Joyfields EBP Society

The EBP Quarterly

Emerging Issues in Cybercrimes Prosecution

Jasmine Kaur
University of New Haven

Although the increased use of technology has offered numerous benefits in various aspects of human life, its use is not without pitfalls. Increased adoption of technology directly relates to an increased exposure to cybercrime victimization risk. As people across the world switched to online platforms to perform their routine activities, criminals also switched to using technology to commit crimes by exploiting the vulnerabilities in security systems. Given the basic architecture of the Internet, which relies on the connectivity of individuals across the globe, the scope of crimes committed using the Internet is international. Furthermore, the Internet offers new ways of engaging in illegal activities, including (but not limited to) users concealing their identities under the veil of anonymity (Pittaro, 2011). As a result, the identification and prosecution of online and cybercrime perpetrators has become increasingly complicated with the increasing use of cybercrime tools.

The purpose of this brief is to review the nature and extent of cybercrimes and their impacts on individual victims, agencies, and nations. The paper also highlights the multiplicity of complex issues surrounding cybercrime prosecutions. Following a review of existing policies on cybercrimes, this brief makes recommendations for policymakers at the local, state, federal, and international levels for streamlining the prosecution of online crimes in a systematic and coordinated manner.

Statement of the Problem

Cybercrime statistics show a consistent increase in online crimes virtually every year (FBI, 2023). The monetary losses associated with these crimes are also substantial (FBI, 2023). This raises a pressing need for controlling illegal online behaviors. However, the detection of online criminals is a unique challenge, due to the anonymity of offenders in cyberspace. Nonetheless, there is potential for improvement in legal responses to cybercrime through the streamlining of investigative procedures at different levels of agencies, as well as across agencies at a given level. Moreover, better collaboration and improved communication can not only strengthen the capabilities of agencies in expediting the prosecution of online crimes but can also safeguard nations against future cyberattacks (United States Government Accountability Office, 2023a).

According to a 2023 FBI report, cybercrime complaints have almost doubled from 467,361 in 2019 to 880,418 in 2023 (FBI, 2023). The estimated losses due to cybercrimes increased from $3.5 billion in 2019 to $12.5 billion in 2023 (FBI, 2023). While these estimates already suggest a huge loss to the nation's economy, the true damage may be much larger because, like many other forms of crime, cybercrimes are largely underreported.

A survey of 400 tech employees revealed that participants did not report 41% of cyberattacks (Keeper Security, 2023, p.6). While individuals from any age group can fall prey to online crimes, elderly individuals aged 60 years and above are most likely to be victimized by cybercrimes (Statista, 2024). This may be due to risk factors such as social isolation and cognitive decline, which affect elderly people at a greater level, especially for financial crimes (Burton et al., 2022). In addition to causing monetary losses, behaviors such as cyberbullying and cyberharassment can have additional unfavorable effects on victims, including feelings of anxiety, depressive symptoms, and even death (Lipton, 2011). These behaviors often disproportionately affect certain groups, such as racial, sexual, and religious minorities (Citron, 2009). This suggests a need to protect victims of online abuse and deter online perpetrators from engaging in illegal behavior.

Issues in the Prosecution of Cybercrimes

The investigation and prosecution of cybercrimes are not always as straightforward as those of other terrestrial offenses. One major factor that complicates the investigation of online crimes is anonymity in cyberspace, which poses a significant challenge in the detection of online perpetrators. The features of certain technologies, such as the Tor browser, allow individuals to surf anonymously by hiding users' IP addresses (i.e., Internet Protocol addresses), which serve as their digital identities (Pittaro, 2011).

Another factor that impedes the prosecution of online crimes is the lack of transnational laws and efficient communication mechanisms among different nations (Brown, 2015; United States Government Accountability Office, 2023a). Online criminals can target victims from anywhere across the world, meaning that victims do not need to be in the same geographic area, or even on the same continent (United States Government Accountability Office, 2023b). The prosecution of such cases requires effective cooperation among different states and nations, and that agencies in all jurisdictions agree upon standard definitions of cybercrimes and standard rules for prosecuting cybercrimes (Finklea & Theohary, 2015; United States Government Accountability Office, 2023b).

