Cybercrime in the Pandemic Digital Age and Beyond (Palgrave Studies in Cybercrime and Cybersecurity) 9783031291067, 3031291069

Table of contents :
Foreword
Acknowledgements
Contents
Editors and Contributors
About the Editors
Contributors
Abbreviations
List of Figures
List of Tables
1 Introduction: Crime in the Post-pandemic Digital Age
Introduction
Research Questions
Chapter Outline
Learning from the Pandemic
Criminological Lessons
References
2 Pandemics and Illegal Manipulation of Digital Technologies: Examining Cause and Effect in a Time of COVID-19
Introduction
Social Implications of COVID-19
Technological Change and Security Effects Caused by COVID-19
Developments in Cybercrime Recognised During the COVID-19 Pandemic
Emerging Technology, Cybercrime and Cybersecurity Implications in a Pandemic
Future of Illegal Manipulation of Digital Technologies
References
3 Pandemics and Fraud: Learning from the Coronavirus Pandemic and Its Antecedents
Introduction
Measuring Frauds and ‘the Fraud problem’—from Offline to Online?
Digital Fraud in North America
Digital Frauds in Europe
The United Kingdom
The Netherlands
Sweden
Fraud in Asia–Pacific
Hong Kong
Australia
Cryptocurrencies and Crime
Digital Crimes and Policing
Procurement Contracts and Lending Frauds
Learning for Future Pandemics
Discussion
Conclusions
References
4 The Human Element of Online Consumer Scams Arising from the Coronavirus Pandemic
Introduction
Scams Are Not a New Form of Crime
Categorising Consumer Scams
Advance Fee Fraud
Non-Delivery and Defective Products and Services
Unsolicited and Unwanted Goods and Services
Identity Fraud
Other Ways to Classify Consumer Fraud
The Relationship Between the COVID-19 Pandemic and Online Consumer Scams
The Rise of Scams During the COVID-19 Pandemic
Types of Scams During the Pandemic
Theoretical Approaches to Online Consumer Scams
Criminological Theories
Psychological Theories
Individual Differences
Theory of Planned Behaviour
Stress and Coping
Conclusions
References
5 State-Sponsored Economic Espionage in Cyberspace: Risks and Preparedness
Introduction
Remote Work
The Importance of Intellectual Property
Intellectual Property Crimes
Trade Secrets
The Passage of the Economic Espionage Act (EEA) in the United States
Defend Trade Secrets Act of 2016
Automation
Globalization and Competitiveness
Economic Espionage and Cyberspace
Preparedness
The Case of China
Recent Cases of Trade Secret Theft and Economic Espionage in the United States
Sample Cases
Economic Espionage (18 U.S.C. § 1831)
Why Is This Important?
References
6 Virtual Kidnapping: Online Scams with ‘Asian Characteristics’ During the Pandemic
Introduction
What Is Virtual Kidnapping?
Virtual Kidnapping and Other Online and Telecommunications Fraud
The Role of Emotions on Decision-Making
The Evolution of Virtual Kidnapping
First Generation: Phone Scams
Second Generation: Internet Frauds
Third Generation: Targeted Virtual Kidnapping
Theoretical Underpinnings
Challenges Facing Virtual Kidnapping Investigations
Combating Virtual Kidnapping
Ways Forward
Conclusion
References
7 Lessons in a Time of Pestilence: The Relevance of International Cybercrime Conventions to Controlling Post-Pandemic Cybercrime
Introduction
Lessons from COVID-19
Know Your Enemy: Defining the Problem
The Budapest Convention
A Question of Sovereignty
We’re All in This Together (or Are We?): The Fragile Nature of International Cooperation
The Importance of Norms
A Model for the Future?
Conclusion
References
8 Domestic Laws Governing Post-Pandemic Crime and Criminal Justice
Introduction
The Impact of the Pandemic on Society and the Law
New Criminal Laws in Response to the Pandemic
New Court Procedures in Response to the Pandemic
Conclusion
References
9 Perspectives on Policing Post-pandemic Cybercrime
Introduction
The Phenomenon of Cybercrime
Policing Cybercrime
The Private Sector and Cybercrime Prevention
Metadata Retention in Telecommunications 
Surveillance Tools
Concerns Regarding the Tools of Cybercrime Prevention
Getting the Balance Right
Is There a Way Through the Maze?
Policy Option 1
Policy Option 2
Policy Option 3
Policy Option 4
Policy Option 5
Conclusion
References
10 Digital Criminal Courts: The Place or Space of (Post-)pandemic Justice
Introduction
The Significance of ‘Place’ in Law
From Tangible Courtrooms to Disparate Places and Intangible Spaces
Place or Space?
Discussion and Conclusion
References
11 Online Messaging as a Cybercrime Prevention Tool in the Post-pandemic Age
Introduction
Cybercrime, Opportunity and COVID-19
The Case for Prevention
What Makes an Effective Message?
Warning Messages as an Online Crime Prevention Tool
Victim-Focused Messages
Offender-Focused Messages
Deploying Messages
The Account Holder
Internet Search Engine (ISE) Companies
Internet Service Providers (ISPs)
Third Parties
Issues and Opportunities
Conclusion
References
12 Artificial Intelligence, COVID-19, and Crime: Charting the Origins and Expansion of Dystopian and Utopian Narratives
Introduction
Methodological Note
Artificial Intelligence, COVID-19 and Crime: The Dystopian Narratives
Artificial Intelligence, COVID-19 and Crime: The Utopian Narratives
Unpacking the AI-crime Nexus in Risky Times: Knowledge Production and the Aftermath of the Crisis
Conclusion
References
13 Conclusion: Minimizing Crime Risks in Pandemics of the Future
Introduction
What Did the Pandemic Teach Us About Cyber-Vulnerability?
How Have the Authors Addressed These Issues?
So, Where to from Here?
What Next?
In Conclusion
References
Index

Citation preview

PALGRAVE STUDIES IN CYBERCRIME AND CYBERSECURITY

Cybercrime in the Pandemic Digital Age and Beyond Edited by Russell G. Smith · Rick Sarre · Lennon Yao-Chung Chang · Laurie Yiu-Chung Lau

Palgrave Studies in Cybercrime and Cybersecurity

Series Editors Thomas J. Holt, Michigan State University, East Lansing, MI, USA Cassandra Cross, School of Justice, Queensland University of Technology, Brisbane, QLD, Australia

This book series addresses the urgent need to advance knowledge in the fields of cybercrime and cybersecurity. Because the exponential expansion of computer technologies and use of the Internet have greatly increased the access by criminals to people, institutions, and businesses around the globe, the series will be international in scope. It provides a home for cutting-edge long-form research. Further, the series seeks to spur conversation about how traditional criminological theories apply to the online environment. The series welcomes contributions from early career researchers as well as established scholars on a range of topics in the cybercrime and cybersecurity fields. Original series creators and co-founders: Marie-Helen Maras and Thomas J. Holt.

Russell G. Smith · Rick Sarre · Lennon Yao-Chung Chang · Laurie Yiu-Chung Lau Editors

Cybercrime in the Pandemic Digital Age and Beyond

Editors Russell G. Smith College of Business, Government and Law Flinders University Adelaide, SA, Australia

Rick Sarre Justice and Society University of South Australia Adelaide, SA, Australia

Lennon Yao-Chung Chang School of Information Technology Deakin University Melbourne, VIC, Australia

Laurie Yiu-Chung Lau Asia Pacific Association of Technology and Society Hong Kong, People’s Republic of China

Palgrave Studies in Cybercrime and Cybersecurity ISBN 978-3-031-29106-7 ISBN 978-3-031-29107-4 https://doi.org/10.1007/978-3-031-29107-4

(eBook)

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Palgrave Macmillan imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

To the memory of: The late Lau ‘Yam’ Sang, 1931–2022 (in Hong Kong) The late Bruce William Gardner, 1934–2021 (in Melbourne) The late Professor John Taylor (UNSW Business School), 1952–2023

Foreword

The past half century has seen massive global changes on at least two fronts, one gradual and exponential, and the other more recent, episodic and with an uncertain trajectory. The two are not unrelated, and both have implications for crime and its control. The first is the emergence and growth of digital technology and its criminal applications. Cybercrime was once the work of mischievous youth, who were soon joined by highly skilled and sophisticated technicians with a variety of disreputable motives. Today, not only has cybercrime become extremely widespread and diverse, but digital technology has been weaponised by governments and private actors around the world. The second is the COVID-19 pandemic, a global public health disaster that remains disturbingly persistent. It has cost nearly seven million lives, a scale not seen since the great influenza of 1918. And it is not over yet. This book explores various facets of each of these developments and circumstances of their intersection. Crime follows opportunity, and the COVID-19 pandemic has created new opportunities for motivated offenders. During its course, many individuals were isolated at home for prolonged periods and able to spend extensive time online. More

vii

viii

Foreword

people went shopping remotely, others ‘surfed the Web’, some visiting locations of an unsavoury nature. Individuals reached out electronically for social contact with strangers as well as with friends. Nonchalance has been the rule rather than the exception, and there has been no dearth of individuals capable and willing to take advantage of naïve online users. Unscrupulous denizens of cyberspace have existed since the dawn of the digital age. But the circumstances of COVID-19 brought about the enhancement of online hunting grounds. Most obvious was the flourishing of electronic theft in all its diversity: fraud, extortion, economic espionage, often achieved by means of identity theft. Pandemic-specific variations saw markets in counterfeit ‘vaccines’ and other bogus remedies. In addition, there was considerable exploitation of fear and anxiety for ideological reasons and general mischief, not to mention surveillance by states and by private actors. Among the issues at the nexus of public health and crime control is the potential for over-policing. Particularly in jurisdictions characterised by robust individualism, resistance to lockdowns and mask mandates, despite their obvious merits, has been significant. As is the case with law enforcement in more normal situations, the disadvantaged and marginalised members of society bear disproportionate burdens. What becomes of a homeless person during a pandemic lockdown? Moreover, digital technology has enabled surveillance to a degree that is positively Orwellian. Proposals for the real-time tracing of individuals’ physical location and their proximity to infected persons might appeal to some idealists, but the same application would have been welcomed by the secret police of yesteryear, and indeed, those of today. Whether the COVID-19 pandemic will produce lasting changes in ordinary social activity is not yet clear. The future of ‘working from home’ remains uncertain. So too are the changed working environments of courts and custodial institutions. To the extent that these latter adaptations persist, will the ‘new normal’ enhance or detract from the quality of justice? The old adage that ‘cyberspace knows no borders’ may be trite, but it remains true. The same might be said of contagious disease. The imperatives of international cooperation in a world of shared fate have thus far proven to be seriously challenging.

Foreword

ix

It seems likely that the global take-up of digital technology, and the increasing sophistication and diversity of its applications, will continue apace. So too it appears that climate change increasing urbanisation and population mobility will enhance the risk of future pandemics. One hopes that the excellent contributions to this volume will help mitigate, if not eliminate, the trends that we are witnessing. January 2023

Prof. Emeritus Peter Grabosky School of Regulation and Global Governance The Australian National University Canberra, Australia

Acknowledgements

We are grateful to Josephine Taylor, commissioning Editor in Criminology, and the production staff at Palgrave-Macmillan for providing support during the publication process. The author of Chapter 3, Professor Michael Levi, is grateful to the Australian Institute of Criminology, to the British Academy (SRG20\201612) for funding the research on which his chapter was based, and to Chainalysis for providing 2022 data for Fig. 3.3 in advance of publication.

xi

Contents

1

Introduction: Crime in the Post-pandemic Digital Age Russell G. Smith

2

Pandemics and Illegal Manipulation of Digital Technologies: Examining Cause and Effect in a Time of COVID-19 Jill Slay AM

3

4

5

1

13

Pandemics and Fraud: Learning from the Coronavirus Pandemic and Its Antecedents Michael Levi

31

The Human Element of Online Consumer Scams Arising from the Coronavirus Pandemic Monica T. Whitty

57

State-Sponsored Economic Espionage in Cyberspace: Risks and Preparedness Hedi Nasheri

87

xiii

xiv

6

7

8

Contents

Virtual Kidnapping: Online Scams with ‘Asian Characteristics’ During the Pandemic Lennon Yao-Chung Chang, You Zhou, and Duc Huy Phan Lessons in a Time of Pestilence: The Relevance of International Cybercrime Conventions to Controlling Post-Pandemic Cybercrime Jonathan Clough Domestic Laws Governing Post-Pandemic Crime and Criminal Justice Gregor Urbas and Marcus Smith

109

131

153

9

Perspectives on Policing Post-pandemic Cybercrime Rick Sarre

10

Digital Criminal Courts: The Place or Space of (Post-)pandemic Justice Carolyn McKay and Kristin Macintosh

193

Online Messaging as a Cybercrime Prevention Tool in the Post-pandemic Age Richard Wortley and Jeremy Prichard

209

11

12

13

Artificial Intelligence, COVID-19, and Crime: Charting the Origins and Expansion of Dystopian and Utopian Narratives Sanja Milivojevic Conclusion: Minimizing Crime Risks in Pandemics of the Future Rick Sarre

Index

173

233

253

263

Editors and Contributors

About the Editors Dr. Russell G. Smith has qualifications in law, psychology and criminology from the University of Melbourne and a Ph.D. from the Faculty of Law, King’s College London. He practised as a lawyer in Melbourne and lectured in criminology at the University of Melbourne prior to working at the Australian Institute of Criminology, most recently as Principal Criminologist. Following his retirement in 2020, he is now an Honorary Fellow at the Institute and also holds an Academic Status position of full Professor in the College of Business, Government and Law at Flinders University. He is a Fellow and former President of the Australian and New Zealand Society of Criminology and has published extensively—including Cybercrime Risks and Responses (Palgrave 2015) in addition to over 200 other authored or co-authored publications. Emeritus Prof. Rick Sarre is Adjunct Professor of Law and Criminal Justice at the University of South Australia (Justice and Society). He was head of the School of Law and Legal Practice for 6 years at UniSA and

xv

xvi

Editors and Contributors

retired as the Dean of the UniSA Law School in 2020. He is a Past President of the Australian and New Zealand Society of Criminology, and a Fellow of the Society. He served as Chair of Academic Board of UniSA for six years and on UniSA Council for that period. He enjoyed teaching stints in the US, Hong Kong, and Sweden during his 34 years in the tertiary sector. Dr. Lennon Yao-Chung Chang is Associate Professor in Cyber Risk and Policy, School of Information Technology, Deakin University. He is the President of the Australasian Taiwan Studies Association, the Vice Chairman of the Asia Pacific Association of Technology and Society which he co-founded in 2012. He is also the founder and Director of Cyberbaykin: Myanmar Cyber Security Awareness campaign. He has been appointed as Ambassador for the Cyber Security Capacity Maturity Model for Nations by the Victorian Government-funded Oceania Cyber Security Centre in 2020. He is interested in researching crime and governance of cyberspace—cyber law, cybercrime, public-private collaboration and co-production of cyber security. He is particularly interested in the regulation and governance of cyberspace in the Asia-Pacific region. His research is highly topical and he has been invited by the governments of Australia, Canada, Taiwan, Korea, Myanmar and Hong Kong to discuss his research findings with senior national security, foreign policy and policing staff. His professional interest in cyber security continues and he is currently researching internet vigilantism in Asia. He is also working with governments and NGOs in ASEAN countries on research and training programs to build cyber security capacity and cyber security awareness. Dr. Laurie Yiu-Chung Lau is currently Chair of the Asia Pacific Association of Technology and Society (APATAS) and an active member of IEEE Hong Kong Section and an Executive Committee Member of CAS/COM Joint Chapter. He is an entrepreneur and philanthropist in Hong Kong with a Ph.D. from the University of Glamorgan, UK. He has wide experience in research and has published on policing internetrelated crime, including O2O fraud, technology and society, the Internet of things, and AI and robotics. He is actively involved in mentoring

Editors and Contributors

xvii

students at Wu Yee Sun College, the Chinese University of Hong Kong, as well as taking a leadership role as lead organiser and creator of various cybercrime-related conferences around the globe.

Contributors Dr. Jonathan Clough is a Professor in the Faculty of Law, Monash University, Australia. He teaches and researches in the fields of criminal law and evidence, and is an internationally recognised scholar in the field of Cybercrime, being the author of Principles of Cybercrime (2nd edn, Cambridge University Press, 2015), as well as numerous articles in national and international journals. His research is both comparative and interdisciplinary, with a particular focus on the laws relating to the online exploitation of children, and the challenge of harmonising laws in order to facilitate international enforcement of cybercrimes. He has provided advice to government on cybercrime strategies and in 2012 was appointed to the Commonwealth Working Group of Experts on Cybercrime, the report and recommendations of which were endorsed by the Commonwealth Law Ministers Meeting in Botswana in 2014. He has presented at national and international conferences, including at a cybercrime workshop forming part of the twenty-seventh session of the Commission on Crime Prevention and Criminal Justice hosted by the UNODC in Vienna in May 2018. Prof. Michael Levi has been Professor of Criminology at Cardiff University School of Social Sciences since 1991. His main work has been making sense of the linkages and differences between white-collar and organised crime and their public and private sector controls, intersecting with corruption, money laundering and terrorism locally and transnationally. He has major research prizes from the British and American Societies of Criminology, the Tackling Economic Crime Award in the UK 2019, and the Al Thani Corruption Research and Education Prize 2020. His current projects include the impact of technologies on criminal markets and transnational organised crime; A Public Health

xviii

Editors and Contributors

Approach to Fraud; and cyber-enabled fraud and money laundering projects. Ms. Kristin Macintosh is a Ph.D. Candidate at Sydney Law School and Research Assistant in the Digital Criminal Justice Project: Vulnerability and the Digital Subject at the University of Sydney in Australia. Dr. Carolyn McKay is a Senior Research Fellow at the University of Sydney Law School. She is a recipient of the Australian Research Council’s Discovery Early Career Research Award and is undertaking ‘The Digital Criminal Justice Project: Vulnerability and the Digital Subject’, 2021–2024. She is also co-Director of the Sydney Institute of Criminology and teaches Digital Criminology, Criminal Law and Civil & Criminal Procedure. She currently serves on the NSW Bar Association Innovation & Technology Committee and served on the 2019 NSW Law Society Legal Technologies Committee. She is recognised for her research into technologies in justice, specifically audiovisual links, published in her monograph, The Pixelated Prisoner: Prison video links, court ‘appearance’ and the justice matrix (2018) Routledge. She has researched and published on other technologies in criminal justice including algorithms and Artificial Intelligence, police body-worn cameras and prisoners’ access to technologies. Dr. Sanja Milivojevic is Associate Professor in Digital Futures at Bristol University. She is also Adjunct Associate Professor in Criminology at La Trobe University, Melbourne, Australia and Co-Director of Border Criminologies at Oxford University. She holds LL.B and LL.M degrees from Belgrade University’s Law School, Serbia, and a Ph.D. from Monash University, Australia. Her research interests are borders and mobility, human trafficking, security technologies and surveillance, gender and victimisation, and international criminal justice and human rights. She was a visiting scholar at Oxford University, University of Oslo, University of Belgrade and University of Zagreb, as well as a Public Interest Law Fellow at Columbia University’s Law School in New York. She has published five books and over 50 journal articles and book chapters in English and Serbian. Her latest book Crime and Punishment in the

Editors and Contributors

xix

Future Internet: Digital Frontier Technologies and Criminology in the 21st Century is published by Routledge (2021). Prof. Hedi Nasheri is a Professor of Criminology and Justice Studies & the Director of Graduate Programme in Criminology & Criminal Justice in the Department of Sociology at Kent State University. She is a Visiting Professor in the Faculty of Law at the University of Turku in Finland. Her areas of expertise include intellectual property violations, theft, cybercrime and security, corporate and industrial espionage and trade secret theft and artificial intelligence. She has written and lectured extensively in the areas of intellectual property crimes, cyber & technology crimes and transnational crimes. She is the author of five books, including Economic Espionage and Industrial Spying (Cambridge University Press). She serves on the Scientific Committee of Technology Against Crime Forum and serves on the International Working Group on the Cyber Security and the Law, under the patronage of the Interpol and the French Ministry of the Interior. Mr. Duc Huy Phan is a Ph.D. Candidate in the School of Social Sciences at Monash University in Australia. Dr. Jeremy Prichard is an Associate Professor of Criminal Law at the University of Tasmania. He collaborates with multiple disciplines to develop novel strategies to reduce the harms of crime. He has researched the online market for child sexual abuse material in 2011. He has spent the last six years developing an online environment to ethically conduct experiments with naïve participants. Prof. Jill Slay AM is currently the University of South Australia SmartSat CRC Professorial Chair in Cyber Security. Her work thus focuses on the context of developing the national technical agenda in satellite cybersecurity and resilience with DST, Defence and Defence Industry. She is also the Chair of the Australian Women in Security Network and a Director of the International Information Systems Security Certification Consortium for 2021–2023. She has established an international research reputation in cyber security (particularly Digital Forensics, Cyber Intelligence and Cyberwarfare) and has worked in collaboration with the Australian Federal and State governments and

xx

Editors and Contributors

with many industry partners. She has published more than 140 outputs in information assurance, critical infrastructure protection, security and forensic computing and completed the supervision of 20 PhDs and many Masters and Honours theses. She was made a Member of the Order of Australia (AM) for service to the information technology industry through contributions in the areas of forensic computer science, security, protection of infrastructure and cyber-terrorism Dr. Marcus Smith is an Associate Professor in Law at Charles Sturt University in Canberra, where he undertakes research and teaching in the field of technology law and regulation. His recent publications include Technology Law with Gregor Urbas (Cambridge University Press, 2021); and Biometric Identification, Law and Ethics with Seumas Miller (Springer, 2021). Prior to entering academia, he worked in a range of Australian government agencies. Dr. Gregor Urbas is an Australian Lawyer and academic specialising in cybercrime, criminal law and evidence, with recent publications including Cybercrime: Legislation, Cases and Commentary (LexisNexis, 2nd edition 2020) and Technology Law (Cambridge University Press, 2020). He has been a Researcher at the Australian Institute of Criminology, the Law Council of Australia and IP Australia, has appeared as a barrister in the Australian Capital Territory and New South Wales courts. He is an Adjunct Associate Professor at the Australian National University, teaching Criminal Law and Procedure and Evidence, and also teaches online courses at Charles Sturt University and the University of New Hampshire. Prof. Monica T. Whitty is the Head of Department of Software Systems and Cyber Security and is Professor of Human Factors in Cyber Security at Monash University, Australia. She has been a member of the World Economic Forum Cyber Security Centre and was a member of the WEF Cyber Security Global Futures Committee. She was the Founder and Director of the University of New South Wales Institute for Cyber Security and has worked at the Cyber Security Centre in the UK, at the Oxford Internet Institute and is an honorary Professor at the Institute of Royal Holloway, University of London. She is the author of over

Editors and Contributors

xxi

100 articles and 5 books. She is a leading expert on cyber fraud, especially romance scams, identities created in cyberspace, online security risks, behaviour in cyberspace, insider threats, as well as detecting and preventing deception and scam victimisation. Prof. Richard Wortley has professorial appointments with University College London and the University of Waikato. His research interests centre on the role that immediate environments play in criminal behaviour and the implications this has for situational crime prevention. He has a particular interest in the prevention of child sexual exploitation, both contact and online offending. Mr. You Zhou is a Ph.D. Candidate in the School of Social Sciences at Monash University in Australia.

Abbreviations

ACC ACCC ACCCE ACMA ACS ACSM ADCC AHRC AI(C) AIC AIHW AM API APT ASCS ATA BBC BEC BRICS CCTV

Australian Crime Commission Australian Competition and Consumer Commission Australian Centre to Counter Child Exploitation Australian Communications and Media Authority Australian Computer Society Australian Cyber Security Magazine Antideception Coordination Centre Australian Human Rights Commission Artificial Intelligence (enabled crime) Australian Institute of Criminology Australian Institute of Health and Welfare Member of the Order of Australia Application Programming Interface Advanced Persistent Threat Australian Cyber Security Centre Annual Threat Assessment British Broadcasting Corporation Business Email Compromise Brazil, Russia, India, China and South Africa Closed Circuit Television

xxiii

xxiv

Abbreviations

CMC COVID-19 CSAM CSEW DeFi DDOS DOS ECB EEA EU FBI FTC GI-TOC GPS GRULAC HCA IC3 ICT ILO IP IPEC IOCTA IoT ISP ISR IT KNPA LEO LMCKC MFA MLA MOU MSS NAFTA NAO NAS NATO NCSC NGO

Computer-Mediated Communication SARS-CoV-2 virus Child Sexual Abuse Material Crime Survey England and Wales Decentralised Finance (Protocols used on a blockchain network) Distributed Denial of Service Denial of Service European Central Bank Economic Espionage Act (US) European Union Federal Bureau of Investigation Federal Trade Commission Global Initiative Against Transnational Organized Crime Global Positioning System Latin America and the Caribbean Group High Court of Australia Internet Crime Complaint Center (FBI) Information and Communications Technologies International Labour Organization Internet Protocol Intellectual Property Enforcement Coordinator (US) Internet Organised Crime Threat Assessment Internet of Things Internet Service Provider Intelligence, Surveillance and Reconnaissance Information Technology Korean National Police Agency Low Earth Orbit Satellites Lockheed Martin Cyber Kill Chain Multi-Factor Authentication Mutual Legal Assistance Memorandum of Understanding Ministry of State Security (China) North American Free Trade Agreement National Audit Office (UK) National Academies of Sciences North Atlantic Treaty Organization National Cyber Security Centre (UK) Non-Government Organisation

Abbreviations

NHS NIST n.p. O&T ONS OSN PHEIC PII PNT PPE PRC QR Code SCP SME TJU TOR TRIPS UCR UK UN UNIDR UNODC UNTOC URL US VPN WEF WEOG WHO WIPO

xxv

National Health Service (UK) National Institute of Standards and Technology (US) Unpaginated Online and Telecommunications Office for National Statistics Open Storage Network Public Health Emergency of International Concern Personally Identifiable Information Position, Navigation and Timing Personal Protective Equipment People’s Republic of China Quick Response code Situational Crime Prevention Small to Medium Enterprise Tianjin University The Onion Router Trade-Related Aspects of Intellectual Property Rights Uniform Crime Report United Kingdom United Nations United Nations Institute for Disarmament Research United Nations Office on Drugs and Crime United Nations Convention against Transnational Organized Crime Universal Resource Locator United States Virtual Private Network World Economic Forum Western Europe and Others Group World Health Organization World Intellectual Property Organization

List of Figures

Fig. 2.1 Fig. 3.1 Fig. 3.2 Fig. 3.3

Fig. 4.1 Fig. 7.1

Fig. 7.2

Cyber Kill Chain stages of illegal manipulation of digital technologies (Source Author’s model) Top five crime types compared with the previous five years (Source Derived from FBI [2021, p. 8]) Year-to-year comparison in topical scams’ figures (June) (Source Derived from ADCC [2022]) Total cryptocurrency value received by illicit addresses 2017–2022 (31 December) US$ billion (Source Derived from Chainalysis [2023] published with permission, 24 January 2023) Theory of planned behaviour (Source Ajzen [1991]) Countries ratifying the Budapest Convention by year, 2002–2022 (Source Author’s Figure derived from Council of Europe [2023]) Parties to the Budapest Convention by UN region (Source Author’s Figure derived from Council of Europe [2023])

26 35 38

40 76

137

138

xxvii

List of Tables

Table 3.1

Table 4.1

Number of recorded cases and the financial losses due to reported computer crime in Hong Kong, 2018 to 2020 Classification of consumer fraud

37 62

xxix

1 Introduction: Crime in the Post-pandemic Digital Age Russell G. Smith

Introduction This volume seeks to present current research dealing with crime involving information and communications technologies in the period immediately preceding, during and following the Coronavirus pandemic that was declared a pandemic by the World Health Organization (WHO 2020) on 11 March 2020. Pandemics are, by definition, global in scope and impact, and, accordingly, the current collection of research papers includes perspectives from a variety of continents and a range of disciplines. Although the Coronavirus pandemic has been, and continues to be, an international health problem, its effects have extended far beyond medical concerns, with changes affecting all community members in R. G. Smith (B) College of Business, Government and Law, Flinders University, Adelaide, SA, Australia e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 R. G. Smith et al. (eds.), Cybercrime in the Pandemic Digital Age and Beyond, Palgrave Studies in Cybercrime and Cybersecurity, https://doi.org/10.1007/978-3-031-29107-4_1

1

2

R. G. Smith

terms of their domestic and social interactions as well as their professional and working activities. The pandemic has also led governments and industry to implement extensive, and novel measures, both legislative and administrative, to address the effects of the pandemic. Some have been successful while others have created problems of uniformity of application, infringement of human rights, cost and regulatory over-reach in some situations. The primary concern of the current volume is whether, and how, the pandemic altered the ways in which crime occurred and how it was dealt with by governments, industry and the community to minimise its harmful consequences. Occurring in the early twenty-first century, with our entrenched reliance on digital technologies, the pandemic provided an environment in which cyber-dependent and cyber-enabled crime could proliferate. It also provided opportunities for digital technologies to be used not only to regulate and control the pandemic itself, but in an attempt to minimise the incidence of crimes facilitated through the use of modern digital technologies. Information and communications technologies have played a pivotal role during the pandemic in communicating information across the globe on the risks and responses to the pandemic, but also in providing opportunities for various forms of illegality—some associated with the pandemic, and others less so. The present volume aims to describe the nature and extent of such illegality, its connection to the pandemic and how digital technologies could assist in solving not only the health crisis, but also the consequential crime problems. The chapters in this edited volume come from established academic scholars and policy practitioners in the fields of cybercrime, computer forensics, the law and criminology who have documented the nature and scale of the problems experienced, the nature of any causal connection to the pandemic and the range of technological, legal and legislative responses employed. Some solutions were designed primarily to address the crimes being committed, while other initiatives sought to improve criminal justice administration during the time of lockdowns, sickness and changing social conditions. Those found to be beneficial are likely to remain in use, while other innovations that have been found to be

1 Introduction: Crime in the Post-pandemic Digital Age

3

problematic may be quietly withdrawn. We also examine the effectiveness of the policy measures developed during the pandemic designed to minimise misuse of technologies created as a result of the health crisis. The aim is to assess how cybercrimes of the future could be contained when the next pandemic inevitably occurs. We also seek to identify and make use of the lessons—both positive and negative—that arose during the time of COVID-19 to improve the global response to cybercrime more generally.

Research Questions The contributors to this volume were asked to address a number of questions relevant to the overall theme of cybercrime during the current pandemic. These were as follows: – What changes occurred in the criminal environment since 2020— which crime types increased, which decreased and what new forms of illegality emerged? – Were any changes in crime caused by the pandemic, or were they simply enabled or facilitated by the circumstances of the pandemic? – What theoretical explanations exist to explain changes in crime during the pandemic, particularly cybercrime? – How were digital technologies used to contain the pandemic and to reduce risks of cybercrime occurring? – What changes took place within criminal justice agencies during the pandemic, and how important were digital technologies in the responses of criminal justice agencies to the pandemic? – What legislative and policy changes were introduced to contain cybercrime during the pandemic, both nationally and internationally, and how effective were they in responding to the criminal environment during the pandemic? – Using knowledge derived from dealing with the current pandemic, how can crime risks be minimised in future pandemics and how can digital technologies be most effectively used to respond to crime and the administration of criminal justice in the future?

4

R. G. Smith

Chapter Outline The volume addresses these questions by initially examining the cybercrime environment that was present during the pandemic. Jill Slay’s opening chapter focuses on how digital technologies were targeted and manipulated during the pandemic due to a range of social changes including—the presence of lockdowns, home-based work, vacant urban centres, the economic downturn, enhanced savings by individuals, increasing online commerce, greater reliance on cloud usage, audio-visual link usage, merging of home and work computing, homeschooling and increased use of telemedicine. She then examines some of the emerging technologies such as the Internet of Things (IoT), quantum computing and the broad usage of satellite services for communications and earth observation that could be targeted during future pandemics or natural or man-made catastrophic events. Consideration is given to conventional cybersecurity techniques such as better training, the use of Virtual Private Networks (VPN) and Multi-factor Authentication (MFA) as well as the need for new policies, better data monitoring, improved identity management and enhanced physical security. In order to spread the losses caused by cybercrime—that currently amount to many billions of dollars annually in countries such as Australia alone (Smith and Hickman 2022; Teunissen et al. 2021), new approaches will be needed, including cyber insurance (see Baker and Shortland 2022; Toh et al. 2022). Michael Levi and Monica Whitty then provide detailed assessments of one of the crime types that has shown the greatest increase in incidence during the pandemic—crimes of dishonesty such as fraud and consumer scams. Lennon Chang also considers the opportunities created by the pandemic for virtual kidnapping—particularly of Asian students in Australia. Hedi Nasheri provides a case study of one of the most sophisticated cyber espionage attacks that occurred in the United States in March 2020—just as the pandemic unfolded. She argues that it came as no surprise that this attack coincided with the lockdowns that were implemented in the United States due to the pandemic and the implementation of remote work for all employees who were not considered as essential workers. These four chapters show how criminological and

1 Introduction: Crime in the Post-pandemic Digital Age

5

psychological theories can be used to explain the changes in victimisation that occurred and whether the pandemic caused such changes or simply provided an altered environment in which such illegality could be enabled and facilitated. Levi and Whitty, however, both note the problems associated with differentiating cyber from non-cybercrime and the paucity of reliable data available to quantify the scale of changes. Jill Slay and Monica Whitty also argue that the pandemic and cybercrime were not causally related but that opportunities for crime were enhanced due to the social changes created by the pandemic. In the case of consumer fraud, Whitty concludes that the pandemic simply increased specific individuals’ susceptibility to becoming scammed due to situational and personality factors. Levi also identifies cryptocurrency fraud as a growing threat that developed during the pandemic but will continue into the post-pandemic period. Jonathan Clough then considers the international normative responses to cybercrime during the pandemic and whether a global treaty such as a United Nations Cybercrime Convention would be effective in dealing with the criminal justice issues that have recently arisen. The Council of Europe’s Budapest Convention is used as a model against which to test whether or not a United Nations Cybercrime Convention should be promulgated. Clearly the global Coronavirus pandemic raised criminal justice questions that stretched beyond national borders, in the same way that cybercrime has called into question single Nation State legal responses. International normative responses could, therefore, provide an effective way to deal with the many legal questions that entail the use of digital technologies both to commit crimes and to investigate and respond to them. Clough approaches this by considering the current state of responses to cybercrime at the international and regional levels, drawing on three key parallels with responses to the pandemic: the ability to cooperate with the private sector, the retreat to sovereignty and the fragile nature of global cooperation. He argues that a framework UN Cybercrime Convention would be appropriate with specific operational matters dealt with in Protocols to any Convention. A UN Convention would, however, be one of the most ambitious instruments in the field of transnational crime to have ever been attempted by the UN. At the time of writing, the formal process

6

R. G. Smith

to negotiate a global cybercrime convention has commenced with meetings having been conducted by stakeholders to determine the purpose and parameters of the proposed convention (see Global Initiative Against Transnational Organized Crime—GI-TOC 2022). Gregor Urbas and Marcus Smith then focus on how domestic legislatures responded to the public health aspects of the pandemic and how some of these responses provided opportunities for cybercrime to occur. Many domestic initiatives involved the collection and use of personal information contained in metadata and although beneficial in tracking the progress of COVID-19, it created risks of data breaches and also potential for misuse by law enforcement in criminal investigations. Problems of this kind were examined in the Australian Human Rights Commission’s Report on Human Rights and Technology (2021) that also considered the potential misuse of Artificial Intelligence by government in its responses to the pandemic. The Australian Institute of Criminology (AIC) has also conducted research into the relationship between data breaches and cybercrime victimisation (Morgan and Voce 2022). In the case of policing, Rick Sarre considers how law enforcement agencies dealt with the changing priorities created by the pandemic— particularly those relating to cybercrime, and how the challenges created by volume cybercrimes need both public sector and private sector collaborative responses. Sarre observes that public sector policing simply cannot handle the workload created by modern forms of cybercrime and that this was exacerbated during the pandemic when police were expected to handle many aspects of public health enforcement while continuing to manage normal caseloads. In the UK, for example, a report by the Police Foundation and Crest Advisory (Aitkenhead et al. 2022, p. 4) noted that ‘the COVID-19 pandemic … presented the police with unprecedented challenges: enforcing previously unthinkable restrictions on the public; protecting its own officers and staff from a potentially deadly virus; and continuing to meet regular demands even as other public services drastically scaled back their own delivery’. One of the major findings was that ‘the pandemic accelerated pre-existing trends of crime moving online and becoming more complex, higher harm and harder to solve’ (p. 5). This occurred at a time when the demands on police increased substantially.

1 Introduction: Crime in the Post-pandemic Digital Age

7

Urbas and Smith also examine the new domestic legislation on restrictions on personal movement and international travel and prevention measures such as mandated mask-wearing that were enforceable through fines and imprisonment. The conduct of legal proceedings was also affected, with an increased use of remote hearings, technological forms of document submission and judge-alone hearings. Bail, trial and sentencing procedures were also modified with such changes potentially lasting beyond the pandemic itself. With respect to judicial proceedings, Carolyn McKay analyses the changes to court procedures that were created by the pandemic such as the use of remote hearings, suspension of jury trials, an increase in judge-alone proceedings and alterations in sentencing and correctional procedures. These changes represent the clearest example of legal changes being caused directly through the circumstances of the pandemic— particularly the need for social distancing. She also examines the large increase in the use of digital communication technologies: audio-visual links as well as third party proprietary platforms for use in judicial proceedings. She then considers whether a ‘courtroom’ includes a network of diverse remote access technologies and whether virtual courtrooms are perhaps a ‘space’, rather than a ‘place’. This question has relevance both to criminal and civil proceedings where the pandemic accelerated the use of digital platforms in the delivery of justice in both contexts. McKay argues that the displacement of the physical courtroom caused by the pandemic actually unravelled some of the foundational concepts and practices of traditional justice—with both benefits and detriments for providers and users of courts. Others have argued that the pandemic has highlighted a more enduring crisis in judicial administration that will extend far into the post-pandemic period (Godfrey et al. 2022). Consideration is then given by Sanja Milivojevic to the crime control uses of Artificial Intelligence (AI) systems that were developed and implemented during the pandemic. She considers whether such technologies have dealt effectively with the ethical and regulatory issues identified in the pre-pandemic age. Artificial Intelligence provided some of the most effective solutions to many of the problems created by attempts to control the virus, including biometric temperature monitoring of airport

8

R. G. Smith

arrivals, tracing of infected people using QR codes and management and monitoring of people in hotel and home quarantine. These solutions, however, raised concerns about privacy, human rights and the ethical application of AI in the communities being regulated. Sanja believes that such concerns will be exacerbated as AI is used more widely to deal with crime—particularly those forms of crime that increased considerably during the pandemic—offences of dishonesty and family violence. Not all technological solutions to crime entail risks of infringement of human rights, and Richard Wortley and Jeremy Prichard provide an example of how one of the most egregious form of criminality that expanded during the pandemic—the creation and use of online child abuse material—could be dealt with through the use of innovative technologies. They show how the use of automated warning messages in online settings can dissuade individuals from activities such as visiting malicious websites, disclosing personal information, gambling online, pirating music, attacking computer servers and accessing indecent images of children. This is one of many solutions to the many problems associated with controlling online child sexual abuse material that Brown (2023) has recently reviewed. As he observes, ‘there is no simple, onesize-fits-all approach to solving child sexual abuse material’ (p. 167), but a series of approaches that involve both government, industry and the community of online users. Wortley and Prichard suggest that the pandemic has merely accelerated an existing upward trajectory of cybercrime that will continue to rise post-COVID-19, albeit perhaps at a slower rate. The same could be said of the other prominent threat that arose during the pandemic, ransomware, that Wall (2021) argues has been driven by enhanced organisation of offenders online, especially during the pandemic.

Learning from the Pandemic After three years of enduring the effects of the Coronavirus pandemic, it is appropriate to assess how the criminal environment changed, what new crime risks emerged, and how effective were the responses introduced to deal with the crime trends that appeared. As the following chapters

1 Introduction: Crime in the Post-pandemic Digital Age

9

will show, it is clear that the incidence of some crime types declined during the pandemic—those involving face-to-face contacts, while others increased—particularly those that were committed online or in closed, domestic environments. It is also clear that the full extent of the changes to the criminal environment introduced during the pandemic will take some considerable time to be reflected in crime statistics—especially those crime types that have low reporting rates and poor levels of law enforcement action. Cyber-fraud is a particular case in point that can take years to emerge. As more precise criminological research emerges, government and business analysts will need to examine the evidence and develop responses for the future so that the lessons of the past are not repeated. As we will see from Michael Levi’s chapter it is clear that the fraud control lessons of the Spanish Flu pandemic were largely forgotten or ignored and that many of the fraud types committed in 1919 were repeated in 2020. Crime prevention specialists should take the opportunity now to assess the nature of the crime risks that have emerged in the 2020s so that control measures can be developed and introduced without delay. The research that has been undertaken already has found, on the whole, that although the pandemic created some new crime opportunities, the bulk of recent crime types involved adaptation of previously known methodologies. In the case of cybercrime, most risks arose because users had not made use of the best security strategies currently available—such a multifactor authentication, encryption, VPNs and wireless security, as Jill Slay noted in her chapter. Other cybercrime controls, such as transaction tracking and GPS monitoring, although effective in reducing cybercrime risks, entailed new risks of information insecurity and privacy infringement—that led to further cyber victimisation. As the Director-General of the WHO noted, this is rapidly becoming an ‘Infodemic’ (cited by Urbas and Smith in their chapter). Information insecurity, however, was well established long before the current pandemic and had only an indirect relationship to the pandemic itself. Clearly, there is a need for further research to be undertaken, particularly comparative research to understand cybercrime risks in the global north and south. Research should also focus on the effects of differing

10

R. G. Smith

forms of social control undertaken during and after lockdowns. Finally, there remains a deficit in knowledge as to the individual deterrent effects that digital tracking during the pandemic had on criminal conduct.

