have some reservations about the extent to which the Convention on Cybercrime will succeed in harmonizing national cybercrime laws. That is not what I want to talk about today.

Let's go back to Wilhelm Marr and his anti-Semitic publications. The Convention on Cybercrime was drafted by representatives from the Council of Europe and from four other, non-Council of Europe countries: the United States; Canada; Japan and South Africa. See Council of Europe, Explanatory Report for the Convention on Cybercrime para. 304. When the Convention was being drafted, some of the European representatives wanted to include a provision requiring parties to the Convention to criminalize the use of computer technology to disseminate "hate speech," or the kind of "racist propaganda" Marr disseminated via the printing press. See Council of Europe, Explanatory Report for the Protocol to the Convention on Cybercrime para. 4. The rationale was that "
international communication networks like the Internet provide certain persons with modern and powerful means to support racism and xenophobia and enables them to disseminate easily and widely expressions containing such ideas. In order to investigate and prosecute such persons, international co-operation is vital." Council of Europe, Explanatory Report for the Protocol to the Convention on Cybercrime para. 3. The United States, which played an influential role in drafting of the Convention, made it clear that if such a provision was included, the United States would not be able to ratify the Convention. See Council of Europe, Explanatory Report for the Protocol to the Convention on Cybercrime para. 4.

The provision was therefore not included in the Convention on Cybercrime, but it later became part of an addendum to the Convention: the "
Additional Protocol to the Convention on Cybercrime, Concerning the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems" [hereinafter, "Protocol"]. The Protocol essentially requires the nations that sign and ratify it to adopt laws criminalizing the use of computer technology to disseminate "racist and xenophobic" material. Racist and xenophobic material is defined as "any written material, any image or any other representation of ideas or theories, which advocates, promotes or incites hatred, discrimination or violence, against any individual or group of individuals, based on race, colour, descent or national or ethnic origin, as well as religion if used as a pretext for any of these factors." Protocol, Article 2(1).

This brings us back to Wilhelm Marr. The Protocol is specifically designed to prevent the Internet's being used to disseminate ideas such as those Marr put forth in the book noted above and other, similar efforts.

The notion of outlawing racist or hate speech is far from new. The German Penal Code has for years made it a crime to distribute "propaganda" that glorifies or otherwise supports Nazi ideals or the ideals of any other organization that has been declared to be unconstitutional by the German Federal Constitutional Court. German Penal Code Section 86. Other countries have similar laws, though they may differ somewhat in terms of the precise nature of the speech they prohibit.

The United States has never criminalized hate speech and almost certainly could not do so.. The First Amendment states that Congress cannot adopt any law "
abridging the freedom of speech, or of the press". We can, as I have explained elsewhere, criminalize a few, very narrow categories of speech, but those are exceptional circumstances. We cannot outlaw hate speech (the Protocol's racist or xenophobic speech) because doing so would be criminalizing "pure" speech, not, say, the act of victimizing a child to create child pornography and then publishing that material on the web on in print. Child pornography is speech, but it is also something more; it is speech that memoralizes the victimization of a human being, of a child. We can, therefore, constitutionally criminalize child pornography because we are outlawing the infliction of physical and emotional "harms" on a person to create a particular category of speech, not "speech," as such.

I'm writing about this topic today because I'm writing a paper on a related topic (defamation online) and in the course of my research I discovered a provision that was proposed for inclusion in the Model Penal Code. The
Model Penal Code was published in 1962, the product of many years of effort by members of the American Law Institute. It was intended to reform the then-existing state of criminal law in the United States. At that time, our criminal law was based on traditional English common law and was, as a result, antiquated in many respects. The drafters of the Model Penal Code wanted to update our criminal law by simplifying arcane and unnecessarily complicated rules that had evolved over the centures and by addressing issues that had not been a concern at common law. The therefore published a set of model laws -- the Model Penal Code -- that were intended to act as guides primarily for state legislatures, though the Model Penal Code has also had some influence on federal criminal law.

What I found interesting is that in an early draft the authors of the Model Penal Code proposed creating a new crime: "fomenting group hatred." It consisted of disseminating "any derogatory falsehood, with knowledge of the falsity" for the purpose of "fomenting hatred" against "any racial, national, or religious group". I find the provision interesting because it reminds me of the language in the Protocol to the Convention on Cybercrime.

Unlike the Protocol to the Convention on Cybercrime, however, the provision on "fomenting group" hatred" was never adopted . . . by the drafters of the Model Penal Code or by any U.S. state. In the commentary for the proposed provision, the drafters of the Model Penal Code explain why, at this point in time, anyway, they believed it could survive First Amendment challenges. They seem to have changed their minds later, though, and so did not include it in the final version of the Model Penal Code. As far as I can tell, it has gone unremarked and unnoticed ever since.

I mention the provision not because I believe it should have been included in the Model Penal Code. I think it should not because, unlike those who crafted it, I think it clearly could not survive First Amendment challenges. It would criminalize speech, pure speech . . . speech many would find to be hateful, repulsive and with no redeeming social value. The fundamental premise of our First Amendment, however, is that we, in the United States, do not criminalize speech because we do not like it, because it makes us uncomfortable, because it distresses others to the point that it can legitimately be characterized as inflicting a psychic assault on them. As a society, we believe in the "marketplace of ideas," the notion that the best ideas, the best beliefs, will triumph in a free, transparent discourse encompassing all views, however marginal they may seem.

That perspective makes sense to me . . . perhaps because it is the "right" perspective, or perhaps because I am an American and, as such, grew up with the notion that this is how things should be. I know other countries view hate speech differently. I have tried very hard to understand the premise that, for example, hate speech constitutes an assault, a psychic assault of the type I noted above. I have tried to understand the premise that hate-speech-as-psychic-assault is indistinguishable from the physical assaults every society criminalizes . . and I have failed. I am afraid I cannot, and never will be able to, see an equivalence between words -- mere words, mere speech -- and a physical attack on someone.