In addition to instituting collaborative arrangements among nations, it is equally important to forge better partnerships with private-sector agencies. Research shows that many law enforcement agencies struggle with prosecuting cases that require cooperation from private sector companies to share information and records within and outside the United States (Moloney et al., 2022). Recognizing the need to prevent increasing cyber-attacks and strengthen the capabilities of intelligence and security agencies, the federal government has made recommendations to increase the information-sharing mechanisms between different sectors (The White House, 2021).

Furthermore, the limited capabilities of detection tools (e.g., anti-malware products) to detect new versions of cyber-attacks pose another challenge in the fight against cybercrime (Vincent, 2014). With advancements in technology, online offenders often evolve and use the most sophisticated and advanced tools to commit crime while removing their digital trails and reducing the likelihood of their detection. Moreover, existing procedures for investigating cybercrimes and the laws governing the prosecution of these cases may not be amended at the same pace (Steinberg, 2022).

An example of a case that required amendments to the existing laws during its prosecution is the Playpen case (Chertoff & Jardine, 2021). Playpen was a pornography website on the darknet that posted child sexual abuse material. The website operated for about 6 months, from August 2014 to March 2015. After the arrest of the website owner, the FBI continued to run the website for several more days to detect consumers of child pornography. The operation resulted in the arrest of users from around the world (FBI, 2017). Since the case involved perpetrators from different parts of the world, the search and seizure were conducted at an international level. However, the law, Rule 41, that governed the search and seizure of devices allowed the applicability of a warrant only in the warrant-issuing jurisdiction (Chertoff & Jardine, 2021). The warrant was initially issued in the Eastern District of Virginia, which legitimately allowed searches only in this district; any searches outside of this area violated the provisions of Rule 41. Legal issues in the case led to the amendment to Rule 41 to broaden the scope of warrant applications (Federal Rules of Criminal Procedure, 2024).

Another important aspect of successfully solving cybercrimes is that crimes must be defined consistently across states and nations. One critical task of cyber investigators is to identify statutes that are applicable to a given criminal act. The problem arises when cybercrimes are not defined consistently across states, especially in solving transnational and interstate crimes. In such cases, the investigators strive to charge individuals within the existing and predefined categories of cybercrime. At times, law enforcement officers deal with conflicts that exist between state and federal law (Ferraro, 2004). A recent report from the United States Government Accountability Office (2023b) shows that agencies vary in terms of how they define cybercrimes in general, and specific types of cybercrimes in particular. This inconsistency is expected to be even greater for cases that need to be investigated at the international level. The same report shows that agencies vary in the way they collect and report data on cybercrime incidents. These factors limit the ability of federal agencies to keep track of crime data from different states in a consistent manner.

Pre-Existing Policies

Given the escalating incidents of cybercrimes during the past few years, and the emerging challenges in prosecuting these cases, it is imperative to raise awareness of the gravity of the problem and to bolster the investigative capabilities of the legal framework. There are several policies that govern the prosecution of online crimes at various stages, such as laws governing information sharing from third parties and sentencing guidelines for unlawful online activities. Moreover, the federal government has established comprehensive guidelines and standards to protect agencies in the United States from online attacks. Despite current efforts to tackle relevant issues in cybercrime prosecution, there seems to be a need to revisit the guidelines and legislation to secure citizens and the nation from potential threats in cyberspace.

Electronic Communications Privacy Act (ECPA)

The ECPA is an updated version of the Federal Wiretap Act of 1968, which provided protection for the interception of hard telephone communications. The ECPA is a federal act enacted in 1986 to provide protection for wire and digital communication. To keep pace with emerging technologies, the act has gone through several amendments in 1994, 2001, 2006, and 2008. The ECPA outlines the procedures for obtaining information from Internet service providers with the help of either a search warrant, a subpoena, or court order (U.S. Department of Justice, n.d.). The Act specifies the type of information that can be obtained from service providers and the period for which the obtained information can be retained (Ferraro, 2004).