Criminological Lessons A number of the contributors to the current volume explored some of the theoretical approaches used to understand the changing crime landscape during the current pandemic. Monica Whitty, for example, reviewed some of the principal criminological crime prevention theories based on routine activity and opportunity approaches. She found these to be somewhat superficial and not entirely helpful in understanding the crime trends evident in the pandemic—particularly concerning consumer fraud. Instead, she preferred the individually-based psychological theories that, she argued, offered greater benefits in terms of risk reduction. There are, however, a number of gaps in the evidence-base needed to evaluate crime prevention measures more fully. The question of causation still needs further examination and research is needed to understand the processes used by offenders to adapt the crime methodologies that took place so quickly in the area of government pandemic assistance fraud (Levi and Smith 2021). Research is also needed to explore the role of deterrence and why community compliance with public health control measures was high during the pandemic (see Six et al. 2021). Understanding this better could be used to increase compliance with other rules that focus on crime prevention in the future. It is likely that the crime risks of future pandemics will not be able to be avoided in full, but one of the more important lessons of the current pandemic is to ensure that technological solutions to pandemic-related crime are not introduced too quickly and without adequate explanation of their benefits and avoidance of potential counter-productive consequences. The problems created by technological surveillance measures and data sharing between government and the private sector are illustrative of how some crime controls can create unnecessary harms if introduced too quickly, with inadequate monitoring and without adequate

1 Introduction: Crime in the Post-pandemic Digital Age

11

community consultation. Pandemics create an obvious need for prompt action to deal with the public health problems, but excessive zeal and reliance on untested technological solutions can create more problems than benefits. The following chapters provide a compendium of useful strategies that could be adopted to prevent crime in future pandemics, and red-flags of approaches that have failed in the past and should be avoided in the future. We can only hope that the ever-increasing academic literature that has arisen following the current pandemic (see Dawson and McCalman 2021) will be used by policy-makers in the years ahead so that the next pandemic will be less criminogenic than pandemics of the past.

References Aitkenhead, Elisabeth, Clements, Jon, Lumley, Jessica, Muir, Rick, Redgrave, Harvey and Skidmore, Michael. 2022. Policing the pandemic. London: The Police Foundation and Crest Advisory. https://www.police-foundation.org. uk/2017/wp-content/uploads/2010/10/policing_the_pandemic_final.pdf Accessed 24 January 2023. Australian Human Rights Commission (AHRC). 2021. Human rights and technology: Final report. Sydney: AHRC. https://humanrights.gov.au/ourwork/rights-and-freedoms/publications/human-rights-and-technology-finalreport-2021 Accessed 23 January 2023. Baker, Tom and Shortland, Anja. 2022. ‘The government behind insurance governance: Lessons from ransomware’ Regulation and Governance, 22 October. https://doi.org/10.1111/rego.12505. https://onlinelibrary.wiley. com/doi/full/10.1111/rego.12505 Accessed 23 January 2023. Brown, Rick. 2023. Eliminating Online Child Sexual Abuse Material . London: Routledge. Dawson, Emma and McCalman, Janet. 2021. What Happens Next? Reconstructing Australia After COVID-19. Melbourne: Melbourne University Press. Global Initiative Against Transnational Organized Crime. 2022. 2nd guidance note on a draft convention on cybercrime. Geneva: GI-TOC. https://global initiative.net/wp-content/uploads/2022/03/Cybercrime-2nd-guidance-notev2-web.pdf Accessed 24 January 2023.

12

R. G. Smith

Godfrey, Barry, Richardson, Jane C. and Walklate, Sandra. 2022. ‘The crisis in the courts: Before and beyond COVID’ The British Journal of Criminology, 62, 1036–1053. https://doi.org/10.1093/bjc/azab110 Accessed 23 January 2023. Levi, Michael and Smith, Russell G. 2021. ‘Fraud and its relationship to pandemics and economic crises: From Spanish Flu to COVID-19’ Research Report, no. 19, Canberra: Australian Institute of Criminology. Morgan, Anthony and Voce, Isabella. 2022. ‘Data breaches and cybercrime victimisation’ Statistical Bulletin, no. 40, Canberra: Australian Institute of Criminology. https://www.aic.gov.au/publications/sb/sb40 Accessed 24 January 2023. Six, Frédérique, de Vadder, Steven, Glavina, Monika, Verhoest, Koen and Pepermans, Koen. 2021. ‘What drives compliance with COVID-19 measures over time? Explaining changing impacts with Goal Framing Theory’ Regulation and Governance. https://doi.org/10.1111/rego.12440 Accessed 23 January 2023. Smith, Russell G. and Hickman, Amelia. 2022. ‘Estimating the costs of serious and organised crime in Australia, 2020–21’ Statistical Report, no. 38, Canberra: Australian Institute of Criminology. Teunissen, Coen, Voce, Isabella and Smith, Russell G. 2021. ‘Estimating the cost of pure cybercrime to Australian individuals’ Statistical Bulletin, no. 34, Canberra: Australian Institute of Criminology. Toh, Win-Li, Simmonds, Ross and Neary, Michael. 2022. Cyber risk and the role of insurance. Sydney: Institute of Actuaries of Australia. https://act uaries.asn.au/Library/Opinion/2022/CyberRiskGreenPaper.pdf Accessed 24 January 2023. Wall, David S. 2021. ‘The transnational cybercrime extortion landscape and the pandemic: Changes in ransomware offender tactics, attack scalability and the organisation of offending’ European Law Enforcement Research Bulletin, Special Conference Edition, no. 5, pp. 1–16. https://doi.org/10.7725/eul erb.v0iSCE%205.475 Accessed 24 January 2024. World Health Organization (WHO). 2020. ‘WHO Director-General’s opening remarks at the media briefing on COVID-19’ WHO DirectorGeneral Speeches, 11 March. https://www.who.int/director-general/speeches/ detail/who-director-general-s-opening-remarks-at-the-media-briefing-oncovid-19---11-march-2020 Accessed 23 January 2023.

2 Pandemics and Illegal Manipulation of Digital Technologies: Examining Cause and Effect in a Time of COVID-19 Jill Slay AM

Introduction As the COVID-19 pandemic continues into 2023, this chapter offers an opportunity to examine some of the societal changes and disruption which have been caused by the current coronavirus and its variants. It then explores the cybercrime and cybersecurity implications of these transformations, and considers how emerging technologies may then amplify these changes even further. Obvious social changes caused by the current pandemic include multiple lockdowns and curfews compelling the population to stay home or within a limited radius, forced working from home for prolonged periods of time, comprehensive moves of business activity from Central J. Slay AM (B) SmartSat CRC, UniSA STEM, University of South Australia, Adelaide, Australia e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 R. G. Smith et al. (eds.), Cybercrime in the Pandemic Digital Age and Beyond, Palgrave Studies in Cybercrime and Cybersecurity, https://doi.org/10.1007/978-3-031-29107-4_2

13

14

J. Slay AM

Business District locations to the suburbs and individual homes. One has also seen the escalation of online shopping and large-scale home delivery which have also been accompanied by less visible technological adaptation. These less visible technological developments have included greater business use of the Cloud and other shared network storage, a greater reliance on meeting software such as Zoom, Teams and WebEx, and employees being allowed, or forced, to physically move their work computer and peripherals to their home. Other issues that impact new uses of technology have had to be considered without much recourse to planning and special technical acquisition. These have included asking employees to use their own personal and less-sophisticated computing and networking equipment and internet connections to carry out normal work functionality. The need to develop online home-schooling facilities for potentially a range of children in one family with different computing and networking needs, the widespread use of telemedicine and online medical consultation for COVID diagnosis and more general medical consultation and a basic movement of considerable aspects of ‘normal’ life to a computing and networking environment have also arisen in a very quick fashion. These technological developments have thus caused changes to the way that new operating contexts for existing technology (e.g. broader daily use of the Cloud by inexperienced employees) can be both secured but also made very accessible for staff. These staff members have not had the opportunity to be technically trained on such improved equipment, and perhaps are working in an environment where technical support is not easily supplied. This has been accompanied by a parallel requirement to reconsider the methods by which digital and emerging technologies are, or might be, illegally manipulated because of the opportunities offered by the societal and business changes detailed above. These changes to the security and cybersecurity environment have been providing a context where new manifestations of existing types of cybercrime have emerged. These include new types of cyber-attack, new contexts for online fraud and reimagined scenarios for spamming, social engineering and privacy breaches. Newer technologies continue to emerge and each of these brings new opportunities for illegal manipulation at a time when governments, law

2 Pandemics and Illegal Manipulation of Digital …

15

enforcement, defence and intelligence agencies are being forced to deal with constant ‘grey-zone’ cyber-attack and illegal manipulation of such technologies while they deal with the disruption of a pandemic. At present, it appears that the current pandemic has not finished and is moving through a series of mutations and strains. The future is hard to envisage but with a hope that this pandemic will become endemic. Societies will learn to live with both pandemic and endemic disease on a scale that is much greater than previously expected while dealing with the cybercrime and security issues of emerging technologies. These technologies include a broader dependence on the Internet of Things (IoT) and the implications of developments in IoT which allows industrial control systems to be connected to the Internet and allows industrial development to achieve both technical and social goals.

Social Implications of COVID-19 Given the dynamic nature of a pandemic and, in the case of COVID19, no real understanding of when this pandemic may cease or become endemic, there is still a growing body of academic literature that is examining certain, and very specific, aspects of COVID-19 and their proposed or presumed effect on cybercrime or cybersecurity (Okereafor 2021). While this is to be encouraged, it is probably too early, in this author’s opinion, to develop social or technological policies, or policy changes in an environment where the effect of such a pandemic is very much localised to nation states (with a divide between the developed world and emerging economies) and still unclear. It is also very tempting for individual researchers and commentators to push their own established ideas and agendas and see, for example, cryptography or steganography or new solutions to cyber stalking as major requirements in the solution of potential illegal manipulation of digital technologies. In the work of Okereafor (2021, pp. 139–149), the author has an African focus on this problem. He identifies the COVID-19 lessons learned for cybersecurity as being: remote work, new practices and cybersecurity; data protection and cryptographic solutions; ethical monitoring of employee behaviour; restructured email policies and technologies;

16

J. Slay AM

malware punishment—new legislation; social engineering acculturation via the UN and identity management. Some of the issues raised by Okereafor do not seem relevant in an Australian context but the technological issues of remote work and ID management, discussed below, would be relevant. Other issues are mainstream cybersecurity issues and there is certainly a need to address the issue of social engineering and the prevailing issue of malware attacks. However, it is hard in a westernized economy, to see any large degree of causality between the COVID-19 pandemic and totally unrelated cyber-attack via malware, social engineering or even email as a vector of cyber-attack. Pranggono and Arabo (2020) look at the correlation between the current pandemic and the increase in cyber-attacks targeting sectors that are vulnerable. The work provides examples of targeted cyberattacks on vulnerable sectors of the research and medical community whose work was linked to COVID-19 vaccines, tracing applications or phishing attacks on staff members of companies developing Personal Protective Equipment (PPE). This is perhaps one of the most convincing pieces of current academic literature which is able to link COVID-19, deficient cyber security controls and cybercrime targeting the COVID19 ‘solution development’ sector. Their mitigations are very similar to those discussed below: user training, use of Virtual Private Networks (VPN) and Multi-factor Authentication (MFA), use of anti-malware and patching, strong policies, secure architecture and good physical security. Others have looked at the social implications of COVID-19 on cybercrime and cyber security in their own domain of knowledge. This literature includes issues such as the sale of fake COVID-19 medicine online (Srivastava 2021), the use of Twitter for a Cyber Security Awareness Campaign during a time of COVID-19 (Bahl et al. 2021) and issues that arise in offering medical and paramedical services online during a time of COVID-19 (Ioane et al. 2021). There is a vast range of other literature, not referenced here, trying to link issues such as finance, government, and monetary compliance with the widespread COVID19 pandemic but it is hard to make direct links or to imply causality in terms of cybersecurity breaches and cybercrime.

2 Pandemics and Illegal Manipulation of Digital …

17

Technological Change and Security Effects Caused by COVID-19 COVID-19 was truly unprecedented with no deep government planning to mitigate against the level of disruption experienced by businesses and their employees. It is claimed that ‘everyone successfully shifted to remote work within a few weeks and many of them plan to adopt this permanently. This is the new normal’ (ProQuest 2021). It is questionable whether it is reasonable to assume that everyone ‘shifted’ well and whether, if a new normal is ever established, smaller companies will be satisfied with remote work and data storage in the cloud. One major issue that has arisen is the need for mobility for the usual static small to medium enterprise (SME) employee or even larger business user. Employees from both large and small companies are not (and in some locations this continues) able to go to their places of employment or to meet, either locally, domestically or internationally, with colleagues and potential clients. Thus, they had a need for Cloud or other similar remote storage of data which was no longer accessible on their own premises, their desktop or more local networks. There has also been a growing need for the establishment and large-scale usage of VPNs which allow an employee to connect to his or her employer’s corporate network, where available, and to access data stored on corporate servers or Clouds. If an employee, or their IT team, had planned well, then they might have been able to access their own personal storage areas on a more local network. There has also been a huge growth in the usage of collaboration tools, such as Zoom, Teams and WebEx, and each of these has been enhanced for ease of use, functionality and accessibility during the COVID-19 period. The focus on cloud systems and their adoption by new users for storage in a time of disruption has been the growth of data leakage during COVID-19 because of misconfiguration due to technical staff involved in moving data to the cloud for broad access not having the experience needed to do the job in hand. Examples of the impact of this kind of misconfiguration are more easily accessed from security vendors who have immediate insight on the impact of such misconfigurations,

18

J. Slay AM

rather than from academic literature which is not yet well-developed in this sphere (Trend Micro 2021). In a report by Trend Micro (2021), it is noted that ‘in 2018 and 2019, cloud misconfiguration breaches cost companies almost US$5 trillion’. Examples of losses due to such misconfigurations include reputable companies such as Estee Lauder which lost 440 million customer records and an adult website that lost 10.88 billion records including customers’ personally identifiable information (PII), payment logs and password hashes. This kind of report, while not academic in nature, in generally accepted in technical circles since it gives an indicator of the scale of financial loss and the nature of the technical underpinnings of the security breach. There was also a need for businesses and enterprises to move their security focus to that of endpoint security. While such enterprises could normally protect their servers and desktops within typical fire-walled perimeters and achieve desired level of security with all employees on site, the move to VPNs and the cloud forced organisations to change their security architectures to those focusing on cloud security features. While typical corporate architectures focus on servers, firewalls, proxies and other such tools, the cloud perimeter revolves around identity and trust. Multi-factor Authentication (MFA), where users need more than one method to identify themselves, such as text or call to a phone, before allowing access to such a cloud system, has become well-used and is considered effective. Gartner (2021) also notes the importance of the issues of endpoint security and the security of remote work, but also raises the issue of the security of critical infrastructure and especially its security during a pandemic. Critical infrastructure includes operational and control networks such as that of gas and electricity utilities, and medical and healthcare networks whose security is contingent on isolation from other networks. In the context of COVID-19, these difficult security issues now must be managed remotely with the task of securing often poorly protected networks. In an Australian context, and with the enactment of the Security of Critical Infrastructure Act 2018 (Cth) (as amended in 2021), a focus on the scope of the definition of Critical Infrastructure means that enterprises such as Universities are now considered Critical

2 Pandemics and Illegal Manipulation of Digital …

19

Infrastructure, despite the fact that some of these have not always been afforded a high degree of security. In the context of SMEs, the vulnerability of such small companies is well-noted in a time of Pandemic (Cyber Readiness Institute 2021, n.p.): For malicious actors looking for vulnerable targets, small businesses remain a primary target, particularly during the COVID-19 pandemic, … Small businesses can make themselves resilient against common attacks, such as phishing, by focusing on employee education and awareness and creating a culture of cyber readiness within the organization.

The pandemic has at one level been helpful in identifying the need for training of employees to produce cyber resilience, and anecdotal evidence shows the huge demand for training from entry level cyber security professionals, especially in Amazon Cloud security, as they seek to increase their knowledge, skills and ability at a time when their employer is potentially under increased threat of cyber-attack. There has been a great deal of concern around interruption of unwelcome visitors to Zoom and other collaborative meetings (Projects.iq.harvard.edu 2021). While Microsoft Teams and WebEx may be considered to be more secure because they were developed to replace telephony and other services and were not free, this problem has been largely solved by the addition of security controls to Zoom but this has also required large-scale adaptation and staff training.

Developments in Cybercrime Recognised During the COVID-19 Pandemic As discussed above, there is a tendency in some literature (Okereafor 2021) to try to make causal links between the illegal manipulation of digital technologies and the current COVID-19 pandemic. This is not always convincing since some of the methods by which illegal manipulation has been carried out are long-term problems, well-recognised by the profession and hard to attribute to a pandemic.

20

J. Slay AM

A better approach is provided by Hawdon et al. (2020) who carried out an empirical study relating to how the COVID-19 pandemic influenced cyber-routines and cyber victimization. They were able to collect data before and after the primary COVID-19 pandemic of 2019– 2020 on cyber-routines and cyber victimization. They assumed that the pandemic and increased work from home would result in: increased online presence, an increased level of routine activities online, and, as such, enhanced levels of target suitability and target proximity to motivated offenders. (Hawdon et al. 2020, p. 555)

They expected that observed cybervictimisation would be higher in the post-pandemic sample than what was observed in the pre-pandemic sample. However, their results indicated that they were wrong and essentially: global levels of cyber victimization were nearly identical pre and postpandemic, and only one type of victimization (being informed that your identity or private information had been stolen) changed. Moreover, this victimization decreased in the post-COVID-19 sample. (Hawdon et al. 2020, p. 555)

They also examined whether specific types of online behaviour produced specific types of victimisation and whether this changed after the pandemic. Their work showed dark web use, time spent online reading newspapers and other articles and time using social media significantly increased the likelihood of being a cyber victim. However, they also noted that users were particularly prone to protective behaviours such as avoiding online shopping to ‘protect their bank accounts’. They partially attribute their somewhat surprising results to the fact that experienced users might be protecting themselves in terms of cybersecurity and avoiding contexts where fraud and other illegal activity might be carried out. They also assumed that when inexperienced users were working in their normal job online, they would then be offered sufficient IT support from their employer for them to be able to call on support when it was need in relation to cybersecurity.

2 Pandemics and Illegal Manipulation of Digital …

21

They also question how their results showing reduced cybervictimisation could make sense when cybercrime is reported (in the US) as rising according to the FBI (Hawdon et al. 2020, p. 556). They attribute this to the difference between the experience of cyber victimization and the reporting of cybercrime. They assume that there must be an increase in reporting of cybercrime accompanying the pandemic and enforced work from home. They draw tentative conclusions including wondering whether social distancing has any role to play in their observed lack of change in their measure of cybervictimisation during the current pandemic. However, this is refreshing work since it approaches the issue scientifically and does not try to gloss over the unexpected result. Pranggono and Arabo (2020, n.p.), discussed above, particularly emphasise the type of cyber-attack launched during the pandemic: Cyber criminals and Advanced Persistent Threat (APT) groups are launching cyber-attacks at vulnerable people and organizations via COVID-19 related scams and phishing. They are exploiting the pandemic for various motivations, for instance for commercial gain or to collect information related to COVID-19 vaccines by deploying different techniques such as phishing or ransomware and other malware.

They draw on work by WEF (2020) to show that: There are various phishing attacks (email, SMS, voice) targeting vulnerable people and systems using coronavirus or COVID-19 as a title to entice people.

They also indicate that according to these sources there was an increase of 600 per cent in coronavirus-related phishing email attacks during the first Quarter of 2020. Given that their work is well-referenced to US, UK and other allies and scientifically written, it is then a very convincing argument to counter that presented by Hawdon et al. (2020). It is also interesting that both pieces of research were produced, using very different methodologies, one in the US and one in the UK, at approximately the same time.

22

J. Slay AM

Emerging Technology, Cybercrime and Cybersecurity Implications in a Pandemic To the technical researcher, one of the major methods by which one understands the issue of illegal manipulation of digital technologies is first to understand the technology and the means by which it might come under cyber-attack and be breached. Generally speaking, the earliest work in cybersecurity looked at security of technology and later work look at the process of human and machine interaction within the security of technical processes. In our own work (Van der Watt and Slay 2021), the authors have been exploring the cybersecurity of emerging technology and especially the security of Low Earth Orbit Satellites (LEO) and the Internet of Things (IoT). It is helpful to indicate here that at one level, the same issues as Pranggono and Arabo (2020) and Hawdon et al. (2020) have identified are being explored. Different kinds of digital technology are being examined but with the same inherent vulnerabilities in terms of network security, software and system security, societal security and organisational security. For the emerging technology researcher, there are added issues that live in the realm of Critical Infrastructure Protection such as Control System Security and launch security. While drawing on only two pieces of empirical research may trivialise this issue, it is worth looking at the two alternative scenarios which can be drawn from the discussion above. If one draws on the work of Pranggono and Arabo (2020), one can assume that there will be no change in the level of cybervictimisation caused to those examining the cybersecurity of LEO satellites given that they may be cautiously working from home. This is a very logical conclusion if one follows this pathway. The work of Hawdon et al. (2020) will draw one to a different conclusion and one would then want to cautiously assert that working from home on the cybersecurity of emerging technology would lead one to conclude that we are to be seen as a greater target and need to manage victimisation in terms of Denial of Service (DOS) attack, malware, spamming and email attack. Thus it would seem that the argument regarding the role that a pandemic plays with respect to illegal manipulation of digital technologies is far more complex. One method that can be used to deal with this

2 Pandemics and Illegal Manipulation of Digital …

23

complexity is that of modelling the digital and physical processes that are involved in the illegal manipulation of digital technologies or in hacking of systems leading to cybercrime. In the present author’s work, contemporary cyber-attack vectors and techniques were examined so as to begin to understand the way hackers and criminals might begin to attack emerging technologies. Examples of such technologies under investigation were LEO satellites and the IoT. These data were collected before the current pandemic from sources such as the Australian Cyber Security Centre (ACSC), Australian Computer Society (ACS), Cisco and Trustwave (Van der Watt and Slay 2021). The incidents, issues and trends described within these reports and surveys demonstrate the sophistication of contemporary cyber breaches. This is a sophistication equivalent to those reported in the best attacks of COVID-19. The complexity of these cyber-attacks is evident from the evolving threat landscape detailed within them, which: includes development of hybrid malware variants, padding and obfuscation methods, anti-defence system techniques and multi-faceted cyberattack methodologies that involve phased attacks potentially over a significant time period, advanced hacking toolkits and well-resourced teams, often under the direction of malicious foreign threat actors. (Van der Watt and Slay 2021, p. 473)

Looking retrospectively, therefore, at one’s own collected data, there seems to be no inferable link to a pandemic except in the case where a healthcare provider, COVID-19 researcher might be a preferential target. In this work with data collected between 2018 and 2019, several points of concern were identified from common attack vector elements evident within multiple reports and surveys. These related to the emergence of IoT botnets, Advanced Persistent Threats, insider threats, Supply Chain Vulnerabilities, Business Email Compromise (BEC), cloud computing, ransomware crypto-worms, spyware, Distributed Denial of Service (DDoS) attacks and theft of PII. Detailed discussion of each of these potential attack vector elements is outside the scope of this paper,

24

J. Slay AM

however, these are the same kinds of attacks as identified by Hawdon et al. (2020) and to some measure attributed to a COVID-19 pandemic context. In our work prior to the pandemic, the authors were simply seeking to understand how the illegal manipulation of the digital technologies comprising LEO satellites might be carried out, i.e. how can a satellite be hacked? As part of this research, a comparison of three common attack analysis models was undertaken. The models were chosen based on their widespread use within the cyber security industry for analysis of cyber-attack vectors in a context where we need to understand how an attacker might proceed to attack our technology in our own specific work context. While discussion of these models is out of scope here, the Lockheed Martin Cyber Kill Chain (Kiwia et al. 2017) was our model of choice because of its common usage. It was also considered necessary to investigate the extent to which this commonly used model had been modified beyond its usage in traditional ICT, information, data and network security. Many cyber-attack models involve understanding sequences that progressively assist attacker(s) to achieve their final objectives. The attack sequence defined by the seven Lockheed Martin Cyber Kill Chain stages is briefly described below with examples of malicious activities that may be part of the threat actors modus operandi (Kiwia et al. 2017): Reconnaissance draws on social engineering techniques, monitoring and observation, including vulnerability scanning. Weaponisation involves a choice of malware and hacking tools required to maximise the likelihood of achieving threat actor objectives. Delivery may include provision of malicious code, toolkits or malware. Exploitation refers to the use of technical and non-technical vulnerabilities to the advantage of the threat actor(s) to assist in achieving the attack objectives. Installation may involve loading and installing malware within targeted networks, systems, websites, directories or programmes.

2 Pandemics and Illegal Manipulation of Digital …

25

Command and Control concerns the place and time where a hacker gains control over a targeted system. Action on Objectives concerns achieving attacker goals and objectives, which may include maintaining covert network presence and launching persistent attacks over varying periods of time. In the authors’ work, it was noted that research has previously been undertaken and published within academic journals concerning modification of the Cyber Kill Chain (Kiwia et al. 2017) to understand how multimedia applications might be attacked and also to investigate how e-business applications and banking trojans might also be targeted. Thus it was seen that this model can be used in many contexts. Comments on this include: The existing kill chain model in the information security field is problematic in that it cannot fully express the actions that occur inside an organization. It is important for actions that occur on the inside to be clearly schematized. (Kim et al. 2018, p. 315)

Kiwia et al (2017, p. 395) described how the Cyber Kill Chain can be tailored to assist in defending against banking trojans: Detection of banking trojans remains a challenging task, […]. This threat intelligence-based taxonomy provides a stage-by-stage operational understanding of a cyber-attack and can inform design of computational intelligence on trojans detection and mitigation strategy.

Thus the author’s previous research indicates that a step is missing from the research of both Hawdon et al. (2020) and Pranggono and Arabo (2020) who have not modelled to any sufficient degree the specific pandemic context in which illegal manipulation of digital technologies is being undertaken. An example of our use of this kind of modelling a specific digital technology is available in Van der Watt and Slay (2021) where we investigate

26

J. Slay AM

how LEO satellites might suffer illegal manipulation of their complex technologies in Australia. This is shown below as Fig. 2.1 in which we apply the Cyber Kill Chain in our own research context, drawing on the example of Kiwia et al. (2017).

Fig. 2.1 Cyber Kill Chain stages of illegal manipulation of digital technologies (Source Author’s model)

2 Pandemics and Illegal Manipulation of Digital …

27

Future of Illegal Manipulation of Digital Technologies It is clear that there has been some considerable impact of specific targeted cybercrime and breaches of security during the COVID-19 pandemic. It is also clear that it will be hard to determine whether particular incidents and occurrences are due to COVID-19, future variants or new viruses. Going forward in an era where Australia has an increasing focus on economic development and National Security through the growth of a space industry, then this industry will come under attack regardless of the existence of current or new viruses. For example, space systems provide communications, scientific and national security services globally. These systems provide critical functions at a national and international level, for both military and civilian outcomes. This makes space a contested environment, in an age of increased international competition, providing a grey zone overlapping space and cyber. This cyber and space grey zone provides an attack vector which can maliciously deny and disrupt communications services, in addition to Intelligence, Surveillance and Reconnaissance (ISR) capabilities and Position, Navigation and Timing (PNT). Our work, and the work of Kiwia et al. (2017, 2018), describes how modelling using the Cyber Kill Chain provides a method whereby the technical context can be envisaged within a bank, a satellite or any other institution during, before or after a pandemic. This provides then an extra tool in considering the relationship of cause and effect between pandemics and illegal manipulation of digital technologies.

References Bahl, Aditya, Sharma, Aastha and Asghar, Muhammad. 2021. ‘Vulnerability disclosure and cybersecurity awareness campaigns on twitter during COVID -19’ Security and Privacy, 4 (6), 546–562. Cyber Readiness Institute. 2021. ‘Businesses with fewer than 10 employees continue to underestimate cyber threats even as more work remotely’, New

28

J. Slay AM

Cyber Readiness Institute Survey Find—Cyber Readiness Institute. https:// cyberreadinessinstitute.org/news-and-events/businesses-with-fewer-than10-employees-continue-to-underestimate-cyber-threats-even-as-more-workremotely-new-cyber-readiness-institute-survey-find/ Accessed 30 December 2021. Gartner. 2021. Seven security areas to focus on during COVID-19. https://www. gartner.com/smarterwithgartner/7-security-areas-to-focus-on-during-COV ID-19 Accessed 30 December 2021. Hawdon, James, Parti, Katalin and Dearden, Thomas. 2020. ‘Cybercrime in America amid COVID-19: The initial results from a natural experiment’ American Journal of Criminal Justice, 45 (4), 546–562. Ioane, Julia, Knibbs, Catherine and Tudor, Keith. 2021. ‘The challenge of security and accessibility: Critical perspectives on the rapid move to online therapies in the age of COVID-19’ Psychotherapy and Politics International, 19 (1), 1–15. Kim, Hyeob, Kwon, Hyuk-Jun and Kim, Kyung-Kyu. 2018. ‘Modified cyber kill chain model for multimedia service environments’, Multimedia Tools and Applications, 78(3), 3153–3170. Kiwia, Denis, Dehghantanha, Ali, Choo, Kim-Kwang Raymond and Slaughter, Jim. 2017. ‘A cyber kill-chain based taxonomy of banking Trojans for evolutionary computational intelligence’ Journal of Computational Science, 27 , 394–409. Okereafor, K. 2021. Cybersecurity in the COVID-19 Pandemic (1st ed.), 139– 49. Milton Park: Taylor & Francis Group. Pranggono, Bernadi and Arabo, Abdullahi. 2020. ‘COVID-19 pandemic cybersecurity issues’ Internet Technology Letters, 4, 1–6. Projects.iq.harvard.edu. 2021. What is zoom bombing? https://projects.iq. harvard.edu/user-services/faq/what-zoom-bombing Accessed 30 December 2021. Proquest.com. 2021. What’s in store for businesses in 2021. https://www.pro quest.com/trade-journals/whats-store-businesses-2021-cybersecurity-post/ docview/2479463827/se-2?accountid=14649 Accessed 30 December 2021. Srivastava, K. 2021. ‘Fake COVID vaccines boost the black market for counterfeit medicines’ British Medical Journal, 375, n2754. Trend Micro. 2021. The most common cloud misconfigurations that could lead to security breaches. https://www.trendmicro.com/vinfo/us/security/news/virtua lization-and-cloud/the-most-common-cloud-misconfigurations-that-couldlead-to-security-breaches Accessed 30 December 2021.

2 Pandemics and Illegal Manipulation of Digital …

29

Van der Watt, Robert and Slay, Jill. 2021. ‘Modification of the Lockheed Martin Cyber Kill Chain (LMCKC) for cyber security breaches concerning Low Earth Orbit (LEO) Satellites’ 16th International Conference on Cyber Warfare and Security, 473–476. World Economic Forum (WEF). 2020. COVID-19 risks outlook: A preliminary mapping and its implications. http://www3.weforum.org/docs/WEF_ COVID_19_Risks_Outlook_Special_Edition_Pages.pdf Accessed 9 June 2020.

3 Pandemics and Fraud: Learning from the Coronavirus Pandemic and Its Antecedents Michael Levi

Introduction COVID-19 is the first pandemic of the universal cyber age. This collection is about cybercrimes, and therefore, all previous pandemics are arguably irrelevant except as potential exemplars of what little evidence there is of the impact of previous pandemics on fraud (Levi and Smith 2021). Fraud has not hitherto been a feature of major books on pandemics in general or COVID-19 in particular, though in addition to an array of ‘deep state’ conspiracy texts, there are books with enticing titles like Unraveling the CoVid Con, COVID-19: Exposing The Lies, The Great COVID Deception, Captured by COVID: Deceit, Conspiracy & Death—A True Story, Autopsy of a Pandemic: The Lies, the Gamble, and the COVID-Zero Con and Transcending the COVID-19 Deception—none M. Levi (B) School of Social Sciences, Cardiff University, Cardiff, UK e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 R. G. Smith et al. (eds.), Cybercrime in the Pandemic Digital Age and Beyond, Palgrave Studies in Cybercrime and Cybersecurity, https://doi.org/10.1007/978-3-031-29107-4_3

31

32

M. Levi

of them about fraud or scams as understood within the framework of this book. Reitano and Shaw (2021) wrote an eloquent popular text— Criminal Contagion: How Mafias, Gangsters and Scammers Profit from a Pandemic —about how organised criminals (but not about how otherwise licit corporations) were exploiting the pandemic, but that was about it. The term ‘major book’ or ‘serious book’ is a contested space, but none of those mainstream texts contain anything about fraud beyond the construct that governments allegedly falsely constructed the risks and harms of COVID-19 (see Dodsworth 2021, for a more sophisticated analysis thereof ). Nevertheless, outside of books, a small cottage industry in tracking the impacts of COVID-19 on crime generally and cyber-enabled fraud in particular has developed in journals and government publications. Risks and threats to current and future processes in the ‘cyber’ world are ubiquitous (as they are to other arenas of ‘transnational’ crime), but there are boundary issues about financial crime and technology going back to the invention of the telegraph, which transmitted money and information almost instantaneously, enabling fraudsters as well as non-fraudsters to send money internationally a great deal faster than by ship or overland. These should be borne in mind when considering the impact of ‘cyber’ on fraud. Many readers coming of age this century may struggle to envisage a cyber-less world, and especially since the COVID-19 pandemic began, the commentariat has been obsessed with online fraud. Online fraud is often presented as a binary opposite to offline fraud but, as we shall see, the two often combine. Except where electronic communications and payments are not used at all, there is very little significant fraud that is not at least cyber-assisted in the late modern era, and routine administrative data collection is unlikely to preserve accurately the distinction between cyber-dependent, cyber-enabled, cyber-assisted and entirely offline fraud (Wall 2007). The law enforcement and media focus are often on ‘organised crime groups’ moving into fraud—principally the scams created from a distance electronically by youths in hoodies operating from their bedrooms or by West African or Eastern European diasporas (Levi 2008; Lusthaus 2018; Whitty 2018; Lusthaus and Varese 2021), plus ransomware and

3 Pandemics and Fraud: Learning …

33

hacking from state-sponsored and state-tolerated groups in China, North Korea or Russia—all of them ‘outsiders’ to their victims. But we must also consider the impact of the pandemic on insider frauds, which involve executives or IT-savvy staff colluding with others or dominating companies they run. In many other fraud cases, especially those committed by insiders, there is a long-elapsed time between the commission of fraud and its detection by the victim or a public or private sector third party. Choice of offender or victim location is determined by other factors (such as the large number of relatively wealthy but still emotionally anxious retired people in West Palm Beach Florida, Bellevue Hill Sydney or in the South East of England). In the larger cases, professional intermediaries and bank accounts are necessary components in presenting a plausible front and in obtaining and laundering the funds; in others, cash may be wired via Money Service Bureaus (like Western Union) or by ‘underground banking’ to foreign or sometimes domestic locations. Do such wire transfers make them all cyber-enabled?

Measuring Frauds and ‘the Fraud problem’—from Offline to Online? How do we know what impact a pandemic has had on fraud? Bentham proposed keeping crime statistics for better administration of changes in (im)moral behaviour, and by this criterion, fraud and cybercrime have not been important indicators to many nations (Aebi et al. 2021). This lack of fraud data may not be surprising in earlier pandemics, since the Web was not established in time for most of them. We might expect the revelations about the harmfulness and prevalence of frauds and cybercrimes to generate or give impetus to a certain ‘moral panic’ and make it hard for politicians and police chiefs to deny resources. But this is an open empirical question, and it also relates to the issue of whether increasing fear of crime is always a bad thing. Without fear, we may not take sufficient precautionary measures, and the suppliers of goods and services may not have sufficient pressure to take security seriously.

34

M. Levi

Digital Fraud in North America The annual reports from the FBI Internet Crime Complaint Center (IC3) are very detailed, with complaints rising from 49,711 complaints in 2001 to over 5 million reports in 2021 of thefts, scams, frauds and other crimes with an online nexus (FBI 2022). The crimes reported to the IC3 also reflect scammers’ willingness to exploit various tragedies and disasters, such as Hurricanes Rita and Katrina as well as after the Boston Marathon bombings. Pandemics, then, may be a special case of life disruptions. During the COVID-19 pandemic, scammers have been hawking fake cures and investments schemes, legally selling personal protective equipment at high profits without having it available at the time of the contracts, and even supplying equipment that is not fit for purpose but for which they have been paid (NAO 2022). They also have been looking to take advantage of a more concentrated online presence during a time of increased teleworking and distance learning (see Levi and Smith 2021). The largest leap in each fraud category in the US was end 2019 to end 2020 (FBI 2021, p. 8). It is not clear what proportion of these scams led to actual financial losses, although irrespective of whether frauds were attempted or were successful, they can lead to emotional or time/repair costs. Note that the last category of phishing, etc. is an offence in itself but is also an act that may be presumed to be preparatory to fraud or other offending: otherwise there would be no point in doing it, other than for economic sabotage for personal or ideological reasons (Fig. 3.1).

Digital Frauds in Europe The Eurobarometer delivers the only cross-national comparative data collection on victimisation of some types of fraud in the EU, showing clear variation in identity theft levels between countries. In 2019, before the pandemic began, half of all respondents knew of someone who had been a victim of one of the cybercrimes asked about, with the most mentioned being receiving fraudulent emails or phone calls asking for personal details (25 per cent) or discovering malicious software on

3 Pandemics and Fraud: Learning …

35

Extortion

Identity theft

Personal data breach

Non-payment / non-delivery

Phishing, vishing,smishing,pharming

0 2021

50,000 2020

100,000 150,000 200,000 250,000 300,000 350,000 2019

2018

2017

Fig. 3.1 Top five crime types compared with the previous five years (Source Derived from FBI [2021, p. 8])

their device (21 per cent) (Eurostat 2019). However, only a minority of respondents have personally been a victim of any of the cybercrimes listed in the questionnaire, with the most common being receiving fraudulent emails or phone calls asking for their personal details (36 per cent) or discovering malicious software on their device (28 per cent). Victims of bank card or online banking fraud (84 per cent), online fraud or identity theft (both 74 per cent) are the most likely to say they took action as a result. In each of these cases respondents most often contacted the police or the website or vendor—they are often encouraged to contact their bank and not to report to the police. There is as yet no postpandemic Eurobarometer cybercrime survey, so it is difficult to infer impacts or even trends across the range of EU countries. Data are best on volume fraud, especially payment card fraud, which worldwide rose from US$17.5 billion to an estimated US$20 billion in 2020–21 (Statista 2022). Most European data are released much later than those in the UK (and were so before the UK left the EU)—for example, a review of EU payment card fraud data in 2019 was released

36

M. Levi

in October 2021 (ECB 2021). It showed that even in 2019—prepandemic—80 per cent of card fraud took place via online and mobile payments, while 15 per cent took place in shops and 5 per cent at ATMs; and cross-border transactions accounted for 65 per cent of the total value of card fraud.

The United Kingdom UK data on payment card fraud have always this century been much better and more detailed, and more up to date than in other regions (UK Finance 2021, 2022). In recent years, the largest fraud losses have been unauthorised frauds, mainly committed using payment cards, in which people were lured into transferring funds, sometimes by romance and online ‘investment’ scammers, on the phone or via the Internet. There was some question whether offline traditional crime was merely displaced by less well-measured online crimes. Differently expressed, the risks of crime in the UK vary considerably by crime type, and both fraud and non-fraud computer misuse offences outstrip all other property crime risks that directly affected individuals (ONS 2022). This was so before the pandemic, but the trend increased during it, as more people of all ages migrated their legal (and a little of their illegal) consumption online and spent far more time on it.

The Netherlands The recent Dutch Safety Monitor (2022) shows that by 2021, 10 per cent of the Dutch population had become a victim of online scams and fraud, 7 per cent of hacking, 2 per cent of online threats and intimidation and 1 per cent of other online crimes. In 2021, more than two in three (68 per cent) of all Dutch people aged 15 and older say that they have received a phone call, email or other messages at least once in the past 12 months that (probably) was from a scammer. Some 2 per cent indicate that they have fallen for this at some point. Almost half of these (0.8 per cent) eventually lost money.

3 Pandemics and Fraud: Learning …

37

Sweden Of the Swedish population (aged 16–84), 5.5 per cent state that they were victims of sales fraud in 2020 (Bra 2021). This was a rise from 2019 (5.1 per cent), and an increasing trend can be seen since 2016 when the percentage of self-reported victimisation was 4.5 per cent. Card fraud victimisation affected 4.1 per cent of the population in 2020, compared with 5.3 per cent in 2019, perhaps because people went less to risky places during the pandemic and/or perhaps because of greater prevention efforts.

Fraud in Asia–Pacific For illustrative purposes, I select two jurisdictions in Asia–Pacific, although very good detailed police-recorded cybercrime and arrests data are available for South Korea (KNPA 2022), which show variations in rising cybercrimes and arrests 2014–2020: cyberfraud has more than doubled in that time.

Hong Kong The Hong Kong police was an early convert to the importance of cybercrime, and in 2014, it was made a priority for the police Cyber Security and Technology Crime Bureau. Table 3.1 shows the boom in the number of cases (but not financial losses) 2019–20. It is not known how accurately the financial losses are calculated. Table 3.1 Number of recorded cases and the financial losses due to reported computer crime in Hong Kong, 2018 to 2020 Year

Financial loss (HK$ million)

Number of cases

2020 2019 2018

2,964 2,907 2,771

12,916 8,322 7,838

Source InfoSec (2022)

38

M. Levi

Telephone deception

Email scam (corporate level)

Online romance scam

Investment fraud

Financial intermediaries deception

0 HK$m June 2021

50

HK$m June 2022

100

150

N-June 2021

200

250

N-June 2022

Fig. 3.2 Year-to-year comparison in topical scams’ figures (June) (Source Derived from ADCC [2022])

Other data shown in Fig. 3.2 reveal the rise in some particular forms of scam in Hong Kong between 2021 and 2022.

Australia Australian data are available from the ACCC (2022), which stated that the cost of scams in Australia was over A$324 million in 2021—a rise of 84 per cent since 2019—by far the largest component being investment scams, followed by dating/romance scams and false billings. Their Scamwatch reporting system noted that phone (voice) continued to be the most common contact method, with half of all reports and 31 per cent of all losses. Text message was the second most common contact method with 23 per cent of reports but more modest percentage of losses. The second highest contact method in terms of loss was social media with 17 per cent of total losses. Emails represented only 14 per cent of contacts but the third highest source of losses. This presents a more nuanced picture of fraud and digital society. McAllister and Franks’s

3 Pandemics and Fraud: Learning …

39

(2021) national representative survey of identity theft in March 2021 found that 19 per cent of respondents had experienced misuse of their personal information in their lifetime and 7 per cent experienced it in the past year—a decline from 11.4 per cent in 2019. A total of 78 per cent of victims in the past year experienced a financial loss as a result.