And that brings me back to the point of this post: The fact that Americans and Europeans (many Europeans, anyway) can view hate speech so differently illustrates the difficulties we will face, I think, in attempting to harmonize national penal laws so they consistently, and globally, address the problem of cybercrime. Law, especially criminal law, is inextricably bound up with culture, which is and will remain -- at least for the foreseeable future -- a parochial phenomenon, a product of local history and experience. I suspect the parochial nature of our national cultures is one reason why no one wants to "internationalize" cyberspace -- to turn it into a separate legal "place." We fear the loss of control, the loss of identity that would ensue.

It will be interesting to see how we work out the difficulties involved in retaining our national cultures while harmonizing our national penal laws to address cybercrime.

Tuesday, May 23, 2006

Fusion centers

Amidst all the furor (justified, I'd say) over the NSA's surveillance of Americans' phone calls, a new measure is being introduced in law enforcement . . . one that, I think, should give rise to concerns analogous to those produced by the NSA's activities.

I refer to "fusion centers," which seem to be a relatively recent development. You can read more about them here, on the U.S. Department of Justice's website. You can also find the newly issued guidelines for fusion centers on this site.

The guidelines will explain what a fusion center is. Basically, it is being cast as a new tool in our battle against terrorism, though it is clear that fusion centers will focus on criminal activity, as well.

What does a fusion center do? What is the point of a fusion center, you ask?

Well, a fusion center is designed to do one thing: aggregate and analyze information. The purpose, according to the USDOJ site, is to establish a "collaborative process to improve intelligence sharing and, ultimately, increase the ability to detect, prevent, and solve crimes while safeguarding our homeland."

What's wrong with that, you ask? Well, I'm not necessarily saying there is anything wrong with it (I'm not saying there isn't either . . . I'm just ruminating, at the moment). What I find particularly interesting at this point is time is that the NSA activities are receiving a lot of attention and generating a lot of furor, while fusion centers seem to have remained totally under the radar even though they have been in existence for at least 3 years.

What, precisely do they do, you ask? They will apparently do many things, but their central function, it seems, is to collect data from public and private sources and "blend" the data together to create "meaningful and actionable intelligence and information." The guidelines and other sources I have found on fusion centers emphasize that they will compile information from both traditional law enforcement sources and from the private sector.

Some of what I have read about fusion centers indicates that they are intended to address extant jurisdictional gaps that undercut law enforcement's ability to share information. So, you might have a fusion center in a state (Texas has one, as does Maryland, Massachusetts and, I believe, 25 other states, with more states preparing to jump on the bandwagon) which would ensure that law enforcement information gathered by, say, the Sheriff's Office in County A was available to law enforcement officers in the other counties in the state. That seems umproblematic. They might also share this information outside the state, with law enforcement officers in other states and with federal agencies. That, too, seems unproblematic.

What I find interesting is the notion of bringing the private sector into the mix. Doing that takes the concept of a fusion center beyond that of simply compiling and sharing a law enforcement data set (or a series of law enforcement data sets) into something . . . different, something that is more reminiscent of what the NSA has been doing. The guidelines for fusion centers don't really tell me how and why the private sector will participate in this.

The two really go together. Start with how: Will private sector entities become part of these fusion centers, so that their data sets automatically become part of the fusion center's data set? Or will the private sectors only provide data that is/could be relevant to particular inquiries?

That takes us to why: Why would private sector entities become involved in this endeavor. Will they be selling data to the fusion centers, in the same way private data aggregators currently sell data to federal and state law enforcement agencies? Will they voluntarily (why?) become part of the fusion centers, collaborators in the process, and contribute the data they hold as part of their oblibation as constituents of the fusion center? Or will they only contribute data in response to whatever legal devices (National Security letters, administrative subpoenas, other subpoenas or court orders) the fusion centers may employ to require them to do so?

Lots of questions. No answers yet. More to come, at some point, when I know more.

Thursday, May 18, 2006


According to a recent article, intelligence "chatter" indicates that criminals, terrorists or both (they can work together) may be contemplating cyberattacks that would, for example, target physical infrastructure capabilities such as power grids or institutions such as hospitals.

I've been interested in cyberterrorism for years. A friend and I published an article on it (In Defense of Cyberterrorism), in which we analyzed some of the scenarios that appear in the article I noted above, along with others. So I thought this would be a good time to opine about cyberterrorism -- Brenner on cyberterrorism, as it were.

There are two diametrically opposed schools of thought among computer security professionals, law enforcement officers, lawyers and others who think about cyberterrorism.

One is the FUD (fear, uncertainty and doubt) school: Those who take this view believe cyberterrorism is a myth. They argue that our computer systems are robust enough to resist any attempt to compromise them from the outside (more on this in a minute). Some claim that computer security firms hype the notion of cyberterrorism in order to frighten businesses and other entities into buying their services, services the companies say are essential to preserve computer systems from online analogues of the 911 attacks on the World Trade Center. Others who take this view suggest that government agencies do something similar, i.e., exaggerate the threat of cyberterrorism to maximize their funding.

The other school of thought is the Digital Pearl Harbor school: Those who take this view believe cyberterrorism represents a threat that is not merely analogous to the attacks on the World Trade Center, but that may pose a threat comparable to the Japanese attacks on Pearl Harbor. They contend that outside attackers could shut down power grids, disrupt communications and/or other essential services, cripple our economy and wreak various other kinds of havoc.

Before I proceed with Brenner-on-cyberterrorism, I want to note a caveat: Both schools tend to focus on "outside" threats, i.e., on terrorists who, working alone or in association with hired hackers, mount an external assault on domestic computer systems in an effort to shut them down, corrupt their operations or otherwise interfere with their proper functioning. This is the "purest," most obvious cyberterrorism scenario; it tracks much of what we have seen with cybercrime (hacking, cracking, viruses, etc. -- all external attacks). Since this is the primary focus of these two competing schools of thought, I am going to limit my comments to this scenario.