The ECPA has been advantageous in providing protection to service providers against being held liable by the government to provide their customers' electronic data. This act limits the government's access to confidential communications among customers. However, a disadvantage of this act is that it has created confusion among states about obtaining information from service providers, as states have their own cybercrime processing laws (Ferraro, 2004). As a result, divergent laws among the 50 states may create conflicts between federal and state laws. This divergence warrants a need to revisit these laws and ensure consistency in the cybercrime provisions of the state and federal governments (Ferraro, 2004).

Computer Fraud and Abuse Act (CFAA)

The CFAA was enacted in 1986 as an amendment to the existing federal computer fraud law. The CFAA was amended several times, in 1989, 1994, 1996, 2001, 2022, and 2008, to broaden the types of misconduct that can be addressed under the provisions of the Act. The CFAA guides prosecutors to address a variety of cybercrime behaviors, such as unauthorized access, exceeding the authorized access term, and sabotaging a computer system (Cornell Law School, n.d.).

An advantage of the CFAA is that it covers a variety of computer-related illegal behaviors, ranging from extortion and espionage to hacking and password sharing; thus, the scope of the act is quite broad. The Act also provides protection for data and information to individual users, as well as to public and private sector agencies (Cornell Law School, n.d.). Although many individuals have been penalized under the CFAA for decades, there are some issues with penalizing citizens under these acts. For instance, the act does not provide specific definitions of certain terms, like "impairment" and "costs," and thus, it leaves room for broad and conflicting interpretations. The provisions in the Act need to be more clearly defined and better specified in certain aspects, such as articulating the possible subcategories of cybercrime behaviors based on the severity of the offense. The penalties specified in the Act can be severe, especially for relatively minor infractions (Sharton et al., 2018). This contradicts the proposition of proportionality in punishment, which essentially suggests that punishments should align with the severity of the transgression.

Federal Information Security Management Act (FISMA)

The FISMA was initially enacted in 2002 and amended in 2014. The act provides a set of regulations and guidelines for protecting the security systems of federal agencies in the country. It also oversees the implementation of recommended policies and requires agencies to share information on security incidents. FISMA manages cybersecurity risks by detailing security standards to prevent unauthorized access, data leaks, and data breach incidents (U.S. Department of Homeland Security, 2023).

An advantage of this Act is that it protects federal agencies from domestic and international cybersecurity threats. However, improper and ineffective implementation of information security standards can weaken the security systems of federal agencies, heightening the risk of unauthorized access. Thus, it is crucial that agencies achieve implementation fidelity; this ensures that their electronic systems are secure from any outside threat. Implementation fidelity can be assessed by conducting periodic evaluations of the agencies' implementation standards. However, evidence suggests that there are insufficient efforts to conduct the annual evaluations assessing the agencies' security systems (United States Government Accountability Office, 2017). This implies that establishing standards is not enough to safeguard the nation from data breaches and leaks; proper implementation of those standards is key to achieving a secure nation.

Recommendations

Nationwide, different jurisdictions have varying standards for collecting cybercrime data and for classifying cybercrimes (United States Government Accountability Office, 2023b). In addition, there are federal laws that also govern these crimes. While some states are lenient and typically agree with federal laws, others are strict and can be in conflict with federal laws for solving cybercrime cases (McNicholas & Angle, 2023). This discrepancy creates conflicts in the resolution of cybercrimes. Based on a review of the extent of the problem, this brief makes recommendations for improving the prosecution of cybercrimes within and outside the United States.