Cryptocurrencies and Crime The relationship between cryptocurrencies and crime is complex. In addition to the licit uses, it impacts on the supply of illicit goods and services on semi-open and dark markets, fraud on crypto-holders, market manipulation and money laundering, a process that applies to all crimes where proceeds are stored, saved and hidden or transformed (Levi and Soudijn 2020). All of these appear to have accelerated during the COVID-19 pandemic (Bergeron et al. 2022; Buil-Gil and SaldañaTaboadav 2021; Chainalysis 2023; Gundur et al. 2021; Levi and Smith 2021), although the money laundering component of cryptocurrencies is always controversial to determine, as is the case with money laundering volumes and illicit finance flows generally (Levi, 2021; Reuter, 2013). There is little doubt that cryptocurrencies make it easier to transact on dark markets, giving the illusion of safety to vendors and purchasers, except when being run by covert law enforcement. Price fluctuations in Bitcoin and other cryptocurrencies are heavy, and whether or not (like real estate) cryptocurrency is seen—rightly or wrongly—as an investment that will almost always yield a profit over time, it is an asset that has no objective traded value. Insider knowledge ahead of price-sensitive movements in crypto can enable what would otherwise be insider trading profits. Exchanges and some wallets can be the subject of large frauds, most often by owner/managers (Zandt 2022 and see also Comparitech 2022). Indeed, the ‘crypto-Queen’ achieved the distinction of being on the FBI’s ‘Most Wanted’ list (FBI 2022), though her gigantic alleged fraud had nothing to do with COVID-19. Cryptocurrency theft grew, with roughly US$3.2 billion worth of cryptocurrency stolen in 2021—a 516 per cent increase compared to 2020, though we should try to take into account the elapsed time from

40

M. Levi

fraud commission to fraud discovery before attributing this to shifts happening in the pandemic. Roughly US$2.2 billion of those funds—72 per cent of the 2021 total—were stolen from DeFi protocols (Chainalysis 2023, p. 6). Cryptocurrency-based crime hit an all-time high in 2022, with illicit addresses receiving US$20.1 billion over the course of the year, up from US$18 billion in 2021 (Fig. 3.3). However, if we take the data as a proportion of rapidly increasing crypto transactions, transactions involving identified illicit addresses represented 0.24 per cent of cryptocurrency transaction volume in 2022, double the percentage in 2021 but dramatically lower than the 1.9 per cent in 2019. The proportion of cryptocurrency funds that are from criminal sources and the proportion of total proceeds of crime that takes the form of cryptocurrency at any stage of the money laundering cycle are very different and unresolved issues, nor is there any reason to expect that they will be constant over time. Is cryptocurrency a criminological game-changer for pandemic-related fraud now and in the future? Perhaps, as it offers better routine privacy $25.0

$20.0

$15.0

$10.0

$5.0

$0.0 2017

2018

2019

2020

2021

2022

Fig. 3.3 Total cryptocurrency value received by illicit addresses 2017–2022 (31 December) US$ billion (Source Derived from Chainalysis [2023] published with permission, 24 January 2023)

3 Pandemics and Fraud: Learning …

41

than other media of exchange. But although tumblers and other mechanisms can make it hard to follow the ownership trail, the point of blockchain is to provide a rigorous record, and Chainalysis (2023) and others such as Elliptic (2022) have methods of tracking. Moreover, unless it can be spent directly on things criminals want to buy, it currently has to be cashed out before it can be saved or spent easily. This is a shifting ground, as greater regulation is being introduced in the Global North countries to control the market better and reduce scams.

Digital Crimes and Policing All fraud, whether digital or offline, is relatively difficult to police and is marked by attrition, although the extent of that attrition varies between countries and over time, depending partly on the policing resources devoted to it. Those resources have to be fought for against the range of priorities for other—usually more immediately popular—crimes, and the temperaments and skill sets of those recruited to policing (for which, see Bossler et al. 2020). Although (at least until impacted by rising energy prices post-sanctions against Russia in 2022) ‘traditional crimes’ have fallen in many countries, policing has found it difficult to adapt, and political pressures remain to focus on urban insecurity (often a code word for ethnic and religious conflicts). Attrition should be thought about in terms of processes (including elapsed time). Specifically: awareness of victimisation; decisions about what to do about the experience; reporting to (which?) enforcement/intelligence agency and/or civil litigation; investigation (or no investigation in most cases in most countries); levels of domestic and international cooperation applied for and received; decision of authorities to aim for prosecution, disruption or other intervention (or no further action); criminal trial; or conviction and collateral impacts. Thus, in England in the pre-pandemic year ending March 2020, out of 403,237 police-recorded frauds, of which 36,836 had been referred for investigation, there were 5,782 judicial outcomes (Levi et al. 2023). Without a better understanding of the specifics of criminal investigation, it is difficult to be ‘realistic’, but although digital evidence sometimes

42

M. Levi

leaves a better trace, it often requires assistance from private sector third parties—ISPs, card issuers and merchant acquirers and mobile phone companies, for whom such preventative and criminal justice work is lossmaking—and sometimes from countries abroad. International mutual legal assistance was designed for relatively rare cases, and with the exception of the EU, which the UK has left, it is a clunky and laborious process in most parts of the world, especially for those lacking detailed knowledge and the competence/imagination to frame letters of request in the language and legal format of other countries. These problems should be eroded by electronic translation, templates and artificial intelligence. However, though non-digital frauds did require elements of these, the sheer scale of cyber-enabled and cyber-dependent crimes makes it harder, even given the support of the requested law enforcement bodies and prosecutors, which has to take its place among other demands on them. One way of thinking about it is how much time does it take to process one case, and therefore given the amount of digital crime investigators available, how many such cases may be managed annually with a given set of resources. Unsurprisingly, annual reports and other datasets do not make it easy to work out the level of this attrition. It can take years for cases to work their way through. IC3 (2022) received a record number of complaints (847,376) from the American public in 2021, up more than two-thirds from 2019, with what are referred to as potential losses exceeding US$6.9 billion, five times greater than in 2017. Business E-mail Compromise (BEC) schemes continued to be by far the costliest, followed by romance fraud. Phishing scams were also prominent and ransomware cases have risen substantially over time. This sort of attrition from fraud to criminal justice and asset recovery outcome happens in every country where there has been research (Cross, 2020; Levi et al. 2023; Scholes 2018). The Crime Survey of England and Wales (CSEW)(ONS 2022) suggests 5 million fraud offences in England and Wales, while over approximately the same period, the central fraud-recording body, Action Fraud, received over 420,000 reports of digital and non-digital frauds (a reporting rate of 8.4 per cent), few of which will be investigated and even fewer brought to justice.

3 Pandemics and Fraud: Learning …

43

Reports from many countries indicate how modest a resource is devoted to criminal investigation of both digital and non-digital frauds (or cyber-dependent crimes) unless they are a major threat individually to business or ‘society’, an exception being South Korea. This is beginning to change in the UK and the US, among others, with significant attacks by consumer and victim representatives and in newspapers from all sides of the political spectrum on the under-policing of (mainly consumer) frauds, but it remains to be seen whether this will result in major sustained increases in police or non-police resources, and what the impacts on different frauds of that will be. Issues of resourcing of these forms of digital crime management within the public and private sectors remain controversial, and shifting resources from other areas of crime control has not happened hitherto.

Procurement Contracts and Lending Frauds If we reflect on what crimes have occurred during the recent pandemic, the focus has been on consumer-facing fraud. However, frauds against the taxpayer and frauds/corruption in the award of public contracts remain important. In financial terms, in those countries like the UK, the US and Australia which spent large sums on subsidies and loans to business, they may dwarf the costs of direct fraud on consumers and financial institutions. In other countries, that might not be the case, but the by-passing of normal public expenditure protocols may still have occurred, as COVID-19 created opportunities for rent-seeking in apparently confronting novel urgent demands for health-related products. It is moot whether these should be properly considered as cybercrimes, however, though it is rare for any economic crime not have any element of electronic ordering, emails or financial transfers in it. Under such circumstances, almost all ‘significant’ frauds are cyber-assisted or cyberenabled, to the extent that the distinctions lose their meaning.

44

M. Levi

Learning for Future Pandemics What sorts of lessons should we be learning and what plausibly are these? Pandemic-related frauds take several key forms: 1. Frauds against government procurement, loans and benefits schemes 2. Frauds against members of the public, connected directly to health risks, real and perceived (including falsification of vaccination records, putting public health at risk) 3. Frauds against members of the public, connected to isolation, shopping or work risks resulting from responses to the pandemic 4. Frauds against business. Not all of these are online or purely online: some are ‘affinity frauds’, stimulated by social/alternative health/religious networks of various kinds, which have become increasingly hybrid since COVID-19 and are likely to continue to be so. Stereotypically, it is often assumed that ‘new’ cyber-risks have their most significant effects upon older people, who found themselves unable to shop or bank offline in the way that they were able to do pre-pandemic. However, this is to disregard the way in which changes in social media offered new mechanisms for scamming younger people: this may have accelerated during the pandemic but were not caused by it. It is more arguable to focus on the ways in which the pandemic generated particular fears and misplaced ‘cures’, and altered the routine activities of different sectors of the population. Health quackery existed before the pandemic, but desperation and false hopes highlighted the endemic problem of legitimacy in sources of knowledge and belief about ‘valid’ sources of information. Attacking sources of disinformation—whether health or investment products—is a significant challenge for all contemporary societies and will remain so before, during and after any pandemic. In most countries, medical procurement was chaotic and stocks of Personal Protection Equipment were searched for in a manner that violates normal procurement principles and raised reasonable suspicions of corrupt collusion between officials and brokers. Large loan and support schemes were developed by many governments for the first time

3 Pandemics and Fraud: Learning …

45

during a pandemic, but to different degrees of generosity: these, language and a reservoir of entrepreneurial criminals may account for differential fraud rates and fraud levels, but the data are not available to test that proposition. What is clear is that there needs to be greater preparedness, centralised information sharing within government and both courage and power to order greater transparency of PPE purchases, recipients of government grants/loans and other ways of enhancing civil society’s ability to check the appropriateness of the funding. There is a strong argument for the kinds of data linking analysis being done in real time, so that any relationships between business and personal addresses, telephone numbers, IP addresses, etc. between borrowers and contractors can be used to work out organised crime exploitation of fraud opportunities. The increasing number of beneficial ownership registries (for home as well as foreign ultimate beneficial owners) promoted by the Financial Action Task Force can also be constructively used, having actively looked for gaps and problems in implementation. Where such opportunities are connected to political leadership, greater independent investigation and audit coverage will be needed. Frauds against the public present a different set of learning opportunities. The pandemic was a time of many warnings about websites and products, and public health agencies need to be proactive in monitoring abuses and seeking to address them, with messages such as the one below. However, we have little public idea about the impacts of many of these advertising campaigns, whether by public or private sectors. In the UK, the NHS issued various warnings: ‘we are aware of an email scam circulating about COVID-19 vaccinations that claim to be from the NHS. COVID-19 vaccines currently can’t be bought privately in the UK and vaccinations are free of charge. Please be vigilant to potential scams about the COVID-19 Mass Vaccination Programme and do not share any personal information’ (NHS 2022). Issues of the limits of advertising controls are important but they certainly need to include social media mechanisms that are increasingly used to market goods and services, including financial services. It is a political as well as scientific question what sorts of adverts should be permitted to make health claims, but the rapid government response mechanism that one normally would recommend needs to try to handle

46

M. Levi

both the virulence of disinformation and misinformation, and also the general distrust of ‘experts’ and ‘government’ in some countries. Other reform proposals are part of more general cybersecurity and fraud controls, though enhanced by the risks arising from physical ‘offline’ social and commercial interaction. The ease of simulation of phone numbers is already a national variable, being better controlled in countries such as China and South Korea.

Discussion A focus on cybercrime for financial gain—and indeed, on volume fraud generally—may unintentionally shift focus away from, on the one hand, frauds committed by elites and others without the need for any special cyber-skills and/or, on the other hand, from frauds and commercial espionage by foreign organised or state-sponsored criminals. Where cyber-attacks are aimed internationally, then using the individual nation state as the denominator of harm, risk or threat unintentionally breaks up the collective data-integration efforts and may reduce focus on some important attack vectors and prevention/pursuit opportunities. Nevertheless, historically, national victim-centric counting has been the focus for all forms of crime, and national data are considered below. There are other ways of looking at trends. Note, however, that threats are comprised by the motives, capacities and capabilities of attackers, as well as conscious and unselfconscious victim and third-party defensive behaviour: victim survey and reported crime data merely reflect the outcome of those routine activity ‘crime triangle’ activities at a point in time. The primary focus of this chapter has been on cybercrime for financial gain (cyberfraud) against individuals, but some of these are facilitated by intentionally (with insider help) or negligently caused data breaches involving business and government records. There are now many national strategies and a large number of global, regional and national commercial victimisation surveys—mostly by vendors and financial advisory firms, but a few by governments—but there is no space

3 Pandemics and Fraud: Learning …

47

to review these here. We have examined some relevant data from developed countries on trends in cyberfraud victimisation as far as they exist, using both official recorded data and victimisation surveys. Although these are not altogether comparable, it is hoped that these will be useful in considering the scale of some components of these problems in what might be termed ‘human security’: the national security aspects of cyberfrauds depend on how we construct that term, but negative events in trust, hacking and insider theft in commerce seep into national (in)security, making the distinction between national and human security overlap, in addition to the fact that national security is fundamentally about people who live in or are citizens of the nation. ‘Threat assessments’ add to the ‘awareness-raising’ process that may reduce substantially our risks—both probabilities and impacts—of victimisation; action (pre-and post-victimisation) increases the profits of the cybersecurity businesses that have been spawned by the rise of e-commerce and social media. In this market characterised by diverse sources of assertion, information and ‘intelligence’, it is difficult for most consumers, businesses, government organisations and commentators to work out a ‘rational’ response, and there may be significant ‘market failure’, as what analytical basis would the relatively or wholly inexpert have for assessing and purchasing these competing interpretations of ‘solutions’ to their ill-understood problems? The emotional costs of actual cyber-related economic crimes and of the fear thereof have not been properly costed to date (Anderson et al. 2019; Levi 2009). Some of that fear has been amplified by software sales firms and by public and private security agencies seeking more resources, but it would be too difficult to separate out these from ‘true’ costs. Besides, even manufactured fears become real costs for citizens, whether private individuals or businesspeople. We should also acknowledge the paradox that many who become victims are not fearful enough, or anyway that their fears are ill-directed towards mistaken problems and solutions.

48

M. Levi

Conclusions This chapter dealt with different dimensions of cyber-enabled crime and issues concerning the focus and the effectiveness of law enforcement responses. The activities against which they can be measured are reasonably knowable from public sources and sometimes even published. However, for others, the error margins in the data (if there are any data at all) are often too great to know whether ‘the problem(s)’ is getting better or worse. The relationship between levels of crime and anxiety about crime is a further important dimension that has been studied more offline than online, and more for individuals than for businesspeople. Perfect knowledge is implausible in fraud, as there will always be interpretation tensions and victim/bystander ignorance of deception: but we can and should do better in raising our understanding, not just because social harm statistics are good in themselves but also because of the need to assess the performance of crime reduction and criminal justice efforts. The national security aspects of cyber-risk are more tortuous and even harder to evaluate, but cybersecurity is in the highest category, and that somewhat opaque construct ‘transnational organised crime’ is in the second highest category in several national risk assessments (see ATA 2021; Europol 2016, 2021). In the UK National Security Risk Assessment (2021), ‘hostile attacks upon UK cyber space by other states and large scale cyber crime’ is in Tier 1, ‘a significant increase in the level of organised crime affecting the UK’ is in Tier 2. As to the linkage between these and economic cybercrimes, it should be noted that there is not a sharp division between these larger national security issues and cyber-attacks (for fraud and intellectual property theft) on banks, businesses and the spear phishing of individuals with important knowledge of system vulnerabilities in the public or the private sector. Rather, there is a punctuated continuum in the interplay between private, corporate governmental and wider social risks. The measurement of direct and indirect intellectual property losses and even of fraud has been the subject of much dispute but in particular, the attribution of such losses to state-sponsored or state-tolerated attackers is often immensely difficult and hotly debated. As Sparrow (2008) argues, it makes a difference to our conception of harm and threat

3 Pandemics and Fraud: Learning …

49

whether people are ‘conscious opponents’ and, by extension, what sort of conscious opponents they are. We may need to clarify conceptually the terminology that we apply to this field, a clarity that is needed in dealing with that amorphous mess of poly-criminal enterprises involved in the organisation of serious crimes (Greenfield and Paoli 2022; Levi 2012; van Duyne and van Dijck 2007; von Lampe 2016). Finally, we might reconsider some of the overlaps that exist between online and offline crimes, and think through the ways in which online is transformative either for levels and organisation of crime commission or for the balance between disruption (another ambiguous term) and the traditional detection, investigation and prosecution processes that constitute a criminal justice response. In doing so, we should not ignore the fact that even when economic crimes were mostly or (40 years ago) entirely offline, we knew very little about their cost, incidence and prevalence, or about how effective were the modest control efforts the Global North and South made to combat some of them. Nor should we think that anxiety about fraud is merely a feature of the rise of the internet: the Metropolitan and City of London Police Fraud Squad was formed as a response to the risks of fraud facing those demobilised after the Second World War, and early crime surveys showed substantial anxieties about identity theft and card theft even before data breach and hacking scandals reached their recent levels and concern about cybercrime in Europe became so high (Cook et al. 2022; Levi 2009). Measuring the impact of ICT on volume frauds is valuable, and countries that are serious about evaluating the risks that face their citizens, denizens, businesses and governments need to upgrade their statistical efforts. However, these should not be mistaken for measures of the influence of ICT on management frauds or on more general corporate crime. Whatever data we are using, our societies and law enforcement agencies need to face up to significant challenges in how to respond to the flood of cases about which—even in the comparatively well-resourced US—very little reactive enforcement follow-up normally happens and what does is often expensive and laborious to follow through. This includes responding to the crimes, promoting cyberfraud prevention and resilience and more general ‘reassurance policing’ (Levi et al. 2023).

50

M. Levi

We cannot escape the difficulties in enhancing our awareness and getting a ‘truer’ picture of ‘what happened’ in cyber-enabled frauds— from the perspectives of offenders, victims, third parties or law enforcement. But the aim has been analogous to that of Becker (1974) in his needlessly apologetic comments in his reconsideration of labelling theory: ‘a perspective whose value will appear, if at all, in increased understanding of things formerly obscure’. Acknowledgements The author wishes to thank the British Academy for funding Frauds, Economic Crises and Epidemics/ Pandemics since 1850: What Can We Learn for Responses to Frauds? (SRG20\201612) upon which this chapter is based, the Australian Institute of Criminology and Chainalysis for providing 2022 data for Fig. 3.3 in advance of publication.

References Aebi, Marcelo F., Stefano Caneppele and Molnar, Lorena (eds.). 2021. Measuring cybercrime in the time of COVID19: The role of crime and criminal justice statistics, Strasbourg, Council of Europe. Anderson, Ross, Barton, C., Böhme, R., Clayton, R., Van Eeten, M. J., Levi, Michael, Moore, T. and Savage, S. 2012. ‘Measuring the cost of cybercrime’. http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf Accessed 24 September 2022. Anderson, Ross, Barton, C., Böhme, R., Clayton, R., Van Eeten, M. J., Levi, Michael, Moore, T. and Vlasek, M. 2019. ‘Measuring the changing cost of cybercrime’. https://informationsecurity.uibk.ac.at/pdfs/ABBCGGLMV 2019_Measuring_the_Changing_Cost_of_Cybercrime_WEIS.pdf Accessed 24 September 2022. Antideception Coordination Centre (ADCC). 2022. ‘Scam statistics, Hong Kong 2021 to 2022’, Hong Kong: ADCC https://www.adcc.gov.hk/en-hk/ statistic.html Accessed 24 September 2022. ATA. 2021. Annual Threat Assessment of the Intelligence Community, 2021. Office of the Director of National Intelligence, Washington, DC.

3 Pandemics and Fraud: Learning …

51

Australian Competition and Consumer Commission. 2022. Targeting Scams: Report of the ACCC on scams activity 2021. Canberra: ACCC. https:// www.accc.gov.au/system/files/Targeting%20scams%20-%20report%20of% 20the%20ACCC%20on%20scams%20activity%202021.pdf Balleisen, Edward. 2018. Fraud: An American History from Barnum to Madoff . Princeton, NJ: Princeton University Press. Barnett, Cynthia. 2002. ‘The measurement of white-collar crime using uniform crime reporting (UCR) data’. https://ucr.fbi.gov/nibrs/nibrs_wcc. pdf Accessed 24 September 2022. Beck, Ulrich. 1992. Risk Society: Towards a New Modernity. Thousand Oaks, CA: Sage. Becker, Howard. 1974. Labelling Theory Reconsidered: Deviance and Social Control. London: Tavistock. pp. 4166. Bergeron, Andréanne, Décary-Hétu, David, Giommoni and VilleneuveDubuc, M.P. 2022. ‘The success rate of online illicit drug transactions during a global pandemic’, International Journal of Drug Policy, 99, 103452. Bossler, Adam M., Holt, Thomas J., Cross, Cassandra and Burruss, George W. 2020. ‘Policing fraud in England and Wales: Examining constables’ and sergeants’ online fraud preparedness’, Security Journal , 33(2), 311–328. Bra. 2021. Swedish Crime Survey, Stockholm: Bra (Swedish Council for Crime Prevention). Buil-Gil, David and Saldaña-Taboada, Patricia. 2021. ‘Offending concentration on the internet: An exploratory analysis of bitcoin-related cybercrime’, Deviant Behavior, 1–18. Cassella, Stefan D. 2021. Asset Forfeiture Law in the United States (3rd edn), Huntingdon, PA: Juris. Chainalysis. 2023. 2023 Crypto Crime Trends: Illicit Cryptocurrency Volumes Reach All-Time Highs Amid Surge in Sanctions Designations and Hacking, https://blog.chainalysis.com/reports/2023-crypto-crime-report-int roduction/ Accessed: 24 January 2023. Comparitech. 2022. Worldwide Cryptocurrency Heists Tracker https://www. comparitech.com/crypto/biggest-cryptocurrency-heists/ Accessed: 6 January 2023. Cook, Steve, Giommoni, Luca, Trajtenberg, Nico, Levi, Mike and Williams, Matt. 2022. ‘Fear of economic cybercrime across Europe: A multilevel application of Routine Activity Theory’, British Journal of Criminology, azac021, https://doi.org/10.1093/bjc/azac021 Accessed 11 October 2022. Cross, Cassandra. 2020. ‘Reflections on the reporting of fraud in Australia’, Policing: An International Journal, 43(1), 49–61.

52

M. Levi

Domenic, Miranda, Leukfeldt, R., van Wilsem, Johan, Jansen, Juejen and Stol, Wouter. 2013. Victimisation in a Digitised Society. The Hague: Eleven International Publishing. Dodsworth, Laura. 2021. A State of Fear: How the UK Government Weaponised Fear During the COVID-19 Pandemic. London: Pinter & Martin. Dutch Safety Monitor. 2022. Safety Monitor 2021. www.cbs.nl/nl-nl/lon gread/rapportages/2022/veiligheidsmonitor-2021?onepage=true Accessed 24 September 2022. ECB. 2021. Seventh Report on Card Fraud . Frankfurt: European Central Bank. Elison, A. 2022. ‘Banks return less than half of cash lost to fraud despite pledge’, The Times, 9 March. Elliptic. 2022. Elliptic Typologies Report 2022 Edition, Elliptic. Emami, Catherine, Smith, Russell G. and Jorna, Penny. 2019. Online Fraud Victimisation in Australia: Risks and Protective Factors, AIC Research Report no. 16, Canberra: Australian Institute of Criminology. Europol. 2021. Internet Organised Crime Threat Assessment (IOCTA) 2021. Publications Office of the European Union, Luxembourg Union, Luxembourg Europol. 2016. IOCTA 2016: Internet Organised Crime Threat Assessment. The Hague: Europol. Eurostat. 2019. Special Eurobarometer 499: Europeans’ Attitudes Towards Cyber Security (Cybercrime). https://europa.eu/eurobarometer/surveys/detail/2249 Accessed 24 September 2022. Eurostat. 2015. Special Eurobarometer 423: Cybersecurity Report. https://op.eur opa.eu/en/publication-detail/-/publication/910d76f6-0c77-4ea6-b9eb-fd8 54fc6c3ac/language-en Accessed 24 September 2022. FBI. 2022. ‘Internet Crime Complaint Center marks 20 years’, https://www. fbi.gov/news/stories/ic3-20th-anniversary-050820 Accessed 23 September 2022. FBI. 2021. Internet Crime Report 2021, Washington: FBI. https://www.ic3.gov/ Media/PDF/AnnualReport/2021_IC3Report.pdf Accessed 23 September 2022. Felson, Marcus. 2003. ‘The process of co-offending’, In Martha J. Smith and Derek B. Cornish (eds). Theory for Practice in Situational Crime Prevention, Crime Prevention Studies, 16 , 149–67. Mounsey, NJ: Criminal Justice Press. FTC. 2022. Consumer Sentinel Network Data Book 2021. www.ftc.gov/system/ files/ftc_gov/pdf/CSN%20Annual%20Data%20Book%202021%20Final% 20PDF.pdf Accessed 24 September 2022.

3 Pandemics and Fraud: Learning …

53

Gee, Jim and Button, Mark. 2019. The Financial Cost of Fraud 2019. www.crowe.ie/wp-content/uploads/2019/08/The-Financial-Cost-ofFraud-2019.pdf Accessed 24 September 2022. Greenfield, Victoria A. and Paoli, Letizia. 2022. Assessing the Harms of Crime: A New Framework for Criminal Policy. Oxford: Oxford University Press. Harrell, Erica. 2021. Victims of Identity Theft, 2018. Washington DC: Government Printing Office. www.bjs.gov/content/pub/pdf/vit18.pdf Accessed 24 September 2022. IC3. 2022. 2021 Internet Crime Report. Washington: Internet Crime Complaint Center. IC3. 2010. 2010 Internet Crime Report. Washington: Internet Crime Complaint Center. InfoSec (Office of the Government Chief Information Officer). 2022. Computer Crime Cases in Hong Kong. Hong Kong: InfoSec. https:// www.infosec.gov.hk/en/knowledge-centre/computer-related-crime Accessed 24 September 2022 Kloosterman, Rianne. 2015. ‘Slachtofferschap cybercrime en internetgebruik’, Sociaaleconomische Trends, 9, 1–18. Korean National Police Agency (KNPA). 2022. Cyber Investigation Statistics Seoul: Ministry of the Interior and Safety. https://www.police.go.kr/eng/sta tistics/statisticsSm/statistics04.jsp Accessed 24 September 2022. Leger. 2016. Financial Fraud Survey. Montreal: Select PR/Equifax. Leukfeldt, E. Rutger, Kleemans, Edward R. and Stol, Wouter P. 2017. ‘Cybercriminal networks, social ties and online forums: Social ties versus digital ties within phishing and malware networks’, The British Journal of Criminology, 57 (3), 704–722. Levi, Michael. 2021. ‘Evaluating the control of money laundering and its underlying offences: The search for meaningful data’, Asian Journal of Criminology¸ 15 (4), 301–320. Levi, Michael. 2012. ‘The organisation of serious crimes for gain’, in Mike Maguire, Rod Morgan and Robert Reiner (eds.) The Oxford Handbook of Criminology (5th edn).Oxford: Oxford University Press. pp. 595–622. Levi, Michael. 2009. ‘Fear of fraud and fear of crime: A review,’ in Sally Simpson and David Weisburd (eds.), The Criminology of White-Collar Crime. New York: Springer. Levi, Michael. 2008a. The Phantom Capitalists: the Organisation and Control of Long-Firm Fraud (2nd edn). Andover: Ashgate. Levi, Michael. 2008b. ‘“Organised fraud”: Unpacking research on networks and organisation’, Criminology and Criminal Justice, 8(4), 389–420.

54

M. Levi

Levi, Michael. 2008c. ‘White-collar, organised and cyber crimes in the media: some contrasts and similarities’, Crime, Law and Social Change, 49, 365– 377. Levi, Michael and Burrows, John. 2008. ‘Measuring the impact of fraud: A conceptual and empirical journey, British Journal of Criminology, 48(3), 293–318. Levi, Michael and Smith, Russell G. 2021. ‘Fraud and its Relationship to Pandemics and Economic Crises: From Spanish Flu to COVID-19’ Research Report no. 19, Canberra: Australian Institute of Criminology, www.aic.gov. au/publications/rr/rr19 Accessed 24 September 2022. Levi, Michael and Soudijn, Melvin. 2020. ‘Understanding the laundering of organized crime money’, in Peter Reuter and Michael Tonry (eds) Organizing Crime: Mafias, Markets, and Networks, Crime and Justice: an Annual Review of Research, 49, 579–631. Levi, Michael, Doig, Alan, Luker, Jodie, Williams, Matthew and Shepherd, Jonathan. 2023. Towards a Public Health Approach to Frauds, West Midlands Police and Crime Commissioner. https://www.westmidlands-pcc.gov.uk/ fraud/ Accessed 11 May 2023. Lusthaus, Jonathan. 2018. Industry of Anonymity: Inside the Business of Cybercrime. Cambridge, MA: Harvard University Press. Lusthaus, Jonathan, and Federico Varese. 2021. Offline and local: The hidden face of cybercrime. Policing: A Journal of Policy and Practice, 15 (1), 4–14. Lusthaus, Jonathan, Van Oss, Jaap & Amann, Phillipp. 2022. ’The Gozi group: A criminal firm in cyberspace?’, European Journal of Criminology, Online First: 14773708221077615. McAlister, Merran and Franks, Christie. 2021. ‘Identity crime and misuse in Australia: Results of the 2021 online survey’, AIC Statistical Bulletin no. 37. Canberra: Australian Institute of Criminology. Morgan, Rachel E. 2021. Financial Fraud in the United States, 2017 . Washington, DC: Government Printing Office. NAO. 2022. Investigation into the Management of PPE Contracts. London: National Audit Office. NAS. 2016. Modernizing Crime Statistics: Report 1: Defining and Classifying Crime. National Academies of Sciences, Engineering, and Medicine. Washington, DC: The National Academies Press. https://doi.org/10.17226/2349 2 Accessed 24 September 2022. NHS. 2022. ‘Please watch out for scams around COVID-19 vaccines’. https:// cavuhb.nhs.wales/covid-19/cavuhb-covid-19-mass-vaccination-programme/ Accessed 9 October 2022.

3 Pandemics and Fraud: Learning …

55

ONS. 2022. Crime in England and Wales: Year Ending September 2021. www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bullet ins/crimeinenglandandwales/yearendingseptember2021#fraud Accessed 24 September 2022. Reitano, Tuesday, and Mark Shaw. 2021. Criminal Contagion: How Mafias, Gangsters and Scammers Profit from a Pandemic. London: Hurst. Reuter, Peter. 2013. ‘Are estimates of the volume of money laundering either feasible or useful?’, in Brigitte Unger and Daan van der Linde (eds.), Research Handbook on Money Laundering. Cheltenham: Edward Elgar. Scholes, Angie. 2018. The Scale and Drivers of Attrition in Reported Fraud and Cyber Crime, Research Report 97, London: Home Office. Sparrow, Malcolm. 2008. The Character of Harms. Cambridge, MA: Harvard University Press. Statista. 2022. ‘Key Figures of E-Commerce’ New York: Satista Inc. https:// www.statista.com/statistics/1273177/ecommerce-payment-fraud-losses-glo bally/ Accessed 24 September 2022. Statistics Canada. 2011. Self-reported Internet Victimization in Canada, 2009. Ottawa: Statistics Canada. UK Finance. 2022. Annual Fraud Report. https://www.ukfinance.org.uk/sys tem/files/2022-06/Annual%20Fraud%20Report%202022_FINAL_.pdf Accessed 11 May 2023. UK Finance. 2021. Fraud—the Facts 2021. London: UK Finance. https:// www.ukfinance.org.uk/system/files/Fraud%20The%20Facts%202021-% 20FINAL.pdf Accessed 11 May 2023. UK National Security Risk Assessment 2021. 2021. Factsheet 2. https://ass ets.publishing.service.gov.uk/government/uploads/system/uploads/attach ment_data/file/62484/Factsheet2-National-Security-Risk-Assessment.pdf Accessed 24 September 2022. Van Duyne, Petrus C. and Van Dijck, Maarten. 2007. ‘Assessing organised crime: The sad state of an impossible art’, In Frank Bovenkerk and Michael Levi (eds.) The Organized Crime Community. New York: Springer: pp. 101– 24. Von Lampe, Klaus. 2016. Organized Crime: Analyzing Illegal Activities, Criminal Structures, and Extra-legal Governance. Thousand Oaks, CA: Sage. Wall, David S. 2007. Cyber Crime. Cambridge: Polity Press. Wallis, Nick. 2021. The Great Post Office Scandal . Bath: Bath Publishing. Which? and Simertrica-Jacobs. 2021. Scams and Subjective Wellbeing: Evidence from the Crime Survey for England and Wales, Which? and Simetrica-Jacobs.

56

M. Levi

https://media.product.which.co.uk/prod/files/file/gm-e6cd8e2d-afd0-4e93b1df-f95bdfb42ca2-618a9277c9439-scams-and-wellbeing-report-v2-2.pdf Accessed 11 May 2023. Whitty, Monica T. 2018. ‘419 – It’s just a game: Pathways to cyber-fraud criminality emanating from West Africa’, International Journal of Cyber Criminology, 12(1), 97–114. Wilson, Sarah. 2014. The Origins of Modern Financial Crime: Historical Foundations and Current Problems in Britain. London: Routledge. Zandt, Florian. 2022. The Biggest Crypto Heists. Statista. New York: Statista Inc. www.statista.com/chart/12707/largest-known-crypto-currencythefts/ Accessed 27 July 2022.

4 The Human Element of Online Consumer Scams Arising from the Coronavirus Pandemic Monica T. Whitty

Introduction In March 2020, the World Health Organization declared that the COVID-19 outbreak was a pandemic. In a short period, the lives of many people across the globe dramatically changed. During this time, we experienced many changes, including abruptly moving the workforce from the office to working from home (International Labour Organization 2020), and online shopping became the status quo (Guthrie et al. 2021; Kim 2020). There was a mingling of personal (e.g., homeschooling, multiple household members at home, etc.) and work lives, often under highly stressful circumstances. During such difficult times, M. T. Whitty (B) Department of Software Systems & Cybersecurity, Faculty of Information Technology, Monash University, Melbourne, VIC, Australia e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 R. G. Smith et al. (eds.), Cybercrime in the Pandemic Digital Age and Beyond, Palgrave Studies in Cybercrime and Cybersecurity, https://doi.org/10.1007/978-3-031-29107-4_4

57

58

M. T. Whitty

we witnessed cybercriminals take advantage of already vulnerable individuals. In Australia, it was recorded that A$851 million was lost to scams (ACCC 2020). The most frequently reported scams included phishing, superannuation and online shopping. Throughout this chapter, the terms fraud and scams are used interchangeably. This chapter considers the rise of consumer scams during the pandemic and poses two questions: a) Did the pandemic cause an increase in the number of consumer scam victims; and b) Did the pandemic change the landscape for online consumer scams? The chapter begins by providing a background to the history of scams and recalling that scams (including consumer scams) existed long before the advent of the Internet. It then draws from previous scholars’ work to categorise consumer scams and consider examples of cyber consumer scams, especially those witnessed during the pandemic. From here, the posed questions are addressed, and theoretical lenses are applied to help explain the rise in consumer scams during the pandemic. It is argued that criminological theories are not adequate lenses through which to view the posed questions. Instead, there is a need to draw on psychological theories (e.g., individual differences, social psychological theories, theories on stress and coping) to explain criminal behaviour and the victimisation of consumer scams and, indeed, scams in general. Drawing from these theories, it is argued that the social and psychological conditions were, during the height of the pandemic, very different to pre-COVID-19 times. It is most likely that these conditions account for some of the increase in the number of consumer scam victimisation.

Scams Are Not a New Form of Crime The Internet has increased the number of people who have encountered and been tricked by scams; however, we should be mindful that confidence tricks, also referred to as scams and fraud, existed long before the Internet. Victor Lustig was one of the more infamous confidence

4 The Human Element of Online Consumer Scams …

59

artists of the early twentieth century. His most well-known scam was tricking people into believing they were buying the Eiffel Tower. In 1925, Lustig learned that the maintenance and repairs of the Eiffel Tower were becoming expensive, and that Parisians were divided in opinion as to whether this structure should remain. Lustig believed this allowed him to scam metal-scrap dealers out of a large sum of money. He sent letters to metal-scrap detailers on fake stationery, claiming to be the Deputy Director of the Ministere de Postes et Telegraphes. He set up meetings in the Hotel de Crillon, one of Paris’ most upscale hotels and rented limousines—to give the impression that he was a successful businessman. Lustig scammed Possion by making the false promise that should Possion pay him, and he would ensure that Possion would hold the winning contract to demolish the Eiffel Tower. He managed to secure over US$70,000 in less than an hour, and his victim, fearing embarrassment, chose not to report the scam. Lustig played on the victim’s desire to make easy money from what appeared to be a good investment opportunity (Lewis 2013). Other scams play on people’s sense of urgency to avoid situations where they believe they could be in trouble. For example, the ‘Melon Drop Scam’ is an old scam that originated in Japan when melons were very expensive. The fraudster bumps into the victim and drops and breaks the melon, claiming it has high value and blaming the victim for the accident. Threats of calling the police might also be mentioned until the victim pays up to get the incident quickly cleared up (Alt and Wells 2004). There are many other versions of this scam: for example, smashing a bottle of expensive champagne (a bottle stolen from a garbage bin filled with water). One of the more well-known scams these days is the Nigerian email scam, also known as the ‘Advance Fee Fraud’ or the ‘419 Scam’ (so named after the section number of Nigerian criminal law that applies to it). This scam began as postal mail (see Whitty and Joison 2009) with the mail appearing to be from an African, typically Nigerian. However, other letters are sent from other African countries and, in recent years, from Asia and Eastern European countries. Advance Fee frauds often refer to substantial funds trapped or frozen for various reasons (e.g., unclaimed estate, corrupt executive, dying Samaritan). In each case, they

60

M. T. Whitty

offer the recipient rich rewards for helping government officials or family members out of an embarrassing or legal problem. Those who respond to such an email gradually experience financial transaction problems. The scam only ends when the victim has learnt and accepted that they have been conned and that it is doubtful that they will ever see their money again or that the criminal will be caught and arrested. Romance scams (researched by Buchanan and Whitty 2014; Walther and Whitty 2021; Whitty 2013, 2015, 2018a, 2019a, 2021a, Whitty and Buchanan 2012, 2014, 2016, Whitty and Joinson 2009), like the Nigerian scam, originated as a scam where fraudulent profiles were created in magazines to target heterosexual men, inviting them to write to the ‘female persona’. When these scams moved online, they targeted men and women, heterosexuals and homosexuals of all ages. They became one of the most frequently reported scams in many countries. Unlike the types of scams outlined above, romance scams play on individuals’ desire to maintain a relationship—often resulting in high financial and emotional costs to an individual (a double-hit, as described by Whitty and Buchanan 2016). As illustrated above, fraudsters create scams that target different types of people—who hope to gain something from the transaction, for example, love, wealth and avoiding trouble. Whilst scams existed long before there was the Internet, arguably, the Internet opened the floodgates to scams—not only because criminals had access to many more victims but also because of the form of communication offered by the Internet. As Walther and Whitty (2021) explain, drawing from Walther’s hypersonal theory (1996, 2007), ‘receivers’ (those who receive/read the online message) of reviews, dating profiles and so forth, who make the judgement that a profile (which presents little information) is homophilous to themselves develop a heightened sense of trust (stronger than had they met in the physical realm). In other words, in the absence of information, they read between the lines and develop an idealisation of the person behind the profile. Moreover, because the profile is recorded and the online communication that extends from initial contact is also recorded (via texts, emails, messenger, etc.), these messages are often reread by the receiver (in the case of scams, the victim), which thickens

4 The Human Element of Online Consumer Scams …

61

this sense of trust. Walther was the first to note the hypersonal relationships, which he first identified in very basic CMC (Computer-mediated communication) (Walther 1996, 2007). Subsequently, Whitty (2013, 2015) recognised this phenomenon when studying dating scams.

Categorising Consumer Scams There are many types of consumer scams—some involve a quick hit (e.g., shopping scams), whilst others, such as the investment scam, involve repeated payments over a long period (sometimes years). A potentially helpful classification scheme of consumer scams has been developed by Grabosky et al. (2001), who acknowledge that such scams existed long before there was the Internet. They set out four types of consumer scams, including advance fee schemes, non-delivery and defective products and services, unsolicited and unwanted goods and services and identity fraud (see Table 4.1). Although definitions of consumer scams may vary and the categories below overlap with other types of scams (e.g., romance and employment scams are examples of advanced fee frauds), Grabosky et al.’s (2001) descriptions provide a helpful schema. I turn to discuss each of these categories below.

Advance Fee Fraud As already highlighted in this chapter, the Nigerian scam is an excellent example of an advance fee fraud. However, other scams, such as Pyramid and Ponzi schemes, have been highly lucrative for criminals in the physical realm. These scams trick victims into believing they will have extraordinary returns on their investments. With the Ponzi scheme, unsuspecting investors give money to a portfolio manager, and when they want their payouts, the money comes from later investors. Bernie Madoff was responsible for the largest Ponzi scheme in history, defrauding 4,800 investors out of US$40 billion over 17 years. He was sentenced to 150 years for his crimes and died in prison (Balleisen 2017). In contrast, with the pyramid scheme, the initial schemer recruits other investors,

62

M. T. Whitty

Table 4.1 Classification of consumer fraud Category

Subcategories

Advance fee schemes (pretending to sell something you do not have while taking money in advance)

Pyramid schemes, Ponzi schemes, chain letters, ‘Nigerian’ emails, business opportunities, prizes and lotteries Online auctions, provision of internet services, cable decryption kits, computer products and services, sexual services, misleading credit and loan facilities, health and remedial products, educational qualifications Unsolicited advertising (spam), securities and investment fraud, bait advertising, inertia selling

Non-delivery and defective products and services (supplying goods or services of a lower quality than the goods or services paid for, or failing to supply the goods and services at all) Unsolicited and unwanted goods and services (persuading consumers to buy something they do not really want through oppressive or deceptive marketing techniques) Identity fraud (gaining money, goods, services, or other benefits, or the avoidance of obligations through the use of a fabricated, manipulated, or stolen/assumed identity)

Phishing, plastic card fraud, card skimming, unauthorised transactions, online banking fraud

Source Grabosky et al. (2001: 105–129)

who in turn recruit other investors. The later-joining investors pay the person who recruited them into the scheme. In the cyber realm, Ponzi schemes have been used by cybercriminals using Blockchain. The criminals disguise the Ponzi scheme under the veil of smart contracts. As Chen et al. (2019) explain, these smart contracts appeal to criminals as they do not have a maintenance fee, continuous payment is continuous as smart contracts cannot be terminated and the criminals can stay anonymous. They provide the following example of an online Ponzi scheme: Hello! My name is Rubixi! I’m new and verified pyramid smart contract on the Ethereum blockchain. When you send me 1 ether, I will multiply the amount and send it back to your address when the balance is sufficient. My multiplier factor is dynamic. (min x1.2 max x3)… (p. 1)

There are, of course, many other types of advance fee frauds, including romance scams, described earlier in this chapter. An advance fee fraud

4 The Human Element of Online Consumer Scams …

63

is essentially any scam that involves paying up-front money with the promise never delivered. Investment fraud is another frequently reported scam. In mid-2022, the ACCC reported that investment scams continue to rise, with over A$200 million, which was a 166 per cent increase from January to May 2022 compared to the same period the previous year (ACCC 2022a). Interestingly, the majority of losses involved cryptocurrencies.

