Monday, June 26, 2006


I live in Dayton, Ohio, and because of that I read the local paper: the Dayton Daily News.

A day or so ago, the DDN had a story on identity theft, a version of which is available online. The hard-copy version was longer than the online one and included a photograph of a local prosecutor. The prosecutor, who will remain nameless here, has headed the fraud unit of the Montgomery County Prosecutor's Office for ten years (or so the DDN says), and I'm sure he is very experienced, very knowledgeable about white-collar crime. Indeed, I believe I've heard anecdotal evidence to that effect, though I don't know the man myself.

Most of the hard-copy version of the article seemed to be an Associated Press-style story about identity theft, one with lots and lots of statistics . . . the gist of which is that we really don't have to worry much about identity theft because it's happening in the real world more than it's happening online. The premise seemed to be that we don't need to worry that much about it because, since it's happening primarily in the real world, it's nothing new.

Now, I had some problems with that part of the article because it seemed to be saying that online identity theft is not a problem since only a small percentage of identity theft can be attributed to commercial data breaches, that is, to companies' allowing consumer data to be compromised. I have some reservations about that contention, and I also have some problems with equating online identity theft to compromised commercial databases. The article did not deal much with phishing or the other "personalized" types of identity theft, which I think was a shame. IMHO, it is important to educate people as much as possible about the various kinds of threats that exist online.

But all of that is minor carping on my part -- none of it is what prompted me to write this post. What prompted me to write this post was the role the local fraud prosecutor played in the (much longer hard-copy) version of the article. What was his role, you ask?

You might assume that, as a clearly-experienced and no doubt very-talented fraud prosecutor, his role would be that of a prosecutor who is handling/has handled identity theft cases. Nope -- his role in the article was as victim. It explains how he had his identity stolen.

Now, I find that peculiar, especially given the article's overall tone (don't worry about identity theft, it's nothing new, nothing strange). First of all, I suspect most prosecutors would not fall for real-world fraud schemes -- their experience and expertise would protect them. Here, though, we have not just a run of the mill prosecutor but the head of the local county prosecutor's fraud unit becoming a victim of identity theft. Doesn't that undercut the whole, "don't worry, identity theft is really not anything to be concerned about" tenor of the article?

Second, I found it interesting, given that tenor, that the article did not say anything about how the local prosecutor's office is handling, would handle or hypothetically might handle identity theft cases (whichever applies . . . though my pick would be the last alternative). The article doesn't say anything about that (presumably because I'm right and the last alternative, the hypothetical, is the correct choice) or even tell us if the identity thief who victimized the career prosecutor was ever prosecuted. Continuing its reassuring tone, it tells us that the identity thief who picked on this prosecutor did so by running up charges on his credit card. The prosecutor noticed the charges, called the credit card company and had the charges removed so, as the article notes, the identity theft "didn't cost him a cent."

Well, that's reassuring, isn't it?

I'm sorry -- I'm venting a bit here and, in so doing, I really, really do not mean to be harsh with the DDN reporter who wrote the article or in any way be disrespectful to the prosecutor. It's just that they hit a nerve, as far as I am concerned.

See, I have spent a lot of time working with state and local law enforcement officers and with local prosecutors. From that experience, I know that cybercrime poses many, many challenges for prosecutors. I have often had police officers tell me they investigated a cybercrime case (one that was local enough it could be prosecuted in their state/county), put a good case together and then took the results of their investigation to a local prosecutor . . . who didn't want to touch the case, because cybercrime cases are "different," complex and time-consuming.

They're "different" because, as I have written about before, the law used to charge the person may be new, may be non-existent (which requires some creative extrapolation on the part of the prosecutor) or may raise difficult constitutional or other issues. They're complex for that reason, too. They're also complex because they can involve difficult issues concerning the intersection of law and technology.

These issues can arise with regard to charges against the defendant. If, say, the defendant was an employee of a company and used her legitimate, employee access to its computer system to, say, delete files she was not supposed to delete, copy files she was not supposed to copy or browse through files she was not supposed to see, then the prosecutor will have to figure out what to charge her with. He cannot charge her with gaining "unauthorized access" to (hacking) the system because her employment gave her the right to access part of the system or to access all of the system for certain uses. So the prosecutor will have to figure out if he can legitimately charge her with "exceeding authorized access" (whatever that means) to the system, knowing that her lawyer will no doubt claim that everything she did was authorized. Trying to figure that out takes time (one reason why these cases are also time-consuming) and can be very difficult, especially if one has little or no understanding of computer systems.

If the prosecutor gets over that hurdle, there can be constitutional issues -- Fourth Amendment challenges to how the evidence was gathered -- and digital evidence issues -- challenges to the accuracy of the data being used as evidence against her. All of those issues can raise difficult questions about how law intersects with evolving technology.

So cybercrime cases can be a burden for prosecutors (just as they can be a burden for police officers) . . . which means prosecutors often may not want to deal with them. That is unfortunate. I can understand why prosecutors shy away from these cases, given everything I've just outlined plus the heavy caseloads they already have (involving real-world crimes, which are sometimes regarded as "realer" than cybercrimes).

The problem is that they're not going to go away; they're only going to increase in number, in the extent of the damage they do and in complexity. Not prosecuting these cases is only going to encourage more people to commit cybercrimes.

I remember a conversation I had a year ago with an economic crime detective in a major US city. He told me he keeps "catching" the same cybercrime perpetrators, putting together cases, taking the cases to prosecutors who decline to prosecute. He keeps trying, but is obviously becoming discouraged.

My point here is not to pick on the DDN or on the Dayton prosecutor whose identity was stolen. My point here, insofar as I really have one, is to point out that here, as well as in other areas, we are not doing a good job of dealing with cybercrime. I am not sure what the answer is, since it will take a lot of resources (money, personnel, expertise) to deal with this problem, and counties and parishes and states all do have other priorities. Real-world crimes -- blowing people up, killing them by other means, harming them by other means -- are an obvious and compelling priority.

I guess I just do not understand why we cannot do both.