To address the conflict between state laws and federal laws, as well as the difference in laws across the states, there should be a centralized organization that revisits the existing cyber laws and makes common laws for all states in the United States. The centralized organization that this brief is referring to is the Department of Justice. This may not be practically achievable for certain terrestrial offenses, because of state differences in terms of violence rates and drug abuse. Nonetheless, given the inherent nature of the Internet, which offers connectivity to any individual irrespective of state boundaries, state differences may not pose a significant problem. Thus, common cyber laws for all states may offer a non-conflicting way of solving cybercrimes. In addition, the centralized organization must develop a cybercrime taxonomy and define cybercrimes consistently across states (United States Government Accountability Office, 2023b). Standard definitions of cybercrimes would help in solving cases that involve perpetrators and victims from different parts of the country, as criminal acts would be appropriately and consistently categorized.

Moreover, the centralized organization should establish standards for data collection on cybercrime incidents in all states, so that cybercrimes are reported consistently across agencies. The consistent tracking of cybercrime data would strengthen agencies by providing a central repository of data on cyber threats from all states (United States Government Accountability Office, 2023b). A centralized organization must also develop case-processing procedural standards for the investigation of cybercrimes. This would help facilitate better coordination of services among agencies in different states.

One complication in solving cybercrimes involves the inability of the system to keep pace with advancements in technology. The centralized body should support and fund research on cybercrimes to uncover the evolving patterns and behaviors of online offenders. This will facilitate the amendment of cybercrime laws and policies, which require continuous effort towards conducting research to understand the nuances of an emerging issue.

Lastly, recent research has shown a lack of partnership between public and private sector agencies (Moloney et al., 2022). Since third parties carry important information that is necessary for solving cybercrimes, it is important to increase cooperation between public and private sector companies. This would expedite the acquisition of information and records from private agencies. This can be achieved by enacting provisions that mandate information sharing from third parties (like ECPA), specifying the type of information that would need to be shared with the government.

References

Burton, A., Cooper, C., Dar, A., Mathews, L., & Tripathi, K. (2022). Exploring how, why and in what contexts older adults are at risk of financial cybercrime victimization: A realist review. Experimental Gerontology, 159, 111678.

This article reviews literature investigating key factors that increase the vulnerability of older adults in becoming victims of financial crimes online. The authors develop an initial program theory based on a review of the literature and consultation with experts. The theory suggests how various factors, including non-tech savviness and social isolation, increase the risk of financial crime victimization. The paper makes recommendations for preventing victimization of elderly people, such as enhancing older adults' literacy and influencing attitudes towards online crimes.

Cornell Law School. (n.d.). 18 U.S. Code § 1030 – Fraud and related activity in connection with computers. Legal Information Institute. https://www.law.cornell.edu/uscode/text/18/1030

This source provides detailed information on the Computer Fraud and Abuse Act (CFAA), specifying the sections under which different types of cybercrimes can be penalized under the Act. Examples include unauthorized access, exceeding authorized access, causing damage to a protected computer, and extortion. The source also provides information on penalties for each criminal act.

Chertoff, M., & Jardine, E. (2021). Policing the dark web: Legal challenges in the 2015 Playpen case. Center for International Governance Innovation.

The authors describe the Playpen case and the legal issues that arose during the prosecution of the case. In addition, the paper discusses the technicalities of the Tor browser and explains the mechanisms through which the Tor browser offers anonymity on the dark web. Finally, the article details changes in Rule 41, which allowed the applicability of a warrant outside of the jurisdiction limits.

Citron, D. K. (2009). Cyber civil rights. Boston University Law Review, 89, 61.

The paper highlights the rise in the activities of anonymous online mobs who attack certain groups, such as racial, religious, and sexual minorities, on online networking platforms. The author suggests that online mobs engage in defaming victims and threatening them with violence. Victims often withdraw and hide their true identities on social sites. To address this issue and to promote equality, the article proposes legal recourse and civil rights suits.

FBI. (2023). Federal Bureau of Investigation: Internet crime report. (2023). Internet Crime Complaint Center.

The FBI 2023 report publishes cybercrime complaint statistics and data on losses due to cybercrimes over the past five years, that is, from 2019 to 2023. The report shows a consistent rise in online crimes in the past years. It also shows a breakdown of different types of cybercrimes and information on specific sectors that are affected by these crimes, such as the food and agriculture sector, transportation, and healthcare and public health.