Non-Delivery and Defective Products and Services The non-delivery and/or the receipt of defective products and services, in part, arguably overlaps with advance fee fraud. Purchasing items online, which involves paying money up-front (advance fee), would be an example of a scam that could fit into either category. Of course, these actions are only scams if money is not returned to the consumer (noting that non-delivery or sending defective products and services are not always intentional). During lockdowns across the world, consumers turned to online shopping, which created more significant opportunities for criminals to carry out these types of scams. Evidence suggests that criminals did take advantage of this opportunity. Action Fraud (2020)in the UK, reported in June 2020, from when shops were forced to close until the time of reporting, victims had lost over £16.5 million. Victims reported buying mobile phones (19%), motor vehicles (22%), electronics (10%) and footwear (4%) that never arrived. Interestingly, about a quarter of victims were younger people aged between 18 and 16 years.

Unsolicited and Unwanted Goods and Services When a consumer or business receives a product or service they did not request, they are not required to pay for this ‘unsolicited supply’ (ACCC 2022b). A fraudster might attempt to persuade customers to purchase items through deception. A more contemporary example of this would be job and employment scams. In this scam, the fraudster might create a false advertisement that a victim believes to be accurate. The position is

64

M. T. Whitty

often menial, such as stuffing envelopes or data entry work. The victim is promised relatively high sums of money for the work but first must purchase the materials or equipment for the creation or pay up-front for training. They are scammed into paying money for materials and training they will not receive and for a job where ultimately, a salary is not forthcoming. As with online shopping scams, these scams might also be classified as an advance fee fraud. It also must be highlighted that the example of spam and bait given by Grabosky et al. (2001) are not necessarily scams, even if they might be illegal to propagate. Some spam messages and clickbait might contain scams (Steyerl 2011), but they should not all be classified as such.

Identity Fraud The final scam category identified by Grabosky et al. (2001) is identity fraud, also commonly referred to as identity theft in the US. This type of fraud is when a criminal steals a victim’s personal information to use it for their benefit, such as setting up a credit card or loan account, or ordering a passport, and so forth. Of course, identity theft existed before the Internet—the methods previously used included the theft of wallets and ‘dumpster diving’ (where criminals went through victims’ rubbish bins to obtain paperwork, such as bills, and bank statements, which could be used to steal their identity—White and Fisher 2008). Gupta and Kumar (2020) have more recently highlighted that these fraudsters have refined their skills, stating that this is critical to increase their chances of money generation and avoid being caught. Given the number of hacks we have been experiencing during the pandemic, we may be concerned that we are about to witness a tsunami of these types of consumer fraud.

Other Ways to Classify Consumer Fraud Although, as already pointed out, Grabosky et al.’s (2001) classification of consumer fraud has its limitations, with many of the scams overlapping across categories, they nonetheless provide the reader with a clearer understanding of the gamut of consumer frauds in existence—both

4 The Human Element of Online Consumer Scams …

65

before and since the advent of the Internet. Other ways to classify these scams include ‘relationship’ compared with ‘non-relationship’ scams. Examples of consumer fraud types involving the fabrication of a fake relationship to enable the crime include investment and employee scams. In many investment scams, the criminal develops a strong relationship (romance, friendship, business colleague) and, once trust and a bond are established, begin to request money to invest. Likewise, with the employee scam, the criminal sets up fake interviews with the victim and spends some time establishing their trust to believe they are in a working relationship with the criminal. It is after the trust is found that the criminal then makes requests for money. In general, Levi’s (2008) categorisation of fraud may also be applied to consumer fraud. He argues that there are three types of fraud, pre-planned, intermediate and slippery slope fraud. As the research and the technology to enable these scams to develop continues to evolve, the classification of these types of scams is likely to require reassessment; however, for now, they serve to point out that there is not a ‘one size fits all’ to define consumer scams and the methods used by fraudsters.

The Relationship Between the COVID-19 Pandemic and Online Consumer Scams This chapter now moves to address the questions raised in the introduction: a) Did the pandemic cause an increase in the number of consumer scam victims? b) Did the pandemic change the landscape for online consumer scams? To do so, consideration needs to be given to the volume and types of scams reported during the pandemic, with particular attention to consumer scams, as well as theoretical frameworks that may help explain any differences in scam activity before and during the COVID-19 pandemic.

66

M. T. Whitty

The Rise of Scams During the COVID-19 Pandemic We know, at least, that the number of scams reported whilst people across the globe was in lockdowns dramatically increased. However, it does not necessarily follow that the pandemic ‘caused’ this increase. Moreover, given that, at the time of writing this chapter, we were not yet at the end of the pandemic, it is impossible to compare past numbers reported with those post-COVID-19. Across the UK, Australia, and the US, there has been a notable international increase in reported online scams (ACCC 2021; CNBC 2021; UK finance 2021). The ACCC reported a record amount of A$851 million for Australians in losses to scams in 2020. These numbers are, however, of considerable concern, not only because of the financial loss to individuals and organisations but also because of the psychological harm potentially suffered by victims (see Whitty and Buchanan 2016). Evidence suggests that criminals did take advantage of this opportunity. Action Fraud (2020) in the UK, reported in June 2020, from when shops were forced to close until the time of reporting, victims had lost over £16.5 million. The top ten scams included across these countries were investment scams, dating and romance scams, false billing, threats to life or arrest, remote access scams, online shopping scams, classified scams, health and medical products and random prize and lottery scams. In the US in 2021, online shopping scams, a form of consumer fraud, amounted to US$7.4 million. CNBC (2021) reported that in the US, scams linked to the COVID-19 pandemic cost Americans US$856 million, with online shopping scams being the most prolific type of fraud. In the UK, the three main scams were impersonation, romance and investment. Impersonation scams are consumer scams where criminals impersonate organisations, such as shopping sites and delivery companies, to trick consumers out of money. The evidence, therefore, overwhelmingly supports the notion that the number of reported scams markedly increased during the COVID-19 pandemic. This also reflects the actual number of scams rising during this time, given that there were no dramatic interventions to prompt higher reporting. The ACCC (2020) attributes this high number to scammers taking advantage of the pandemic to trick unsuspecting people.

4 The Human Element of Online Consumer Scams …

67

However, increased scams during the pandemic cannot prove causation. Perhaps the increase is due to criminals’ improved technical savviness and knowledge. Therefore, the numbers might have increased to the extent they did, even if there had not been a pandemic. In a report written for the Australian Institute of Criminology, Levi and Smith (2021) set out the common characteristics of fraud associated with pandemics. Their investigation found that ‘many frauds occur whatever the state of the economy, but some specific frauds occur during pandemics, especially online fraud’ (p. vi). Drawing from Clarke’s (1995) ‘opportunity theory’, a variation of the fraud triangle, they point out that situational changes (e.g., government stimulus packages with lack of fraud controls) may have led to increased fraud. They also summarise, whilst admitting they lacked the empirical evidence to support their views, that fraudsters may have employed more rationalisations for fraud during this time. Their work suggests that the actions taken by governments and others may have enabled an increase in fraud during the pandemic. The argument over whether the rise in fraud during the pandemic was due to the pandemic itself, or other factors will be considered later in this chapter, after consideration is given to the second research question: Did the pandemic change the landscape for online consumer scams?

Types of Scams During the Pandemic Notably, there are many types of consumer scams (as detailed earlier and later in this chapter), some of which increased substantially during the pandemic. The ACCC (2020) reported that Australia’s most common consumer scams were phishing, superannuation and online shopping-related scams. Considering Grabosky et al.’s (2001) classification, as highlighted earlier in this chapter, the most frequently reported consumer frauds across Australia, the UK and the US were shopping scams; more specifically, the non-delivery of orders and the receipt of defective products and services. In particular, we saw products related to the pandemic, such as fake medicines, hygiene products and test kits all being used in connection with consumer frauds (Chawla et al. 2021).

68

M. T. Whitty

For some, the notion of a puppy scam, another online shopping scam, might seem preposterous. However, these scams existed well before the pandemic and increased dramatically during the pandemic. In Australia, reports of the puppy scam quadrupled between 2019 and 2021 (ACCC 2021). As with hygiene products, puppies were especially sought out during this time; puppies were in high demand, particularly for those experiencing loneliness during this time (Packer et al. 2021). Puppies purchased at this time were nicknamed the COVID-19 or pandemic puppy. Packer et al. (2021) found that over 1 in 10 pandemic puppy owners had not considered purchasing a puppy before the pandemic and 2 in 5 believed that their decision to buy a puppy was influenced by the pandemic (e.g., having more time for a pet, loneliness). During the pandemic, in New South Wales, Australia, the RSPCA became inundated with requests for adopting or fostering a puppy (Selinger-Morris 2020). Losses to the puppy scam were not necessarily small amounts, and these crimes involve intricate planning. Geldart (2022) found that individuals lost up to between US$10,000 and US$12,000 for a puppy purchased online. In this scam, criminals set up fake websites, fake advertisements on genuine websites (e.g., gumtree) or social networking profiles posing as breeders. Consumers saw a cute puppy online and were keen to obtain a specific breed, believing that the person at the end of the email was genuine. As with other advance fee frauds, in addition to the initial payment, excuses were made as to why additional money was needed. For example, the criminal might say that because of border closures or because of COVID-19, a particular COVID-19-safe case was required for transportation. The victim might receive a panicky email saying that the puppy was stuck on the tarmac and needed a special airconditioned crate for $1,000s, or the animal might die. At this point, the victim was already emotionally and financially invested in what they believed to be their pet and did not wish to risk having their pet die. In addressing our second research question regarding whether the pandemic changed the landscape for online consumer scams, the evidence suggests that the types of consumer scams that were more frequently reported at this time did change focus. Arguably, the types of scams shifted partly because people’s behaviour was driven by their situation.

4 The Human Element of Online Consumer Scams …

69

Citizens under lockdowns where only essential shops were open were forced to shop for any other items online. Criminals were gifted with the opportunity to scam many citizens, many of whom, especially in Australia, experienced extensive lockdowns.

Theoretical Approaches to Online Consumer Scams A number of theoretical approaches have been used to explain the conditions under which fraud is more likely to occur. Notably, the theories utilised to examine online consumer scams have, in the main, been models developed to explain fraud (offline or online) in general. Criminologists have been the main instigators in developing frameworks to explain the enablers of fraud and the ways to prevent fraud. As detailed below, there is some support for their theories. However, psychologists have also made significant contributions—recognising the complexity of human nature, the interaction of personal and situational factors and how behaviour can differ in online environments. As set out later in this chapter, the latter theories provide a more detailed understanding of the relationship between the rise of online consumer scams during the pandemic and give a more helpful framework for developing methods to prevent these crimes.

Criminological Theories Cressey’s (1953) ‘Fraud Triangle’, a popular framework used by criminologists, sets out three conditions that lead to an increased chance that fraud will occur. In this model, three factors are present in every instance of fraud: the presence of a motivated offender, a rationalisation (the fraudster’s ability to justify the act) and an opportunity (the situation that enables fraud to occur). According to the theory, the individual first has a financial problem, which is non-shareable, and they become motivated to commit fraud. Second, they perceive an opportunity to commit

70

M. T. Whitty

fraud and have the skills to do so. Third, individuals employ rationalisations to address the presence of any inhibitions for acting illegally. This theory has been applied to explain online consumer fraud. Smaili and de Rancourt-Raymond (2022), for example, conducted a systematic review and drew on the fraud triangle to explain the fraud risks of the metaverse ecosystem, some of which are consumer frauds. They identified opportunities such as a lack of regulation, platforms, blockchain and cryptocurrencies, etc., and financial and social pressures. The rationalisations, they argued, were aimed at normalising the crime, a lack of awareness of potentially harmful consequences and a failure of deterrence. However, as with so many studies that apply the fraud triangle, this study lacked empirical rigour. Suppose, we apply this to online consumer scams during the pandemic. In that case, it is a defensible argument that there was a more apparent opportunity for criminals to scam victims, especially concerning consumer fraud during rather than prior to the pandemic. Across the globe, more people were online for longer hours and had no option but to shop for non-essential items on the Internet. The criminals, therefore, had a larger number of individuals to scam who were more likely to be online consumers. Concerning motivation and rationalisation, however, it is difficult to make the case that conditions changed during the pandemic to increase motivation or rationalisations for these criminal behaviours. The types of criminals who commit these types of cyber scams are very different to ‘white collar fraudsters’ given they often come from poor backgrounds, work as organised networks and focus all their time on these crimes, rather than working in organisations that they defraud (Whitty 2018b). Their economic circumstances are, therefore, less likely to have changed during the pandemic. With respect to rationalisations, this is a defence mechanism, amongst many others, that most people employ (Whitty 2003). Claiming that this is something unique to fraudsters is a fundamental flaw with the fraud triangle theory. Notably, although this theory has been popular amongst criminologists, it does have its critics. It has been criticised for being too simplistic (Huber 2016, Whitty 2021b). Moreover, not every occurrence of fraud can be explained by this theory (Dorminey et al. 2012; McMahon et al. 2016). Lokanan (2015) has argued that fraud is a multifaceted

4 The Human Element of Online Consumer Scams …

71

phenomenon ‘whose contextual factors may not fit into a particular framework’ (p. 201). Given this, they contend that the fraud triangle is not a sufficiently reliable theory for antifraud practitioners. In addition, motivation, rationalisation and opportunity are arguably conditions of a multitude of crimes. As a further, non-trivial point, returning to the argument that the fraud triangle is too simplistic, the model does not consider the extensive theories and empirical research in psychology that examines the prediction of behaviour. Motivation, for example, might be broken down into intrinsic and extrinsic rewards. Various motivational theories have been developed throughout the history of psychology to explain human behaviour—from Maslow’s hierarchy of needs, reinforcement theory (with extrinsic and intrinsic rewards), McClelland’s motivational theory, self-determination theory, self-actualisation, self-regulation, self-control theory and so forth (McClelland 1985). Moreover, psychological theories contend that motivation and opportunity are insufficient to predict behaviour. Instead, attitudes, subjective norms, perceived control, intentions and individual characteristics, to name just a few variables, are considered by many psychologists to be critical to explain the prediction of behaviour. In contrast to the Fraud triangle, which focuses on the behaviours of the criminal, ‘Routine Activity Theory’ focuses on the behaviours of the potential victims that lead them to become more vulnerable to fraud. This theory has been developed for crimes, in general, and has been used as a lens to examine online consumer scams. The premise of this theory, first proposed by Cohen and Felson (1979), is that crime is unaffected by social causes, such as poverty and inequality. Proponents of this theory argue that individuals become victims of crime because they participate in ‘high risk’ activities or behaviours without capable guardianship and in the company of motivated offenders (Farrell et al. 1995; Turanovic and Pratt 2014). Akin to the fraud triangle, according to routine activity, proponents of this theory argue that opportunity is the root cause of victimisation. Victims of burglary, for instance, are encouraged to change their locks and add alarm systems to decrease their chances of becoming repeat victims of burglary.

72

M. T. Whitty

Some studies have examined the relationship between online activities and cyber fraud. Pratt, Hotfreter and Reisig (2010), for example, examined whether demographic characteristics (e.g., age, gender, education, marital status) and online routines (hours spent online and Internet website purchases) increase people’s exposure to scams. They found that demographic characteristics shape routine online activities and that indicators of everyday online activities fully mediate the effect of demographic factors on the likelihood of being targeted online for fraud. Reyns (2015) conducted a study that examined whether online exposure placed users at more risk of online victimisation (phishing, hacking and malware infection) and if online guardianship helped prevent this form of victimisation. He found that individuals who were more likely to make online purchases engage in social networking and post information online were more likely to be victimised. He also found that online guardianship was positively related to victimisation but in the opposite direction to what he predicted. For example, Reyns found that individuals who installed anti-virus software were more likely to become a victim of a phishing attack. However, he suspected that this finding demonstrated a temporal ordering problem (i.e., the participants in his sample may have installed the software due to being phished). Drawing from Routine Activity Theory, Whitty (2019b), found that younger people were more likely to engage in routine activities that potentially exposed them to cyber frauds than older people who were more likely to engage in online guardianship behaviours. Educated people were more likely to engage in routine activities that potentially exposed them to cyber fraud and were also more likely to engage in online guardianship behaviours than less educated people. In line with the argument proposed in this chapter, this work revealed that criminological theories, such as routine activities theory, are insufficient to explain why individuals are scammed. In addition to problematic behaviours, Whitty (2019b) showed that individual differences were critical in determining who was protected and who was scammed. In this research, cyber fraud victims were found to be more likely to score high on impulsivity measures of urgency, sensation seeking and addictive behaviours than non-victims.

4 The Human Element of Online Consumer Scams …

73

Arguably, Routine Activity Theory may be helpful in the examination of the rise in online consumer scam victimisation during the pandemic. This might be explained by the change in people’s behaviours and circumstances. Those in lockdown spent significantly more time on their digital devices (Salfi et al. 2021), and as noted earlier, individuals were shopping more online. Individuals were thereby exposed more to these types of scams and consequently placed themselves at greater risk of victimisation. Moreover, although people’s shopping behaviours changed, there was little support from governments or industry in providing new online shoppers with information on how to remain safe in these new consumer spaces. Although it can be demonstrated that Routine Activity Theory can help explain the increase in consumer scam victimisation during the pandemic, it is essential to question whether it is sufficient. This will be addressed further in the following section. In brief, the fraud triangle and routine activities Theory can explain some aspects of the rise in scams during the pandemic, but as already highlighted, there are numerous problems with these theories on their own, and there may be other hypotheses to account for this increase in consumer fraud victimisation. This chapter now turns to offer different explanations, drawing from psychological theories.

Psychological Theories Numerous psychological theories may be helpful in explaining fraud victimisation. The foci here are on individual differences (such as personality differences, change behaviour theories (with a specific focus on the Theory of Planned Behaviour) and theories of stress and coping. It is argued that these theories provide more salient insights into explaining why there was a dramatic increase in consumer scams during the pandemic. These theories should be considered more often by scholars who research scams/fraud.

74

M. T. Whitty

Individual Differences The science around individual differences has interested psychologists for over a century. Psychologists have learnt that individuals demonstrate consistent behaviours across different situations. In particular, they have focused on personality and intelligence and examined how these interact with emotional states and motivation. Understanding a person’s personality and intelligence can help predict an individual’s behaviours. The Big 5, which includes openness, conscientiousness, extroversion, agreeableness and neuroticism, are perhaps some of the more well-known personality traits. There has been some speculation about the distinctive psychological characteristics of fraud victims. For example, Titus and Gover (2001) believe that fraud victims are more likely to be: cooperative, greedy, gullible/uncritical, careless, susceptible to flattery, easily intimidated, risk takers, generous, hold respect for authority and are good citizens. Fischer et al. (2013) found in their empirical survey research that scam victims or near scam victims were more affected by the high values offered in scams and displayed a high degree of trust in the scammers. Holtfreter et al. (2008) found that self-control is a significant predictor of victimisation. Research on romance scams, by Buchanan and Whitty (2014), found that individuals with a higher tendency towards idealising romantic partners were more likely to be scammed than those who did not idealise romantic partners. The research conducted by psychologists regarding scam victimisation is overwhelming, demonstrating the importance of considering individual differences, especially personality. Moreover, it has been found that certain dispositions and behaviours are associated with specific types of scams (emphasising that prediction of likelihood of scam victimisation is complex and more sophisticated theories than offered by criminologists are required. For example, in more recent research, Whitty (2019b) found that personality traits, such as urgency and sensation seeking (which are subcategories of impulsivity), addictive personality and internal locus of control, were all predictors of scam victimisation. Importantly, however, this work found that a combination of dispositional behaviours (routine activities) was essential. In another recent

4 The Human Element of Online Consumer Scams …

75

study, Whitty (2020) found that more impulsive and neurotic individuals were more likely to be tricked by cyberscams. In that same study, it was found that investment scam victims were more likely to be older men who scored higher on internal locus of control and shopping scam victims were more likely to be less educated women. Particularly relevant to this chapter is that this study demonstrated that certain individual differences could predict the likelihood of being scammed by consumer scams. Of course, individual differences could also be applied to determine who will likely become a fraudster. For example, it might be reasonable to hypothesise that fraudsters will score higher on the dark triad— Narcissism, Psychopathy and Machiavellianism. These characteristics are evident in some of the well-known fraudsters, Victor Lustig and Bernie Madoff mentioned earlier in this chapter. Arguably, dispositional factors may not be enough on their own to predict fraud; however, it may narrow the field of possibilities (see Whitty 2021b for a more detailed discussion).

Theory of Planned Behaviour Another theory that Whitty and Joinson (2009) have found to be helpful in understanding cyber secure behaviours is the Theory of Planned Behaviour. This theory is valid, amongst others in psychology, to predict behaviour as well as to apply to change behaviour. As shown in Fig. 4.1 below, according to the Theory of Planned Behaviour, attitudes, subjective norms and perceived behavioural control shape an individual’s behavioural intentions and actual behaviours (Ajzen 1991). Concerning cybersecurity, it may be that some young people’s attitudes are incorrect (e.g., about potential harms), or subjective norms (e.g., everyone shops online) or perceived behavioural control (e.g., they can spot a scam/online criminal behaviour). Incorrect perceptions may lead to weak motivations to protect themselves online and, consequently, to poor choices in passwords. Whilst this theory has limitations (e.g., it ignores individual differences, such as personality), it potentially offers a valuable lens to explain

76

M. T. Whitty

Fig. 4.1 Theory of planned behaviour (Source Ajzen [1991])

the increase in consumer scams during the pandemic. It also adds another dimension of complexity lacking in criminological theories. For example, during the pandemic, individuals’ living arrangements (e.g., working from home, how they shopped/purchased items and financial security) altered dramatically and abruptly. Out of necessity, it may have meant that people’s attitudes towards being a consumer may have changed (needing to purchase online, desire to invest due to financial risks of losing work, etc.). Moreover, the perceptions of the normative behaviours may have been that most others were engaging in these new behaviours. The perception may be that these new sites they were shopping on were authentic and secure, especially if everyone else was shopping online. These changes in behaviours and perceptions may have led to increased risk-taking and scam victimisation. As with the other theories in this chapter, these hypotheses require rigorous empirical testing. Nonetheless, the Theory of Planned Behaviour arguably offers a viable lens to help explain the increase in scams during the pandemic. The Theory of Planned Behaviour may also be an aid in explaining some types of fraudsters, particularly those in organised gangs who

4 The Human Element of Online Consumer Scams …

77

commit cyberscams (see Whitty 2018b). For example, fraudsters living in, or ex-pats from, East African countries (especially Nigeria and Ghana) live in a culture where fraud is illegal but more socially acceptable compared with other criminals. In addition, working closely with other cybercriminals (e.g., in cafes), the subjective norm could easily be held that this is acceptable behaviour amongst one’s peers and that it is a behaviour that is within their control as they witness other successes around them.

Stress and Coping Psychology proposes various models to account for effective coping with stress. However, the theory that is, arguably, most applicable here is Larazus and Folkman’s theory on stress and coping. Lazarus and Folkman (1984) have defined coping as ‘constantly changing and behavioural effects to manage specific external and/or internal demands that are appraised as taxing or exceeding the resources of the person’ (p. 141). One of the core concepts of Lazarus’ theoretical formulation of coping involves cognitive appraisal. Lazarus et al. (1985) model of stress and coping argues that there are primary and secondary appraisals involved in coping. Primary appraisal includes what is at stake for the person, whether the individual assesses the stressful situation as harmful, threatening or challenging. Secondary appraisal involves the individual’s coping resources and options. These theorists maintain that there are two main types of coping functions: problem-focused, which is directed at managing or altering the problem causing distress, and emotion-focused, which is directed at regulating the emotional response to the problem. The literature suggests that emotion-focused forms of coping are more likely to be effective when there has been an appraisal that nothing can be done to modify harmful, threatening or challenging environmental conditions. On the other hand, problem-focused forms of coping are more effective when such conditions are amenable to change (Folkman and Lazarus 1980). Many psychological studies have shown that stress impedes learning and memory abilities (Callary et al. 2015). For example, a person might

78

M. T. Whitty

forget the names associated with faces when attending a social event which induces social anxiety for that person. Bangasser and Shors (2010) report that ‘stressful experience directly impacts the circuits used for learning’ (pp. 1230–1231). Lamba et al. (2020) found that individuals who were less tolerant of uncertainty and experienced anxiety found it more challenging to learn in uncertain social contexts. If individuals cannot effectively cope with stress, then the knock-on effects are poor decision-making and an inability to learn new knowledge. It is well-documented that stress and anxiety levels were raised for a prolonged period during the pandemic (Boals and Banks 2020). As Boals and Banks point out, stress and anxiety can lead to ‘mind wandering’, consequently limiting cognitive resources. Considering Lazarus and Folkman’s theory of stress and coping, the pandemic led to events one could not change (e.g., probably catching a virus that could kill you, lockdowns, home-schooling, etc.), which would have required effective emotional coping strategies. However, perhaps unusually, the pandemic also brought about a new set of potential stresses which required needing to behave differently in novel environments (e.g., working from home, navigating the Internet to purchase items, etc.). Some may have construed these as challenging or benign, but for those who appraised these new events as stressful and could not employ effective coping strategies, the end result may have led them to be prone to events that required new knowledge to be safe, such as scams. Consumer scams may have been the more frequently occurring scams as online shopping and investments may have been the types of new activities individuals engaged in that required the development of new skills to protect them from potential victimisation.

Conclusions In conclusion, this chapter began by considering two research questions: did the pandemic cause an increase in the number of consumer scam victims; and did the pandemic change the landscape for online consumer scams? It was demonstrated that there was an increase in the number

4 The Human Element of Online Consumer Scams …

79

of consumer scam victims and that the pandemic did change the landscape for online consumer scams. However, whether or not the pandemic caused the increase requires empirical evidence that currently does not exist. The theories proposed here helped provide a lens for potential explanations for an increase in consumer scam victimisation; however, empirical evidence would be needed to support or reject the hypotheses arising from each proposed theory. This chapter also critiqued the criminological theories often applied to explain the conditions that lead to an increased chance that fraud will occur. The ‘Fraud Triangle’ was especially criticised for its simplicity and inability to consider fraud as a multifaceted phenomenon. Whilst holding some promise, Routine Activity Theory lacked the understanding of human nature’s complexity. Perhaps the combination of these theories and psychological theories will pave the way for new insights into fraudsters’ behaviours and the understanding of victimhood. The psychological theories focused on here were individual differences, the Theory of Planned Behaviour and Lazarus and Folkman’s (1984) theory of Stress and Coping. In short, it was concluded that the social conditions created by the response to the pandemic may have increased specific individuals’ susceptibility to being scammed, in particular, to online consumer scams. Forced lockdowns, financial concerns about the future and the closure of non-essential physical shops may have driven individuals to seek out investments (or be tempted by scammers approaching them with investment opportunities) and shop online in ways that they had not in the past. Those with more impulsive personalities (and potentially other dispositions) may have moved on too quickly to accept these new opportunities. Importantly, however, is the point that people potentially did not know how to act safely in these new environments and were simultaneously attempting to cope with these stressors. If individuals’ peers and colleagues were engaging in similar behaviours, they might have falsely believed that these environments were safe. In addition, the conditions people were living in were not conducive to the development of new fraud-prevention skills, which required them to recognise scams and understand how to shop and invest safely in online environments. Future work is needed in this area; however, this chapter encourages researchers

80

M. T. Whitty

in other disciplines to consider these problems using different lenses beyond the typical criminological theories applied to examine online consumer fraud and fraud more generally.

References ACCC. 2022a. Australians are losing more money to investment scams. https:// www.accc.gov.au/media-release/australians-are-losing-more-money-to-invest ment-scams Accessed 15 December 2022a ACCC. 2022b. Receiving unrequested products or services. https://www.accc. gov.au/consumers/buying-products-and-services/receiving-unrequested-pro ducts-or-services Accessed 15 December 2022b ACCC. 2021. Scammers capitalize on pandemic as Australians lose record $851 million to scams. https://www.accc.gov.au/media-release/scammers-capitaliseon-pandemic-as-australians-lose-record-851-million-to-scams Accessed 15 December 2022 ACCC. 2020. Current COVID-19 (coronavirus) scams. https://www.accc.gov. au/system/files/English%20-%20COVID-19%20scams%20fact%20sheet. pdf Accessed 15 December 2022 Action Fraud. 2020. Over £16 million lost to online shopping fraud during lockdown, with people aged 18–26 most at risk. https://www.actionfraud. police.uk/alert/over-16-million-lost-to-online-shopping-fraud-during-loc kdown-with-people-aged-18-26-most-at-risk Accessed 15 December 2022 Ajzen, Icek. 1991. ‘The theory of planned behaviour’ Organizational Behavior and Human Decision Processes, 50 (2), 179–211. Alt, Betty L. and Wells, Sandra K. 2004. Fleecing Grandma and Grandpa: Protecting Against Scams, Cons, and Frauds London: Praeger. Balleisen, Edward. 2017. Fraud: An American History from Barnum to Madoff . Princeton: Princeton University Press. Bangasser, Debra. A. and Shors, Tracy J. 2010. ‘Critical brain circuits at the intersection between stress and learning’ Neuroscience and Biobehavioral Reviews, 34, 1223–1233. Boals, Adriel and Banks, Jonathan. B. 2020. ‘Stress and cognitive functioning during a pandemic: Thoughts from stress researchers’ Psychological Trauma: Theory, Research, Practice, and Policy, 12(1), 255–257.

4 The Human Element of Online Consumer Scams …

81

Buchanan, Tom and Whitty, Monica, T. 2014. ‘The online dating romance scam: Causes and consequences of victimhood’ Psychology, Crime and Law, 20 (3), 261–283. Callary Bettina, Rathwell Scott, and Young Bradley, W. 2015. ‘Insights on the process of using Interpretative Phenomenological Analysis in a Sport Coaching Research Project’ The Qualitative Report, 20 (2), 63–75. Chawla, Afreen. Yu, John and Ng, Shannon. 2021. ‘Cybercrime and scams amidst COVID-19: A review of the human vulnerabilities exploited during a global pandemic’. In Majeed Khader, Whistine, X. T. Chai and Loo S. Neo (eds). Cyber Forensic Psychology. Singapore: World Scientific. Chen, Weili, Zheng, Zibin, Ngai, Edith C.-H., and Zheng, Peilin. 2019. ‘Exploiting blockchain data to detect smart Ponzi schemes on Ethereum’. IEEE Access, 1–1. Clarke, Ronald V. 1995. ‘Building a safer society: Strategic approaches to crime prevention’ Crime and Justice, 19, 91–150. CNBC. 2021. Covid-related scams have bilked Americans out of $586 million. https://www.cnbc.com/2021/10/18/covid-related-scams-have-bilked-americ ans-out-of-586-million.html Accessed 15 December 2022 Cohen, Lawrence and Felson, Marcus. 1979. ‘Social change and crime rate trends: A routine activity approach’ American Sociological Review, 44 (4), 88– 608. Cressey, Donald R. 1953. Other People’s Money: A Study of the Social Psychology of Embezzlement. Washington: Free Press. Dorminey Jack, Fleming A. Scott, Kranacher Mary-Jo, and Riley Jr Richard A. 2012. ‘The evolution of fraud theory’ Issues in Accounting Education, 27 (2), 555–579. Farrell, Graham, Phillips, Coretta, and Pease, Ken. 1995. ‘Like taking candy: Why does repeat victimization occur?’ The British Journal of Criminology, 35 (3), 384–399. Fischer, Peter, Lea, Stephen, E.G. and Evans, Kath, M. 2013. ‘Why do individuals respond to fraudulent scam communication and lose money? The psychological determinants of scam compliance’ Journal of Applied Social Psychology, 43(10), 2060–2072. Folkman Susan and Lazarus Richard S. 1980. ‘An analysis of coping in middleaged community sample’ Journal of Health and Social Behaviour, 21, 219– 239.

82

M. T. Whitty

Geldart, Kate. 2022. WA pet lovers lose $90,000 to online puppy scams in just four months. WAtoday, April 26, 2022. https://www.watoday.com. au/national/western-australia/wa-pet-lovers-lose-90-000-to-online-puppyscams-in-just-four-months-20220422-p5afet.html Accessed 15 December 2022 Grabosky, Peter, Dempsey, Gillian and Smith, Russell G. 2001. Electronic Theft: Unlawful Acquisition in Cyberspace. Cambridge: Cambridge University Press. Gupta, Mohan Chander and Kumar, Devesh. 2020. ‘Creative accounting a tool for financial crime: a review of the techniques and its effects’ Journal of Financial Crime, 27 (2), 397–411. Gurthrie, Cameron, Fosso-Wamba, Samuel and Arnaud, Jean B. 2021. ‘Online consumer resilience during a pandemic: An exploratory study of e-commerce behavior before, during and after a COVID-19 lockdown’ Journal of Retailing and Consumer Services, 61, 102570. Holtfreter, Kristy, Reisig, Michael, D. and Pratt, Travis C. 2008. ‘Low selfcontrol, routine activities, and fraud victimization’ Criminology, 46 (1), 189– 220. Huber, Wm. Dennis. 2016. ‘Forensic accounting, fraud theory, and the end of the fraud triangle’ Journal of Theoretical Accounting Research, 12(2), 28–48. International Labour Organization (ILO). 2020. ‘ILO Monitor: COVID19 and the world of work. Second edition’ NY: International Labour Organization (ILO). Kim, Rae Y. 2020. ‘The impact of COVID-19 on consumers: Preparing for digital sales’ IEEE Engineering Management Review, 1, 1. Lamba, Amrita, Frank, Michael J. and Feldman Hall, Oriel. 2020. ‘Anxiety impedes adaptive social learning under uncertainty’ Psychological Science, 31(5), 592–603. Lazarus, Richard S and Folkman, Susan. 1984. Stress, Appraisal and Coping. New York: Springer Publishing. Larzarus, Richard S., DeLongis, Anita, Folkman, Susan and Gruen, Rand. 1985. ‘Stress and adaptional outcomes: The problem of confounded measures’ American Psychologist, 40, 770–779. Levi, Michael. 2008. The Phantom Capitalists: The Organisation and Control of Long-firm Fraud, 2nd ed. Andover: Ashgate. Levi, Michael and Smith, Russell G. 2021. ‘Fraud and its relationship to pandemics and economic crises: From Spanish flu to COVID-19’ Research Report no. 19 Canberra: Australian Institute of Criminology. https://www. aic.gov.au/sites/default/files/2021-04/rr19_fraud_and_its_relationship_to_ pandemics_and_economic_crises.pdf Accessed 15 December 2022

4 The Human Element of Online Consumer Scams …

83

Lewis, Lionel S. 2013. ‘The confidence game: Madoff and the 17th floor ensemble’ Society, 50, 493–502. Lokanan, Mark. E. 2015. ‘Challenges to the fraud triangle: Questions on its usefulness’ Accounting Forum, 39 (3), 201–224. McClelland, David Clarence. 1985. Human Motivation, Glenview Ill: Scott, Foresman and Company. McMahon, Richard, Pence, Diana, Bressler, Linda and Bressler, Martin S. 2016. ‘New tactic in fighting financial crimes: Moving beyond the fraud triangle’ Journal of Legal, Ethical and Regulatory Issues, 19 (1), 16–37. Packer, Rowena M. A., Brand, Claire L., Belshaw, Zoe, Pegram, Camilla. L., Stevens, Kim. B. and O’Neill, Dan G. 2021. ‘Pandemic puppies: Characterising motivations and behaviours of UK owners who purchased puppies during the 2020 COVID-19 pandemic’ Animals (Basel), 11(9), 2500. Pratt, Travis C., Holtfreter, Kirsty and Reisig, Michael D. 2010. ‘Routine online activity and internet fraud targeting: Extending the generality of routine activity theory’ Journal of Research in Crime and Delinquency, 47 (3), 267–296. Reyns, Bradford W. 2015. ‘A routine activity perspective on online victimisation: Results from the canadian general social survey’ Journal of Financial Crime, 22(4), 396–411. Salfi, Federico, Amicucci, Giulia, Corigliano, Domenico, D’Atri, Aurora, Viselli, Lorenzo, Tempesta, Daniela and Ferrara, Michele. 2021. ‘Changes of evening exposure to electronic devices during the COVID-19 lockdown affect the time course of sleep disturbances’ Sleep Research Society, 44 (9), 1–9. Selinger-Morris, Samantha. 2020. ‘They’ve wanted a dog for years. Lockdown has finally made it happen’ The Sydney Morning Herald , April 26, 2020. https://www.smh.com.au/lifestyle/life-and-relationships/they-ve-wanteda-dog-for-years-lockdown-has-finally-made-it-happen-20200424-p54n0n. html Accessed 15 December 2022 Smaili, Nadia and de Rancourt-Raymond, Audrey. 2022. ‘Metaverse: Welcome to the new fraud marketplace’ Journal of Financial Crime, 29 (4). https://doi. org/10.1108/JFC-06-2022-0124 Accessed 16 January 2023. Steyerl, Hito. 2011. ‘Digital debris: Spam and Scam’ October 138, 70–80. Titus, Richard M. and Gover, Angela A. 2001. ‘Personal fraud: The victims and the scams’ Crime Prevention Studies, 12, 133–151.

84

M. T. Whitty

UK Finance. 2021. Criminals exploit COVID-19 Pandemic with rise in scams targeting victims online. https://www.ukfinance.org.uk/press/press-releases/ criminals-exploit-covid-19-pandemic-rise-scams-targeting-victims-online Accessed 15 December 2022 Turanovic, Jillian J. and Pratt, Travis C. 2014. ‘Can’t stop, won’t stop: Selfcontrol, risky lifestyles, and repeat victimization’ Journal of Quantitative Criminology, 30 (1), 29–56. Walther, Joseph B. 2007. ‘Selective self-presentation in computer-mediated communication: Hyperpersonal dimensions of technology language, and cognition’ Computers in Human Behavior, 23(5), 2538–2557. Walther, Joseph B. 1996. ‘Computer-mediated communication: Impersonal, interpersonal, and hyperpersonal interaction’ Communication Research, 23(1), 3–43. Walther, Joseph B. and Whitty, Monica T. 2021. ‘Language, psychology, and new new Media: The hyperpersonal model of mediated communication at twenty-five years’ Journal of Language and Social Psychology, 40 (1), 120–135. White, Michael D. and Fisher, Christopher. 2008. ‘Assessing our knowledge of identity theft: The challenges to effective prevention and control efforts’ Criminal Justice Policy Review, 19 (1), 3–24. Whitty, Monica T. 2021a. ‘Drug mule for love’ Journal of Financial Crime, in press. https://doi.org/10.1108/JFC-11-2019-0149 Accessed 19 December 2022. Whitty, Monica T. 2021b. ‘Developing a conceptual model for insider threat’ Journal of Management & Organization, 27 (5), 911–929. Whitty, Monica T. 2020. ‘Is there a scam for everyone? Psychologically profiling cyberscam victims’ European Journal on Criminal Policy and Research, 26 (3), 399–409. Whitty, Monica T. 2019a. ‘Who can spot a romance scam?’ Journal of Financial Crime, 26 (2), 623–633. Whitty, Monica T. 2019b. ‘Predicting susceptibility to cyber-fraud victimhood’ Journal of Financial Crime, 26 (1), 277–292. Whitty, Monica T. 2018a. ‘Do you love me? Psychological characteristics of romance scam victims’ Cyberpsychology, Behavior and Social Networking, 21(2), 105–109. Whitty, Monica T. 2018b. ‘It’s just a game: Developing a framework to understand cyberfraud from a Nigerian cultural perspective’ International Journal of Cyber Criminology, 12(1), 97–114. Whitty, Monica T. 2015. ‘Anatomy of the Online Dating Romance Scam’ Security Journal, 28, 443–455.

4 The Human Element of Online Consumer Scams …

85

Whitty, Monica T. 2013. ‘The Scammers Persuasive Techniques Model: Development of a stage model to explain the online dating romance scam’ British Journal of Criminology, 53(4), 665–684. Whitty, Monica T. 2003. ‘Coping and defending: Age differences in maturity of defense mechanisms and coping strategies’ Aging & Mental Health: An International Journal, 7 (2), 123–132. Whitty, Monica T. and Buchanan, Tom. 2016. ‘The online dating romance scam: The psychological impact on victims—Both financial and nonfinancial’ Criminology & Criminal Justice, 16 (2) 176–194. Whitty, Monica T. and Buchanan, Tom. 2012. ‘The online romance scam: A serious crime’ Cyberpsychology’ Behavior, and Social Networking, 15 (3), 181– 183. Whitty, Monica T. and Joinson, Adam N. 2009. Truth, Lies, and Trust on Internet London: Routledge, Psychology Press. Zeng, Eric, Kohno, Tadayoshi, Roesner, Franziska and Allen, Paul. G. 2020. ‘Bad news: Clickbait and deceptive Ads on News and Misinformation Websites’ Workshop on Technology and Consumer Protection (ConPro ’20).

