The internet has undoubtedly created a new dimension of human activity and given birth to a new social typology. Cyberspace and the information society are no longer an abstract impression of a distant future. On the contrary, these phenomena tend to prevail in our everyday lives and change the way we live, think and communicate. Nevertheless, antisocial behaviour, an enduring pattern in the evolution of human societies, has not left the information society untouched. In its infancy, inhabitants of cyberspace were predominantly members of the prudent academic community and deviant behaviour was rare. Hence, the internet was structured according to the particularities of that community. Much has changed since then. Information has gradually become the wealth and power of our age, money has been digitized to overcome spatial and temporal difficulties of conveyance and intellectual as opposed to tangible products have acquired the greatest value. This unprecedented accumulation of power and capital, perpetually flowing through the modern pipelines of communication with incredible speed, has given rise to cybercrime.
The controversy over whether the internet should be left alone has undoubtedly been answered in the negative. Regulation of the information society is crucial for its survival and well-being. But with regard to cybercrime, many questions still remain unanswered: how will it be tackled, by whom and how will the existing status of the information society be preserved? It would be erroneous to attempt to confine our approach solely within the realm of law. The complexity of the phenomenon requires the synthesis of multiple scientific fields, ranging from philosophy to informatics and from law to economics.
The Nature of Cybercrime
Cybercrime is defined in legal science as any crime which involves the use of information technology. The terms “computer crime,” “computer-related crime” and “high-tech crime” are alternately used to describe much the same thing.
The constant flux of the phenomenon renders the scientific categorization of cybercrimes a very difficult task and impairs our ability to comprehend it. Nevertheless, computer crimes can be generally divided into two main categories: crimes in which the computer is the object of the attack and crimes in which the computer functions as the instrument of crime. A further classification of cybercrimes from a criminological aspect, taking into account the type of channels used, the type of damage imposed, the nature of the acts committed and the motives of the criminal, constructs four separate categories: Cyber-trespass (hacking for political or personal purposes, malicious code spreading), Cyber-deception/theft (computer-related fraud or piracy, identity theft, credit theft, e-money theft), Cyber-obscenity (pornography) and Cyber-violence (Denial of Service attacks, cyber-stalking, hate-speech).
The importance of cybercrime should not be underestimated. Recent surveys demonstrate that, due to its menacing proliferation and the wider professional use of broadband internet connection, the threat that it poses to electronic commerce has never been greater. It is almost certain that the intensifying commercialisation of the internet and the rapid convergence of ICT will serve to further facilitate criminal behaviour, eventually increase risk and undermine trustworthiness in the information society.
The Current Order of Cyberspace
The idea of the internet as a lawless environment belongs to the past. The increasing influence of states and the market is gradually transforming cyberspace from a self-regulated and under-regulated space into a highly regulated one. Four models of restraint form the current order of cyberspace: Social Norms – Market – Law – Architecture. They create a multi-layered structure of governance, which involves all stakeholders, the civil society, businesses and states.
The aforementioned layers of governance form the current order of the information society and act as the barrier to cybercrime. In the communities of internet-users, behaviour is shaped by means of community rules, ethics (e.g. hacker ethics), codes of conduct (e.g. netiquette) and other socially arising norms. In the market community, stakeholders protect their legitimate interests by utilising crime prevention mechanisms, such as information security systems and digital rights management. Higher in the hierarchy are the internet service providers and the telecommunications industry, due to their capacity of controlling the content of the internet. They cooperate with law enforcement authorities, report crimes, retain data, provide evidence and are able to enforce court decisions. All of the above interest holders also react collectively to cybercrime by forming national and transnational institutions to fight against it.
States and the international community stand at the top of internet governance as the ultimate regulating force of cyberspace. State response to cybercrime has evolved through time towards certain legal, organisational and technological dimensions. Firstly, laws have been enacted both at national and international level. Furthermore, nationally-based special law enforcement agencies have been formed and international cooperation has been established in the fields of detection and prosecution. Finally, advanced technology for the surveillance, detection and collection of evidence has been employed to crack hi-tech crime.
Tackling Cybercrime: A Socio-Legal Approach
The task of tackling cybercrime is often viewed primarily as a legal issue, conceptually linked with the enactment of criminal laws. But the application of criminal law to the information society has proven highly controversial. The debate of “cyberlaw versus traditional law” is ever-present in the discussion of cybercrime. Advocates of the “traditional” law approach argue that cybercrimes are “new wines in old bottles”, effectively dealt with by existing legal tools. Conversely, proponents of the “cyberlaw” approach regard computer crimes as “new wine in new bottles”, thus requiring special treatment. A thorough approach to the problem can be adopted only by striking a balance between these two divergent paradigms and by adapting traditional legal doctrines to the novel environment of the information society.