FBI. (2017, May 5). 'Playpen' creator sentenced to 30 years. Retrieved 05/08/2024, from https://www.fbi.gov/news/stories/playpen-creator-sentenced-to-30-years

This source is a news piece from the FBI that provides data on the number of arrests that took place in the Playpen case. There were arrests of U.S. producers of child pornography, U.S.-based hands-on abusers, U.S. users, and international users. The international arrests were made in countries like Ukraine, Israel, Chile, and Malaysia. The website owner was imprisoned for 30 years.

Federal Rules of Criminal Procedure. (2024). Rule 41. Search and seizure. Retrieved 04/22/2024 from https://www.federalrulesofcriminalprocedure.org/title-viii/rule-41-search-and-seizure/

This is a legal source that details the scope and definitions under Rule 41 (search and seizure), information on the warrant application venue, rules governing the obtaining, issuing, execution, and return of a warrant, and persons or property that can be subject to search and seizure.

Finklea, K. M., & Theohary, C. A. (2015, January). Cybercrime: conceptual issues for congress and US law enforcement. Washington: Congressional Research Service, Library of Congress.

The report outlines the key concepts of cybercrime and details distinctions between certain types of cyber threats. The authors also discuss the current strategies of the federal government for addressing cybercrimes and the issues regarding the lack of consistency in recording and tracking of cybercrimes.

Ferraro, M. M. (2003). The states and the electronic communications privacy act: The need for legal processes that keep up with the times. J. Marshall J. Computer & Info. L., 22, 695.

The article outlines the Electronic Communications Privacy Act (ECPA), which provides guidelines for obtaining information from Internet service providers (ISPs). Further, the author reviews limitations of the Act, which primarily concern the conflict that exists between the state provisions and the federal provisions.

Keeper Security. (2023). Password management report: Unifying perception with reality.

The report provides descriptive analysis of the online behaviors of individuals, such as reporting of data breaches, choosing strong passwords, sharing personal information on online platforms, updating software, and purchasing anti-virus software. The report compares these behaviors across different age groups. Moreover, it reports the participants' understanding of cybersecurity.

Lipton, J. D. (2011). Combating cyber-victimization. Berkeley Tech. LJ, 26, 1103.

The author discusses categories of abusive online conduct: cyber-bullying, cyber-harassment, and cyber-stalking. The paper also identifies issues in the legal framework that pose a challenge in the prevention of these online behaviors. Lastly, the paper makes suggestions for addressing these issues and empowering the victims of online abuse.

Moloney, C. J., Unnithan, N. P., & Zhang, W. (2022). Assessing law enforcement's cybercrime capacity and capability. FBI, Law Enforcement Bulletin. Retrieved April 22, 2024.

This article from the FBI reports findings of a study that assesses the cybercrime capacities and capabilities of law enforcement. The study explores several areas, such as agency culture and leadership, technological resources, communicative procedures, and partnerships with other agencies and companies. The authors report a significant lack of partnerships with private sector agencies, which suggests a need for developing effective communication mechanisms and cooperation between agencies.

McNicholas, E. R., & Angle, K. J. (2023). Cybersecurity laws and regulations USA 2024. ICLG.com. https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/usa

This source discusses issues in the legal system for prosecuting cybercrimes. It also specifies the crimes that can be prosecuted under CFAA and the penalties for those crimes. In addition, the authors review cybersecurity laws and regulations in the United States.

Pittaro, M. L. (2011). Cyber stalking: Typology, etiology, and victims. In K. Jaishankar (Ed.), Cyber Criminology (pp. 277-297). CRC Press.

The paper suggests that there is a lack of context for defining stalking and cyberstalking behaviors. Moreover, it highlights a lack of empirical evidence for understanding cyberstalking behaviors. It explains cyberstalking, which essentially involves intimidating, harassing, and threatening victims online. The article also explains the nature of the dark web and the Tor browser and how it allows individuals to hide their identities online.

Sharton, B. R., Gould, G. L., Pierce, J. C., & Procter, G. (2018). Key issues in computer fraud and abuse act (CFAA) civil litigation. Thomson Reuters.

