Swire on Cybercrime Underenforcement

Peter Swire of the Center for American Progress has a paper out called “No Cop on the Beat: Underenforcement in E-Commerce and Cybercrime.” He identifies how local law enforcement lacks the ability and incentive to address various wrongs done on the Internet because of their complexity and their multi-jurisdictional nature.

Swire has identified a real problem. Just like everyone else, law enforcement struggles to keep up in the changing online environment. And it’s true that local law enforcement lacks incentive to expend efforts going after a distant cybercrime ring for the benefit of one local complainant and thousands of strangers.

(He calls this a “commons problem” and I understand how he means it to illustrate that law enforcement personnel and organizations are economic actors. Crime victims are a sort of public good to those organizations and they can’t enjoy the benefits of caring for most of those who would benefit from their work. I think this fits more neatly in the public choice box: local law enforcement in one jurisdiction doesn’t get any benefit — budgetary, political, or otherwise — from helping strangers, so they’re less inclined to do so.)

Swire’s conclusion is that there should be more federal law enforcement — such as by the Federal Trade Commission and the Justice Department — or “federated” law enforcement, combining state and federal authorities: “A more federated approach recognizes the usefulness of enforcement task forces that draw on multiple jurisdictions. Federal‐state task forces, for instance, have been used widely for drug prosecutions and, more recently, in fighting terrorism.”

While these are logical conclusions, I would be reluctant to call for greater federal law enforcement. There isn’t authority for it in the Constitution, and the uses of “federated” law enforcement he identifies — in the “War on Drugs” and the “War on Terror” — have not been shining examples we ought to follow.

I suspect that Swire would class this as an objection he calls “We Don’t Want Enforcement,” of which he identifies two strains. One is the extent to which some of these “harms” are worthy of enforcement. This is a strong objection, not so much to Swire’s thesis, but to a second one that’s implicit. Swire is not just calling for federal or federated law enforcement aimed at protecting the public from violations of their rights (which manifest themselves as legally cognizable “harms”); he’s classing all kinds of mischief as “harms” to dramatically broaden the sweep of the federal law enforcement task.

Consider this strange circumlocution: “The focus here is on online fraud, malicious software, and other harms that are carried out through the Internet.” In the world of natural language “harms” are “caused,” not “carried out.” Malicious software is “distributed” or “propagated,” not “carried out.” Fraud and malicious software often cause harm, but sometimes do not.

Classing malicious software as a “harm” would make it actionable in the abstract, such as through prescriptive software regulation. If this is what he’s talking about, Swire should surface it and talk about it rather than wedging bad behavior with potential harmful results into the term “harm.” (He’s not alone — see this post and the resulting comments discussing whether increased exposure to risk is a “harm.”)

A second strain of the “We Don’t Want Enforcement” objection is a melange of privacy concerns that Swire would address with due process and privacy rules.

A third strain (with some relation to the privacy concern) emerges from the “commons”/public choice dynamic that Swire identified so astutely as part of the cause of the problem. Bureaucracies and their members are economic actors, and a greater federal law enforcement regime would naturally begin to seek greater powers from the moment it came into existence. This is very much at play in the “wars” on drugs and terror, where federal law enforcement agencies seek much more to promote their institutional interests in growth than the safety, freedom, and prosperity of the people. “We Don’t Want Federal Bureaucracies Doing Law Enforcement” is a much stronger objection than Swire recognizes.

My main concern, though, sounds in moral hazard. Should a federal law enforcement apparatus emerge too early, or occupy fields where it is not absolutely essential, people and organizations that should be responsible for their own security will shunt that responsibility off to the government. Supine and seemingly incompetent, they will fall victim to many crimes and harms that they would otherwise have defended themselves against.

I often analogize the development of security in the online environment to security in the offline environment. Imagine if you were building streets, houses, and buildings from scratch, never having seen such things before. It would take some time to recognize the value of doors, windows, and walls in preventing crime. When you’ve got that window in place, you also need to close the latch, etc.

An alternative to all this distributed learning is to post law enforcement on every corner of every street, or in front of every house. But having a cop on every corner is expensive and hard to administer. There’s risk of corruption, and laziness, and so on. The best security is provided by the most interested actors, and I’d be loath to have federal law enforcement communicate that there is anyone more responsible than software companies, online service providers, payment systems, and individuals for securing the online environment.

There is some role for the federal government in preventing and detecting multi-jurisdictional and international crimes. I wouldn’t rush to embrace it, or to class a broad array of behaviors as “harms” so that the federal law enforcement role mushrooms into an ineffective and costly “War on Cybercrime.”