In the process of enacting adequate and effective laws against computer crime, legislators have found themselves compelled to take into account all the unique characteristics of this phenomenon. Contrary to “real world” crimes, the object of attack in cybercrimes is of an intangible nature, putting traditional ideas of ownership and property to the test. Cybercrimes are also committed in a “sui generis” environment, where adherence of acts to spatial-temporal circumstances or to the identity of the perpetrator is particularly hard to define or prove. In addition, the cross-border nature of hi-tech crime, the constant flux of the phenomenon and the rapid technological developments of information and communication technologies make an effective legal response to cybercrime even more difficult to obtain.
The most earnest attempt at an international level to unravel the Gordian knot of cybercrime was the Council of Europe Convention on Cybercrime (2001). The treaty contains 48 articles and is structured into four chapters, dedicated correspondingly to terms and definitions, substantive and procedural measures, provisions for international cooperation and final or other miscellaneous provisions. The substantive criminal law provisions criminalise certain types of pathogenic behaviour in cyberspace, namely acts against the confidentiality, integrity and availability of computer data and systems, computer-related offences, content-related offences, copyright offences and ancillary acts.
The CoE Cybercrime Convention is at present the most coherent and holistic response of the international community to the cybercrime phenomenon. It serves as a widely accepted minimum set of rules and as an essential tool for the unification of national laws and international cooperation in the global fight against cybercrime. The current UK legal framework is considered to meet the standards of the convention, requiring only minor changes mainly on the clarification of the “denial of service attack” types of offences.
Nevertheless, the contemporary legal framework designed to tackle cybercrime is not flawless and is anticipated to be rapidly outmoded. Commentators have asserted that the CoE Convention excessively criminalises behaviour in cyberspace, while it does not provide the appropriate safeguards for human rights or procedural due process. Moreover, it fails to address the current hot legal issue of the cybercriminal debate: the criminalisation of information theft. Lastly, the CoE Cybercrime Convention appears to be inadequate both with regard to the rapidly evolving techniques of cybercriminals and for dealing with cyberterrorism in the post-9/11 global environment.
Beyond the Realm of Law
Policy making on cybercrime cannot be confined only under the premises of law. The major problem of tackling cybercrime through law is that enforcement becomes a posteriori. The future of policing the net is essentially based on a multi-tiered policing system orientated mainly towards crime prevention (a priori) through technology and through intervention in the architecture of cyberspace. In such a system, the role of policing the information society cannot be viewed as a state monopoly but rather as a task involving all its interest holders, users, private entities and states.
The highly precarious environment of cyberspace, where state power and law enforcement tend to be diminished, inevitably creates a pressing need for self-protection. However, stakeholders are not left unprotected at the mercy of cybercriminals. On the contrary, harmful and damaging behaviour can be prevented to a great extent by the utilisation of technology in the form of information security mechanisms. It is beyond any doubt that future strategies on cybercrime will essentially focus on information security and increasingly sophisticated and efficient systems will be developed as a means of self-protection.
A more drastic technique of crime prevention is intervention in the code and the architecture of cyberspace. Intervention is possible at multiple levels. Internet protocols can be changed in order to facilitate traceability or identification or even to create digital identities for users. Alternatively, traffic and content data can be retained to monitor activities in cyberspace. Furthermore, ISPs could employ drastic policies against cybercrime by enabling filters, firewalls or identity systems and by excluding offenders from the use of the web. In addition, crime prevention and surveillance technologies could be integrated into hardware and software products. Such structures of control will enhance accountability and deterrence in the information society but will change its character in a fundamental way. In principle, therefore, these should be openly determined by all interest holders and ultimately regulated by states, in order to ensure the democratic governance of cyberspace.
Shaping the Internet of Tomorrow
In the paragraphs above an attempt was made to describe possible strategies to effectively tackle the phenomenon of cybercrime. By and large, these strategies are characterised neither by neutrality nor deregulation in their principles, nor are they left without antilogy in the field of law. On the contrary, they represent a path which, if implemented, will completely revolutionise cyberspace, with the potential to convert it from a space of relative freedom to a space of absolute control. These policies of control are widely advocated by states and market representatives in order to preserve and expand their influence in the information society, but they undisputedly create tensions with basic legal concepts, put the democratic function of our societies into question and are ultimately at odds with the societal interest.
In shaping the internet of tomorrow policy makers can deal adequately with the challenge of cybercrime only by avoiding the pitfall of excessive regulation, by respecting the openness of the internet and by safeguarding human rights. Chief amongst these are the rights to privacy and informational self-determination, freedom of speech, information and communication. In addition, possible consequences of crime prevention technologies, which have the potential to slow down the internet, challenge its integrity or hinder its technological progress, should also be taken into account.
The commoditisation of information and its conversion into the main source of wealth in contemporary society creates a new economy of information capital. The battle against cybercrime is essential for the continued prosperity of such an economy. As has been shown above, tackling cybercrime is not solely a legal issue but rather involves policy choices that stretch far beyond the realm of law. And these choices have to be made by open democratic participation of all interest holders of the information society with respect to human rights and the public good.