This article reviews the CFAA and details crimes that can be prosecuted under the provisions of the Act and the penalties for these crimes. In addition, the article discusses key issues in the CFAA, including a lack of specific and clear definitions of several terms like impairment and costs. The Act also has limitations in specifying penalties for minor transgressions.

Statista. (2024). Number of cybercrime victims in the United States in 2023, by age group. https://www.statista.com/statistics/1390164/us-victims-cyber-crime-by-age/

Statista provides data on the number of victims of online crimes by age group. The data suggests that people aged 60 years and older are most vulnerable to cybercrimes and victims under the age of 20 years are least vulnerable to cybercrimes.

Steinberg. (2022, Jun 20). Regulation can keep pace with changing tech. Here's how. Secure Futures. https://www.kaspersky.com/blog/secure-futures-magazine/regulation-keeping-pace-technology/44644/

The article discusses the issues behind the slow pace of the amendment of cyber laws compared to the advancements in technology. It suggests strategies that can be used for matching the pace. These include adopting new standards for information sharing, forging partnerships between public agencies and private companies, and implementing screening processes and periodic training of employees.

The White House. (2021, May 12). Executive order on improving the nation's cybersecurity. Retrieved 04/22/2024 from https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

The executive order from the White House sets out policy guidelines from the President of the United States. Recognizing the increase in cybercrimes, it makes recommendations for preventing, identifying, and assessing incidents of online crimes. It also provides a timeline by which the agencies would need to adopt these recommendations. Moreover, the order discusses the need for increasing information sharing by agencies.

U.S. Department of Homeland Security. (2023). FY 2024 CIO FISMA metrics. https://www.cisa.gov/resources-tools/resources/fy-2024-cio-fisma-metrics

This legal source provides detailed guidelines for federal agencies to safeguard their security systems. The guidelines include instructions for diverse aspects of security systems, ranging from multifactor authentication and encryption to ground truth testing, and vulnerability disclosures.

U.S. Department of Justice. (n.d.). Electronic communications privacy act of 1986 (ECPA). Retrieved 04/22/2024 from https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1285#:~:text=The%20ECPA%2C%20as%20amended%2C%20protects,conversations%2C%20and%20data%20stored%20electronically.

This source details the ECPA: its background, general provisions of the Act, civil rights and civil liberties, and the specific provisions. In addition, it discusses the amendments of the Act, which took place in 1994, 2001, 2006, and 2008.

United States Government Accountability Office. (2023a). Critical infrastructure protection: National cybersecurity strategy needs to address information sharing performance measures and methods. GAO-23-105468.

This legal source highlights a need for increasing coordination of services among agencies to enhance the security of the nation's critical infrastructure from outside threats. It discusses the information sharing methods that different agencies use and reports inconsistencies in the methods used by these agencies.

United States Government Accountability Office. (2023b). Cybercrime: Reporting mechanisms vary, and agencies face challenges in developing metrics

This source highlights findings from a research study and reports that states vary in defining, reporting, and tracking cybercrime incident information. The paper makes recommendations for the Department of Justice for developing a taxonomy of cybercrime and for developing guidelines for tracking cybercrime consistently.

United States Government Accountability Office. (2017). Federal information security: Weaknesses continue to indicate need for effective implementation of policies and practices. GAO-17-549

The report highlights findings from a study that showed the weaknesses experienced by federal agencies due to ineffective implementation of information security policies (provided by FISMA). The report makes recommendations for supporting the implementation of security policies to protect the nation from cyber-attacks.

Vincent, J. (2014). “Antivirus is dead” says maker of Norton Software Suite. Retrieved 11/14/2020, from https://www.independent.co.uk/life-style/gadgets-and-tech/antivirus-is-dead-says-makers-of-norton-software-suite-9329492.html

This is a brief article that discusses the limitations of antivirus software. It suggests that antivirus systems have limited capabilities, as they detect only 45 percent of cyberattack incidents.