5 State-Sponsored Economic Espionage in Cyberspace: Risks and Preparedness Hedi Nasheri

Introduction In the face of global insecurity and technological change, advanced industrialized nations face higher risks of state-sponsored cyberespionage than ever before against their networks, communications systems and workforces. With attacks on everything from data hubs and servers to critical infrastructure and citizen services, government institutions are increasingly looking beyond their own borders in order to build better protections against these threats. State-sponsored economic espionage against the technological sectors in the United States pose a significant risk to the US national and economic security. The COVID19 pandemic lockdowns added a new level of uncertainty, vulnerabilities H. Nasheri (B) Department of Sociology and Criminology, Kent State University, Kent, OH, USA e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 R. G. Smith et al. (eds.), Cybercrime in the Pandemic Digital Age and Beyond, Palgrave Studies in Cybercrime and Cybersecurity, https://doi.org/10.1007/978-3-031-29107-4_5

87

88

H. Nasheri

and national security challenges in the cyber domain. In order for the United States to be able to mitigate additional threats in times of pandemic, the government, the public and the private sector must be able to respond with a certain level of preparedness. This chapter attempts to provide a better understanding of a complex topic that has a deep impact on national security in extra ordinary times. It is intended to provide an overall understanding of risks associated with state-sponsored economic espionage in cyberspace. It is necessary for the United States and its allies in advanced industrialized countries to become aware of the consequences of the state-sponsored economic espionage which for the most part is conducted in the cyber domain. Furthermore, it is imperative to be prepared during times of a pandemic in order to be able to respond to layers of threats including the preexisting as well as the new threats. Given the sensitive nature of this topic, risk assessment and preparedness have to be proactive not reactive. The general public needs to be aware of risks associated with connectivity and technological tools utilized in their daily lives. The risks extend to products used and found at homes, such as networked applications, doorbell cameras, thermostats, smart speakers and televisions, further expanding the opportunities for attacks. A common awareness of this topic provides a framework for the development and deployment of prevention plans and preparedness measures that can be put in place in a timely fashion. Only through collaboration, cooperation and innovative solutions, the United States and its allies can mitigate the security threats from state-sponsored espionage

Remote Work It is important to note that, even prior to the COVID-19 pandemic, remote work was already a component of a workweek for some businesses. The implementation of remote work added a new layer to the preexisting security risks. For example, with the rise of the freelance/contract worker some organizations became more vulnerable and susceptible to unknown security risks. Government agencies and the corporations for decades have been attempting to prevent security threats such as

5 State-Sponsored Economic Espionage in Cyberspace …

89

theft of proprietary information and data breaches that results in trade secret theft. Remote work increases the opportunity for state-sponsored espionage. A sudden implementation of remote work across a wide range of industries without prior planning for a pandemic provided an unprecedented opportunity for state-sponsored espionage targeting the US strategic sectors in emerging industries. The industries targeted include, but are not limited to, artificial intelligence, electronics, telecommunications, robotics, data services, pharmaceuticals, mobile phone services, satellite communications and imagery and business application software. One of the most difficult challenges for any advanced industrialized nation like the United States is how to prevent becoming a victim of these attacks. The failure to have appropriate detection mechanism, prevention and preparedness measures in place results in theft of sensitive proprietary information. Furthermore, such attacks result in a disadvantage in an electronically connected and internationally integrated commercial world.

The Importance of Intellectual Property In order to understand the significance of state-sponsored espionage, we must first recognize the importance of intellectual property (IP) in today’s global economy. Owning property is a fundamental right that people are entitled to under most legal systems. The World Intellectual Property Organization (WIPO 2022b) defines IP as creations of the mind, such as inventions; literary and artistic works; designs; and symbols, names and images used in commerce. In reality, intellectual property theft should not be treated any differently than the theft of physical property but yet it is. Advanced economies in industrialized nations around the world devote tremendous resources, time, money and energy toward research and product development. The research and development of proprietary economic information forms the core of a nation’s economic and national security infrastructure. Misappropriation of proprietary information has a devastating impact on the well-being

90

H. Nasheri

of any economy that heavily relies on innovations for their economic sustainability (Nasheri 2005). Intellectual property is one of the most valuable assets for any competing economy across the world markets. Trade secrets are the groundbreaking ideas that give businesses a competitive advantage. This critical form of intellectual property is not only invaluable to individual business owners; it is also directly responsible for creating millions of jobs. When trade secrets are stolen it results in destabilizing legitimate markets and goods (Nasheri 2012). Furthermore, it threatens the competitiveness of the global markets. The theft of trade secrets and proprietary information weakens nations’ economic power and sustainability by negatively impacting the job market, work force, the critical infrastructure and poses a serious risk to safety of the consumers. When more advanced nations such as US national security is threatened, it creates a serious threat to the geopolitical landscape around the world and provides limitless opportunities for criminals and rogue states to carry out their agenda at any cost (Nasheri 2005).

Intellectual Property Crimes The United States is the number one producer of intellectual property, ideas and products thus-far in the world. It has adopted relevant legislation and has an established legal framework to address intellectual property crimes such as theft of trade secrets. Unfortunately, the same does not apply to other advanced industrialized nations. Often times, the existing laws and legislation lag behind the speed with which the technological changes are taking place. Lack of an appropriate and effective legal framework further complicates matters for the legislative bodies and law enforcement agencies around the world.

5 State-Sponsored Economic Espionage in Cyberspace …

91

Trade Secrets While violations of patents, copyrights and trademarks are easier concepts to understand, detect, investigate and prosecute, misappropriation of trade secrets is far more complicated and challenging. The World Intellectual Property Organization broadly defines trade secrets as any confidential business information which provides an enterprise a competitive edge (WIPO 2022a). Trade secrets encompass manufacturing or industrial secrets and commercial secrets. The unauthorized use of such information by persons other than the rights holder is regarded as an unfair practice and a violation of the trade secret (WIPO 2022a). Trade secrets are a form of intellectual property that are of increasing importance to manufacturers for a variety of reasons. A trade secret can be any information that is: valuable to a company; not generally known and not readily ascertainable through lawful means, as long as the trade secret holder has taken reasonable precautions to protect it (Congress.gov 2016). A classic example of a trade secret is the formula for Coca-Cola. The formula has maintained its secrecy and to this day the secret formula is what makes this product unique in the world. With the technological advances for the past several decades, protection of intellectual property has become a challenging task for all law enforcement agencies worldwide. In recent decades, we have witnessed a change in the nature of crime and an increase in the use of technology and cyberspace for the theft of intellectual property. Again, the task of investigation and prosecution of those who commit these crimes has become a major challenge for law enforcement agencies. At times, it is impossible to be able to identify the responsible parties for the trade secret theft and misappropriation of proprietary information. While protection of all types of intellectual property is imperative, the protection of trade secrets which forms the core of a nation’s economic security is the most complicated and challenging task for businesses, governments and the law enforcement agencies (Nasheri 2005). The United States is currently the biggest stakeholder with respect to trade secrets. Whether it is an adhesive formula owned by a US company

92

H. Nasheri

or proprietary information on nuclear technology owned by the government, the theft of such information has major consequences for the economic prosperity which in turn impacts its national security.

The Passage of the Economic Espionage Act (EEA) in the United States In contrast to other types of intellectual property, which are primarily protected under federal law, trade secrets have previously been protected under a patchwork of federal and state laws. Historically, there were no criminal provisions in the law in the United States to make the theft of proprietary information a crime. Theft of trade secrets usually was addressed by the civil law system and at the state level each state had its own set of laws to address this type of theft. In 1996, the legal landscape changed with the passage of the Economic Espionage Act (EEA) under President Clinton (U.S. Code 18-1-90). For the first time in the history of US law, trade secret theft became a federal crime. Congress enacted the EEA in October 1996 in response to the growing efforts by foreign governments to misappropriate the trade secrets of US companies (U.S. Code 18-1-90). The statute is not limited to prosecuting the theft of trade secrets by foreign governments or foreign companies. The EEA established two prosecutable offenses regarding the theft of trade secrets. The first offense, ‘economic espionage’ (§ 1831), arises only when the theft benefits a foreign government, and it thus carries higher penalties than the second offense. The second, ‘theft of trade secrets’ (§ 1832), concerns theft benefiting any person who is not the true owner. Over the years under the new legislation, the Department of Justice prosecuted hundreds of cases against companies, individuals, foreign national and nation-states.

5 State-Sponsored Economic Espionage in Cyberspace …

93

Defend Trade Secrets Act of 2016 Both the North American Free Trade Agreement (NAFTA) and the Trade-related Aspects of Intellectual Property Rights (TRIPS) Agreements, as international treaties, require national standards for trade secret protection. However, the United States did not have a federal statute to protect trade secrets until May of 2016. In 2016 under President Obama, new legislation was introduced as an amendment to the 1996 passage of the EEA. The Defend Trade Secrets Act was passed to further help protect companies from theft of trade secrets and make them more competitive in the global economy (Congress.gov 2016).

Automation Increasingly, people want to have an easier access to digital information. Over the last several decades, the acceleration of technological advances has facilitated easy access to proprietary information, i.e., trade secrets. Inevitably with increased demands come increased vulnerabilities and risks. Proprietary information is a growing object of economic espionage. To improve business performance and efficiency, companies across the globe engaged in comprehensive automation of all their business operations to enhance and maximize their profitability. The wide spectrum of automation ranged from secretarial and clerical tasks such as contact logs, telephone operations, calendar updates, bookkeeping, accounting and other financial tasks to name a few examples. Some of these industries that implemented automation included the manufacturing, trade, mining, utilities, construction, travel, banking and finance, automotive, technology, software, biotechnology, pharmaceuticals and healthcare. An important aspect of the industry-wide automation was the fact that most design, research and development, formulas, business processes, customer lists and product information were all computerized from hard copy format to electronic data files. The digital files then were stored on systems networks and via cloud computing. Businesses turned to

94

H. Nasheri

technological solutions for their data storage and retrieval. Retrieving information no longer required sifting through boxes of documents (Nasheri 2018).

Globalization and Competitiveness Globalization has had a tremendous impact on businesses worldwide with loosening restrictions and trade barriers on capital markets. It further has facilitated the acceleration of the movement of markets and people around the world. With the rapid changes taking place in communication and transportation sectors, corporation and businesses expanded their operations creating multinational companies around the world, making it more difficult to distinguish between a US company and a foreign company. Most corporations have subsidiaries around the world and hire foreign nationals to operate their businesses in foreign countries. This rapid transformation makes it harder for countries and companies to protect their intellectual property, particularly when it comes to trade secrets and proprietary information. Research and development for new products and technologies requires tremendous time and resources. While stealing proprietary information is nothing new, and dates back centuries from the beginning of civilization, the tools for stealing have changed. The same technological developments that have helped advanced nations to obtain a certain economic status have also created an environment in which the theft of proprietary information can be achieved with maximum speed and little effort on the part of the perpetrator. While much cooperation among nations occurs on areas of mutual interests, the same does not apply when it comes to trade secrets and proprietary information. The fact that advanced nations compete with one another for economic superiority also prevents them from cooperating and collaborating in regard to trade secrets which in turn impacts their competitive economic status (Nasheri 2005).

5 State-Sponsored Economic Espionage in Cyberspace …

95

Economic Espionage and Cyberspace Today’s cybersecurity threats, risks and vulnerabilities arose from the development of the Internet. Every business is vulnerable to Internetbased attacks because they increasingly rely on the digital infrastructure. Additionally, an increasing quantity of data about organizations is stored online and transmitted online. Governments struggle to articulate the importance of maintaining a proactive posture in securing their cyber operations, especially with respect to data and systems with national security implications. The advent of the Internet brought about a societal transformation that created an information society. As part of this transformation, E-commerce came into existence resulting in fundamental changes in business practices worldwide, creating an environment in which technology was at the core of all corporate transactions. Mobility among employees gave rise to the remote work environment and the advent of virtual offices. While groundbreaking rapid progress was made with connectivity of networks and communications technologies, existing laws and regulations were still not sufficient to catch up with the rapid technological changes (Nasheri 2018). The revolutionary advances in technological solutions provided so many advantages to businesses that expanded their operations globally and increased their productivity and output. The impact of automation efforts such as these provided for a better and faster access to goods and products for the consumer. These technological advances created new opportunities for those who target proprietary information. Historically to steal proprietary information, one would have to physically access the documents and physically remove boxes of documents and would probably need a truck to move the boxes to a different location. With the acceleration of information technology, all that is required is to have a computer or a thumb drive. If the theft is being carried out by someone who is acting as an agent and has inside access, the thumb drive alone is sufficient to steal thousands of electronic data files. If the theft is being carried out by an outside group, all that is required is a computer.

96

H. Nasheri

Nation-states that steal proprietary information often possess all the necessary tools to carry out their attacks. These organizations depend on highly skilled and computer-savvy individuals as part of their organizational network or they contract out to obtain the skills needed to steal the desired data. The Dark Web provides a host of resources to these groups; anything from malware, specific software for configuration to contracting individuals with the desired skills. The technological innovations and the impact of globalization on the business sector worldwide have created a platform of interdependence through the connectivity of global social networks. The threats and risks from cyber-espionage are increasing due to the connectivity growth between physical and digital systems. These threats can compromise critical information, disrupt operations and undermine national security. The nature of entrepreneurship has changed forever and has adapted to a new set of rules in a borderless cyberspace of commerce. At the same time that businesses across the world are making the necessary adjustments to be able to operate globally, the criminal enterprises are also making the same adjustments in order to conduct their operations globally (Nasheri 2018).

Preparedness Security breaches are inevitable when society is confronted with a sudden crisis, such as the most recent pandemic, resulting in drastic changes to the traditional work environment. Data can become an easy prey for the bad actors due to the fact that data resides everywhere, in the cloud, in Internet applications, on mobile devices and across desktops. With fluid data environments, governments and the private sector are required to take a proactive approach for prevention and detection. The preventive measures must ensure that proprietary information and data are safe from compromise. Protecting, detecting and responding to threats means securing everything from the desktop and network to applications and storage.

5 State-Sponsored Economic Espionage in Cyberspace …

97

The rapid shift from traditional office to remote work from homes posed a new set of security challenges that will continue into the foreseeable future. COVID-19 created new opportunities for state-sponsored espionage, with daily transmission of sensitive information back and forth between businesses, employees and employers working remotely on large scale. The virus forced an unprecedented number of leaders and managers to work from home without the traditional security measures that they had benefited from in their traditional office work settings. Most organizations have a disaster recovery plan and a business continuity strategy in place to respond to predictable catastrophes; however, the majority of organizations are not prepared for a crisis requiring working from home for a long period on a large scale (Ranger 2020). Gaps in security and new ways of working from home led to unanticipated data breaches and security problems. Longer-term remote work which now has become the norm for many organizations presents major concerns with respect to state-sponsored espionage. Each new threat develops in different ways over different time frames; malware might hit an entity immediately, but phishing campaigns can evolve into email compromise scams and ransomware demands over days or weeks. It may take years before the impact of the recent pandemic can be assessed (Greig 2020). The United States’ adversaries throughout history have routinely taken their competitive efforts beyond the battlefield. Today, foreign intelligence services, criminals and the private sector spies are focused on American industries. These adversaries use traditional intelligence tradecraft against American companies, and they increasingly view the cyber environment, where nearly all-important business and technology information now resides, as a safe and efficient way to penetrate the desired target. Their efforts compromise intellectual property, trade secrets and technological developments that are critical to economic prosperity and national security.

98

H. Nasheri

The Case of China China has rapidly transformed its economy to become a global leader in advanced technologies. It is interesting to note that China’s economy grew in 2020 during the pandemic while the rest of the world struggled (Cheng 2020). Disruptive cyberattacks by the People’s Republic of China (PRC) are a serious threat to US national security (BoozAllenHamilton 2022). A new report from Booz Allen Hamilton analyzed more than a dozen Chinese government-sponsored cyberattacks over the past decade. Chinese government-sponsored cyberattacks pose not only a national security challenge to the US national security interests but to the allied countries as well. By using a variety of PRC organizations and state aligned actors to carry out its cyber activities, the Chinese government targets countries and companies with global interests. A decade-long quest to become a cyber superpower is paying off for China. China has been characterized as one of the most aggressive and capable adversaries using economic espionage for the theft of sensitive proprietary information and technology. According to the intelligence agencies in the United States and allied countries, Chinese actors are the world’s most active and persistent perpetrators of economic espionage. China is consistently targeting the US strategic sectors in emerging industries. Remote work during the pandemic cleared the path for the Chinese state-sponsored espionage against US technologies. The United States, NATO and other allies collectively have called on China as being the responsible nation for the malicious cyberattacks, including the 2021 Microsoft’s Exchange Server attacks. For the first time in 2022, NATO formally condemned China’s cyber activities (Neuman 2021). According to the intelligence agencies in the United States and allied nations, China’s Ministry of State Security used contract hackers to conduct a number of high profile attacks, many of which were done for profit using ransomware attacks. The United States, NATO, EU, UK, Australia, Canada, New Zealand and Japan collectively attributed the 2021 attacks to the China’s State Security Ministry (Fried 2021). China’s cyberattacks can affect government agencies, global corporations and small businesses directly. China is capable of cyber-enabled

5 State-Sponsored Economic Espionage in Cyberspace …

99

espionage, influence operations and cyberattacks that can cause disruption and destruction. China uses cyber operations to pursue its national goals by engaging with rivals below the threshold of war (BoozAllenHamilton 2022). As tensions rise between China and Taiwan, it becomes more imperative to understand when, where and how these attacks occur and how they might affect national and global security. Since the 2021 attacks, the United States began working with the European Union and the G7 countries to develop a new set of rules for resources pipelines and other critical infrastructure providers (IPEC 2021).

Recent Cases of Trade Secret Theft and Economic Espionage in the United States In 2020, the Department of Justice and the Federal Bureau of Investigation (FBI) continued their investigation and prosecution of commercial and state-sponsored trade secret theft incidents. This focus led to the investigation and prosecution of numerous trade secret theft and economic espionage cases. The case examples shed light on the frequency and the nature of espionage activities.

Sample Cases A Chinese national who worked at Monsanto was indicted on Economic Espionage charges (IPEC 2022). On 21 November 2019, Haitao Xiang, formerly of Chesterfield, Missouri, was indicted by a federal grand jury on one count of conspiracy to commit economic espionage, three counts of economic espionage, one count of conspiracy to commit theft of trade secrets and three counts of theft of trade secrets. According to the indictment, Xiang was employed by Monsanto and its subsidiary, the Climate Corporation, from 2008 to 2017, where he worked as an imaging scientist. Monsanto and the Climate Corporation developed a digital, online farming software platform that was used by farmers to collect, store and visualize critical agricultural field data and increase and improve

100

H. Nasheri

agricultural productivity for farmers. A critical component to the platform was a proprietary predictive algorithm referred to as the Nutrient Optimizer, which Monsanto and the Climate Corporation considered a valuable trade secret and their intellectual property. In June 2017, the day after leaving employment with Monsanto and the Climate Corporation, Xiang bought a one-way plane ticket to China. Before he could board his flight, federal officials intercepted Xiang at the airport and seized copies of the Nutrient Optimizer (IPEC 2022). Chinese military personnel were charged with Computer Fraud, Economic Espionage and Wire Fraud for hacking into credit reporting agency Equifax. On 10 February 2020, a federal grand jury returned an indictment charging four members of the Chinese People’s Liberation Army with hacking into the computer systems of the credit reporting agency Equifax and stealing personal data and Equifax’s valuable trade secrets. The nine-count indictment alleges that Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei were members of the People’s Liberation Army’s 54th Research Institute, a component of the Chinese military. They allegedly conspired to hack into Equifax’s computer networks, maintain unauthorized access to those computers and steal sensitive, personally identifiable information of approximately millions of US victims. According to the charges, the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal. They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network. The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system. The conspirators ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States. In total, the attackers obtained names, birth dates and social security numbers for nearly half of all US citizens. The indictment also charges the defendants with stealing trade secret information, namely Equifax’s data compilations and database designs. The defendants routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in with normal network activity and deleted

5 State-Sponsored Economic Espionage in Cyberspace …

101

compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity (IPEC 2022). Two Chinese hackers working with the Ministry of State Security charged with Global Computer Intrusion campaign targeting intellectual property and confidential business information, including COVID-19 research. On 7 July 2020, a federal grand jury in Washington returned an 11-count indictment charging Li Xiaoyu and Dong Jiazhi, both nationals and residents of China, with hacking into the computer systems of hundreds of victim companies, governments, non-governmental organizations and individual dissidents, clergy and democratic and human rights activists in the United States and abroad. The defendants in some instances acted for their own personal financial gain, and in others for the benefit of the Ministry of State Security or other Chinese government agencies. The hackers stole terabytes of data which comprised a sophisticated and prolific threat to US networks. The indictment alleges that Li and Dong, who were trained in computer applications technologies at the same Chinese university, conducted a hacking campaign that began more than ten years ago and lasted until the present, targeting companies in countries with high technology industries. Targeted industries included high-tech manufacturing; medical device, civil and industrial engineering; business, educational and gaming software; solar energy; pharmaceuticals; and defense. More recently, the defendants probed for vulnerabilities in computer networks of companies developing COVID19 vaccines, testing technology and treatments (IPEC 2022). On 30 July 2020, former Ohio woman Li Chen pleaded guilty to conspiring to steal scientific trade secrets and conspiring to commit wire fraud concerning the research, identification and treatment of a range of pediatric medical conditions. Chen admitted to stealing scientific trade secrets related to exosomes and exosome isolation from Nationwide Children’s Hospital’s Research Institute for her own personal financial gain. Chen worked in a medical research laboratory at the Research Institute for 10 years, from 2008 until 2018. According to her plea agreement, Chen conspired to steal and then monetize one of the trade secrets by creating and selling exosome ‘isolation kits.’ Chen admitted to starting a company in China to sell the kits. Chen received benefits from the Chinese government, including the State Administration

102

H. Nasheri

of Foreign Expert Affairs and the National Natural Science Foundation of China. Chen also applied to multiple Chinese government talent plans, a method used by China to transfer foreign research and technology to the Chinese government. As part of her plea, Chen has agreed to forfeit approximately US$1.4 million, 500,000 shares of common stock of Avalon GloboCare Corp., and 400 shares of common stock of GenExosome Technologies Inc (IPEC 2022). On 31 August 2020, Hao Zhang, of China, was sentenced to 18 months in federal prison and ordered to pay US$476,835 in restitution following his conviction at trial on charges of economic espionage, theft of trade secrets and conspiring to commit both offenses. Evidence submitted during the course of the four-day bench trial demonstrated that, from 2010 to 2015, Zhang conspired to and did steal trade secrets from two companies: Avago, a designer, developer and global supplier of a broad range of analog, digital, mixed signal and optoelectronics components and subsystems with a focus in semiconductor design and processing, headquartered in San Jose, California and Singapore; and Skyworks, an innovator of high-performance analog semiconductors headquartered in Woburn, Massachusetts. The district court found that Zhang intended to steal the trade secrets for the benefit of China. Evidence further showed that, in October 2006, Zhang and his coconspirators started a business in China to compete with Avago and Skyworks. Zhang and Wei Pang, one of Zhang’s co-conspirators, illicitly shared trade secrets with each other and with co-conspirators in China while they worked for the US companies. Zhang and Pang then connected their venture to Tianjin University (TJU) in China, an instrumentality of the Chinese government. By 2009, they left their work in the United States to relocate to China, following a plan laid out by TJU officials to form another company, Novana, in the Cayman Islands. During that time, Zhang obtained patents in his own name using trade secret information stolen from Avago. Additional evidence demonstrated that Zhang engaged in economic espionage to help TJU and Zhang’s Chinese company unfairly compete in the multi-billion-dollar global market for cell phone RF filters (IPEC 2022).

5 State-Sponsored Economic Espionage in Cyberspace …

103

Economic Espionage (18 U.S.C. § 1831) On 28 May 2021, four nationals and residents of the People’s Republic of China were charged with a campaign to hack into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018. The indictment, which was unsealed on 16 July 2021, alleges that much of the conspiracy’s theft was focused on information that was of significant economic benefit to China’s companies and commercial sectors, including information that would allow the circumvention of lengthy and resource-intensive research and development processes. The defendants and their Hainan State Security Department (HSSD) conspirators sought to obfuscate the Chinese government’s role in such theft by establishing a front company, Hainan Xiandun Technology Development Co., Ltd. (Hainan Xiandun), since disbanded, to operate out of Haikou, Hainan Province. The two-count indictment alleges that Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin were HSSD officers responsible for coordinating, facilitating and managing computer hackers and linguists at Hainan Xiandun and other China Ministry of State Security (MSS) front companies to conduct hacking for the benefit of China and its state-owned and sponsored instrumentalities. The indictment alleges that Wu Shurong was a computer hacker who, as part of his job duties at Hainan Xiandun, created malware, hacked into computer systems operated by foreign governments, companies and universities and supervised other Hainan Xiandun hackers. The conspiracy’s hacking campaign targeted victims across the world. Targeted industries included, among others, aviation, defense, education, government, health care, biopharmaceutical and maritime. Stolen trade secrets and confidential business information included sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway development projects). As alleged, the charged MSS Officers coordinated with staff and professors at various universities in Hainan and elsewhere in China to

104

H. Nasheri

further the conspiracy’s goals. Not only did such universities assist the MSS in identifying and recruiting hackers and linguists to penetrate and steal from the computer networks of targeted entities, including peers at many foreign universities, but personnel at one identified Hainanbased university also helped support and manage Hainan Xiandun as a front company, including through payroll, benefits and a mailing address. According to the indictment, to gain initial access to victim networks, the conspiracy sent fraudulent spear phishing emails that were buttressed by fictitious online profiles and contained links to doppelgänger domain names, which were created to mimic or resemble the domains of legitimate companies. In some instances, the conspiracy used hijacked credentials, and the access they provided, to launch spear phishing campaigns against other users within the same victim entity or at other targeted entities. The conspiracy also used multiple and evolving sets of sophisticated malwares, including both publicly available and customized malware, to obtain, expand and maintain unauthorized access to victim computers and networks. The conspiracy’s malware included those identified by security researchers as BADFLICK, aka GreenCrash; PHOTO, aka Derusbi; MURKYTOP, aka mt.exe; and HOMEFRY, aka dp.dll. Such malware allowed for initial and continued intrusions into victim systems, lateral movement within a system, and theft of credentials, including administrator passwords. The conspiracy often used anonymizer services, such as The Onion Router (TOR), to access malware on victim networks and manage their hacking infrastructure, including servers, domains and email accounts. The conspiracy further attempted to obscure its hacking activities through other third-party services. For example, the conspiracy used GitHub to both store malware and stolen data, which was concealed using steganography. The conspiracy also used Dropbox Application Programming Interface (API) keys in commands to upload stolen data directly to conspiracy-controlled Dropbox accounts to make it appear to network defenders that such data exfiltration was an employee’s legitimate use of the Dropbox service (SDCA, NSD, FBI) (The United States Department of Justice 2021).

5 State-Sponsored Economic Espionage in Cyberspace …

105

Why Is This Important? Businesses and governments have increasingly moved toward digital infrastructure in their operational activities resulting in employees’ access to more endpoints from more locations than ever before. In a world of connectivity, when everything is linked, security is critical. Automation, globalization, connectivity and the pandemic have accelerated the speed and frequency of economic espionage in cyberspace. COVID-19 created a double-disruption scenario for employees and employers that had never been experienced prior to the pandemic. The pandemic has created a window of unique opportunity for state-sponsored espionage due to security gaps. A stronger collaboration among the allies on the overall security of the cyberspace is much needed. The ability to anticipate and identify unknown risks and uncertainties becomes an absolute necessity in order to craft a multilateral strategy. There is a need to disrupt and deter statesponsored espionage and to understand the sensitive nature of this threat. Prevention can only work when the necessary defense mechanisms are in place. Lessons learned from the most recent pandemic can provide a better understanding the security risks that results in economic espionage in cyberspace. China has successfully penetrated the US technological sectors through backdoor and hidden data collection mechanisms. There is no clear borderline between competition versus espionage and competition versus confrontation. Advanced allied nations must work together on disruption tactics in order to prevent the threat campaign of the state-sponsored economic espionage and protect their economic superiority and competitiveness. Law enforcement alone cannot keep up or adequately deter state-sponsored espionage. In order to protect and defend against state-sponsored economic espionage advanced nations need to be proactive and act and react quickly and creatively.

106

H. Nasheri

References BoozAllenHamilton. 2022. ‘China’s cyberattack strategy explained’. https:// www.boozallen.com/insights/cyber/chinas-cyberattack-strategy-explained. html#report Accessed 15 December 2022. Cheng, Jonathan. 2020. ‘MarketWatch: China’s economy actually grew in 2020’ Wall Street Journal . https://www.wsj.com/articles/china-is-theonly-major-economy-to-report-economic-growth-for-2020-11610936187 Accessed 21 January 2023. Congress.gov. 2016. ‘S.1890—Defend Trade Secrets Act of 2016: 114th Congress’. https://www.congress.gov/bill/114th-congress/senate-bill/1890 Accessed 15 December 2022. Defend Trade Secrets Act of 2016. https://www.congress.gov/114/plaws/pub l153/PLAW-114publ153.pdf Accessed 15 December 2022. Fried, Ina. 2021. ‘U.S. and key allies accuse China of Microsoft Exchange cyberattacks’ AXIOS. https://www.axios.com/2021/07/19/china-cyberatta cks-nato?stream=top&utm_source=alert&utm_medium=email&utm_cam paign=alerts_all Accessed 15 December 2022. Greig, Jonathan. 2020. ‘Cybersecurity risk grows as thousands of federal employees shift to telecommuting’ TechRepublic. https://www.techrepub lic.com/article/cybersecurity-risks-grow-as-thousands-of-federal-employeesshift-to-telecommuting/?ftag=CMG-01-10aaa1b&ftag=TRE-03-10aaa6b& bhid=28036118512285295119801408296132 Accessed 15 December 2022. Intellectual Property Enforcement Coordinator (IPEC). 2022. ‘Trade secret theft protecting American business from commercial and statesponsored trade secret theft’ Annual Intellectual Property Report to Congress. https://www.whitehouse.gov/wp-content/uploads/2022/09/2021IPEC-Annual-Report-April-2022.pdf Accessed 21 January 2023. Intellectual Property Enforcement Coordinator (IPEC). 2021. Annual Intellectual Property Report to Congress: Technology. https://www.whitehouse.gov/ wp-content/uploads/2022/04/FY21 Accessed 15 December 2022. Nasheri, Hedi. 2018. ‘The impact of intellectual property theft on national and global security’ in Reichel, Philip & Randa, Ryan (eds.) Transnational Crime and Global Security (1st ed.), 73–76. Westport, CT: Praeger. Nasheri, Hedi. 2012. ‘New developments in intelligence and espionage’ World Politics Review.

5 State-Sponsored Economic Espionage in Cyberspace …

107

Nasheri, Hedi. 2005. Economic Espionage and Industrial Spying. Cambridge: Cambridge University Press. Neuman, Scott. 2021. ‘The U.S. has formally accused China of a massive cyberattack on Microsoft’ NPR. https://www.npr.org/2021/07/19/101784 4801/biden-administration-accuses-china-microsoft-hack Ranger, Steve. 2020. ‘The remote-working rush is creating a playground for spies and cybercrooks’ ZDNET . https://www.zdnet.com/article/the-rem ote-working-rush-is-creating-a-playground-for-spies-and-cybercrooks/?ftag= TRE-03-10aaa6b&bhid=28036118512285295119801408296132&mid= 12777543 Accessed 15 December 2022. The United States Department of Justice. 2021. ‘Four Chinese nationals working with the ministry of state security charged with global computer intrusion campaign targeting intellectual property and confidential business information, including infectious disease research’ Washington: Department of Justice Office of Public Affairs. https://www.justice.gov/opa/pr/four-chi nese-nationals-working-ministry-state-security-charged-global-computer-int rusion Accessed 15 December 2022. United States Intellectual Property Enforcement Coordinator. 2019. Annual Intellectual Property Report to Congress. https://www.whitehouse.gov/wp-con tent/uploads/2022/04/FY21-IPEC Accessed 15 December 2022. White House Office of Trade and Manufacturing Policy. 2018. ‘How China’s economic aggression threatens the technologies and intellectual property of the United States and the world’. https://trumpwhitehouse.archives.gov/ briefings-statements/office-trade-manufacturing-policy-report-chinas-eco nomic-aggression-threatens-technologies-intellectual-property-united-statesworld/ Accessed 21 January 2023. World Intellectual Property Organization (WIPO). 2022a. ‘Trade secrets’. http://www.wipo.int/sme/en/ip_business/trade_secrets/trade_secrets.htm Accessed 15 December 2022. World Intellectual Property Organization (WIPO). 2022b. ‘What is intellectual property’ https://www.wipo.int/about-ip/en/ Accessed 11 January 2023. Yeh, Brian T. 2016. ‘Protection of trade secrets: Overview of current law and legislation’ Congressional Research Service (7-5700). https://crsreports.con gress.gov/product/details?prodcode=R43714 Accessed 15 December 2022.

6 Virtual Kidnapping: Online Scams with ‘Asian Characteristics’ During the Pandemic Lennon Yao-Chung Chang, You Zhou, and Duc Huy Phan

Introduction The development of modern digital technologies has made communication easier. For people who are overseas, they can communicate with their family and friends back in their hometown at very low cost. However, the L. Y.-C. Chang (B) School of Information Technology, Deakin University, Melbourne, VIC, Australia e-mail: [email protected] Y. Zhou · D. H. Phan School of Social Sciences, Monash University, Melbourne, VIC, Australia e-mail: [email protected] D. H. Phan e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 R. G. Smith et al. (eds.), Cybercrime in the Pandemic Digital Age and Beyond, Palgrave Studies in Cybercrime and Cybersecurity, https://doi.org/10.1007/978-3-031-29107-4_6

109

110

L. Y.-C. Chang et al.

convenience has also been exploited by cybercriminals. We see the emergence of online scams using new technologies and the internet. While romance scams and advance fee scams are still popular, new scams are designed to target specific groups. The modus operandi of these scams is designed to take into consideration the background, culture and other circumstances related to the victim, thereby making it easier for the scammer to gain trust of their victims and even their family members, thereby making the scam more likely to be successful. Virtual kidnapping is a recent example of this type of well-crafted scam. Virtual kidnapping, as its name suggests, is not real kidnapping. The ‘kidnapper’ has no intention of physically harming the ‘kidnapped’ person and most of the time there is no actual kidnapping involved. It is a type of online scam that originally targets the family of the target by telling them that their child has been kidnapped and demanding that a ransom be paid. Evolving from telecommunications fraud, virtual kidnappers are now targeting the family or friends of international students and travellers. In Australia, several media releases have been issued warning people about this type of fraud which especially targets international students from China. New South Wales Police has observed an increase in reports of virtual kidnapping during the COVID-19 pandemic, believing this to be an operation on an industrial scale (BBC 2020). Challenges exist in investigating such crimes making them profitable for offenders with less risk of detection. Despite the increasing seriousness of virtual kidnapping globally, and especially during the COVID-19 pandemic, academic researchers have paid little attention to it, including to its conceptualisation, developmental trajectory, characteristics and impacts. This chapter focuses on virtual kidnapping that occurred during the COVID-19 pandemic. It introduces virtual kidnapping and the evolution of virtual kidnapping targeting international students. A comparison between virtual kidnapping and traditional online and telecommunications (O&T) fraud and the challenges facing police investigation are also discussed.

6 Virtual Kidnapping: Online Scams with ‘Asian …

111

What Is Virtual Kidnapping? As a crime type that emerged after the development of telecommunication technologies, virtual kidnapping has not been given a uniform definition by scholars. Given the development of various forms of virtual kidnapping around the world, it has been described in different ways. In this chapter, we adopt the definition that mass media and governmental institutions have used over recent decades (e.g. FBI 2022; Matthews 2021; Mallick 2020; NIH 2022). We have used an inclusive definition of virtual kidnapping as ‘an online fraud scheme in which scammers manipulate fake kidnapping for “ransom” through non-contact ways’. These ways include phones, social media and other online platforms. Normally, in the case of virtual kidnapping, there are two types of victim: On the one hand are victims who are ‘virtually kidnapped’ themselves. This is usually the child or student. In some recent cases, travellers have also been targeted. Although we say they are victims, some of them might not even know that they have been ‘kidnapped’. In virtual kidnapping targeting international students, some students might become involved through a process of complying with so called ‘authorities’. In one Australian case, for example, scammers pretended to be officials from the Chinese Embassy and told students that they had been caught up in organised crime. The Embassy imposter asked them for their cooperation in the crime investigation. Some students were accommodated in a ‘safe place’ during the process of the crime investigation ostensibly for their own protection. They were isolated without connectivity and asked not to contact any person in accordance with the investigation procedure. As Chen et al. (2018) argued, Chinese students are normally educated to be obedient and to follow the instructions of the authorities such as teachers and government officials. Accordingly, when a student receives a phone call from a ‘government official’, they tend to believe the narrative and follow what the ‘official’ tells them to do. On the other hand are victims who receive a demand to pay a ‘ransom’ for the release of a ‘virtually kidnapped’ person. In this scenario, the students are isolated or asked not to get in contact with anyone. The scammers call their parents back in China, telling them that their child

112

L. Y.-C. Chang et al.

has been kidnapped and asking them to pay a ransom. By keeping the student incommunicado, family members are not able to get in contact with their children overseas and this adds to their anxiety. Sometimes scammers will send fake photos to parents to show that their child has been kidnapped, making the virtual kidnapping appear more real. And as most parents might not know any of their children’s friends and classmates overseas, there are limited ways for the parents to get in touch with their children or to verify whether the kidnapping is real. Consequently, some parents consider this to be a real event and pay the ransom to secure the release of their children. This is a critical tactic utilised by scammers to gain trust from parents in China (Chang 2018). Strictly enforced COVID-19-related travel restrictions might further contribute to this communication barrier and make it even more difficult for parents in China to verify whether their child had been kidnapped. According to New South Wales Police, there were at least eight cases in 2020 in New South Wales alone, including one case in which a ransom of A$2 million was paid (BBC 2020).

Virtual Kidnapping and Other Online and Telecommunications Fraud Virtual kidnapping is a specific type of online and telecommunications (O&T) fraud, which shares some similarity with other O&T fraud but also has its own characteristics. Similar to other O&T fraud, virtual kidnapping’s central objective is to obtain a financial benefit fraudulently. Technology is used to perpetrate the scam and its manipulative nature is the key to achieve the fraudulent objectives. It does not usually involve any physical harm, as the criminals do not want to draw unnecessary attention from law enforcement agencies. However, the financial loss and psychological distress can cause considerable suffering for all victims. Most O&T fraud and traditional fraud, such as romance scams, tend to manipulate victims’ positive desires (e.g. monetary gain, relationships, sexual needs and other physical and psychological desires) and avoidance of low-valence negative factors (e.g. authority checks, fear of crime and avoidance of illness or threats of harm of death). Thus, it is conceivable

6 Virtual Kidnapping: Online Scams with ‘Asian …

113

that virtual kidnapping might cause more psychological stress compared with other O&T fraud. The whole process of virtual kidnapping also tends to be more intensive than other O&T fraud which build trust through manipulation of long-term relationships (e.g. romance fraud, investment fraud and health fraud). One salient reason for the crime’s aggravated intensity is its fragility—the fraudulent nature will be recognised at the moment when later contact has been made between the virtually kidnapped and family members. Virtual kidnapping also differs through its use of selective targeting. Due to the absence of a support network, international and compliant students from China make good targets for scammers to manipulate.

The Role of Emotions on Decision-Making Creating immediate and intense fear and horror are common tactics of virtual kidnapping scammers. The effects of immediate emotions on decision-making (Loewenstein and Lerner 2003) may provide the theoretical underpinnings for understanding virtual kidnapping. Loewenstein and Lerner (2003) suggested that the emotions experienced at the time of making decisions (immediate emotions) can exert a different spectrum of effects on decision-making, which may lead to behaviours that are opposed to self-interest. Immediate emotions can alter an individual’s perceptions of the probability and outcomes of the expected choices or alter the quantity and quality of decision-related cues (Loewenstein and Lerner 2003). With increasing intensity of a decision-maker’s immediate emotions, these emotions will progressively take control of cognitive functioning and generate attachment to relieve or acquire the stimulations caused by immediate emotions (Loewenstein 1996). The larger the extent to which emotions work as the determinants of decision-making, the more susceptible the target will be to virtual kidnapping scams. Different strategies have been used by virtual kidnapping scammers to create immediate and intensive fears. For example, the claim of ‘kidnapping’ (e.g. your son is in my hands) and the demand for ransom (e.g. money or body) are enough to induce immediate fear, though the emotion can be instantly eliminated after discovering that it is a

114

L. Y.-C. Chang et al.

scam. However, if contact between family members and the virtually kidnapped cannot be achieved (communication disconnection), then the family member’s immediate level of fear tends to grow. In many cases, the virtual kidnapping scammers add the sounds of crying and yelling in the background (GKIS 2022), utilising the low acoustic quality of telecommunication devices to create the illusion of kidnapping, exacerbating the target’s immediate fear and horror. In some recent cases in Chinese communities, virtual kidnapping scammers have even managed to force the virtually kidnapped to film a fake kidnapping video (BBC 2020), generating among family members a heightened level of immediate negative emotions. The immediate negative emotions can be further intensified by the threat of a deadline for the ‘ransom’—another strategy used to arouse emotions to achieve the goals of the scam.

The Evolution of Virtual Kidnapping Based on the methods used by virtual kidnapping scammers, virtual kidnapping can be categorised into three generations.

First Generation: Phone Scams The first generation of virtual kidnapping started in the early 1990s when mobile phones were not prevalent, especially for children. During that phase, virtual kidnapping scammers usually acquired contact details and identity information through labour-intensive methods, such as stalking and purchasing personal data (Adams 2007), or making calls to selected groups such as individuals in the age range of 30 to 55 years whose children or partners were assumed to be out of the reach of telecommunications devices. The absence of telecommunications devices was used by scammers to establish communication disconnection, thus manipulating the family member’s perception that the loved one has been kidnapped. Due to the fact that communication disconnection could not last for long, scammers asked for a small amount of ransom to achieve a quick result In first-generation virtual kidnapping, the deception strategies

6 Virtual Kidnapping: Online Scams with ‘Asian …

115

mainly targeted family members without directly involving the virtually kidnapped. Southeast Asia and South America were the areas that experienced most of the first-generation virtual kidnapping cases (Chang 2018; ThreatRate 2008).

Second Generation: Internet Frauds Stepping into the twenty-first century, the international pervasiveness of the internet facilitated the evolution of virtual kidnapping. Internet infrastructure became part of the process of virtual kidnapping, whereas labour-involved methods became marginalised. Hacking and online stalking became the common ways to obtain personal details and travel plans (Baidu 2020; Tuohy 2019). Individuals who had long-stay journey travel plans and whose destinations were out of signal coverage were more likely to be targeted. In these cases, the spatial and temporal distance between the virtually kidnapped and their family members were used to create and maintain communication disconnection. Due to the increased richness of personal information collected by scammers, the storytelling of virtual kidnapping became more convincing to family members, with the amount of ransom rising at the same time, ranging from US$1,000 to $2,000 (Drake 2021). Nevertheless, one similarity between the firstgeneration and the second-generation scams is that family members are the principal targets in second-generation scams. Based on current observations, this form of virtual kidnapping remains the dominant status in many regions today.