Before I proceed to those comments, however, I want to point out that there is another, actually more frightening cyberterrorism scenario: the "inside" threat. In this version, the terrorists plant someone inside a domestic operation -- a power company, a hospital, a financial institution, whatever seems a likely target. The "mole" may be in place for some time; there may, in fact, be multiple "moles," each located in a strategic position. These "moles" are in a position to have legitimate access to the computer systems which will be used in the attack. They are a virtual Fifth Column, seemingly trusted insiders who are actually rogue operatives. I fear that focusing too much on the external threat will lead us to underestimate the potential harms that can result from this inside threat.

But I digress. Time for Brenner-on-cyberterrorism.

I agree and disagree with both schools. I think the Digital Pearl Harbor conceptualization of cyberterrorism is simplistic and misses the point: I believe computer technology can be used effectively by terrorists, but not to achieve the same effects they accomplish with bombs and hijacked airplanes. I do not believe any cyberterrorist attack could ever have the visceral, awful impact of seeing those planes fly into the World Trade Center. That was a classic, perhaps the classic terrorist attack, because it not only produced the demoralizing effects associated with realizing that we can be physically attacked, it also showed how implements and incidents of everyday life can be turned against us. The mundane became awful -- we identified with the people in the WTC and with the people in the airplanes. And, unlike terrorist attacks in which we view the carnage after it has been inflicted, we were able to monitor the infliction of much of the carnage as it happened . . . which exacerbated our helplessness and horror.

I think cyberterrorism can have a similar impact insofar, and only insofar, as it disrupts the ordinary. I doubt, seriously, whether cyberterrorism could ever product (forgive me) the body count associated with the WTC or the Bali attacks, but I do not think that is the point of cyberterrorism. I think cyberterrorism is more about mind games than it is about carnage.

I think cyberterrorism could be used very effectively to undermine our sense of security, physical and/or financial. Take a simple example: Assume that ATM machines began to malfunction . . . first in Chicago, then in Seattle, then in Miami, then in Atlanta, then in Oklahoma City, then in Portland, then . . . . and on and on and on. The malfunctioning occurs in each city sequentially; perhaps it last basically the same period of time in each city . . . all of which makes it very clear that this is no accident. It seems to me that would be a dreadfully marvelous cyberterrorist mind game: We would not know if we could trust ATM's and, perhaps, the financial institutions that provide them.

Cyberterrorism to me is undermining our sense of security . . . undermining our trust in the things we take for granted. It could take more dramatic forms, such as shutting down power to the northeast states in January; that might, as I have been told, well result in many deaths. That would certainly be demoralizing. But a focused attack like that, and like the WTC, actually, I think, restricts the demoralizing effects of the attack. I can feel sorry for the people in the NE states, and I can fear that something similar might happen to me, but the harm, the carnage, is limited in scope.

If cyberterrorists were to mount something like my hypothetical ATM attacks, then follow that or combine that with other, similar attacks, it would have a very interesting effect, I think, on all of us. We would not confront carnage; we would confront the reality that our world was out of control.

Monday, May 15, 2006

NSA monitoring of telephone calls

A lot has been written about whether the NSA monitoring of the phone numbers Americans call is unconstitutional or otherwise illegal.

As I have explained elsewhere, monitoring of the numbers we call (and the addresses to which we send emails) is not unconstitutional but should be unconstitutional.

I analyze this issue in The Fourth Amendment in an Era of Ubiquitous Technology, an article I presented at a Fourth Amendment symposium last year. The bottom line is that the Supreme Court inexplicably got all this wrong almost 30 years ago, when it held that the Fourth Amendment does not apply to the use of a pen register to track the numbers dialed from a telephone, even a telephone in someone's home. The Court held, basically, that because we know the phone company gathers this information, we have no right to expect that it will not be given to police.

As many recognized at the time, the decision was wrong when it was issued. The Justices who signed on to the decision concluded that we know we are exposing "private" information to the phone company and, in so doing, assume the risk that it will voluntarily share this information with law enforcement. The Justices who dissented, notably Justice Marshall, pointed out the fallacy in this conclusion: The notion that we assume a risk is based on the premise that we have a choice -- here, to share or not to share this information with the phone company.

As Justice Marshall pointed out, we really have no choice. Our only options are (i) to use technology and run the risk that information about our use will be shared with the government or (ii) to become a Unibomber-style Luddite who does not use telephones . . . or email and other technologies, because the decision applies to any information we share with third-parties.

History is vindicating Justice Marshall and the other dissenters. Unfortunately, I fear it will be a very long time before the Supreme Court re-considers this issue (and, one hopes, gets it right this time).

Saturday, May 13, 2006

Virtual property, virtual crime

When property law -- civil and criminal-- evolved, "property" consisted only of tangible items like the land the farm depicted in this photograph occupied, the farm buildings and their contents.

This zero-sum conceptualization of property (i.e., property as real, tangible "things," animate and inanimate) prevailed essentially unchallenged until twentieth-century technologies began to make intangible property a socially and legally significant commodity.

The notion of intangible property was not entirely new. In Europe, the principle that one could hold an ownership interest in an intangible such as the ideas recorded in a printed volume of text or the principles underlying a new mechanical or other invention originated in the fifteenth century, the product, I would argue, of a new technology: the printing press. While one could always use handwriting to record ideas and mechanical principles, printing introduced a new possibility; one could produce many, many copies of such a record, copies that could be distributed throughout the country, throughout the Continent and even beyond.

The concept of intangible property -- specifically, the law of copyright and patents -- evolved to give the "owner" of original ideas some way to control the dissemination and use of those ideas. Controlling dissemination and use had become important because the ideas themselves now had "value;" they could be sold directly (books and, eventually, other works of art/entertainment) or could be used to produce revenue (inventions such as the automobile, telephone, etc.).