Third Generation: Targeted Virtual Kidnapping With the industrialisation of the black market in identity crime in recent years (especially during the COVID-19 pandemic), third-generation virtual kidnapping emerged, showing features of systematic filtering, accurate targeting and tailored manipulation of scams. With the abundance of identity crime in China, fraud gangs now prefer purchasing stolen identity information to collecting victims’ information by themselves (Baidu 2020). Based on the richness of personal information that

116

L. Y.-C. Chang et al.

can be acquired, scammers can conduct systematic filtering to target individuals more accurately than in the past, making them more vulnerable to virtual kidnapping. Tailored stories that incorporate manipulative strategies and deceptive tactics are then designed in accordance with the target’s vulnerabilities (Baidu 2020), with the aim of improving the success rate of scams. In the case of third-generation virtual kidnapping, the virtually kidnapped and family members are both manipulated and defrauded. In general, scammers first use deceptive tactics to keep the virtually kidnapped socially disconnected for a fixed time, such as by requiring them to turn off mobile phones, hide in hotel rooms and stay disconnected from others. During this time, scammers will contact their family members and demand the ransom. Since this generation involves manipulation of both types of victims, it is more complicated to meet the fraudulent goals than with former methods. However, once the goals are met, the loss is considerably higher than in previous generations of virtual kidnapping. International Chinese communities have suffered the most from third-generation virtual kidnapping (Bucci 2020; University of Victoria 2020; Xiao 2020).

Theoretical Underpinnings Since 2020, people throughout the world have been confronting the challenges of the life-changing public health crisis—the Coronavirus (COVID-19) pandemic. The emergence and persistence of COVID-19 not only pose threats to physical and psychological well-being but have also led to multi-faceted alterations in routine life. Travel restrictions and quarantine policies limited mobility, creating physical distance between individuals. Online routine activities and work/study from home then became more popular amid COVID-19 (ACMA, 2021). According to the International Telecommunication Union (2022), under the influence of COVID-19, global internet users increased substantially from 4.1 billion in 2019 to 4.6 billion in 2020. During the period of COVID-19, virtual kidnapping also experienced a boost, especially targeting those in Chinese communities. According to Internet Crime Reports (FBI 2020, 2021), extortion fraud increased by

6 Virtual Kidnapping: Online Scams with ‘Asian …

117

78% during the early years of the COVID-19 pandemic, rising from 43,101 cases in 2019 to 76,741 in 2020. In Australia, 54 cases of virtual kidnapping were reported to the Australian Federal Police in 2020— double the figure (25) in 2018 (Mallick 2020; SBS 2018). Specifically, the reported cases show an emerging trend, with Chinese communities becoming the primary target of scammers (Bucci 2020; Mallick 2020). In July 2020, New South Wales Police issued a warning to Chinese international students in order to raise their awareness and be vigilant of virtual kidnappers. Similar official notices were also issued in other nations including the US (FBI 2022), the UK (EPRCUK 2022), Canada (VICPD 2020) and Singapore (Singapore Police Force 2020). Given its international prevalence, it is important to understand the reasons for the rapid development of scams targeting Chinese communities in the period of COVID-19 pandemic. Routine activity theory is, arguably, the most appropriate theory to understand why the surge in internet usage during the COVID-19 pandemic contributed to an increase in virtual kidnapping. Cohen and Felson’s (1979) theory of routine activities would explain the increased risk of victimisation being due to increased online exposure to motivated offenders. Due to the surge in internet usage with online activity increasing in frequency, duration and intensity, many ‘netizens’ (internet citizens) were exposed to motivated offenders, such as identity theft gangs and virtual kidnapping scammers. This increased exposure led not only to closer proximity between potential victims and offenders but also increased the motivation of offenders who saw increased opportunities for financial gain. While online routine activity theory offers interpretations for escalated victimisation of virtual kidnapping, the theory’s applicability has been restrained in explaining the phenomenon of targeting Chinese communities, leading to a search for the reasons from a practical perspective. Turning to the question of why Chinese community members were targeted more than others, routine activity theory could offer a number of possible explanations. The rapid development of the black market in identity credentials in China could be a critical factor for understanding why Chinese communities were at increased risk of victimisation of

118

L. Y.-C. Chang et al.

virtual kidnapping in recent years. Referring to the notion of market illegality, any market that meets one of the following criteria can be defined as a black market: (1) illegal products, (2) illegal market exchange, (3) exchange due to theft or forgery and (4) other violations of regulatory stipulations (Beckert and Wehinger 2011). Baidu (2020) suggests that hacking, insider leaking of personal information and private selling are the three major streams of the black market for Chinese identity theft. The hacking stream usually involves ‘credential stuffing’ (using stolen account credentials to gain access to the system), web crawlers and malware (Baidu 2020). Insider leaking denotes illegal identity selling by employees from financial, medical, commercial, telecommunications and other service-providing systems (Baidu 2020). The private selling stream refers to business conducted by the identity’s owners who have lower levels of identity-protection awareness or who are driven by profit motivations (Baidu 2020). A stolen identity involves obtaining any personal information that can be used for financial gain, such as account numbers, phone numbers, bank account information, travel information, online transaction records and online identity credentials (e.g. WeChat, online games, financial apps). Recent reports have shown a proliferation in identity theft on the black market during the COVID-19 pandemic, particularly involving Chinese offenders. For example, identity-related crimes increased by 300 per cent since the commencement of the pandemic in China (SPP 2022a). In particular, crimes involving illegal information networks and crimes involving O&T fraud, experienced an increase of 800 per cent in China between the first and second year of the COVID-19 pandemic (SPP 2022b). The pervasiveness of identity theft in Chinese society has provided fertile ground for virtual kidnapping scams, which require a higher level of information richness (e.g. travel records, contact details, financial background) than other types of fraud.

6 Virtual Kidnapping: Online Scams with ‘Asian …

119

Challenges Facing Virtual Kidnapping Investigations Similar to other O&T frauds, virtual kidnapping is also a ‘call-centre type’ scam. Call centres are usually operated outside the country where the victims, both students and parents, are located. For the cases in Australia, the real victims, the parents of the international students, are in China, not in Australia. The location of both perpetrators and victims outside Australia raises a question over jurisdiction; that is, whether Australian law enforcement has jurisdiction over these matters. Where both offenders and the victims who experience a financial loss are both located in China, then it is unlikely that an Australian court would have jurisdiction—simply due to the presence of the student in Australia (see Chapter 7 for further discussion of these jurisdictional questions). Apart from these jurisdictional concerns, the trans-border character of this type of crime makes it difficult for law enforcement agencies to establish swift cooperation with other foreign law enforcement agencies for the purposes of conducting investigations. While the cases of virtual kidnapping have been on the rise in recent years, the number of successful investigations leading to the arrest of scammers is still limited. In Spain, for instance, only 17 suspects have been arrested among the 1,474 reported cases of this type of fraud in the period 2015 to 2020 (López-Fonseca 2020). In Australia, Scamwatch received more than 2,000 reports of virtual kidnapping targeting the Chinese community between January and November 2020 with a total loss of A$6.6 million, but the clearance rate for this type of crime remains unclear (ACCC, n.d.). The transnational nature of virtual kidnapping and difficulties in international police cooperation present challenges for police in all countries in investigating such crimes. First, and foremost, the transnational nature of the crime constrains the power of a single national law enforcement agency. In most discovered cases so far, victims, their relatives and the fraudsters have been located in different parts of the world (LópezFonseca 2020). Thanks to the development of technology, offenders can make a fraudulent call from a remote location and receive the ransom payment in another. For instance, in a case handled by the

120

L. Y.-C. Chang et al.

US Federal Bureau of Investigation (FBI) in 2017, a prisoner in jail in Mexico defrauded dozens of victims in the US with money being received by his accomplices in another location (FBI 2017). In another case, many victims in Spain were scammed by perpetrators located in a South American country (López-Fonseca 2020). Call centres used by virtual kidnappers can be set up in various countries such as the Philippines, Indonesia and Thailand to make phone calls to victims while the ransom is required to be transferred to a third country to avoid detection and seizure by law enforcement agencies (Focus Taiwan 2022; Ngamkham 2022; South China Morning Post 2019). In one Sydney case, money was transferred to the Bahamas which was a proscribed nation for money laundering in 2020 (Reuters 2020). Because multiple locations are involved in virtual kidnapping, an investigation cannot be done solely by a single law enforcement agency but demands cooperation from law enforcement agencies from relevant countries. International cooperation has become one of the key measures to combat online scams. The close cooperation between Philippine and Chinese authorities led to the arrest of hundreds of suspects in 2019 in Manila (South China Morning Post 2019). Also, in 2022, cooperation between Taiwanese police and Indonesian police led to the arrest of 24 Taiwanese and Chinese suspects (Focus Taiwan 2022). Nevertheless, international cooperation by law enforcement agencies against virtual kidnapping still faces barriers. To respond to these, two mechanisms are discussed below, including formal and informal cooperation among law enforcement agencies.

Combating Virtual Kidnapping Formal cooperation in criminal justice proceedings is based on mutual legal assistance (MLA) treaties signed by relevant nation states (UNODC 2013). To seek legal assistance from other countries, the requesting state sends a formal letter of request (Letters Rogatory) to the requested state through designated central agencies such offices of the AttorneyGeneral through diplomatic channels. As information collected through

6 Virtual Kidnapping: Online Scams with ‘Asian …

121

this channel is backed by solid international legal instruments, it can be used as evidence in criminal proceedings. However, such avenues of formal cooperation tend to be a slow and cumbersome way of working (De Busser 2018). Numerous steps through many transitional institutions for the sending and receiving of documents between two different criminal justice systems need to be navigated, with the outcomes rarely matching the fast pace of virtual kidnapping in the contemporary world. For instance, while ransom payments can be wired to bank accounts opened in overseas countries and disposed of in a short period of time, formal cooperation can take up to ten months to be completed (European Commission 2018). This long timeframe for mutual legal assistance gives perpetrators more time to erase digital evidence, dispose of money and travel to other countries to avoid arrest. Due to the cumbersome nature of mutual legal assistance requests, law enforcement officers only use this means when it is required for a trial (Perras 2017). Additionally, the effectiveness of assistance is limited to the countries which have treaties with the requesting country. Finally, the effectiveness of cooperation also relies on the extent to which the countries have positive diplomatic relationships (Chang 2012; De Busser 2018). While formal cooperation needs to be conducted via a central contact point, informal cooperation can be implemented via direct contact between law enforcement agencies or via police liaison officers. Compared to the formal channel, informal cooperation is more flexible and faster in collecting necessary information (Perras 2017). Some international law enforcement organisations, including INTERPOL, ASEANAPOL, EUROPOL, promote their own communication channels for sharing information and intelligence among members. For instance, 195 members of INTERPOL can send and receive requests from other members in minutes via its 24/7 secure communications system. Members of the Council of Europe Convention on Cybercrime (Budapest Convention) are also bound to provide necessary assistance to other members (Council of Europe 2020). The Budapest Convention has created its Octopus Platform and a 24/7 network of contact points which facilitates timely information exchange among its parties in emergency cases (Council of Europe 2022). Recently, recognising the

122

L. Y.-C. Chang et al.

limitation of formal mutual legal assistance in dealing with the spread of cybercrime, the Budapest Convention’s Second Additional Protocol on Enhanced Co-operation and Disclosure of Electronic Evidence was finalised and opened for signature on 12 May 2022 (Council of Europe 2022). The additional Protocol allows a competent authority of a Party to request subscriber information and registration information from service providers in another party (Council of Europe 2022). Consequently, it allows law enforcement agencies to better cope with the speed of virtual kidnapping and other types of O&T fraud. However, as it is based on reciprocity, informal cooperation with un-cooperative counterparts can be limited. In some cases, police in a third country where the offenders are located are reluctant to cooperate because the victims and their relatives are not their citizens. Additionally, requested parties are not bound by a strong legal framework like a treaty, and their power to collect sensitive evidence may be limited by national laws. For instance, in the US a request via formal channels is required to obtain documentary information stored by private organisations such as banks and telecommunication companies (Perras 2017). In addition to the above-mentioned challenges in international cooperation, the COVID-19 pandemic created more burdens for law enforcement in combating cyber fraud. During COVID-19, while online frauds were increasing, law enforcement agencies witnessed a shortage of staff because of sickness or self-isolation (Frenkel et al. 2021; Levi and Smith 2022; Ma and McKinnon 2022; Stogner et al. 2020). Law enforcement officers remaining at work also experienced stress from their additional workload during COVID-19 (Frenkel et al. 2021). Finally, restricted international travel deterred joint investigations among police forces in different jurisdictions. Another issue faced by police in dealing with virtual kidnapping is its dark figure. Police chiefs from different countries have stated that a substantial number of victims of virtual kidnapping do not report the crime to police (Kelly 2019). Thus, the number of reported cases does not reflect accurately the whole picture of virtual kidnapping in several countries to date. The low rates of reporting to police can be explained by the psychological effects suffered by the victims and their fragile trust in the success of investigation. Victims of the crime are also traumatised and

6 Virtual Kidnapping: Online Scams with ‘Asian …

123

embarrassed by being tricked and are fearful of revenge (Victoria Police 2019). Some have even blamed themselves for placing themselves, and their loved ones, in real danger (Cave 2020). Moreover, they are fearful of revenge by criminal gangs and fear that they might still be kidnapped. In some cases, the victims do not consider their financial loss to be significant enough to take time to report it (Kelly 2019). For them, the life of their children is more important than the money they lost. Additionally, victims believe that it is difficult for law enforcement agencies to arrest the scammers (FBI 2017). They are also told that the amount of lost money is not enough for a major investigation (FBI 2017). The failure to report cases may result in a proportion of criminals being free to defraud other victims in the future.

Ways Forward As challenges in policing virtual kidnapping remain, preventive measures should be prioritised in the strategy to counter this type of crime. Raising public awareness has been proven as an effective way to prevent many types of crime including cybercrime. It is a way to harden the target before attacks from perpetrators. Raising public awareness can be considered as the main preventive measure against virtual kidnapping. As offenders conduct cold-calling or use robocalls to approach any person, people should be equipped with necessary information on the common modus operandi of fraudsters, how to protect their personal information on social networks and what they should do when they receive odd phone calls which look like they are from legitimate authorities. Crucial information can be disseminated frequently and widely via social media, social network accounts and social organisations such as student associations. Additionally, the importance of reporting crimes to the police should be emphasised to encourage hidden victims to feel comfortable reporting incidents. Such awareness-raising campaigns should be done in both countries where students and their parents are located. It is also important that the design of awareness-raising programmes should take into account different cultures and languages. Similarly, to prevent students from falling into this type of scam, the message

124

L. Y.-C. Chang et al.

needs to be tailored to international student groups and conveyed in a medium that they use. While the Australian government is raising awareness by disseminating messages relating to virtual kidnapping, the channels that are used might not be the ones through which international students receive messages. Also, the advertisements on TV and social media such as Facebook are not designed specifically for international students. Governments might consider working with NGOs or organisations that have connections with international students or with people with knowledge of the relevant culture and language to design an effective communication strategy. Moreover, it is suggested police utilise effective mechanisms for cooperation among law enforcement agencies in different countries. O&T fraudsters can be seen as ‘cybercrime nomads’ as they move from one country to another within short period of crime to avoid crime investigation. As formal cooperation based on MLA treaties is often timeconsuming, informal cooperation should be prioritised in urgent cases to keep up with the speed of the crime and quickly identify perpetrators and collect digital evidence. Existing mechanism of cooperation including the I-24/7 system of INTERPOL, G8 24/7 High Tech Crime Network and the 24/7 network of contacts of parties to the Budapest Convention which allow a police force to contact quickly its counterparts should be utilised to speed up police investigation. Additionally, law enforcement agencies of relevant countries should establish joint task forces to investigate multinational cases.

Conclusion Virtual kidnapping has existed since the start of the internet age and continues to evolve. The COVID-19 pandemic expanded the opportunities for scammers to conduct virtual kidnapping targeting international students. Like other O&T fraud, the transnational character of virtual kidnapping remains the main barrier for crime investigation due to the difficulties in international police collaboration. We argue that the roles of international organisations such as INTERPOL are becoming more

6 Virtual Kidnapping: Online Scams with ‘Asian …

125

important in combating this phenomenon. Raising awareness is also important to prevent more people from becoming victims. Unlike other O&T fraud, virtual kidnapping is designed to target specific groups with certain cultural and language characteristics. We recommend that for an awareness-raising programme to be successful, it is crucial to take into consideration culture and language barriers. Innovative programmes need to be proposed so that messages can be disseminated to the target group quickly and effectively.

References Adams, Lisa J. 2007. ‘Virtual kidnappings’ evoke real fear. http://www.bander asnews.com/0705/nw-virtualkidnappings.htm Accessed 16 January 2023. Australian Competition and Consumer Commission (ACCC). 2020. Targeting scams: Report of the ACCC on scams activity 2020. https://www.accc. gov.au/system/files/Targeting%20scams%20-%20report%20of%20the% 20ACCC%20on%20scams%20activity%202020%20v2.pdf Accessed 16 January 2023. Australian Competition and Consumer Commission (ACCC). (n.d.). Chinese authority scams. https://www.scamwatch.gov.au/types-of-scams/threats-ext ortion/chinese-authority-scams Accessed 6 July 2022. Australian Communications and Media Authority (ACMA). 2021. Trends and developments in telecommunications 2020–2021. https://www.acma.gov.au/ sites/default/files/2021-12/Trends%20and%20developments%20in%20tele communications%202020-21_0.pdf. Accessed 16 January 2023. Baidu. 2020. 2020 Online black and grey markets crime research report. https:// www.secrss.com/articles/26793 Accessed 16 January 2023. BBC. 2020. Chinese students in Australia targeted in virtual kidnapping scam. https://www.bbc.com/news/world-australia-53549933. Accessed 20 June 2022. Beckert, Jens and Wehinger, Frank. 2011. In the shadow: Illegal markets and economic sociology. MPIfG Discussion Paper 11/9. Cologne: Max Planck Institute for the Study of Societies.

126

L. Y.-C. Chang et al.

Bucci, Nino. 2020. Bizarre virtual kidnapping in Australia highlights risk to Chinese students. https://www.theguardian.com/australia-news/2020/sep/26/ bizarre-virtual-kidnapping-in-australia-highlights-risk-to-chinese-students. Accessed 16 January 2023. Cave, D. 2020. ‘Australia says Chinese students are targets in ‘virtual kidnapping’ scams’ The New York Times. https://www.nytimes.com/2020/07/ 28/world/australia/chinese-students-virtual-kidnapping.html Accessed 16 January 2023. Chang, Lennon. 2018. New ‘virtual kidnapping’ scam targeting Chinese students makes use of data shared online. https://theconversation.com/new-virtual-kid napping-scam-targeting-chinese-students-makes-use-of-data-shared-online96910. Accessed 16 January 2023. Chang, Yao-Chung. 2012. Cybercrime in the greater China region: Regulatory responses and crime prevention across the Taiwan Strait. Cheltenham: Edward Elgar Publishing. Chen, Shih-Wen Sue, Lau, Sin Wen and Chang, Lennon Yao-chung. 2018. ‘“We are all useful people”: Useful children and the notion of Guai in transnational Chinese cinema’ in Olson Debbie (ed.) The child in world cinema (1st ed.), 409–430. London: Rowman & Littlefield Publishers. Cohen, Lawrence E. and Felson, Marcus. 1979. ‘Social change and crime rate trends: A routine activity approach’ American Sociological Review, 588–608. Council of Europe. 2020. The Budapest convention on cybercrime: Benefits and impact in practice. https://rm.coe.int/t-cy-2020-16-bc-benefits-rep-pro visional/16809ef6ac Accessed 16 January 2023. Council of Europe. 2022. Convention on cybercrime. https://rm.coe.int/ booklets-bc-2-protocols-guidance-notes-en-2022/1680a6992a Accessed 16 January 2023. De Busser, Els. 2018. ‘The digital unfitness of mutual legal assistance’ Security and Human Rights, 1–4, 161–179. https://doi.org/10.1163/18750230-028 01008 Accessed 16 January 2023. Drake, Erin. 2021. America during the Covid-19 pandemic. https://insights. s-rminform.com/virtual-kidnappings-in-north-america Accessed 16 January 2023. Embassy of the People’s Republic of China in the United Kingdom. 2022. Remind Chinese citizens in the UK to prevent telecom fraud [In Chinese]. https://www.mfa.gov.cn/ce/ceuk/chn/lsfw/t1863963.htm Accessed 16 January 2023.

6 Virtual Kidnapping: Online Scams with ‘Asian …

127

European Commission. 2018. Frequently asked questions: New EU rules to obtain electronic evidence. https://ec.europa.eu/commission/presscorner/det ail/el/MEMO_18_3345 Accessed 16 January 2023. Federal Bureau of Investigation (FBI). 2022. FBI Chicago warns public about virtual kidnapping scams. https://www.fbi.gov/contact-us/field-offices/chi cago/news/press-releases/fbi-chicago-warns-public-about-virtual-kidnap ping-scams Accessed 16 January 2023. Federal Bureau of Investigation (FBI). 2021. 2020 Internet Crime Report. https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf Federal Bureau of Investigation (FBI). 2020. 2019 Internet Crime Report. https://www.ic3.gov/Media/PDF/AnnualReport/2019_IC3Report. pdf Accessed 16 January 2023. Federal Bureau of Investigation (FBI). 2017. Virtual kidnapping a new twist on a frightening scam. https://www.fbi.gov/news/stories/virtual-kidnapping Accessed 16 January 2023. Focus Taiwan. 2022. Taiwan, Indonesia police bust Jakarta fraud ring. https:// focustaiwan.tw/society/202203150027 Accessed 16 January 2023. Frenkel, Marie Ottilie, Giessing, Laura, Egger-Lampl, Sebastian, Hutter, Vana, Oudejans, Raoul D., Kleygrewe, Lisanne, Jaspaert, Emma and Plessner, Henning. 2021. ‘The impact of the COVID-19 pandemic on European police officers: Stress, demands, and coping resources’ Journal of Criminal Justice, 72(January–February). https://doi.org/10.1016/j.jcrimjus.2020. 101756 Accessed 16 January 2023. Get Kids Internet Safe. 2022. Virtual kidnapping, a parent’s worst nightmare. How to protect yourself and your family. https://getkidsinternetsafe.com/kid napping Accessed 16 January 2023. International Telecommunication Union. 2022. Internet use. https://www. itu.int/itu-d/reports/statistics/2021/11/15/internet-use/ Accessed 16 January 2023. INTERPOL. 2022. What is INTERPOL? https://www.interpol.int/en/Whowe-are/What-is-INTERPOL Accessed 16 January 2023. Kelly, Samantha Murphy. 2019. ‘Virtual kidnappings are rattling families across the US’ CNN Business. https://edition.cnn.com/2019/05/15/tech/virtualkidnapping/index.html Accessed 16 January 2023. Kircanski, Katharina, Notthoff, Nanna, DeLiema, Marguerite, SamanezLarkin, Gregory R., Shadel, Doug, Mottola, Gary, Carstensen, Laura L. and Gotlib, Ian H. 2018. ‘Emotional arousal may increase susceptibility to fraud in older and younger adults’ Psychology and Aging, 33(2), 325.

128

L. Y.-C. Chang et al.

Levi, Michael and Smith, Russell G. 2022. ‘Fraud and pandemics’ Journal of Financial Crime, 29 (2), 413–432. https://doi.org/10.1108/JFC-06-20210137 Accessed 16 January 2023. Loewenstein, George. 1996. ‘Out of control: Visceral influences on behavior’ Organizational Behavior and Human Decision Processes, 65 (3), 272–292. Loewenstein, George & Lerner, Jennifer S. 2003. ‘The role of affect in decision making’ in Davidson, R., Goldsmith, H. & Scherer, K. (eds.) Handbook of Affective Science, 619–642. Oxford: Oxford University Press. López-Fonseca, Óscar. 2020. ‘The ‘virtual kidnapping’ scam that’s claimed at least 1,500 victims in Spain so far’ EL PAIS. https://english.elpais.com/spa nish_news/2020-03-03/the-virtual-kidnapping-scam-thats-claimed-at-least1500-victims-in-spain-so-far.html Accessed 16 January 2023. Ma, Katelyn Wan Fei and McKinnon, Tammy. 2022. ‘COVID-19 and cyber fraud: Emerging threats during the pandemic’ Journal of Financial Crime, 29 (2), 433–446. https://doi.org/10.1108/JFC-01-2021-0016 Accessed 16 January 2023. Mallick, A. 2020. The rise of virtual kidnapping. https://risklogic.com.au/cyberresilience/the-rise-of-virtual-kidnapping/#:~:text=Virtual%20kidnapping% 20is%20happening%20right%20now&text=The%20NSW%20Police%20r eported%208,reach%20out%20to%20foreign%20authorities Accessed 16 January 2023. Matthews, Jack. 2021. Virtual kidnapping trend grows during the pandemic. https://global.lockton.com/gb/en/news-insights/virtual-kidnapping-trendgrows-during-the-pandemic Accessed 16 January 2023. National Institutes of Health. 2022. Virtual kidnapping ransom scam. https:// ors.od.nih.gov/News/Pages/Beware-of-Virtual-Kidnapping-Ransom-Scam. aspx. Accessed 16 January 2023. Ngamkham, Wassayos. 2022. ‘10 Chinese ‘scammers’ nabbed’ Bangkok Post. https://www.bangkokpost.com/thailand/general/2250763/thai-police-arr est-10-chinese-for-allegedly-running-call-centre-scam-and-online-gambling Accessed 16 January 2023. Perras, C. 2017. ‘Transnational policing and its contexts: Flexibility and (dis) trust’ in Hufnagel, Saskia & McCartney, Carole (eds.) Trust in international police and justice cooperation, 221–240. Oñati International Series in Law and Society. Oxford: Hart Publishing. Reuters. 2020. EU to add Panama, Bahamas, Mauritius to moneylaundering blacklist. https://www.reuters.com/article/eu-moneylaunderingblackslist-idUSL8N2CN6VF Accessed 16 January 2023.

6 Virtual Kidnapping: Online Scams with ‘Asian …

129

SBS. 2018. Dozens of Chinese international students targeted in fake kidnapping scam. https://www.sbs.com.au/news/article/dozens-of-chinese-internationalstudents-targeted-in-fake-kidnapping-scam/sz834akz7 Accessed 16 January 2023. Singapore Police Force. 2020. Police advisory on messages claiming kidnap of loved ones. https://www.police.gov.sg/media-room/news/20200601_others_ police_advisory_on_messages_claiming_kidnap_of_loved_ones Accessed 16 January 2023. South China Morning Post. 2019. 601 Chinese arrested for cybercrimes in the Philippines in less than a week. https://www.scmp.com/news/asia/southeastasia/article/3027741/more-320-chinese-arrested-philippines-illegal-online? module=perpetual_scroll_0&pgtype=article&campaign=3027741 Accessed 16 January 2023. Stogner, John, Miller, Bryan Lee and McLean, Kyle. 2020. ‘Police stress, mental health, and resiliency during the COVID-19 pandemic’ American Journal of Criminal Justice, 45 (4), 718–730. https://doi.org/10.1007/s12103-020-095 48-y Accessed 16 January 2023. Supreme People’s Procuratorate. 2022a. Procuratorial organs actively maintain the security of personal information: Handle more than 2,000 public interest litigation cases in the field of personal information protection in 2021 [In Chinese]. https://www.spp.gov.cn/spp/xwfbh/wsfbh/202203/t20 220302_546333.shtml Accessed 16 January 2023. Supreme People’s Procuratorate. 2022b. Procuratorial organs punish telecommunication and network fraud crimes in the whole chain 40,000 people indicted in 2021 [In Chinese]. https://www.spp.gov.cn/spp/xwfbh/wsfbh/202203/ t20220302_546333.shtml Accessed 16 January 2023. ThreatRate. 2018. Types of kidnappings. https://www.threatrate.com/pages/47types-of-kidnappings Accessed 16 January 2023. Tuoby, John. 2019. The phone call seemed to come from his daughter’s kidnapper. But it was all a scam. https://www.indystar.com/story/news/local/hamiltoncounty/2019/03/15/virtual-kidnapping-cellphone-scheme-prompts-fbi-war ning/3141425002/ Accessed 16 January 2023. United Nations Office on Drugs and Crime. 2013. Draft comprehensive study on cybercrime. https://www.unodc.org/documents/organized-crime/UNODC_ CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf Accessed 16 January 2023.

130

L. Y.-C. Chang et al.

University of Victoria. 2020. Virtual kidnapping scam. https://www.uvic.ca/ international/home/news/current/20200423-news-release-virtual-kidnappin g.php Accessed 16 January 2023. Victoria Police. 2020. Fraud alert | ‘virtual kidnapping’ scam prompts warning. https://vicpd.ca/2020/04/22/fraud-alert-virtual-kidnapping-scamprompts-warning/ Accessed 16 January 2023. Victoria Police. 2019. Virtual kidnapping warning issued. https://vicpd.ca/2019/ 12/24/virtual-kidnapping-warning-issued/ Accessed 16 January 2023. Xiao, Alison. 2020. ‘Chinese student based in Sydney falls victim to ‘virtual kidnapping’ scam’ ABC News, 21 September. https://www.abc.net.au/news/ 2020-09-21/chinese-student-scammed-into-faking-own-kidnapping/126 84784 Accessed 16 January 2023.

7 Lessons in a Time of Pestilence: The Relevance of International Cybercrime Conventions to Controlling Post-Pandemic Cybercrime Jonathan Clough

Introduction On 27 December 2019, the United Nations General Assembly adopted a resolution ‘to establish an open-ended ad hoc intergovernmental committee of experts, representative of all regions, to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes’ (‘Ad Hoc Committee’) (UN General Assembly 2019a). Just over one month later, on 30 January 2020, the World Health Organisation declared SARS-CoV-2 as a ‘Public Health Emergency of International Concern’ (WHO 2020a) and a pandemic on 11 March 2020 (WHO 2020b). Apart from the neat word-play of ‘virus’ being both a vector for cybercrime and for infectious diseases, the connection between these two J. Clough (B) Faculty of Law, Monash University, Melbourne, VIC, Australia e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 R. G. Smith et al. (eds.), Cybercrime in the Pandemic Digital Age and Beyond, Palgrave Studies in Cybercrime and Cybersecurity, https://doi.org/10.1007/978-3-031-29107-4_7

131

132

J. Clough

events might seem tenuous. However, the global response to the latter provides some important insights into the likely success of the former. On the one hand, the countries of the world were supporting an unprecedented and, some would say, improbable level of international cooperation to tackle the challenges of cybercrime. On the other hand, the global networks and structures that would be necessary to tackle a global pandemic would undergo their greatest test in modern history. This chapter considers the current state of international legal responses to cybercrime. It begins with the key lessons for the global community arising from COVID-19, including the proposal for a global pandemic convention. Consideration is then given to the nature of cybercrime, before discussing the Council of Europe Convention on Cybercrime (‘Budapest Convention’), the only binding international instrument currently to address the challenges of cybercrime (Council of Europe 2001a). This is followed by the fundamental question of whether a UN convention would provide a useful and viable alternative, examining key issues including territorial sovereignty, protection of human rights and the importance of norms. It is concluded that an international agreement, aligned with the Budapest Convention, could play a significant role in signalling international consensus on the importance of tackling cybercrime and remove some of the obstacles to effective international cooperation. It will not, however, provide a panacea, and much of the real work will continue at the bilateral and regional level.

Lessons from COVID-19 The COVID-19 pandemic has been described by the Independent Panel for Pandemic Preparedness and Response (‘The Independent Panel’) as ‘the twenty-first century’s Chernobyl moment’ because it revealed the gravity of the risk to global health and well-being and highlighted the need for global leaders to ‘urgently accept their responsibility to transform the way in which the world prepares for and responds to global health threats’ (The Independent Panel 2021, p. 4). Although a global pandemic and cybercrime are quite distinct global challenges, both require high levels of international collaboration, with apparent altruism

7 Lessons in a Time of Pestilence: The Relevance …

133

underwritten by a large amount of self-interest. Despite their differences, many of the findings in relation to COVID-19 provide important insights as to challenges associated with the transnational enforcement of cybercrime. The first is preparedness. A clear finding from the Independent Panel was that the ‘world was not prepared and had ignored warnings’ (The Independent Panel 2021, p. 15). Similarly, the threat of cybercrime has been warned against since at least the advent of modern computing (The White House 1999, p. 16). Governments continue to speak of ‘emerging threats’ when they are no longer emerging but rather evolving. Combating cybercrime has been on the agenda of the UN General Assembly since at least the early 2000s (UNIDR 2017, p. 44). In an area of reform that is notoriously fast moving, almost a quarter of a century has gone past before the resolution on an international convention was passed by the General Assembly. The next issue common to both is the technical capacity to respond. There was a stark contrast in the ability of countries to respond to the pandemic, where some ‘scrambled to get hold of the equipment, supplies, diagnostic tests, advice, funds and workforce they needed to respond’ (The Independent Panel 2021, p. 33). In what was described as ‘vaccine nationalism’ a number of developed countries were ‘able to secure vaccine doses that would be enough to cover 200 per cent of their populations’ (The Independent Panel 2021, p. 41). Similarly, tackling cybercrime can be challenging for well-resourced developed countries let alone less-developed countries. As at 2021, approximately 63 per cent of the world’s population had access to the Internet (International Telecommunications Union 2021, p. 1). Therefore, over one third of the world does not have access and, even within the majority that do, the quality of that access will vary enormously. The challenges are magnified in the case of less-developed countries so that, even if an international agreement was put in place, the capacity of countries to participate effectively in that framework would be extremely varied. It is not surprising that a number of countries emphasised the importance of capacity building and technical assistance in their submission to the convention process (United Nations Office on Drugs and Crime (‘UNODC’) 2022).

134

J. Clough

Despite the absence of an international convention, important capacity building work has been carried out by the United Nations (UNODC n.d.) and the Council of Europe (Council of Europe n.d.), as well as national governments, regional organisations, NGOs and the like. However, capacity building may be undermined if there is seen to be division in the international community as to the approach to be adopted. It is here that the third issue, and the focus of this chapter, is particularly important; the need for an overarching legal framework. The Independent Panel called for a transformation of the global health system. ‘The COVID-19 pandemic has laid bare the lack of high-level political leadership in coordinated global action against the pandemic’ (The Independent Panel 2021, p. 46). Although there had been some progress, any proposed transformation would require ‘robust international governance’, supported by international legal instruments (The Independent Panel 2021, pp. 46–7). Similarly, an international cybercrime convention has the potential to support broader global efforts of preparedness and to provide an internationally agreed framework upon which to base capacity building efforts. However, the content of an overarching response to a global pandemic is vastly different to the requirements necessary to combat cybercrime.

Know Your Enemy: Defining the Problem Although widely used in policy and academic discussions, the term ‘cybercrime’ remains without international definition. Nonetheless, it is generally accepted to encompass three distinct categories of crime (McGuire and Dowling 2013, p. 5). First, are so-called cyber-dependent crimes where information and communication technologies (‘ICTs’) are the target of the offending, for example, unauthorised access or modification of data and Distributed Denial of Service (‘DDoS’) attacks. Second, are ‘cyber-enabled’ crimes which are ‘traditional crimes that are increased in their scale or reach by the use of computers, computer networks or other ICT’ (McGuire and Dowling 2013, p. 5), for example, fraud, child exploitation and harassment. Third, there are those crimes where

7 Lessons in a Time of Pestilence: The Relevance …

135

the use of ICTs is incidental to the offence (‘cyber-facilitated’ or ‘cybersupported’ crimes). These are potentially any offence where there may be digital evidence of the offending, including homicides, drug offences or terrorism (Grabosky 2007). It is apparent that the proposed convention adopts a broad approach to the term, with a range of cyber-dependent and cyber-enabled crimes proposed for inclusion. For example, the draft convention provided by Russia proposes 22 articles that enact substantive offences, compared to eight contained in the Budapest Convention (Russian Federation 2021). While some of these offences largely overlap, some of the proposed offences are likely to prove challenging in gaining broad international agreement. For example, a number of countries have proposed an offence of ‘cyberterrorism’ which, given the lack of international agreement on the meaning of ‘terrorism’, is likely to face considerable challenges in reaching consensus (UNIDR 2017, p. 38). Similarly, proposed offences concerned with menacing or offensive messages, or image-based abuse, are likely to face significant obstacles given differing approaches to the protection of free speech (Walker 2019, p. 2). Further, agreeing on a defined set of cybercrimes is arguably the least of the challenges facing the Ad Hoc Committee. In order to facilitate enforcement, it is necessary for parties to enact agreed powers for law enforcement to investigate digital crimes. Even domestically, such measures are not without controversy. However, it is in the area of mutual cooperation and assistance that an international convention becomes the most challenging. It is in this context that the title of the proposed convention is telling. It is not a ‘cybercrime convention’, it is a convention ‘on countering the use of technology and crime.’ On one view, the convention becomes more about ‘the development of a “tool box” on modes of international cooperation’ than in defining substantive cybercrimes (Boister 2016, p. 45). Like the United Nations Convention against Transnational Organized Crime (‘UNTOC’) and the Budapest Convention, it would operate as a ‘mini mutual legal assistance treaty’ for electronic crimes (Boister 2016, p. 52). This understandably raises significant concerns, for governments and citizens, over issues such as sovereignty and rights protections. As daunting as such an agreement may seem, an example already exists. The role of the Budapest

136

J. Clough

Convention, and its significance in the international cybercrime debate, is arguably central to the success or failure of the UN resolution.

The Budapest Convention As outlined above, the Budapest Convention provides for a limited number of substantive cybercrimes, including cyber-dependent crimes, child exploitation material, fraud and forgery and copyright infringement. In addition, it provides for updated procedural powers including preservation of data, access to traffic data (preserved and intercepted), production of data, and interception of communications. Finally, it provides for expansive jurisdiction, is intended to facilitate cooperation to the ‘widest extent possible’, and may be used as the basis for mutual assistance and extradition (Council of Europe 2001a). There are also two additional protocols; ‘concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems’ (Council of Europe 2006) and ‘on enhanced co-operation and disclosure of electronic evidence’ (Council of Europe 2022). The fact that the Budapest Convention contains relatively few substantive law provisions, and elaborate provisions relating to procedure and international cooperation suggests, as with UNTOC, that ‘international cooperation, rather than criminalisation is, in fact, the main subject matter’ (Boister 2016, p. 41). Although beginning as a regional instrument, it is open to any country invited to accede, and to date has been ratified by sixty-eight countries, or 35 per cent of UN member states. Two countries, Ireland and South Africa, have signed but not ratified. If the countries that have been invited to accede are also included (twelve), it brings the total to eightytwo countries, or 43 per cent of UN member states (Council of Europe 2023). As can be seen in Fig. 7.1, the proportion of non-Council of Europe countries has been increasing since around 2012, sustaining the upward trajectory of states ratifying the Budapest Convention (Council of Europe 2023). The parties to the Budapest Convention also represent a diverse range of cultural and legal traditions, as shown in Fig. 7.2 (Council of Europe

7 Lessons in a Time of Pestilence: The Relevance …

137

8 7 6 5 4 3 2 1 0 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 COE members

Non-COE members

Fig. 7.1 Countries ratifying the Budapest Convention by year, 2002–2022 (Source Author’s Figure derived from Council of Europe [2023])

2023). Although the Western Europe and Others Group (‘WEOG’) dominate the representation (41%), there is significant representation from the African Group (9%), Asia and the Pacific Group (7%), the Eastern European Group (30%) and Latin America and the Caribbean Group (‘GRULAC’) (13%). Although the Convention had not been ratified by any major non-Western country (Woods, 2017 p. 670) and had in fact been opposed by the ‘BRICS’ countries (Brazil, Russia, India, China and South Africa) (UNIDR 2017, p. 45), Brazil became the latest country to become a party, coming into force on 1 March 2023. Until recently, the Russian Federation was the only member of the Council of Europe that had neither signed nor ratified the Budapest Convention. As of 16 March 2022, the Russian Federation is no longer a member of the Council of Europe (Council of Europe Committee of Ministers 2022). Given the existence of such a widely accepted convention, it might be thought that a UN convention is superfluous. Certainly, that is the view of some parties to the Budapest Convention who consider it provides sufficient basis for an international response (Walker 2019, p. 2). However, there is intractable opposition from some countries on

138

J. Clough

9% 7% 41%

30%

13% African Group

Asia and the Pacific Group

Eastern European Group

Latin American and the Caribbean Group

Western European and Others Group Fig. 7.2 Parties to the Budapest Convention by UN region (Source Author’s Figure derived from Council of Europe [2023])

at least two bases. First, a number of countries, most notably the Russian Federation, consider that certain provisions of the Budapest Convention provide for unacceptable intrusions on sovereign rights without sufficient protection (Eichensehr 2015, p. 359). Second, many countries outside the Council of Europe object on the basis that they did not participate in its drafting (UNIDR 2017, p. 45). In the face of such opposition, it may be argued that the Budapest Convention will never achieve widespread acceptance, and a truly international convention is needed.

A Question of Sovereignty The nature of modern communications is such that it is relatively easy for law enforcement agencies (‘LEAs’) in one jurisdiction to access data in another. This may be done deliberately, inadvertently or recklessly, but for the country hosting the data that is accessed, such conduct may be

7 Lessons in a Time of Pestilence: The Relevance …

139

seen as a breach of the principle of territorial sovereignty. The lack of protection of sovereignty in the Budapest Convention has long been an objection and was raised by a number of countries in their preliminary comments in the UN process (UNODC 2022). The most controversial provision in the Budapest Convention is Article 32 which governs transborder access to data. In fact, the article provides for limited access by LEAs in only two situations. One is where the data are publicly available. The second is with the consent of the person who has the authority to disclose the data. It is the latter provision which is most controversial and which may infringe the territorial sovereignty of the country where the data is located (Clough 2014). More recently, other issues challenging principles of sovereignty have arisen, such as the execution of warrants on data held outside the jurisdiction (Daskal 2018, p. 9). Although such issues present significant challenges to international agreement, they are not insurmountable. It is notable that the Budapest Convention does not contain a sovereignty clause as is found in other international instruments. For example, UNTOC requires parties to carry out their obligations under that convention ‘in a manner consistent with the principles of sovereign equality and territorial integrity of States and that of non-intervention in the domestic affairs of other States’ (art. 4). Although not specifically addressing issues such as transborder access, the inclusion of a sovereignty clause may at least go some way to addressing these concerns. It may be that issues such as transborder access may not be addressed at all. Despite awareness of the issue when the Budapest Convention was being drafted, it was not specifically addressed (Clough 2014, p. 719). The issue has been raised more recently (Cloud Evidence Group 2016), yet the recent Second Additional Protocol to the Budapest Convention fails to address it. It may be that it is not addressed in any UN convention and the matter is left to individual states, as in the draft convention proposed by Russia where the issue is not raised at all (Russian Federation 2021). Although not ideal, it is clear that the issue of sovereignty is not insurmountable as an objection to an international convention.