The law of copyright, patent and related intellectual property doctrines is now well-established (some, including me, would say too well established with regard to statutes like the DMCA). I am not particularly interested in that law or in the activities it is designed to protect.

What I am becoming interested in, and am writing about today, is a broader notion of intangible property -- something I will call "virtual property" to distinguish it from the more traditional types of intangible property to which we, and the law, are accustomed. Unlike these traditional types of intangible property, "virtual property" has not been incorporated into the law, civil or criminal. I want to speculate about how criminal law should deal with "virtual property."

The first thing I need to do is to define "virtual property," which is not easy. I cannot simply define it as property that exists only in digital form, because this would encompass a great deal of conventional intangible property that is protected by the patents, copyrights or other intellectual property law doctrines which I find uninteresting. But while I cannot base my definition entirely upon this asepct of "virtual property, I can incoporate it into my definition of "virtual property."

The first component of my definition, therefore, is that "virtual property" exists only in digital form. It differs from conventional intangible property, I think, in that its value derives entirely, or almost entirely, from activities that are conducted in the virtual world of cyberspace. As I noted above, the value of conventional intangible property lies in activities conducted in the real-world: We buy a book (printed or on tape) to read (listen to) it in the real-world; the same is true of music; and the same is true of the myriad of inventions (cars, refrigerators, TV's, hair-dryers, elevators, etc.) that have altered the way we conduct our lives in the real-world.

(I know stories and music can crossover from the real-world to the virtual world of cyberspace, but I am using rather broad strokes in this analysis . . . product of its being my first cut at the topic plus space limitations that do not let me use footnotes for lengthy asides.)

The ultimate example of "virtual property" as I define it is property that exists and is utilized in an online environment, such as a massively multiplayer online game or a virtual world like Second Life. Unlike stories (books, movies) or music, this type of intangible property is not transportable; it has value only within the online context. If this "virtual property" could be transported to the real, physical world, it would be meaningless; it would have no use and therefore no value.

So, we now have the notion of a specialized type of intangible property; property that only exists and has value in the context of online activities. From a legal perspective, this notion gives rise to two issues: (1) Do we recognize ownership and other traditional property rights in this "virtual property"? and (2) If so, how do we deal with those who infringe upon these property rights?

The first issue has been analyzed by scholars who specialize in civil property law, about which I know very little (what I vaguely recall from my first year Property class, plus buying a house). I will leave that issue to them. Basically, though, I believe -- and many agree -- there is no reason why we cannot recognize property rights in what I am defining as "virtual property" just as we recognize rights in tangible, real-world property and in conventional intangible property.

I think this recognition is already well on its way; a couple of weeks ago, Business Week had a story on entrepreneurs who earn money (good money) by selling goods that exist and are useful only within the confines of Second Life. These and other "virtual property" entrepreneurs operate on the assumption that they "own" the goods they sell, just as real-world entrepreneurs own what they purvey. And the legal validity of that assumption has been upheld in court; a couple of years ago, for example, a Chinese court held that a gamer "owned" the "virtual property" he had amassed while playing the online game Hongyue.

So I think we can justifiably assume the law protects/will protect ownership interests in "virtual" property just as it does in tangible and conventional intangible property. This first step is not conceptually difficult because it basically requires recognizing, and enforcing, contractual rights among people who are engaging in legitimate activities and are, therefore, likely to be obey the dictates of the law. We see this in the Chinese case I noted above.

The difficulty arises, as it always does, with the outlaws . . . with the people who reject legitimate activity and contumaciously violate contractual and other rights. How do we deal with those who steal or destroy "virtual property"? Do we make this a real-world crime and assign real-world law enforcement officers to apprehend the perpetrators, who are then, presumably, sanctioned in the real-world?

This has been done. Last year, Japanese police arrested a Chinese exchange student who was suspected of participating in "onine mugging" and theft that targeted gamers playing Lineage II. As far as I can tell, the Chinese student was arrested for theft -- for using bots to "run virtual stick-ups" in the game. This seems to be very unusual, though. The Hong Kong Police seem to have a special unit that deals with "virtual property" thefts in online games, but this is clearly the exception. My sense is that most law enforcement agencies would not see this type of theft as a matter they should pursue. I think there are several reasons for this.

One is, I suspect, the unstated but prevalent assumption that, after all, "it's just a game" and an online one at that. I think this assumption undercuts the possibility that law enforcement officers (and, no doubt, legislators and others involved in the articulation and enforcement of the law) will take online theft of "virtual property" seriously in two ways:
  • It reflects the view that the gamer-victims assumed the risk of being victimized by playing the game; many online games, after all, routinely feature various forms of mayhem and other antisocial activity. I imagine law enforcers would tend to see this as an anticipated consequence of participating in an optional endeavor and, as such, something that is not their responsibility; they would probably not regard this as "real crime." ("Real crime" being a phenomenon unique to the real, physical world in which our participation and the risks it engenders are distinctly not optional.) It is not, in other words, serious crime in the way real-world crime.
  • It reflects the view that "virtual property" is not really property (i) because it does not "really" exist (i.e., exists only online, not in the real, physical world) and/or (ii) because its value, if any, is unstable and therefore insignificant. (In a tragic case last year, a Shanghai gamer reported the theft of a virtual sword he used in Legends of Mir 3 to police, who said there was nothing they could do because the sword was not real property.)
Another reason law enforcement officers (and law-makers) are not inclined to take online crimes involving "virtual property" seriously is an issue I have written about before: There are simply not enough law enforcement resources to deal with cybercrime in any of its incarnations; police therfore tend to triage -- to prioritize the application of the resources that are available to online crimes. This prioritization emphasizes (i) crimes that "harm" individuals, such as cyberstalking, luring children for sexual encounters and child pornography; and (ii) crimes that target "real" property, such as identity theft, extorting money from businesses and the misappropriation of intellectual property.

Yet another reason may be that, as many have suggested, law enforcers and law-makers tend to see this as a matter that should be handled internally, by the operator of the game or those who participate in it. This does happen and can take either of two forms.
  • One is vigilantism: When law enforcement does not intervene, gamers have been known to take the law into their own hands. Earlier this year, for example, South Korean Lineage players were massacring Chinese players because they believed Chinese players were stealing "virtual property" from Korean players. (And, on another note, some citizens of Second Life crucified a game player who had been repreatedly killing other players.)
  • The other approach is initiated by the operator of the game, and reflects the emergence of customary norms online. Some games, for example, banish griefers (disruptive players) from the game.
Many who have examined the problem of online crime believe "internal" solutions such as these are the appropriate way to deal with online crimes that target "virtual property." Those who take this position tend to assume, I think, that there will always be a clear, radical distinction between "online life" and "real life." They tend to regard "online life" as more analogous to a hobby than to "real life." They therefore conclude that it would be unreasonable to extrapolate the laws and institutions we use to structure "real life" to the unreal, transient, less-than-serious life online.

I think they are wrong. I think we will see -- are in fact already seeing -- the distinction between "online life" and "real life" blur. I think this is evident in the Business Week article I mentioned earlier, the one that focuses on the entrepreneurs in Second Life. We will, for the foreseeable future, continue to live physically in the "real," empirical world, but I think more and more of our activities -- "serious" activities as well as activities some may dismiss as frivolous -- will migrate online.

The production of physical goods and the achievement of physical tasks (e.g., building houses and roads) will necessarily occur primarily in the empirical world. Other endeavors, however, can migrate substantially online; individuals, companies and agencies that provide services can operate substantially online. (Think of what this would do to alleviate the problems we currently experience with commuting to real-world working spaces and the pollution that causes). We will eventually inhabit both the offline and worlds, moving back and forth between them routinely and unconsciously. Earlier this year, a conference was held simultaneously at a site in Cambridge and in the virtual environs of Second Life. And this month the BBC held a virtual music festival that took place simultaneously in the real-world and in Second life.

I'm on the brink of digressing into another topic. What I really want to say is that the "internal" solutions I outlined above are a viable way of dealing with transgressions against "virtual property" as long as it remains a specialized, "lesser" species of property. Entrepreneurs like those described in the Business Week article noted above are already using commerce based upon "virtual property" to support themselves and their families. The trade in "virtual property" does, concedely, seem to be little more than a cottage industry at this point, but it will certainly grow. As it grows, "virtual property" will become more common, will come to play a greater role in our economies (the fused economies that derive from our simultaneously inhabiting the "real" and "virtual" worlds) and will markedly increase in value.

As "virtual property" moves into the mainstream and ceases to be a specialized, "lesser" species of property, we will no longer be able to rely on boutique measures like the internal solutions outlined above to protect it. We will, I believe, have to incorporate it into our legal system, just as we have incorporated the conventional intangible property I mentioned earlier.

Wednesday, May 10, 2006

Blaming the victim . . . ?

I'm in a hotel, having gotten on a plane a few hours ago to come to DC for business.

On the plane I read the May 15 issue of
The New Yorker, which has an article by Mitchell Zuckoff called "The Perfect Mark." It's about John Worley, Vietnam veteran, ordained minister and former caretaker of a mansion in Groton, Massachusetts. It's really about how Mr. Worley became a victim of Nigerian 419 scammers, Worley seems to have lost around $80,000 to the Nigerian scammers, but the problems they caused him did not end there.

Zuckoff's account of what happened to Worley is old news to anyone who is familiar with the online 419 scams or with the venerable face-to-face cons they derive from. As Zuckoff notes, the dynamic of these cons is based on a greedy victim who is willing to bend the rules (at least) to enrich himself at, he thinks, the expense of someone else. Worley fits that picture; according to the article, he knowingly passed bad checks, posed as an aviator contractor, filed false documents, plotted to avoid paying taxes on the ill-gotten gains he expected to receive and agreed to bribe officials whose cooperation he believed was essential to the successful completion of the endeavor that would enrich him. All of that is typical of those who become embroiled in 419 schemes; I have heard similar -- though less extreme -- stories myself.

What I find interesting about the article is not Worley's entanglements with the Nigerian scammers. It is what happened to him at the hands of the U.S. Department of Justice: His involvement with the scammers led to his being indicted -- and ultimately convicted -- on various counts of bank fraud, money laundering and possession of counterfeit checks. He was tried in a U.S. District Court in Boston and convicted on October 15, 2005. The judge sentenced Worley to serve two years in prison and to make restitution of approximately $600,000 to those he victmized in the course of his entanglement with the 419 scammers (who were, it seems, really from Nigeria).

Why was Worley prosecuted when he seems to have been a victim? That is what I find interesting about Zuckoff's article. He cites statistics gathered from the U.S. Secret Service and other groups for the proposition that 419 scammers take in hundreds of millions of dollars each year (at least, this figure not including losses by those who are too embarrassed to admit their victimization). I agree with his statistics; 419 scamming is a huge problem for countries -- like the U.S. and many European countries -- whose citizens are victimized by the scammers. It's a very good source of revenue for the scammers in Nigeria and elsewhere (low overhead, no risk of being caught and prosecuted unless you're really, really foolish), which is why it is flourishing.

All of that really was not a digression . . . maybe. It may go to the reason why Worley, who would seem to have been a victim of the scammers he encountered, was prosecuted and convicted of violating federal criminal law.

At the end of the article Zuckoff quotes Barbara Worley, John's wife, as saying that the federal prosecutors "knew they couldn't go after the Nigerians, so they just get the person they can reach." She apparently also said that the prosecutors were "trying to stop people in America from getting involved in it (the 419 scam) by making an example" of her husband. I find that contention very intriguing.