140

J. Clough

We’re All in This Together (or Are We?): The Fragile Nature of International Cooperation The major advantage of a UN convention over the Budapest Convention or other regional instruments is its inclusiveness. The Ad Hoc Committee is scheduled to conclude in 2023, with the final draft presented to the General Assembly at its seventy-eighth session (UN General Assembly 2021, para. 4). Where consensus cannot be reached, decisions on substantive matters will be made by a two-thirds majority of representatives present and voting (UN General Assembly 2021, para. 5). This is a relatively short time frame for an international treaty, particularly when the member states are so divided. The global divisions are apparent from the voting patterns on the General Assembly resolution establishing the Ad Hoc Committee (UN General Assembly 2019b). Of the seventy-nine countries voting in favour of the resolution (46% of voting member states), only three were members of the Council of Europe, and each has ratified the Budapest Convention. Thirty-one were from the African Group, thirty-four from the Asia and the Pacific Group, four from the Eastern European Group, nine from GRULAC and one from WEOG. Of the sixty (35% of voting member states) who voted ‘no’, forty-one were members of the Council of Europe. In terms of regional representation, there was one from Africa, six from Asia and the Pacific Group, eighteen from the Eastern European Group, seven from GRULAC and twenty-eight from WEOG. There were thirty-three abstentions, (19% of voting member states), only one of which was a member of the Council of Europe (Turkey). Eight were from the African Group, nine from the Asia and the Pacific Group, fifteen from GRULAC, none from Eastern Europe and one from WEOG. The resolution was therefore opposed/abstained from by 54 per cent of voting member states. Such divisions are not new and in part are an inevitable consequence of the transnational nature of cybercrimes. Although solutions have been available for decades, the movement towards a truly international response has been hampered by opposing views as to the best way to proceed. Filling the vacuum left by a lack of UN action, the

7 Lessons in a Time of Pestilence: The Relevance …

141

UNODC has identified ‘clusters’ of international and regional instruments addressing the challenges of cybercrime. There is the Budapest Convention and instruments based on it such as the Commonwealth Model Law on Computer and Computer-related Crime. There are regional instruments drafted or implemented by the Commonwealth of Independent States and the Shanghai Cooperation Organisation, the League of Arab States and the African Union. Finally, there are UN instruments such as UNTOC that can be utilised in the context of transnational cybercrime. This has led to a situation which the UNODC has described, with some understatement, as ‘a certain degree of fragmentation…’ (UNODC 2013, p. 68). In many respects, this is to be expected. A challenge as far-reaching as cybercrime is clearly going to raise regional and/or national interests which might not secure agreement at the international level. However, regional or bilateral levels of cooperation might be assisted by an overarching agreement which provides an agreed upon framework for cooperation. A prime example of this is UNTOC which applies to the ‘prevention, investigation and prosecution’ of a number of specific offences required to be criminalised as well as ‘[s]erious crime’ where the offence is ‘transnational in nature and involves an organized criminal group’ (art. 3). UNTOC has been ratified by 190 countries and requires parties to ‘afford one another the widest measure of mutual legal assistance in investigations, prosecutions and judicial proceedings’ (art. 18). It may also be used as the basis for extradition in those cases to which it applies (art. 16). Despite being one of the most ratified UN conventions, there are concerns that it has not lived up to its expectations in terms of facilitating international cooperation (Boister 2016). A recent Canadian study found concerns expressed that international cooperation had not improved as a result of UNTOC (Jahn and Dandurand 2022). It also appears that while UNTOC frames the assistance provided, the actual assistance is commonly based on regional or bilateral treaties or MOUs (Boister 2016, p. 51). Nonetheless, multilateral conventions such as UNTOC may play ‘a role in fostering trust among law enforcement agents, if only by encouraging direct contact and a broader view of what is possible’

142

J. Clough

(Boister 2016, p. 53). An international cybercrime convention may therefore play an important role in providing a framework for cooperation that is agreed at the international level and provides an important normative framework against which such cooperation can take place.

The Importance of Norms It has been observed that a ‘good multilateral treaty signed by all relevant parties would be ideal. But in practice, it has at least one of two problems: if it is good, it will not be signed by all relevant parties, and if it is signed by all relevant parties, it will not be good’ (Woods 2017, p. 670). While there is undoubted truth in this observation, the importance of a UN convention may be less in the specific details, than in the creation and encouragement of agreed norms. ‘Norms’ may be defined as ‘collective expectations for the proper behaviour of actors with a given identity’ (Katzenstein 1996, p. 5). However, the specificity with which these are expressed may vary. It may include rules that state the required behaviour with some precision, standards which provide a means of evaluating conduct, and principles which put forward broad considerations for evaluating future conduct (Finnemore and Hollis 2016, p. 441). The incorporation of norms within law can be an important mechanism for their implementation, and an international treaty may provide considerable legitimacy (Finnemore and Hollis 2016, pp. 441–442). For this reason, the Budapest Convention is often called into question, despite being a treaty, because to some countries the way in which it was created undermines its legitimacy. This is why the UN process is potentially so important, ‘not just in what it says, but in who accepts it’ (Finnemore and Hollis 2016, p. 427). However, the fact that a convention goes through the UN process does not guarantee widespread acceptance, and as we have seen any draft cybercrime convention begins from a position of division (Dandurand and Jahn 2021, p. 13). It must also be cognisant of existing norms, norms that are dynamic and constantly evolving. For example, how an agency behaves with a trusted ally will be different to dealings with countries

7 Lessons in a Time of Pestilence: The Relevance …

143

that may be more hostile. However, even in a time of conflict and division, the fight against cybercrime continues and we still see examples of international cooperation even between unlikely allies (Tidy 2022). The challenge for any international agreement is finding ‘collective expectation’, the shared understanding that makes norms operative (Finnemore and Hollis 2016, p. 443). Even if agreement can be achieved, how is it to be implemented in practice? The hope is that a ‘norm may reach a tipping point and cause a “cascade” of norm adoption’ (Finnemore and Hollis 2016, p. 445). While countries ostensibly have a common interest in tackling global cybercrime, in reality their ‘interest’ in global agreement may vary. It is for this reason the Budapest Convention plays such a central role. Any future convention must take into account a comprehensive framework that has been in operation for almost two decades, and which has been adopted by one third of member states and influenced many more.

A Model for the Future? The challenges of international cooperation in investigating transnational crimes are well-established (Barton 2018, pp. 91–112). However, even where there is consensus on the need for increased cooperation, agreement on what that looks like in practice is another matter (Goldsmith and Wu 2006, p. 166). In responding to these challenges, the Budapest Convention is a good example of ‘first-mover advantage’ because it frames the debate in a way that is hard to dislodge (Finnemore and Hollis 2016, p. 447). It is really two forms of international instrument. On the one hand, there are the components which reflect the more typical terms of a convention, whereby the obligations of parties are spelt out with a reasonable degree of specificity. This can be seen in relation to articles concerned with specific criminal offences, powers of criminal procedure and requirements for mutual assistance and collaboration. Where it is less like a convention and more like a framework document is when dealing with matters of rights. A framework convention is ‘a type of legally binding treaty that establishes high level principles and broad commitments for its parties, leaving

144

J. Clough

specific obligations and targets to be contained in additional, more detailed agreements, known as protocols’ (Phelan and Pillai 2021, p. 9). While it is not suggested a framework convention would be sufficient for cybercrime, it may be appropriate in part in order to achieve agreement on high-level principles where more precise agreement may be limited. More specific matters of implementation can then be pursued via protocols. Such a hybrid approach sets out general principles on some issues, and detailed rules for others (Matz-Luck 2009, p. 449). That is, agreement at the framework level on key principles, agreement on substantive provisions where agreement is possible, and a protocol mechanism for more controversial issues to be agreed upon at a later date. One of the challenges of international cooperation on a broad scale is that it necessarily requires ‘reciprocity, trust, and mutual respect’ (Jahn and Dandurand 2022, p. 12). This may come into conflict with other rights protections. For example, it has been suggested that Canada’s more liberal disclosure laws may impact on the willingness of other states to share sensitive information (Jahn and Dandurand 2022, p. 12). While almost all countries have emphasised the importance of rights protections, they are likely to take divergent views on how this is to be achieved. Ultimately, if agreement is to be reached it is likely to be similar to that adopted in the Budapest Convention. This is the pragmatic approach of requiring parties to enact the necessary protections and standards according to their own standards under international and domestic law (Council of Europe 2001b, para. 145). This approach has been described as ‘flexible harmonization’; that is, ‘a model of uniform rule making confined to establishing parameters for acceptable substantive rules, leaving the formulation of procedural due process rules to the cultural peculiarities of each nation’ (Miquelon-Weismann 2005, p. 354). Such an approach may be criticised as prioritising the needs of law enforcement over human rights protections. It arguably places too much reliance on domestic law to provide protection, when such protections vary greatly throughout the world (Clough 2014, p. 709). Even allies such as the EU and US may take vastly different approaches to rights such as privacy (Walker 2019, p. 4). However, in the absence of agreement on rights, even at a general level, states may undertake unilateral

7 Lessons in a Time of Pestilence: The Relevance …

145

action which may reaffirm sovereignty but at the expense of the rule of law and human rights (Dandurand and Jahn 2021, p. 5). Further, if agreement even at this level cannot be reached, then it is arguable that the convention should not be pursued, at least as it relates to international cooperation. Such a convention may be so ‘watered down, it would have little utility; in fact, there is a serious risk that the resulting agreement would lead to an erosion of privacy rights, not an enhancement, while also unduly hampering legitimate law enforcement investigations – the worst of both worlds’ (Woods 2017, p. 671).

Conclusion A time of international division and conflict is not the ideal time to be seeking agreement on one of the most ambitious instruments in the field of transnational crime to have ever been attempted in the UN process. Yet on this measure, there is unlikely to ever be a good time. While it would be foolish to predict the content of the draft convention, the extent of agreement, or even whether agreement will be reached, a number of countries have emphasised the importance of any UN convention operating alongside existing international instruments, as well as regional and national efforts to address cybercrime (UNODC 2022). Pre-eminent among these is the Budapest Convention. The Budapest Convention is far more than merely ‘symbolic’ (cf. Marion 2010, p. 702). It is undoubtedly the most significant instrument in the area of cybercrime. In addition to the countries that have ratified it, its symbolic role in providing a model for other nations cannot be discounted (Marion 2010, p. 706). There is no international agreement that even approaches it for impact, and it is now routinely referred to in UN documents and in capacity building by the UN. Even if all that could be achieved was something close to an updated version of the Budapest Convention, agreed to at the UN level, it would still provide an important and symbolic way forward. Concerns about not being involved in drafting would be addressed (Eichensehr 2015, pp. 359–360). Controversial issues such as sovereignty may be addressed or put off for future consideration. Matters of rights protections might

146

J. Clough

be agreed at a high level. While this will disappoint many, it is unlikely that greater levels of agreement would be achieved at the UN level when it was not possible at the regional level. Such a convention would provide an important framework and standard which countries can be held to. By providing broad international agreement as to the necessary responses to cybercrime, the need for international cooperation, the importance of sovereignty and the protection of rights, it may provide an overarching framework for moving forward, putting behind us criticisms of the Budapest Convention which will continue to operate in tandem. Dandurand and Jahn identify five scenarios for the future of international criminal justice cooperation (Jahn and Dandurand 2022, p. 7). The first is ‘together’, where there is the ‘political will and willingness to refashion the existing cooperation mechanisms’. Second is ‘unbound’, with increased bilateral and regional cooperation. ‘Going alone’ sees reliance on unilateral action, while ‘retreat’ anticipates greater use of informal arrangements, ‘to the potential detriment of the rule of law and human rights’. Finally, there is ‘renewal’ which envisages radical reform of the international cooperation regime. It is not unduly cynical to discount renewal, at least in the foreseeable future. The current situation is probably best described as ‘unbound’, with a trend towards ‘going alone’ and ‘retreat’. The Budapest Convention has played a crucial role in creating momentum towards greater ‘togetherness’ by establishing a comprehensive framework that is utilised by a substantial number of the world’s countries. Although much of the real work of cybercrime investigation and prosecution will continue at the bilateral and regional level, an international cybercrime convention, for all its challenges and deficiencies, has the potential to bring together disparate voices, establish areas of common agreement and remove the sense of exclusion which is an inevitable feature of the Budapest Convention. It is an opportunity to test the conclusion drawn by Camus: ‘To state quite simply what we learn in a time of pestilence: that there are more things to admire in [people] than to despise’ (Albert Camus, The Plague (1947), as cited in Ratcliffe 2018).

7 Lessons in a Time of Pestilence: The Relevance …

147

References Barton, Joe. 2018. ‘Reforming the mutual legal assistance treaty framework to protect the future of the Internet’ Ohio State Law Journal, 79, 91–112. http://hdl.handle.net/1811/86110 Accessed 17 January 2023. Boister, Neil. 2016. ‘The cooperation provisions of the UN Convention against transnational organised crime: A “toolbox” rarely used?’ International Criminal Law Review, 16 (1): 39–70. https://doi.org/10.1163/15718123-016 01008 Accessed 17 January 2023. Clough, Jonathan. 2014. ‘A world of difference: The Budapest Convention on Cybercrime and the challenges of harmonisation’ Monash University Law Review, 40(3), 698–736. https://doi.org/10.26180/5db8050ca2b5b Accessed 17 January 2023. Cloud Evidence Group. 2016. Criminal justice access to electronic evidence in the cloud: Recommendations for consideration by the T-CY. Final report. TCY Cloud Evidence Group, Cybercrime Convention Committee, Council of Europe: Strasbourg, France. Council of Europe. 2023. Chart of signatures and ratifications of Treaty 185. https://www.coe.int/en/web/conventions/full-list?module=signaturesby-treaty&treatynum=185 Accessed 9 January 2023. Council of Europe. 2022. Additional Protocol to the Convention on Cybercrime on enhanced cooperation and disclosure of electronic evidence, opened for signature 12 May 2022, ETS No 224. Council of Europe. 2006. Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computing systems, opened for signature 28 January 2004, ETS No 189 (entered into force 1 March 2006). Council of Europe. 2001a. Convention on Cybercrime, opened for signature 23 November 2001, ETS No 185 (entered into force 1 July 2004). Council of Europe. 2001b. Explanatory report to the Convention on Cybercrime. Council of Europe. ETS No 185. 23 June 2001. https://rm.coe.int/16800c ce5b Accessed 17 January 2023. Council of Europe. n.d. ‘Worldwide capacity building’ Council of Europe. https://www.coe.int/en/web/cybercrime/capacity-building-programmes Accessed 25 September 2022. Council of Europe Committee of Ministers. 2022. ‘Resolution CM/Res (2022) 2 on the cessation of the membership of the Russian Federation to

148

J. Clough

the Council of Europe’ Council of Europe. https://www.coe.int/en/web/ moscow/-/resolution-cm-res-2022-2-on-the-cessation-of-the-membershipof-the-russian-federation-to-the-council-of-europe Accessed 25 September 2022. Dandurand, Yvon and Jahn, Jessica. 2021. The Future of International Cooperation Against Transnational Organized Crime the Undoing of UNTOC? International Centre for Criminal Law Reform, Geneva. https://globalinitia tive.net/wp-content/uploads/2021/10/GITOC-The-future-of-internationalcooperation-against-transnational-organized-crime.pdf Accessed 17 January 2023. Daskal, Jennifer. 2018. ‘Microsoft Ireland, the CLOUD Act, and International Lawmaking 2.0’ Stanford Law Review Online, 71(May), 9–16. https://digita lcommons.wcl.american.edu/facsch_lawrev/1099 Accessed 17 January 2023. Eichensehr, Kristen. 2015. ‘The cyber-law of nations’ Georgetown Law Review, 103(2), 317–380. https://heinonline.org/HOL/P?h=hein.journals/glj103& i=331 Accessed 17 January 2023. Finnemore, Martha and Hollis, Duncan B. 2016. ‘Constructing norms for global cybersecurity’ American Journal of International Law, 110(3), 452– 479. https://doi.org/10.1017/S0002930000016894 Accessed 17 January 2023. Goldsmith, Jack and Wu, Tim. 2006. Who Controls the Internet? Illusions of a Borderless World. New York: Oxford University Press. Grabosky, Peter. 2007. Electronic Crime. Upper Saddle River, NJ: Pearson. International Telecommunication Union. 2021. Measuring digital development facts and figures 2021. International Telecommunication Union. Geneva, Switzerland. https://www.itu.int/en/ITU-D/Statistics/Documents/ facts/FactsFigures2021.pdf Accessed 17 January 2023. Jahn, Jessica and Dandurand, Yvon. 2022. The implementation and impact in Canada of the United Nations convention against transnational organized crime and its protocols. International Centre for Criminal Law Reform, Vancouver. https://icclr.org/wp-content/uploads/2022/03/ ICCLR-2022-UNTOC-Review-Consultation-Report.pdf?x30948 Accessed 17 January 2023. Katzenstein, Peter J. 1996. ‘Introduction: Alternative perspectives on national security’ in Katzenstein, Peter J. (ed.) The Culture in National Security: Norms and Identity in World Politic. New York: Columbia University Press. Marion, Nancy E. 2010. ‘The Council of Europe’s cyber crime treaty: An exercise in symbolic legislation’ International Journal of Cyber Criminology,

7 Lessons in a Time of Pestilence: The Relevance …

149

4 (1 & 2), 699–712. https://www.proquest.com/scholarly-journals/councileuropes-cyber-crime-treaty-exercise/docview/870326495/se-2 Accessed 17 January 2023. Matz-Luck, Nele. 2009. ‘Framework conventions as a regulatory tool’ Goettingen Journal of International Law, 1(3), 439–458. https://doi.org/10.3249/ 1868-1581-1-3-matz-lueck Accessed 17 January 2023. McGuire, Mike and Dowling, Samantha. 2013. Cyber crime: A review of the evidence. Research Report 75. Home Office, United Kingdom https://ass ets.publishing.service.gov.uk/government/uploads/system/uploads/attach ment_data/file/246749/horr75-summary.pdf Accessed 17 January 2023. Miquelon-Weismann, Miriam F. 2005. ‘The Convention on Cybercrime: A harmonized implementation of international penal law: What prospects for procedural due process?’ John Marshall Journal of Computer and Information Law, 23(2), 329–361. https://heinonline.org/HOL/P?h=hein.journals/jmjcil a23&i=333 Accessed 17 January 2023. Phelan, Alexandra and Pillai, Priya. 2021 International health law in perspective. Background paper 16. The Independent Panel for Pandemic Preparedness and Response. https://theindependentpanel.org/wp-content/ uploads/2021/05/Background-paper-16-International-treaties.pdf Accessed 17 January 2023. Ratcliffe, Susan (ed.). 2018. Oxford Essential Quotations. Oxford: Oxford University Press. https://www.oxfordreference.com/view/10.1093/acref/978 0191866692.001.0001/acref-9780191866692 Accessed 17 January 2023. Russian Federation. 2021. ‘Draft United Nations convention on countering the use of information and communications technologies for criminal purposes’ (29 June 2021). United Nations Office on Drugs and Crime. https://www.unodc.org/documents/Cybercrime/AdHocCommittee/ Comments/RF_28_July_2021_-_E.pdf Accessed 25 September 2022. Tidy, Joe. 2022. ‘REvil Ransomware gang arrested in Russia’ BBC , 14 January. https://www.bbc.com/news/technology-59998925 Accessed 25 September 2022. The Independent Panel for Pandemic Preparedness & Response. 2021. COVID-19 make it the last pandemic. https://theindependentpanel.org/wpcontent/uploads/2021/05/COVID-19-Make-it-the-Last-Pandemic_final. pdf Accessed 17 January 2023. The White House. 1999. ‘A national security strategy for a new century’ Clinton White House. https://clintonwhitehouse4.archives.gov/media/pdf/ nssr-1299.pdf Accessed 25 September 2022.

150

J. Clough

UN (United Nations) General Assembly. 2021. Resolution 75/282 Countering the use of information and communication technologies for criminal purposes A/RES/75/282 (26 May 2021). https://undocs.org/en/A/RES/ 75/282 Accessed 17 January 2023. UN (United Nations) General Assembly. 2019a. Resolution 74/247 Countering the use of information and communication technologies for criminal purposes A/RES/74/247 (27 December 2019). https://undocs.org/A/Res/ 74/247 Accessed 17 January 2023. UN (United Nations) General Assembly. 2019b. Seventy-fourth session. 52nd plenary meeting. A/74/PV.52 (19 December 2019). https://documents-ddsny.un.org/doc/UNDOC/GEN/N19/423/19/PDF/N1942319.pdf?OpenEl ement Accessed 17 January 2023. UNIDR (United Nations Institute for Disarmament Research). 2017. The United Nations, cyberspace and international peace and security responding to complexity in the 21st century. Report, United Nations Institute for Disarmament Research. https://unidir.org/publication/united-nations-cyberspaceand-international-peace-and-security-responding-complexity Accessed 17 January 2023. UNODC (United Nations Office on Drugs and Crime). 2022. ‘Second session of the Ad Hoc Committee’ United Nations Office on Drugs and Crime. https://www.unodc.org/unodc/en/cybercrime/ad_hoc_commit tee/ahc-second-session.html Accessed 25 September 2022. UNODC (United Nations Office on Drugs and Crime). 2013. Comprehensive study on cybercrime. Draft, United Nations Office on Drugs and Crime, Vienna. https://www.unodc.org/documents/organized-crime/UNODC_ CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf Accessed 17 January 2023. UNODC (United Nations Office on Drugs and Crime). n.d. ‘Global programme on cybercrime’ United Nations Office on Drugs and Crime. https://www.unodc.org/unodc/en/cybercrime/global-programme-cyberc rime.html Accessed 25 September 2022. Walker, Summer. 2019. Cyber-insecurities? A guide to the UN cybercrime debate. Geneva, Switzerland: Global Initiative against Transnational Organized Crime. https://globalinitiative.net/wp-content/uploads/2019/03/TGI ATOC-Report-Cybercrime-in-the-UN-01Mar1510-Web.pdf Accessed 25 September 2022. WHO (World Health Organisation). 2020a. ‘Statement on the second meeting of the International Health Regulations (2005) Emergency Committee regarding the outbreak of novel coronavirus (2019-nCoV)’ World Health

7 Lessons in a Time of Pestilence: The Relevance …

151

Organisation. https://www.who.int/news/item/30-01-2020-statement-onthe-second-meeting-of-the-international-health-regulations-(2005)-emerge ncy-committee-regarding-the-outbreak-of-novel-coronavirus-(2019-ncov) Accessed 25 September 2022. WHO (World Health Organisation). 2020b. ‘WHO Director-General’s opening remarks at the media briefing on COVID-19—11 March 2020’ World Health Organisation. https://www.who.int/director-general/spe eches/detail/who-director-general-s-opening-remarks-at-the-media-briefingon-covid-19---11-march-2020 Accessed 25 September 2022. Woods, Andrew Keane. 2017. ‘Mutual legal assistance in the digital age’ in Gray, David & Henderson, Stephen E. (eds.) Surveillance law, 659–676. Cambridge University Press. https://doi.org/10.1017/9781316481127.029 Accessed 17 January 2023.

8 Domestic Laws Governing Post-Pandemic Crime and Criminal Justice Gregor Urbas and Marcus Smith

Introduction The COVID-19 pandemic and the public response to it have changed our lives. Within months of the announcement by the World Health Organisation (WHO) of a ‘public health emergency of international concern (PHEIC)’ on 30 January 2020, populations around the world adapted to new regimes of lockdowns, international and domestic travel restrictions, social distancing, mask-wearing and vaccinations, with some G. Urbas (B) College of Law, Australian National University, Acton, ACT, Australia e-mail: [email protected] M. Smith Centre for Law and Justice, Charles Sturt University, Barton, ACT, Australia e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 R. G. Smith et al. (eds.), Cybercrime in the Pandemic Digital Age and Beyond, Palgrave Studies in Cybercrime and Cybersecurity, https://doi.org/10.1007/978-3-031-29107-4_8

153

154

G. Urbas and M. Smith

of these becoming requirements for re-entry into the community, workplaces and public spaces (WHO 2022). These requirements have been backed up with criminal sanctions for disobedience, and the mechanisms of criminal justice and law enforcement have been applied on the basis that this was necessary for the protection of public health. Although there has been some resistance to many of these measures, populations generally have acquiesced in the new regimes and codes of behaviour, though arguably on the understanding that restrictive measures were to be in place only for as long as required for public health purposes. This chapter examines the impact of COVID-19 on society and law, with a particular focus on post-pandemic crime and criminal justice. The first part of the chapter examines how the pandemic has affected the Australian community, and the measures that have been implemented by governments in response, including lockdowns, contact tracing and vaccine mandates, reflecting on the implications for liberal democracies. The second part of the chapter highlights specific criminal law legislation enforcing public health orders, responding to the increase in online criminal activity and facilitating the administration of justice during a time when public hearings were not possible due to social distancing.

The Impact of the Pandemic on Society and the Law The COVID-19 pandemic has profoundly impacted society in liberal democracies, with biosecurity or emergency health powers effectively suspending normal approaches to government. COVID-19 (the SARSCoV-2 zoonotic virus) causes flu-like symptoms, as well as possible longer term health impacts, including potentially permanent lung damage or fibrosis (Citroner 2020). At the time of writing, COVID-19 has infected more than 4 million people in Australia and is associated with the death of more than 5,000 (Australian Government 2022). Globally, it has been associated with the death of more than 6 million people (WHO 2022). In addition to the direct health costs, public health strategies such as lockdowns and quarantine have caused major disruption to everyday life and businesses, significant economic costs, as well

8 Domestic Laws Governing Post-Pandemic Crime …

155

as indirect impacts such as mental illness, and an increase in domestic violence and online crime (Beltekian et al. 2020). Public health strategies have sought to reduce the numbers of people exposed to the virus and reduce the effective reproductive number (R)—the average number of new cases per infection—to a number less than 1, which indicates that the number of active cases will decrease over time (Ferguson et al. 2020). In March 2020, the federal government declared a human biosecurity emergency as provided for by the Biosecurity Act 2015 (Cth). This facilitates a three-month period when the health minister is authorised to issue any direction or establish any requirement, they consider necessary to prevent or control the spread of COVID-19. The states and territories enacted similar provisions and so different measures were implemented around the country simultaneously, allowing flexibility in response to different case numbers being experienced in different states, but also leading to, for example, families in different states being unable to travel to see each other for extended periods, and disputes between states and the federal government in relation to international travel restrictions, which mostly remained within the remit of the federal government, though subject to state-level restrictions on numbers admitted to quarantine facilities. A degree of social unrest followed and protests against lockdowns were held around the country by those frustrated with the economic and social costs, but with some sections of the community likely to have been influenced by social media misinformation. There is even evidence that extremist groups contributed to organising protests and sought to grow their membership and influence by harnessing the frustration: Far-right nationalists, anti-vaxxers, libertarians and conspiracy theorists have come together over COVID, and capitalised on the anger and uncertainty simmering in some sections of the community. They appear to have found fertile ground particularly among men who feel alienated, fearful about their employment and who spend a lot of time at home scrolling social media and encrypted messaging apps. (Josh 2021)

In order to maintain public health, state and federal governments have a legitimate need to identify individuals infected with COVID-19 and

156

G. Urbas and M. Smith

those who may have been exposed to the virus, and direct them to quarantine while they are infectious, or potentially infectious. This is arguably justified in order to prevent a new wave of infection that could potentially kill thousands or millions of people in the community. During the COVID-19 pandemic, police in Australia were given extraordinary powers to issue fines and arrest citizens for not complying with ‘stay at home’ orders, or failing to wear a face mask in public. The military was even deployed to door knock homes and confirm that people were quarantining as directed (Davey 2020). In many cases, fines were later cancelled, except where repeated, deliberate or continuing breaches of the directions were established, after concerns were expressed about penalising citizens who had already suffered economic hardship resulting from the lockdowns. The inconsistent application of COVID-19 associated laws was a frustration for citizens throughout the pandemic (Houston and Webb 2021). Data collection by government agencies and the commercial sector, such as smartphone metadata, are now routine, and it was perhaps inevitable that they would be applied for public health surveillance in relation to COVID-19. Liberal democratic governments use surveillance technology for identification purposes, primarily to prevent crime and facilitate law enforcement investigations. Law enforcement agencies have the authority to enforce public health directions associated with COVID-19, and they have a range of existing technologies available to them, also including closed-circuit television cameras and automated numberplate recognition (Servick 2020). Smartphone ownership is now almost universal among the adolescent and adult population in Australia. They have, therefore, played a key role in tracking the movement of people for contact tracing purposes during the pandemic, including through metadata analysis, Bluetooth applications and QR code check-in at business premises (Servick 2020). The utilisation of metadata to track an individual’s movements for public health security purposes is the most invasive approach from a privacy standpoint. Metadata includes information such as the location of a device, the phone numbers involved in a communication and the date and time of the communication. It includes continual and accurate location data, due to contact between the phone and nearby cell towers

8 Domestic Laws Governing Post-Pandemic Crime …

157

to maintain reception, meaning that metadata can provide a detailed picture of an individual’s movements, particularly when analysed over time (Walsh and Miller 2016). During the COVID-19 pandemic, phone metadata was used for contact tracing and public health purposes in Australia, in specific instances, to determine who an infected person may have been in contact with, and to enforce quarantine directives— confirmed through statements by police, noting that they were using the same repositories of metadata for COVID-19 contact tracing as those used in criminal investigations (Sutton 2020). Metadata is available to potentially be used for the purpose of contact tracing in relation to COVID-19 because of Australian federal legislation enacted in 2015, requiring telecommunications companies to retain customer metadata and share it with law enforcement agencies where relevant to an investigation (Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth)). Metadata access has been used for COVID-19 contact tracing by many other countries around the world, with documented examples in South Korea, Israel and China. In South Korea, metadata from the phones of individuals diagnosed with COVID-19 was used to create maps of movements, and disseminate this to the community to allow others to determine if they may have had contact with the individual (Kim 2020). In Israel, the national security agency Shin Bet utilised a covert database of metadata to track individuals diagnosed with COVID-19, justified as a ‘focused, time-limited activity that is monitored by the government, the attorney general and regulatory mechanisms’ (Halbfinger et al. 2020). In Australia, the federal government launched a contact tracing application that applied Bluetooth technology to communicate between phones. It calculated whether a person had spent time in the proximity of another person who had contracted COVID-19, as an alternative to relying on location metadata (Miller and Smith 2021). While the benefit was a relatively low impact on individual privacy, Bluetooth applications are less reliable than metadata access, and their functionality can be affected by whether, for example, a phone is locked or unlocked, the operating systems of the phones they engage with; and other interference (Bogle 2020). QR code check-in applications, where a person used their phone to register upon entry to premises, subsequently surpassed

158

G. Urbas and M. Smith

Bluetooth applications to become the most widely used technology for contact tracing in Australia. However, controversy arose when it became evident that police were able to access check-in data for unrelated investigative purposes, causing a number of jurisdictions to enact legislation restricting police access (Hendry 2021). See, for example, the ="border: 1px solid blue;" Type="Italic">Service NSW (One-stop Access to Government Services) Amendment (COVID-19 Information Privacy) Act 2021 (NSW), and the Protection of Information (Entry Registration Information Relating to COVID-19 and Other Infectious Diseases) Act 2021 (WA). The rapid development and administration of vaccines to prevent or lessen the severity of COVID-19 infections has allowed societies to return to some degree of normalcy and move away from lockdowns. However, despite the well-established scientific foundation of vaccines, a small number of adverse reactions, and more general concern about the potential for the vaccine to cause harm, have led some segments of the population expressing hesitancy or outright refusing to be vaccinated. The WHO defines vaccine hesitancy as a ‘delay in acceptance or refusal of vaccination despite availability of vaccination services’ (MacDonald 2015). The dissemination of misinformation online has contributed to raising the profile of a wide range of concerns that span harm to children, risk of death, to quite elaborate government conspiracies (Cornwall 2020). This highlights a wider social phenomenon of misleading information (fake news) associated with social media sites such as Facebook and Twitter that has influenced society over the past decade (Smith and Urbas 2021). The spread misinformation can be extremely pervasive when combined with social media functionality, leading to a rise in conspiracy theories, pseudoscience and social engineering to achieve political objectives that may have been further exacerbated due to the COVID-19 lockdown and associated increase in time spent online. The WHO Director-General has described an ‘infodemic’ in relation to the nature of the COVID-19 virus, its origins, and the efficacy and risks associated with the various vaccines (Bin Naeem et al. 2020). New laws associated with managing the COVID-19 pandemic, or phenomena associated with it, such as a failure to comply with public health orders, or the rise in particular forms of crime, relate to managing the conflict between biosecurity, and the prevention of morbidity and

8 Domestic Laws Governing Post-Pandemic Crime …

159

mortality, on the one hand, and maintaining appropriate rights to privacy, autonomy and democratic accountability, on the other. The goods of health and safety, associated with biosecurity, are vital to society; however, in liberal democracies, so are individual rights and political accountability. In implementing public health responses to COVID-19, it is important that legal responses are proportionate and take fairness and rule of law seriously, to maintain the trust of the community in relation to future public health security measures and their approach to public health interventions more broadly (Parker et al. 2020, p. 106). Following the previous major security event of the twenty-first century, 9/11, there was an expansion in data collection, including metadata, justified on the basis of the threat of terrorism. Data integration, including biometric and financial data, and the use of data collected for one purpose, being used for a wider range of purposes, is occurring against the background of a rapid expansion in big data analytics and artificial intelligence capabilities. Miller and Smith (2021) describe the issue and the potential parallels with 9/11: First, the security contexts in which their use is to be permitted might become both very wide and continuing, e.g. the COVID-19 (‘biosecurity emergency’) context becomes the need to prevent future pandemics and maintain public health more generally; just as, arguably, the ‘war’ (without end) against terrorism became the war (without end) against serious crime; which, in turn, became the ‘war’ (without end) against crime in general. Second, data, including surveillance data, originally and justifiably gathered for one purpose, e.g. taxation or combating a pandemic, is interlinked with data gathered for another purpose, e.g. crime prevention, without appropriate justification. The way metadata use has expanded in some countries, from initially being used by only a few police and security agencies to being used quite widely by governments in many western countries, is an example of function creep and illustrates the potential problems that might arise as the threat of COVID-19 eases. (Miller and Smith 2021, p. 368)

It is important the data collected in relation to the COVID-19 pandemic are not used for broader purposes without appropriate legislative backing and public debate (Zimmermann and Forrester 2020). The potential

160

G. Urbas and M. Smith

use of technology to surveil and control populations is evident from the social credit system established in China (Qiang 2019). It is possible that the COVID-19 pandemic could lead to further advances in surveillance powers encroaching on individual rights in liberal democracies just as occurred following 9/11. As mentioned earlier, prior to the COVID-19 pandemic, Australia already had enacted some of the world’s most proactive data retention and access laws to enable it to investigate and prosecute serious crime, requiring telecommunications service providers to retain Australians’ metadata and store it for two years, in order to ensure that it is available for law enforcement and national security investigations. Additionally, Australia was one of the first liberal democratic countries to enact legislation that seeks to facilitate access by law enforcement and national security agencies to communications that have been encrypted. This can occur following enactment of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth), which requires technology companies to provide reasonable assistance to access the content of communications facilitated by their platforms. Companies may be required to provide this in the form of a ‘technical assistance request’ (TAR): a request that they voluntarily assist law enforcement by providing the technical details about one of their products or services; ‘a technical assistance notice’ (TAN): a requirement that they assist by decrypting a specific communication, or face a fine if they refuse; or a ‘technical capability notice’ (TCN): a requirement that they create a new function to enable police to access a suspect’s data, or face a fine if they refuse. Although there have been significant developments in cybercrime laws over the past two years in Australia (Urbas 2020, 2021), these have been in train for a longer period and are not obviously related to any increased threat within the pandemic context. However, these law enforcement powers are noteworthy in increasing the capacity for online surveillance and detection of criminal exploitation, including to undertake disruption activities to frustrate the commission of criminal activity, and take over a person’s online account to gather evidence of criminal activity. The criminal law that has been enacted in response to the pandemic, particularly in relation to an increase in online crime, and to adapt court

8 Domestic Laws Governing Post-Pandemic Crime …

161

proceedings to allow for social distancing has generally been measured and proportionate, as will be discussed in the second part of the chapter.

New Criminal Laws in Response to the Pandemic Some existing criminal laws already applied to the transmission of diseases, largely driven by earlier waves of pandemics or epidemics such as HIV-AIDS (Lelliott et al. 2021). For example, in New South Wales, various offences of causing grievous bodily harm extend to causing a ‘grievous bodily disease’ in virtue of the definition of ‘grievous bodily harm’ as including ‘any grievous bodily disease (in which case a reference to the infliction of grievous bodily harm includes a reference to causing a person to contract a grievous bodily disease)’. This is provided for under the Crimes Act 1900 (NSW), sections 4, 33, 35 and 54; however, the terms ‘grievous bodily disease’ and ‘disease’ are not further defined, leaving it to the common law to work out whether an illness such as COVID-19 might qualify. The High Court case of Aubrey v The Queen [2017] HCA 18 (10 May 2017) dealt with a prosecution under s 35 of the Crimes Act 1900 (NSW) relating to reckless transmission of HIV (Morgan 2018). Additionally, public health legislation creates offences of failure to comply with public health orders and directions. In New South Wales, orders made in 2020 resulted in offences of intentionally spitting or coughing at public officials ‘in a way that would reasonably be likely to cause fear about the spread of COVID-19’ (Lelliott et al. 2021). Penalties of six months’ imprisonment or fines up to $11,000 (or both) apply to breaches of these and other orders restricting public and private gatherings, or imposing self-isolation. Relevant orders include the Public Health (COVID-19 Restrictions on Gathering and Movement) Order (No 5) 2020 (NSW); Public Health (COVID-19 Self-Isolation) Order (No 3) 2020 (NSW); Public Health (COVID-19 General) Order (No 2) 2021 (NSW); Public Health (COVID-19 Self-Isolation) Order 2022 (NSW).

162

G. Urbas and M. Smith

Similar offences can be found in other Australian jurisdictions and internationally (Golder Lang 2021). Relatively, few prosecutions for breaches of COVID-19 public health orders have been dealt with by higher courts, though numerous fines have been issued (Wakatama 2022). See, for example, State of New South Wales v Doherty (Preliminary) [2022] NSWSC 82 (9 February 2022). There have been numerous challenges to such fines, with some being subsequently withdrawn (Houston and Webb 2021; Fitzsimmons 2021). More broadly, it has widely been reported that some types of offending, particularly domestic violence and child sexual assault, as well as online victimisation, have increased significantly with the imposition of lockdowns and policies requiring adults to work from home and children to stay home from school for extended periods (Khweiled et al. 2021; Morley et al. 2021; Stoianova et al. 2020). As summarised by Boxall et al. (2020, p. 1), the following factors were identified as ‘contributing to a potential increase in both the prevalence and severity of domestic violence during the COVID-19 pandemic’: Victims and offenders spending more time together; increased social isolation and decreased social movement, which may restrict avenues for women to seek help; increased situational stressors associated with domestic violence (e.g. financial stress and job insecurity); offenders feeling out of control due to situational factors and using violence and abuse as a means of creating a sense of control and increased alcohol consumption among domestic violence perpetrators.

However, while the prevalence and context of domestic violence may have been affected by the COVID-19 pandemic and policy responses to it, there is little by way of legislative reform that can be identified as constituting a direct response to increased rates of offending. Similarly, the pandemic and its disruptions to workplace and business operations were predicted to provide increased opportunities for online victimisation, such as through the following vectors (Council of Europe 2020):

8 Domestic Laws Governing Post-Pandemic Crime …

163

phishing campaigns and malware distribution through seemingly genuine websites or documents providing information or advice on COVID-19 are used to infect computers and extract user credentials; ransomware shutting down medical, scientific or other health-related facilities where individuals are tested for COVID-19 or where vaccines are being developed in order to extort ransom; attacks against critical infrastructures or international organizations, such as World Health Organization; ransomware targeting the mobile phones of individuals using apps that claim to provide genuine information on COVID-19 in order to extract payments; offenders obtaining access to the systems of companies or other organisations by targeting employees who are teleworking; fraud schemes where people are tricked into purchasing goods such as masks, hand sanitizers, but also fake medicines claiming to prevent or cure SARS-CoV-2 and misinformation or fake news are spread by trolls and fake media accounts to create panic, social instability and distrust in governments or in measures taken by their health authorities.

Mention should also be made of the increased risk of online sexual victimisation of children who have been spending many more hours weekly on computers and webcams, both for educational and social purposes. The following factors are associated with online risk, as reported by the Australian Centre to Counter Child Exploitation (ACCCE) (2020, p. 18): Sexting–among young people aged 14–17 years, nearly 1 in 3 reported having some experience with sexting (including sending, asking or being asked for, and sharing or showing nude or sexual images or videos); lack of consideration of privacy settings—31% of young people who used social media had not managed their social media presence at all; talking to strangers online–38% of young people aged 8–17 had talked to strangers online, however contact was nearly twice as high among those aged 13– 17 years (50%) and sharing personal information with strangers–14% of young people tended to share information such as they real age, images with their face, or their full name.

Disturbingly, the e-Safety Commissioner has noted a surge in complaints about sexually invasive online activity during COVID-19 lockdown periods (Dagg 2020):

164

G. Urbas and M. Smith

One explanation for the rise in image-based abuse is the effect of widespread social lockdown. As isolation and social distancing lead to fewer opportunities for physical intimacy, it is possible that more adults are online for alternatives. That may be leading to more sexually explicit material being shared, both within relationships, as well as with strangers. Sadly, we know that some of these images are shared without any consideration of the damaging impact this may have. Disturbingly, there is an increased risk of children being sexually abused during the COVID-19 pandemic. This happens when a child is tricked or coerced into sharing intimate images or videos of themselves, often without even being aware of how they will be used. The abuser may be a stranger, an online ‘friend’ the child has not met face-to-face, or even someone they actually know. Through eSafety’s online investigations we have noticed an upswing of coronavirus-related activity in the dark web. In one forum, paedophiles noted that isolation measures have increased opportunities to contact children remotely and engage in their ‘passion’ for sexual abuse via platforms such as YouTube, Instagram and random webchat services.