It may simply be the rationalization of a woman whose life has effectively been dismantled by the prosecution of her spouse. I can't tell from this article if her comments are merely this or if she hit the nail on the head . . . if Worley really was made a scapegoat in an effort to deter others from following his lead.

I tend to be a little dubious about the proposition that Worley was prosecuted merely to set an example the rest of us should not follow. For one thing, I never heard of the case until I picked up this issue of the New Yorker, quite by chance. That is surprising since I troll for stories like this and have a number of resources that should bring it to my attention. But, hey, maybe I simply missed it.

But if the purpose were to use Worley as a scapegoat, you would think the case would somehow have gotten more publicity . . . publicity beyond the rather specialized cybercrime-geek circles in which I move. But, again, maybe it was an incremental step, a first effort in a strategy precisely of the type Mrs. Worley posits.

Let's go with that theory, because that is what interests me.

I have written articles in which I argue that we should use selected principles of criminal liability -- including the principle that holds one who aids and abets the commission of a crime guilty as if he had committed the crime himself -- to develop a climate in which citizens resist cybercrime, of all types. My articles focus more on encouraging citizens to secure their computers and resist social engineering in an effort to shore up our defenses against "true" cybercrime, i.e., crimes in which the computer plays a central role and may, indeed, be the target of the crime. My concern has been more with shoring up our computerized infrastructure than with preventing more conventional crimes like the 419 scam. What happened to Worley is simply a twenty-first century version of what has been happening to real-world victims for centuries.

But, as the sources cited in Zuckoff's article note, Worley was the target of activity that is taking millions and millions of dollars out of the U.S., Europe and other "victim" countries. The magnitude of that activity may also warrant new and drastic measures . . . such as holding the victim liable for his victimization plus the incidental victimization he inflicted on others he exploited in his efforts to enrich himself.

If the federal prosecutors in Boston were, indeed, using this theory in their prosecution of Worley, then I find that very interesting. In my articles I argue that this phenomonon of "consequent victimization" -- instances in which John Doe causes "harm" to others by his reckless or knowing conduct -- warrants the imposition of accomplice liability upon Doe because he is not merely a victim. He is a victim because in my scenarios his computer has been taken over by hackers who turn it into a zombie in a botnet of thousands; he is a victim in the Worley scenario (if, indeed, this theory was used in the case) because he was exploited by the scammers who took money from him. In both scenarios, however, the "victim" is also a contributor to the victimization of others, an accomplice in their injury. I see no reason why we cannot hold these consequent victimizers liable for the harm they inflict on others.

The only other instance in which I have heard of something simliar's being proposed involves online gambling. The Bush administration has not made any serious effort to criminalize online gambling at the federal level, but there continue to be rumblings -- at both the state and federal levels -- about the desirability of doing so. The problem is that no one can figure out how to make it work: If an online casino located in, say, Antigua is operating legally under Antiguan law, we could not prosecute the operators of the casino, even if we were to make online gambling a federal crime.

The traditional approach to outlawing gambling has been to target those who provide the opportunities to gamble -- the casino operators. That approach works if the casino operators are operating within the territory of the legal system that has outlawed gambling; it does not work if the casino is in the territory of a country that has legalized gambling. It is a basic principle of criminal law that one cannot be extradited from Country A to face prosecution in C for doing something that is legal in Country A but illegal in Country C. The unfairness is evident.

But I have heard suggestions that we could deal with online gambling by prosecuting the gamblers . . . who are here in the U.S. I have always found that an interesting suggestion, as it, too, involves the prosecution of the victim . . . presumably on the theory that the victim is aiding and abetting the illegal activity, gambling.

Tuesday, May 09, 2006


Last Friday
("Organization," May 5) I explained why cyberspace will alter the structure of illegitimate organizations: gangs and other illicit coalitions.

Today I want to discuss a related issue: why cyberspace will also alter the structure of legitimate organzations, such as corporations, government agencies and the like.

My expertise in crime and criminal law lets me speak with assurance -- and, I think, accuracy -- about the structure and evolution of illegitimate organizations. I am not an expert on
non-criminal groups but I have what I think is good reason to believe that cyberspace will also, must also, affect the structure of non-criminal groups, notably, private groupings used to carry out commercial and other types of activity.

Everything I am going to say today derives from (a) extrapolations based upon my analysis of how cyberspace will affect illegitmate organizational structures and (b) anecdotal evidence, the product of my observations of how legitimate organizations function today.

As I explained in my earlier post, hierarchical organization evolved, and triumphed, in the real, physical world because it is a superior way to orchestrate collaborative human effort toward the achievement of various goals: military action; commercial production; large-scale educational activity; government affairs; etc. I explained that criminal groups began to adopt hierarchical organizational forms as they moved from "simple" criminal activity (serial robbery, extortion, and the like) into "complex" criminal activity (bootlegging in the 1920's, large-scale drug production and distribution, etc.). While simple hierarchies suffice for simple tasks (hunting and gathering, robbery), more complex tasks require a more sophisticated division of labor.

In my earlier post I explained that cyberspace will alter this, with regard to criminal organizations, because activity in cyberspace is not subject to the physical constraints we must deal with in the real-world. Cyberspace is, as a result, a much more fluid environment . . . a conceptual, not a physical environment. It is, as many have noted, an environment in which lateral organizational structures are more effective than are hierarchical organizational structures. And that is why, as I explained in my earlier post, I believe we will see different modes of organization emerge for criminal activity in cyberspace; I believe we will see hierarchical structures like the U.S. Mafia families replaced by fluid, lateral, "situational"organizational structures. I think cybercriminals will come together when and as necessary for the collaborative achievement of certain ends, and then go their separate ways, all of which, as I said earlier, will make law enforcement's job that much more difficult.

But I am not talking about criminal organizational structures today. I want to speculate a bit about how cyberspace will (should) impact on legitimate organizational structures, such as the commercial, for-profit corporation. (I could just as easily talk about government agencies, but I am going to pick on commerce today, instead.)

I titled this post "Dinosaurs" because I think the huge, hierarchical organizational structures that are characteristic of the modern commercial corporation are, or soon will become, as antiquated as the erstwhile Brontosaurus (now Apatosaurus) depicted above. The Brontosaurus was one of the largest land animals that ever existed; it was, as a result, exceedingly slow and cumbersome in its movements. Now, that is not a particular disadvantage for a species that exists in an environment in which predators are few and can be effectively discouraged by the animal's size. It would be a significant disadvantage for the species if the environment were to be invaded by predators who were numerous and who were not in the least intimidated by the animal's bulk.

I think this latter scenario is beginning to evolve today, in the clash between cybercriminals and conventional hierarchical organizations. Over the last century or so, corporate and government entities have evolved into huge, unwieldy entities . . . the modern organizational analogue of the Brontosaurus. The increasing size of these entities conferred certain advantages with regard to the conduct of their real-world activities and created no significant disadvantages as long as they, like the Brontosaurus, existed in an environment in which predators were relatively scarce and were disinclined to challenge such large and powerful targets. It was, aside from anything else, difficult for individual criminals or criminal groups to mount a successful physical attack on a multinational corporation. What was there to attack? The entity may have enormous wealth, but where was it and how did one access it? The entity's resources were not concentrated in a specific location in a suitably portable, fungible form. Robbers could rob a local bank, but could do little with the Ford Motor Company or American Express. The size differential protected the larger entities; robbers could figure out where the bank's resources were, but could not begin to penetrate the structure of a multinational corporation.

Cyberspace alters the environment in which corporate (and government) organizations function. Large, powerful and slowmoving, these organizations are no match for online attackers who are already utilizing the more fluid organizational forms I wrote about in my last post.

The analogy that comes to mind (my mind, anyway) is that of a Brontosaurus being attacked by evolved velociraptors armed with a submachine gun and expertise in using it. The velociraptors cannot summon the physical resources the Brontosaurus can, but they are much more nimble, can attack while evading counterattack and can, courtesy of the submachine guns, attack remotely. The size that was once the Brontosaurus' advantage has become its Achilles heel.

I think of this analogy when I hear/read about/otherwise encounter instances in which corporate and other large, legitimate entities are attacked by cybercriminals. From what I see (IMHO), their size and the complexity of their organizational structure is counterproductive in this context. Any effort to respond to cyberattacks by reacting to completed attacks and/or deterring future attacks must proceed through a large, complex institutional hierarchy . . . which means that the effort will move very slowly. Along the way, the effort may be further delayed and/or sabotaged by internal political and other operationally irrelevant motivations. The outcome is likely to be a failure to respond or a response that is ineffectual.

What should we do? How do we modernize our Brontosaurian organizations so they can deal effectively with the challenges emerging in the online environment?

I really don't know. I imagine we will, for a long time, anyway, need hierarchical organizations to carry out certain tasks in the real-world, tasks involving large-scale collaborative human effort. I suspect, though, that we will begin to see hierarchical organization decline in popularity as other types of human endeavor migrate wholly or substantially online where they are conducted by non-hierarchically structured entities.

Sunday, May 07, 2006


I watch CBS' NUMB3RS because I find its integration of math and police work interesting, though the stories do tend to be simplistic.

I tivo'd the episode ("Backscatter") that was on this past Friday and sat down to watch it last night. I made it through the first 15 minutes before I gave up, in aggravation.

I was pleased, at first, to see that it focused on cybercrime -- phishing, to be precise. As I have mentioned on this blog, I think that we need to effect a cultural change in order to be able to deal effectively with cybercrime. More specifically, I think we need to make the public aware of the dangers that can lurk online and encourage them to protect themselves from those dangers.

So, I was interested to see that this episode dealt with phishing, which essentially consists of sending emails that are designed to elicit personal/financial information from unwary citizens of cyberspace. The emails usually tell the recipient that his/her bank/credit card account has been compromised and that he/she must contact the institution in question and "reconfirm" their personal information. The emails send the recipient to a fake website that masquerades as a site created by their financial/other institution. The information they provide to the fake website goes directly to cybercriminals who have successfully "phished" for it.

As this episode began, two "hackers" were wardriving to locate an unsecured wireless network that would give them access to credit card numbers. Sure enough, just before they were nabbed they logged into one -- "David's network" -- and began downloading a database of credit card numbers. I have two problems with this, so far: First, it's not phishing; it's hacking, pure and simple. That is, instead of tricking someone out of their credit card information, these guys simply "broke into" a database and attempted to steal the information it contained. My other problem with this part of the portion of the episode I stuck with is the name of the network: Do we really believe that, say, Citigroup or AmEx calls the databases in which they store credit card data by someone's given name? I may be way off base here, but somehow I find that very hard to believe.

But that's only the beginning. The two "hackers," clean-cut American youths, are interrogated and quickly give up the people they're working for . . . who are members of the Russian mob. The American "hackers" got involved with the Russian mob when Russians approached them in a cybercafe located in, I guess, LA, since that is where the show takes place. This is about the point at which I bailed and erased the episode.

I was, at first, pleased to see that a TV show, a network series, was focusing on cybercrime. I was extremely aggravated when it became apparent that the treatment of cybercrime was going to be indistinguishable from the treatment of the other types of crime the show deals with; that is, the indefatigable FBI agents and their clever-albeit-quirky academic support staff were going to be dealing with bad guys who were physically located in their "neighborhood" (LA, California). So instead of having to deal with nameless, faceless cybercriminals who operate remotely from, say, Moscow, the agents and their supporters could deal with these phishers (I assume we got to that point, somewhen) as they deal with all the other bad guys who are featured in the various episodes of the series: They use good old fashioned police work plus a soupcon of advanced math/other scientific knowledge to track them down, probably have a shoot-out or some other physical confrontation, then haul them off, making the world (and cyberspace) secure, once again.

I know I should have stuck with the show, but it was aggravating me and I had something else I wanted to do. Maybe I'll watch it when it's on again, sometimes . . . maybe not.

Seems to me that the message this show sent about cyberspace and the miscreants who lurk there is directly counterproductive: An uninformed viewer who watched the episode would get the distinct impression that, while we do need to be careful when we're online, especially with our personal/financial information, cybercriminals are basically like any other type of criminals. They hang around our neighborhoods, especially cybercafes, and can therefore be identified and apprehended like any other criminal. Bottom line: Don't worry about cybercrime; the FBI has it covered.

That just ain't so.

Friday, May 05, 2006


In an article published several years ago, I argued that cyberspace will change the existing structure of criminal groups. (Organized Cybercrime: How Cyberspace May Affect the Structure of Criminal Relationships, 4 North Carolina Journal of Law & Technology 1 (2002)).

We have had criminal groupings for millennia, but as I explain in the article, the last century saw the emergence of a specialized type of criminal organization: the hierarchically organized gang.

The hierarchically organized criminal gang was developed in the United States in the first several decades of the twentieth century. It was the product of several interacting forces, one of which was the Mafia. As everyone knows from The Godfather, the Mafia is a criminal group that evolved in Sicily in the nineteenth century; Sicilian immigrants brought the Mafia to the United States, and it became particularly influential in New York. Another interacting force was the Volstead Act, which outlawed the production and sale of alcohol in the United States. As many have noted, the Volstead Act actually made alcohol much more popular than it had been before; this, in turn, created new opportunities for those who were willing to defy the law and supply the public with the liquor it demanded. The Mafia quickly took advantage of these opportunities, especially in cities like New York and Chicago; Mafiosi like Al Capone and Lucky Luciano (and independents like Roy Olmstead in Seattle) became leaders of large-scale bootlegging operations that manufactured (or imported) liquor and distributed it to speakeasies and other illegal outlets.

The large-scale bootlegging these operations carried out resembled the activities of legitimate business more than it did that of the criminal activities the Mafia and other criminal groups had traditionally carried out. As I explain in the article cited above, criminal groupings -- gangs -- had historically focused on rather basic criminal activity: robbery, murder for hire, extortion, etc. Aggregating several/many criminal together into a single group could increase the efficacy with which these crimes were committed by bringing more manpower to bear and, perhaps, allowing for a rudimentary division of labor among robbers, extortionists and the like. But these crimes, and the groups that carried them out, were very much focused on crimes of the moment -- single criminal episodes that were carried out, after which the perpetrators moved on to other similar or dissimilar episodes. There was, as I explain in the article, a basic division of labor between leader and his followers; in larger groupings, there could be a division of labor between a leader, one or more subordinate leaders and their followers, but the organizational structure remained rudimentary, since that sufficed.

As I explain in the article, alcohol prohibition caused an empirical shift in certain criminal groups, most notably the Mafia. Large-scale bootlegging required a much more sophisticated division of labor, essentially a corporate division of labor. As military and government groups have known for a long time, hierarchical organizational structures are an effective way to mobilize personnel for the accomplishment of tasks in the real, physical world. A hierarchical structure therefore evolved in groups that were involved in bootlegging; as some have noted, the structure of these groups eventually came to resemble the organizational model found in modern corporations. Because this hierarchical structure proved advantageous for the American Mafia, it persisted and spread to other emerging groups, such as the Yakuza and drug cartels.

Hierarchical, pseudo-corporate organizational patterns have consequently become a defining characteristic of modern "organized" crime. And I am sure these patterns will persist for criminal groups that continue to engage in illicit activities in the real-world. I do not, however, think they will be characteristics of criminal groupings that engage in illicit activities in the virtual world of cyberspace as we know it or as it will presumably evolve over the next centuries. As I explain in the article cited above, hierarchical organizational structures are not adaptive for activities that are carried out online. Hierarchical structures are essential for concentrating human and other resources to overcome the constraints of the real-world to pursue activities such as constructing buildings, manufacturing goods (legal and illegal) and waging war; hierarchical structures are not particularly useful when the physical constraints of the real-world become irrelevant.

In the article I cited at the beginning of this post, I explain in more detail why that is true and I speculate as to how criminal organizations will adapt to this new environment. I postulate that we will see new, lateral modes of criminal organization evolve to conduct crime online. One thing that I think will differentiate these new modes of criminal organization from the hierarchical model of "organized" crime that emerged in the last century is the continuity of personnel: As we all probably know from The Godfather and The Sopranos, continuity of personnel is an essential characteristic of Mafia-style criminal organizations; aside from being the product of familial ties, continuity ensures stability and helps maintain loyalty to the organization and prevent its being infiltrated by law enforcement. I do not think continuity will be an aspect of online criminal organization because I do not think it will focus on the kind of territorially-based criminal activity that is an essential characteristic of real-world organized crime.

I think online criminal organization will be much more situational. Criminal groupings will come into existence for the purpose of carrying out particular criminal activity and disband once the activity is complete. I think online criminal organization will be lateral rather than hierarchical in nature; it will represent a collaboration among equals instead of being based on a hierarchical chain of command.

If I am right about these and other aspects of online criminal organization I outline in the article cited above, then law enforcement's task will become much more difficult. The hierarachical organizational structure common to Mafia-style criminal organizations may make it difficult for law enforcement officers to infiltrate those organizations, but it also makes the organizations and their membership easy targets for law enforcement. Aside from John Gotti--like flamboyance, the permanence of the organizations and the stability of their membership makes it relatively easy for law enforcement officers to track their activities in the real-world. This, in turn, makes them more vulnerable, which no doubt accounts for what seems to be a decline in the influence of the Mafia and similar groups.