Increased vigilance by parents and other responsible adults may provide some protection against online victimisation by strangers, but sadly, many children are also at risk of sexual exploitation and other forms of abuse by family members during episodes of lockdown and being kept home from school (AIHW 2021).

New Court Procedures in Response to the Pandemic One of the more visible effects of the COVID-19 pandemic on the criminal justice systems was the rapid introduction of restrictions on open public hearings, with face-to-face hearings being largely replaced by teleconferencing, jury trials being temporarily suspended in favour of judge-alone trials, and public access to proceedings sharply reduced. For example, in the Australian Capital Territory (ACT) a COVID-19 Emergency Period was declared for the period beginning on 16 March 2020 and ending on 30 June 2021, during which a judge of the ACT Supreme

8 Domestic Laws Governing Post-Pandemic Crime …

165

Court could order that a trial be heard by judge alone, either with or without the consent of a defendant. The first author (Urbas) appeared as defence counsel in a mid-2020 judge-alone trial for sexual offences which would otherwise have been required to have been heard before a jury: R v Masina (No 2) [2020] ACTSC 152 (10 June 2020); R v Masina (No 3) [2020] ACTSC 154 (19 June 2020). Constitutional arguments in another ACT case against the validity of the temporary legislative provisions allowing a judge-alone trial to be ordered without the defendant’s consent were not successful: Vunilagi v The Queen [2021] ACTCA 12 (9 November 2021). Although the business of the courts managed to proceed under the altered arrangements, the experience for both legal and non-legal participants was often alienating and disruptive. Apart from the difficulties of remote witness examination and cross-examination using sometimes intermittent audio-visual link technology, basic practices such as taking instructions confidentially from clients or having mid-trial conversations with other lawyers became fraught (Anderson 2020; Bashir and Bonnor, 2020). The tender of documents simply by handing them to the bench via a court officer was no longer possible in an online environment (Babb 2020). To a considerable extent, technological solutions had already been introduced in civil, particularly commercial, litigation contexts, so that criminal courts were more or less required to ‘catch up’ rather than radically transform. Nonetheless, many participants felt that the quality of justice was being compromised in the process (Legg and Song 2021). Bail and sentencing hearings have also been affected. In particular, conditions of detention both before trial and as part of any sentence imposed after trial were affected by COVID-19 restrictions on contact and mobility, so that court orders had to take changed conditions into account. Health authorities and public defenders adopted guidelines on making submissions for non-custodial supervision of persons charged with offences, as well as submissions on appropriate sentencing (Beaufils 2020; NSW Public Defender’s Office 2020). An interesting example of a NSW Supreme Court sentencing proceeding where extensive evidence on the risk of contracting COVID-19 while in a correctional facility is R v Macdonald; R v Edward Obeid; R v Moses Obeid (No 18) [2021] NSWSC 1343 (21 October 2021), with Fullerton J noting at [148]: ‘I

166

G. Urbas and M. Smith

accept that entering custody at this time will expose each of the offenders to an increased risk of contracting COVID-19 than would otherwise be the case were they ordered to serve their sentences in the community where they could monitor and manage their exposure to the risk of community transmission of the virus’.

Conclusion COVID-19 has profoundly impacted Australian society since it emerged in 2020, as has been the case for most countries around the world. The response of governments in applying and adapting existing laws and criminal procedure over this period of time provides insights into the effectiveness of administrative and legal processes during significant social, political and economic stress. Corresponding with a time of technological advancement, the COVID-19 pandemic has also provided insights into the impact and implications of new technologies, hastening their uptake. This chapter has highlighted the use of technology and data analytics to manage the pandemic, and the importance of balancing individual rights against community safety and security during times of emergency. It also canvassed more specific social and criminal law matters, including a rise in online victimisation and domestic violence during this period, and associated case law and legislation responding to these developments. The impact of social distancing on court room processes has meant that technology developments in this area were expedited, along with consideration of legal issues associated with adapting to new forms of document submission, remote hearings and judge-alone trials. Ensuring that adaptations and new approaches can be implemented within the legal system in response to unexpected events, such as pandemics and associated criminal activity, as well as social and technological change more broadly, while maintaining individual rights and justice is a continuing challenge for liberal democracies such as Australia. This discussion indicates that the country is emerging from the disruption caused by COVID-19 with a suite of domestic laws governing post-pandemic

8 Domestic Laws Governing Post-Pandemic Crime …

167

crime and criminal justice that have evolved as effectively as could be expected in light of the extraordinary circumstances. Finally, as liberal democracies such as Australia move into the postpandemic phase, further reflection on technology induced changes in society that have been accelerated during the pandemic, and associated legal and policy responses, will be necessary. It is likely that as technology continues to rapidly advance, traditional regulatory approaches will be increasingly ineffective. In response to this, we foresee that a greater reliance on using technology (rather than laws) as regulation will be necessary (See, e.g. Lessig 2006). This approach can already begin to be observed (e.g. in the national blockchain architecture platform being developed in Australia) and will likely be implemented widely across healthcare, business and communications sectors in addition to the criminal justice system, in the years ahead (Smith 2020; Smith and Urbas 2021; Smith and Urbas 2022).

References Australian Centre to Counter Child Exploitation (ACCCE). 2020. ‘Online child sexual exploitation: Understanding community awareness, perceptions, attitudes and preventative behaviours’. http://accce.prod.acquiasites.com/sites/default/files/2021-02/ACCCE_Research-Report_OCE.pdf Accessed 18 July 2022. Australian Institute of Health and Welfare (AIHW). 2021. ‘Media release: Child protection in the time of COVID-19’ 15 January. https://www.aihw. gov.au/reports/child-protection/child-protection-in-the-time-of-covid-19/ summary Accessed 18 July 2022. Australian Government, Department of Health. 2022. ‘COVID-19 case numbers and statistics’. https://www.health.gov.au/health-alerts/covid-19/ case-numbers-and-statistics Accessed 18 July 2022. Anderson, Troy. 2020. ‘COVID-19: The public defenders perspective’ Bar News: Journal of the NSW Bar Association, 46–47. Babb, Lloyd. 2020. ‘Impact of COVID-19 on the criminal justice system’ Bar News: Journal of the NSW Bar Association, 44–45.

168

G. Urbas and M. Smith

Bashir, Gabrielle and Bonnor, Ann. 2020. ‘COVID and crime: A view from the private bar’ Bar News: Journal of the NSW Bar Association, 48–49. Beaufils, Damian. 2020. ‘The impact of COVID-19 on sentencing’ Bar News: Journal of the NSW Bar Association, 32–33. Beltekian, Diana et al. 2020. ‘Coronavirus Pandemic (COVID-19)’. https:// covid.ourworldindata.org/data/owid-covid-data.csv Accessed 18 July 2022. Bin Naeem, Salman, Bhatti, Rubina and Khan, Aqsa. 2020. ‘An exploration of how fake news is taking over social media and putting public health at risk’ Health Information and Libraries Journal, 38, 143–149. Bogle, Ariel. 2020. ‘Will the government’s coronavirus app COVIDSafe keep your data secure? Here’s what the experts say’ Australian Broadcasting Corporation News, 27 April. https://www.abc.net.au/news/science/2020-04-27/cov idsafe-contact-tracing-app-coronavirus-privacy-security/12186044 Accessed 18 July 2022. Boxall, Hayley, Morgan, Anthony and Brown, Rick. 2020. ‘The prevalence of domestic violence among women during the COVID-19 pandemic’ Statistical Bulletin, no. 28. Canberra: Australian Institute of Criminology. Citroner, George. 2020. ‘What we know about the long-term effects of COVID-19’ Healthline, 21 April. https://www.healthline.com/health-news/ what-we-know-about-the-long-term-effects-of-covid-19 Accessed 18 July 2022. Cornwall, Warren. 2020. ‘Officials gird for a war on vaccine misinformation’ Science, 369, 14–19. Council of Europe. 2020. ‘Cybercrime and COVID-19’. https://www.coe.int/ en/web/cybercrime/cybercrime-and-covid-19 Accessed 18 July 2022. Dagg, Toby. 2020. ‘COVID-19: Online risks, reporting and response’ 9 April. https://www.esafety.gov.au/newsroom/blogs/covid-19-online-risks-rep orting-and-response Accessed 18 July 2022. Davey, Melissa. 2020. ‘Victoria police given ‘extraordinary powers’ to enforce COVID-19 restrictions’ The Guardian, 4 August. https://www.theguardian. com/australia-news/2020/aug/04/victoria-police-given-extraordinary-pow ers-to-enforce-covid-19-restrictions Accessed 18 July 2022. Ferguson, Neil M. et al. 2020. ‘Impact of non-pharmaceutical interventions (NPIs) to reduce COVID19 mortality and healthcare demand’ Imperial College COVID-19 Response Team. https://www.imperial.ac.uk/media/ imperial-college/medicine/sph/ide/gida-fellowships/Imperial-College-COV ID19-NPI-modelling-16-03-2020.pdf Accessed 18 July 2022.

8 Domestic Laws Governing Post-Pandemic Crime …

169

Fitzsimmons, Caitlin. 2021. ‘More than 7000 people challenge COVID-19 fines, but most fail’ Sydney Morning Herald , 5 December. https://www.smh. com.au/national/nsw/more-than-7000-people-challenge-covid-19-fines-butmost-fail-20211202-p59e94.html Accessed 18 July 2022. Golder Lang, Iris. 2021. ‘Laws of fear in the EU: The precautionary principle and public health restrictions to free movement of persons in the time of COVID-19’ European Journal of Risk Regulation, 1–24. Halbfinger, D., Kershner, I. and Bergman, R. 2020. ‘To track coronavirus, Israel moves to tap secret trove of cellphone data’ New York Times, 16 March. https://www.nytimes.com/2020/03/16/world/middleeast/israelcoronavirus-cellphone-tracking.html Accessed 18 July 2022. Hendry, Justin. 2021. ‘NSW bans police from accessing QR code check-in data’, IT News, 21 November. https://www.itnews.com.au/news/nsw-banspolice-from-accessing-qr-code-check-in-data-573015 Accessed 18 July 2022. Houston, Cameron and Webb, Carolyn. 2021. ‘Police to drop most COVID19 fines and hand out cautions’ The Age, 18 January. https://www.theage. com.au/national/victoria/police-to-drop-most-covid-19-fines-and-hand-outcautions-20210117-p56uoo.html Accessed 18 July 2022. Khweiled, Raghad, Jazzar, Mahmoud and Eleyan, Derar. 2021. ‘Cybercrimes during COVID-19 pandemic’ International Journal of Information Engineering and Electronic Business, 2, 1–10. Kim, Nemo. 2020. ‘More scary than coronavirus: South Korea’s health alerts expose private lives’ The Guardian, 6 March. https://www.theguardian.com/ world/2020/mar/06/more-scary-than-coronavirus-south-koreas-health-ale rts-expose-private-lives Accessed 18 July 2022. Legg, Michael and Song, Anthony. 2021. ‘The courts, the remote hearing and the pandemic: From action to reflection’ University of New South Wales Law Journal, 44, 126–166. Lelliott, Joseph, Schloenhardt, Andreas and Ioannou, Ruby. 2021. ‘Pandemics, punishment, and public health: COVID-19 and criminal law in Australia’ University of NSW Law Journal, 44, 167–196. Lessig, Lawrence. 2006. Code 2.0. New York: Basic Books. MacDonald, Noni E. 2015. ‘Vaccine hesitancy: Definition, scope and determinants’ Vaccine, 33, 4161–4164. Miller, Seamus and Smith, Marcus. 2021. ‘Ethics, public health and technology responses to COVID-19’ Bioethics, 35, 366–374. Morgan, James. 2018. ‘Offences against the person and sexually transmitted diseases: Aubrey v The Queen’ (2017) 260 CLR 305’ Adelaide Law Review, 39, 207–217.

170

G. Urbas and M. Smith

Morley, Christine et al. 2021. ‘Locked down with the perpetrator: The hidden impacts of COVID-19 on domestic and family violence in Australia’ International Journal for Crime, Justice and Social Democracy, 10, 204–222. New South Wales Public Defender’s Office. 2020. ‘COVID-19 resources for criminal lawyers’. https://www.publicdefenders.nsw.gov.au/Pages/c19resour ces.aspx Accessed 18 July 2022. Parker, Michael J., Fraser, Christopher, Abeler-Dorner, Lucie and Bonsall, David. 2020. ‘Ethics of instantaneous contact tracing using mobile phone apps in the control of the COVID-19 pandemic’ Journal of Medical Ethics, 46, 427–431. Qiang, Xiao. 2019. ‘The road to digital unfreedom: President Xi’s surveillance state’ Journal of Democracy, 30, 53–67. Roose, Josh. 2021. “‘It’s almost like grooming’: How anti-vaxxers, conspiracy theorists and the far-right came together over COVID” Australian Broadcasting Corporation, 22 September. https://www.abc.net.au/news/2021-0922/how-antivaxxers-conspiracy-theorists-far-right-melbourneprotest/100 481874 Servick, Kelly. 2020. ‘COVID-19 contact tracing apps are coming to a phone near you. How will we know whether they work?’ Science, 21 May. https:// www.sciencemag.org/news/2020/05/countries-around-world-are-rollingout-contact-tracing-apps-containcoronavirus-how Accessed 18 July 2022. Smith, Marcus. 2020. ‘A modern approach to regulation: Integrating law, system architecture and blockchain technology in Australia’ Australian Business Law Review, 48, 460–466. Smith, Marcus and Urbas, Gregor. 2022. ‘Evolving legal responses to social media in Australia: Litigation, legislation and system architecture’ ANU Journal of Law and Technology, 3, 8–30. Smith, Marcus and Urbas, Gregor. 2021. Technology Law: Australian and International Perspectives. Cambridge: Cambridge University Press. Stoianova, Tatiana, Ostrovska, Liudmyla and Tripulskyir, Grygorii. 2020. ‘COVID-19: Pandemic of domestic violence’ Ius Humani, Revista de Derecho, 2, 111–136. Sutton, Malcolm. 2020. ‘Phone tracking used to follow movements of Chinese couple with coronavirus in Adelaide’ Australian Broadcasting Corporation News, 6 February. https://www.abc.net.au/news/2020-02-06/phone-tra cking-follows-movements-of-couple-with-coronavirus/11935912 Accessed 18 July 2022. Urbas, Gregor. 2021. ‘Legal considerations in the use of artificial intelligence in the investigation of online child exploitation’ ANU College of Law Research

8 Domestic Laws Governing Post-Pandemic Crime …

171

Paper No. 21.44. https://ssrn.com/abstract=3978325 or https://doi.org/10. 2139/ssrn.3978325 Accessed 18 July 2022. Urbas, Gregor. 2020. Cybercrime: Legislation, Cases and Commentary, 2nd ed. Sydney: Lexis Nexis. Wakatama, Giselle. 2022. ‘NSW COVID fine data reveals hotspots in Mount Druitt, Liverpool, Dubbo’ ABC News, 23 February. https://www.abc.net. au/news/2022-02-24/nsw-covid-fine-penalty-notice-hotspots-revealed/100 855472 Accessed 18 July 2022. Walsh, Patrick and Miller, Seumas. 2016. ‘Rethinking ‘five eyes’ security intelligence collection policies and practice post Snowden’ Intelligence and National Security, 31, 345–368. World Health Organisation (WHO). 2022. ‘Timeline: WHO’s COVID19 response’. https://www.who.int/emergencies/diseases/novel-coronavirus2019/interactive-timeline Accessed 18 July 2022. Zimmermann, Augusto and Forrester, Joshua. 2020. ‘Protecting fundamental rights in the age of COVID-19’ The Western Australian Jurist, 1, 1–6.

9 Perspectives on Policing Post-pandemic Cybercrime Rick Sarre

Introduction The massive changes in societal expectations of human and business connectivity and the shifts in technology that have been designed to meet these demands are profound. The modern world is well-entrenched in the digital age. It is dependent upon its complex features and storage capabilities that can accommodate the flood of data from millions of sensors in our commercial hubs, the streams of visual images generated by users of social networks and the information produced by those who use mobile devices. This was foreshadowed in the past.

R. Sarre (B) Justice and Society, University of South Australia, Adelaide, SA, Australia e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 R. G. Smith et al. (eds.), Cybercrime in the Pandemic Digital Age and Beyond, Palgrave Studies in Cybercrime and Cybersecurity, https://doi.org/10.1007/978-3-031-29107-4_9

173

174

R. Sarre

The new economy is more about analysing rapid real-time flows of unstructured data … The world will bristle with connected sensors so that people will leave a digital trail wherever they go … (Economist 2017, p. 24)

Indeed, the digital world expands exponentially year by year, and the pandemic has only served to hasten this growth as more people move their social lives online and more and more workers are asked to log in to their workplaces remotely from home. Even before the pandemic began, a market research firm predicted in 2017 that the digital universe (the amount of data created and copied) would reach 180 zettabytes (180 followed by 21 zeros) by 2025 (Economist 2017). This level of global connectivity has led to a massive expansion of instantaneous commercial expediency, enhanced trade opportunities and heightened levels of personal networking. However, there is a significant downside to this revolution: the willingness and aptitude of those who share this new-found connected cyberspace to engage in criminality. Estimates a decade ago reported that cybercrime was costing the global economy billions of dollars annually (Broadhurst and Chang 2013; Sarre, Brooks et al. 2014; Australian Crime Commission 2015), and losses continue to expand virtually unabated. A most recent estimate by the Australian Competition and Consumer Commission (ACCC), based on its analysis of more than 560,000 reports of losses in 2021, calculated the annual costs of consumer cybercrime in Australia alone to be above $A2 billion (ACCC 2022). Investment scams were the highest loss category (A$701 million), followed by payment redirection scams (A$227 million) and romance scams (A$142 million). However, as approximately one-third of victims do not report scams, the ACCC estimated actual losses far exceeded this amount. It is no exaggeration to say that ‘malicious cyber activity against Australia’s national and economic interests is increasing in frequency, scale, sophistication and severity’ (Australian Cyber Security Centre 2017, p. 16). There is little doubt that the pandemic from 2020 to the present day has only served to heighten these risks and losses.

9 Perspectives on Policing Post-pandemic Cybercrime

175

The Phenomenon of Cybercrime There are variable definitions of cybercrime. It has been variously referred to as ‘computer crime’, ‘computer-related crime’, ‘hi-tech crime’, ‘technology-enabled crime’, ‘e-crime’ or ‘cyberspace crime’ (Chang 2012). Grabosky (2007) helpfully classified three general forms, including crimes where the computer is used as the instrument of crime, crimes where the computer is incidental to the offence, and crimes where the computer is the target of crime. McGuire and Dowling (2013) developed the now accepted concept of classifying cybercrime as ‘cyberenabled’ crime or ‘cyber-dependent’ crime. Cyber-enabled crimes are traditional crimes facilitated by the use of computers, such as fraud perpetrated through computer scams (Cross 2020). Cyber-dependent crimes are those crimes that would not exist without the technology, such as a state seeking to crash another state’s internet structure (Perlroth 2021). Another useful classification is the one devised by Gordon and Ford (2006) who divided activities into Type I and Type II offences. Type I cybercrimes are crimes which are more technical in nature, for example, implementing malware attacks designed to disrupt a business by destroying its database (Falk and Brown 2022), or the activities of the ‘hacktivist,’ someone who protests against an organisation’s actions or policies by orchestrating a denial of service (Sarre, Lau and Chang 2018). Type II cybercrime is crime that relies on human contact rather than technology, for example, fraudulent financial transactions, identity theft, romance scams, ransom attacks, theft of electronic information for commercial gain, drug-trafficking, money-laundering, aberrant voyeuristic activities, image-based sexual abuse, harassment, stalking and other threatening behaviours (Sarre, Lau and Chang 2018; Cross et al. 2022). While these sorts of activities have traditionally been classified as criminal, they are now so much easier to pursue with digital technologies. Moreover, they involve far less risk of capture by local authorities (often on the other side of the world), and far less danger of physical violence which would accompany, for example, a street robbery (Sarre 2022). Today’s criminals can commit cybercrime without the need for highlevel technical skills. The internet can, itself, assist, with ‘do-it-yourself ’

176

R. Sarre

malware kits, for example, available in online forums and the dark web. The borderless nature of the internet means that potential victims of cybercrime can be targeted from thousands of miles away, making law enforcement not only challenging, but, in some instances, impossible (Perkins and Howells 2021). Cybercrime is thus an escalating problem for national and international police and global security agencies.

Policing Cybercrime Tackling cybercrime is a difficult task. There are a number of factors that militate against effective crime prevention in this domain. The first is the difficulty associated with jurisdictional boundaries. No other field of criminality finds international borders more permeable than they are in cyber criminality (Holt 2018, p. 141). It is exceedingly problematic for police or security agencies in one nation to assume control over an investigation in another nation, especially if the other nation denies that the crime emanated from within their country. The second is the limited expertise of law enforcement when pitted against some of the best information-technology minds in the (ill-gotten gains) business (Holt 2018, p. 144). Moreover, just when the state’s wellresourced teams catch up, capacity-wise, cybercrime operatives shift into another form of opaque and lawless territory. The third factor is the rising cost of enforcement in dollar terms. Resourcing high-tech crime abatement is an expensive task, especially when there are often other more highly visible and localised calls upon the law enforcement budget (Holt 2018). True, in March 2022, the Australian Government allocated A$9.9 billion over 10 years to the Australian Signals Directorate to deliver a Resilience, Effects, Defence, Space, Intelligence, Cyber and Enablers package, the largest ever investment in Australia’s intelligence and cyber capabilities (MinterEllison 2022, p. iii), and significant budgetary inputs to fight terrorism (Grattan 2015). However, there is no guarantee that government funding will ever be adequate to meet the growing demand for prophylactic measures, especially given the highly versatile and transitory nature of the phenomenon.

9 Perspectives on Policing Post-pandemic Cybercrime

177

When one considers the above factors, it should come as no surprise that, in a time of fiscal restraint, there is a general reluctance of governments to do all of the heavy lifting. Other resourcing is needed beyond the capability and capacity of formal police forces. Fortunately, the demand is being addressed enthusiastically by a resource that is amenable to the task at hand: the private sector.

The Private Sector and Cybercrime Prevention A great deal of the responsibility of policing the world of cybercrime has shifted away from governments to the private realm (Sarre and Prenzler 2021; 2023). On the one hand, this is a good thing: the private sector is well-resourced and ready to participate in this exercise of supplementation. Indeed, during the pandemic, the private sector was enjoined to develop the Covid-safe App and a Quick Response (QR) code regime both of which were purchased by the Australian government to assist with contact tracing. Moreover, the private sector’s prophylactic measures such as multi-factor authentication of internet users and other identification software capable of thwarting cybercrime have been embraced enthusiastically by governments, too. On the other hand, the private sector can be self-serving and has been accused of being more beholden to the protection of its shareholders’ interests than to the common weal (Prenzler and Sarre 2017). Former Australian Prime Minister Malcolm Turnbull offered the following by way of explanation and caution: If we are to fully realise the social, economic and strategic benefits of being online, we must ensure the internet continues to be governed by those who use it—not dominated by governments. Equally, however, we cannot allow cyberspace to become a lawless domain. The private sector and government sector both have vital roles to play. (Australian Government 2016, p. 2)

The foundations have nevertheless been laid for a strong level of cooperation between governments and private companies in facing the threats that continue to rear their heads in cyberspace. This trend goes hand in

178

R. Sarre

hand with private sector security cooperation that has operated under the aegis of government agencies for years and across most nations of the world in crime prevention more generally (Prenzler and Sarre 2022). The following section outlines particular fields of endeavour where public and private crime prevention cooperative efforts and formal public/private policing partnerships have played a role (and continue to do so) in meeting the task of preventing or forestalling cybercrime— particularly in response to the risks created by the coronavirus pandemic. As can be seen, there are mixed messages that emerge from these examples in terms of potential over-reach not only of the private sector, but the public sector as well.

Metadata Retention in Telecommunications Key to the way in which governments have sought to target cybercrime is the shift to accessing of digital data through what is referred to as ‘metadata retention’ (Branch 2014; Fernandes and Sivaraman 2015; Sarre 2017a). This strategy relies heavily upon the cooperation of the private telecommunications sector (Australian Parliament 2017). In order to frustrate and block those who would orchestrate organised crime, or who would perpetrate violence in the name of some particular ideology, governments now have the capacity to keep track of metadata by enlisting the compliance of private sector telecommunications companies (Kowalick et al. 2018). In 2015, new laws came into force in Australia requiring telecommunications service providers to retain and store their metadata (normally, call data, SMS text data and IP addresses) so that the information remains available for analysis by crime fighters and anti-terrorism strategists (Gal 2017). The vehicle for the change in Australian policy was the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth.). The legislation circumvented any objection by the public that, contractually, their metadata information was private between them and their telecommunications provider (Sarre 2018). The new laws were not universally welcomed, however.

9 Perspectives on Policing Post-pandemic Cybercrime

179

Access to private communications records is already out of control in Australia, with telecommunications regulator the Australian Communications and Media Authority (ACMA) reporting 580,000 warrantless demands in the last financial year. … But in the few years I’ve been working up close to government, I’ve learned one important lesson: Governments cannot be trusted. This government, the one before it, the one that will come after it. (Ludlam 2015)

The jury is still ‘out’ on whether this legislation has had the effect its designers had intended, and discussion of its use and effect has gone somewhat into abeyance (Sarre 2017b).

Surveillance Tools Visual imaging has played an important role in modern policing, and the private sector has been willing and able to assist in the burgeoning market that provides the tools of surveillance. In retail shops and market precincts, for example, closed-circuit television (CCTV) has become seemingly indispensable, with widespread business support for its potential value as a means of crime reduction (Prenzler and Sarre 2012). Another innovation is the ability of surveillance tools such as facial recognition ‘search’ software to allow police, building owners, sportsground managers and retail proprietors (to name a few) to watch, count and identify people moving past a certain point. Such systems are capable of tracking people not only by their facial features but by their wearing certain distinctive clothing, or walking with a distinctive gait, which is very helpful in search and rescue situations, but also in following up matters pertaining to the commission of a crime (Sarre 2020). In the not-too-distant past, the market for these tools was limited by the size of the investment required to install and use the technology. Over the last decade, however, advances in camera technological capacity, including storage of data, have been phenomenal (Sarre 2015). These advances bring with them opportunities for public authorities and private entities to use digital data in innovative ways to manage and respond effectively to crises, crime risks and physical risks to property. These innovations continue to inform surveillance in cyberspace as well.

180

R. Sarre

Digital information can be traced and tracked with the sophisticated tools developed by privately-based cyber sleuths (Kowalick et al. 2018).

Concerns Regarding the Tools of Cybercrime Prevention In the fight against cybercrime, however, there is good reason for apprehension. There are concerns regarding the invasion of privacy and the intrusiveness exercised by those who engage in data collection, whether instructed by governments to catch people flouting pandemic lock-down laws, or by private businesses seeking to limit commercial losses (Prenzler and Sarre 2017). These concerns include the ability of the owners of data to prevent ‘leakage’, namely to forestall its spreading to a wider audience, or the sale of private data for marketing purposes. Concerns about dubious ethical practices and the regularity of instances of ‘over-reach’ by private companies were heightened by the March 2018 revelations that the information company Cambridge Analytica had manipulated and exploited the data of more than 80 million Facebook user profiles (Manokha 2018). This helped to facilitate the targeting of American voters with strategic electronic interruptions ahead of the 2016 United States election. Just forty-six days later, Cambridge Analytica announced it would close its doors. So, too, did its parent company, SCL Elections. Facebook admitted that it was (unwillingly and unwittingly) complicit in this clear breach of privacy. It might seem inherently incompatible with democracy for that knowledge to be vested in a private body. Yet the retention of such data is the essence of Facebook’s ability to make money and run a viable business … Maybe the internet should be rewired from the grassroots, rather than be led by digital oligarchs’ business needs. (Joseph 2018)

According to Manokha (2018), there is a new era of ‘surveillance capitalism’ brewing.

9 Perspectives on Policing Post-pandemic Cybercrime

181

The outcry against Cambridge Analytica has not attempted to sanction, nor even to question, the existence of digital platforms and other actors which depend on the ever more extensive acquisition and monetisation of personal data. If anything, the Cambridge Analytica story has unintentionally contributed to the further normalisation of surveillance and the lack of privacy that comes with being an internet user nowadays. Even the web pages of the sites that broke the story (The Observer and New York Times) allow dozens of third-party sites to obtain data from the browser of the user accessing the articles. It was 75 and 61 sites, respectively, last time I checked … (Manokha 2018)

The case of Cambridge Analytica provides a sobering reminder of why the relationship between government policing agencies and the private sector needs to be kept under constant scrutiny (Holt 2018, p. 153). Indeed, modern societies struggle to find an acceptable balance between the rights of their citizens to enjoy freedom from the prying eyes of government (and the private security businesses enjoined by governments to assist them), and the legitimate interests that the state might have in monitoring them. In July 2015, the then Australian Communications Minister (and later Prime Minister) Malcolm Turnbull expressed the challenge in this way. [W]e need to recognise that getting the balance right is not easy (not least because the balance may shift over time) and we are more likely to do so if there is a thoughtful and well-informed public debate— weighing up the reality of the national security threat, the effectiveness of particular proposed measures and then asking whether those measures do infringe on our traditional freedoms and if so whether the infringement is justifiable. (Turnbull 2015)

It is appropriate to turn attention to address the challenge posed by the former Communications Minister.

182

R. Sarre

Getting the Balance Right An appropriate equilibrium must be struck between forestalling cybercrime using all available electronic and disruptive means (public and private), while not unduly curtailing the legitimate rights to privacy that citizens in modern democracies currently expect to enjoy. How much government surveillance is acceptable? What controls should society employ over the private sector to monitor its engagement in cyber surveillance? What degree of intrusion should be permissible? There are no easy answers, especially given that modern society appears uncertain about what levels of privacy its citizens demand, and the extent to which its citizens trust private operators and governments to manage their private data. On the one hand, there is the view that we should safeguard strictly the privacy of the personal data held by governments and private companies, given that digital data can spread worldwide in a matter of seconds, or can be hacked, or can be used to target our potential voting preferences. On this view, we should be very cautious of any covert surveillance that allows an emboldening of private and governmental agencies to spy upon the legitimate activities of those whom they (or any other authorities) deem ‘undesirable’. On the other hand, there is a strong sense that citizens’ lives are enhanced by having a ready supply of data available to anyone who wishes to access it. The new generations of digital users appear to be ambivalent about how much privacy they are willing to sacrifice in the rush to maintain contemporaneous contact with the world (Sarre 2014a). Access to internet sites and messaging services such as Instagram, Facebook, Facetime, WhatsApp, TikTok, Viber and Tango, for example, has enhanced private communication channels across the globe. They provide instantaneous and useful information as demonstrated during the pandemic when health advice was disseminated widely on the Internet. Each can act as a safety and protection tool, too, when, say, a user is lost, or fearful, or has become a victim of crime. Experience has shown that private companies, however, cannot be trusted unequivocally to deal with our data in a manner that befits our

9 Perspectives on Policing Post-pandemic Cybercrime

183

privacy, and meets our expectations (Gal 2017). In the wake of two highprofile data breaches in October 2022 (Optus, and Medibank Private), the Australian Government introduced legislation that exponentially increases the financial penalties entities face for allowing cybercriminals to expose these entities to repeated or serious privacy breaches. AttorneyGeneral Mark Dreyfus introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth.) which significantly increased the existing maximum penalty to whichever is the greater of an A$50 million fine; three times the value of any benefit obtained through the misuse of information; or 30 per cent of a company’s adjusted turnover in the relevant period (ACSM 2022). But government intrusions can be problematic too. In September 2021, the Australian Federal parliament passed the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 (Cth.) which introduced new law enforcement powers to combat online crime. With the support of the, then, Labor opposition, the government sought to create new police powers to spy on criminal suspects online, disrupt their data and take over their accounts (Kantor and Kallenbach 2021). The Bill sought to create three new types of warrants to enable the Australian Federal Police and Australian Criminal Intelligence Commission to surveil Australians operating in networks suspected of committing cybercrimes. Data disruption warrants need to be ‘reasonably’ necessary and proportionate, and account takeover warrants need to specify the types of activities proposed to be carried out. The Bill became law despite concerns about the low bar regarding who can authorise a warrant, and amidst allegations that the government failed to implement all the safeguards recommended by the bipartisan Joint Committee on Intelligence and Security which had reviewed the Bill (Karp 2021). Indeed, under the Act it is an offence for the media to engage in an unauthorised disclosure about a specific data disruption or account takeover, although there is a public interest exception for any person working in a professional capacity as a journalist. Opponents of the Act argued that the legislation further erodes privacy rights, and that the targets of the new law could be broader than organised cybercrime networks and extend to civil and political activists

184

R. Sarre

(Kantor and Kallenbach 2021). Only time will tell how effective these new provisions will be and whether these concerns are realised.

Is There a Way Through the Maze? To my mind, and based upon the evidence presented in this chapter, there is a way through this dilemma if private sector operatives and government security agencies and police pursue the adoption of the following policy options:

Policy Option 1 This seeks to determine what we as a society want and expect from cyberspace technology. Citizens need to decide what they can and cannot abide with the innovations that arise from technology, and how much they are prepared to sacrifice in the privacy versus connectedness dichotomy. [This] means more innovative forms of public debate. And it means that the most influential institutions in this space—…governments, technology firms and national champions—need to listen and experiment with the goal of social, as well as economic and technological, progress in mind. (Davis and Subic 2018)

Policy Option 2 This requires that appropriate rules are put in place and financed accordingly. These rules need to ensure that we can enjoy the benefits of the digital age without bringing us closer to a ‘surveillance society’ in which our every move is monitored, tracked, recorded and scrutinised by governments and private interests (Rodrick 2009). Nations should build in more safeguards as the technology becomes more widespread and spend the required money to keep them going.

9 Perspectives on Policing Post-pandemic Cybercrime

185

Policy Option 3 This entails encouraging and adopting governmental guidelines. The Australian experience on this front is worth noting. On 8 May 2017, the Australian Government tabled the Productivity Commission’s Data Availability and Use Inquiry (Australian Government 2018). The Inquiry made 41 recommendations designed to shift from policies based on risk avoidance towards policies based on value, choice, transparency and confidence in the digital age. A year later, on 1 May 2018, the government committed to establishing an office of the National Data Commissioner, introducing legislation to improve the sharing, use and reuse of public sector data while maintaining the strong security and privacy protections the community expects, and introducing a Consumer Data Right to allow consumers of data to share their usage with private service competitors and comparison services. The government has enshrined in legislation that data sharing and release is only authorised for specified purposes (such as informing and assessing government policy and research and development with public benefits), and provided that data safeguards are met (Flannery 2019). Today, the Office of Australian Information Commissioner exists. It is its role to monitor breaches of all forms of privacy.

Policy Option 4 This involves engagement with the private sector, but being suitably wary of its power and motives. Policy-makers should be on guard to ensure that the private sector is thoroughly accountable for its cybercrime prevention efforts. Private corporations are being trusted with vast amounts of sensitive personal data that will be generated as they ‘police’ the internet. But there are some commentators who are not confident that this trust is well-placed. There are … serious unintended consequences that may result from the various extralegal measures employed by industry and corporate entities. Specifically, they have no legal or constitutional remit to enforce national laws or the interests of any one country. Industrial involvement

186

R. Sarre

in transnational investigations … may lead some to question whether they have overstepped their role as service providers into order maintenance based on their economic interests only. (Holt 2018, p. 152)

Policy Option 5 This entails engagement with all sectors to adopt practices of selfpolicing. Policy-makers should ensure that the right incentives are in place to enjoin those entities that are vulnerable to cybercrime to act in their own self-interest and put in place their own shields from potential threats (Prenzler and Sarre 2022). This call has been referred to as ‘responsibilisation’ (O’Malley 2009). An example is the 2022 code put in place by the Australian Communications and Media Authority (ACMA). All companies (typically communications and broadcasting companies) that are required to be licensed by ACMA must now do all in their power to trace, identify and block SMS scam messages and to publish information on how to report any scams (ACMA 2022). The government has also expanded the rules required of businesses by the Security of Critical Infrastructure Act 2022 (Cth), which became effective from 8 July 2022. Sectors defined as critical infrastructure (originally electricity, gas, water and ports) have been expanded to include businesses associated with communications, data storage or processing, financial services, healthcare and medical providers, along with sectors that deliver services such as higher education and research, food and grocery production, transport, space technology and the defence industry. Businesses and companies within these sectors are required to alert the Australian Cyber Security Centre within 12 hours of any cyber-attack if it significantly impacts their operations, and all other incidents must be reported within 72 hours. Allied examples of responsibilisation include firms and individuals being asked to raise, and taking responsibility for raising, awareness of the possibilities of scams, followed by customised training of staff, and target-hardening.

9 Perspectives on Policing Post-pandemic Cybercrime

187

Conclusion Police have a role to play in ensuring that cyberspace is not a lawless domain, but their resources devoted to global crime prevention are limited. They cannot go it alone especially in a post-pandemic world where global communications have become far more expansive and intrusive than ever before. That being the case, the private sector has been, and will continue to be, co-opted. Great trust between public and private agencies has been developed in relation to prophylactic measures, and that trust is set to grow . However, given the excesses of some corporate entities, particularly in the processing and storage of digital data records, governments cannot adopt a ‘hands-off ’ approach and allow the private sector free rein in their quest to defeat cybercrime (Sarre 2014b). It is imperative that governments regulate and monitor the interventions by the private sector into citizens’ daily lives, even if it is done in the name of cyber security, lest these interventions leave people more vulnerable to policy over-reach and breaches of privacy. Hence, governments must develop a clear over-arching framework to require compliance of private owners of surveillance tools and data managers in the same way as controls (such as codes of conduct) are in place to protect the security of government-collected data. Governments cannot afford to get this wrong. Our future security depends upon the decisions we make today regarding the strategies we need to adopt to reduce the impact of cybercrime in the years ahead. That, inevitably, will entail the development of new forms of digital responses to future pandemics.

References Australian Competition and Consumer Commission (ACCC). 2022. ‘Scams robbed Australians of more than $2 billion last year’, Canberra: Australian

188

R. Sarre

Competition and Consumer Commission, https://www.accc.gov.au/mediarelease/scams-robbed-australians-of-more-than-2-billion-last-year. Accessed 4 July 2022. Australian Communications and Media Authority (ACMA). 2022. ‘New Rules to Fight SMS Scams’, Australian Communications and Media Authority, https://www.acma.gov.au. Accessed 12 July 2022. Australian Cyber Security Magazine (ACSM). 2022. Australian Government to Increase Data Breach Penalties, Australian Cyber Security Magazine, 24 October. https://australiancybersecuritymagazine.com.au/australian-gov ernment-to-increase-data-breach-penalties/ Accessed 17 January 2023. Australian Crime Commission (ACC). 2015. Organized crime in Australia report. Canberra: Commonwealth of Australia. Australian Cyber Security Centre. 2017. Australian Cyber Security Centre 2017 Threat Report. https://www.acsc.gov.au/publications/ACSC_Threat_ Report_2017.pdf Accessed 20 February 2019. Australian Government. 2018. New Australian Government Data Sharing and Release Legislation, Issues Paper for Consultation. Canberra: Department of Prime Minister and Cabinet. Australian Government. 2016. Australia’s Cyber Security Strategy. https://www. pmc.gov.au/sites/default/files/publications/australias-cyber-security-strategy. pdf. Accessed: 20 February 2019. Australian Parliament. 2017. Review of the implementation period of the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2014, 13 April. Canberra: Joint Parliamentary Committee on Intelligence and Security. Branch, Phillip. 2014. ‘Surveillance by metadata’. Issues 109 (December): 10– 13. Broadhurst, Roderic and Chang, Lennon Yao-Chung. 2013. ‘Cybercrime in Asia: Trends and challenges’ in Handbook of Asian Criminology Liu, Jianhong, Hebenton, Bill and Jou, Susyan (eds.), 49–63. New York: Springer. Chang, Lennon Yao-Chung. 2012. Cybercrime in the Greater China Region: Regulatory Responses, and Crime Prevention Across the Taiwan Strait Cheltenham: Edward Elgar Publishing. Cross, Cassandra. 2020. ‘“Oh we can’t actually do anything about that”: The problematic nature of jurisdiction for online fraud victims’ Criminology and Criminal Justice, 20(3), 358-375. Cross, Cassandra, Holt, Karen and O’Malley, Roberta Liggett. 2022. ‘“If U Don’t Pay they will Share the Pics”: Exploring Sextortion in the Context of

9 Perspectives on Policing Post-pandemic Cybercrime

189

Romance Fraud’, Victims & Offenders: An International Journal of Evidencebased Research, Policy, and Practice. https://doi.org/10.1080/15564886.2022. 2075064 Accessed 23 September 2022. Davis, Nicholas and Subic, Aleksandar. 2018. ‘Hope and fear surround emerging technologies, but all of us must contribute to stronger governance’, The Conversation, 18 May. https://theconversation.com/hope-andfear-surround-emerging-technologies-but-all-of-us-must-contribute-to-str onger-governance-96122. Accessed 1 February 2019. Economist. 2017. ‘Data is the new oil’ The Economist, 6 May. https://www. economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-isno-longer-oil-but-data Accessed 17 January 2023. Falk, Rachael and Brown, Anne-Louise. 2022. ‘Exfiltrate, encrypt, extort: The global rise of ransomware and Australian’s policy options’, Journal of the Australasian Institute of Policing 14(2) 29-37. Fernandes, Clinton and Sivaraman, Vijay. 2015. It’s only the beginning: Metadata retention laws and the internet of things Australian Journal of Telecommunications and the Digital Economy, 3(3). http://telsoc.org/ajtde/ index.php/ajtde/article/view/21. Accessed 1 February 2019. Flannery, Angela. 2019. Public Sector Data: The Proposed Data Sharing and Release Act and implications for governments. http://www.mondaq.com/art icle.asp?article_id=772966&signup=true. Accessed 1 February 2019. Gal, Un. 2017. ‘The new data retention law seriously invades our privacy— and it’s time we took action’, The Conversation 16 June. https://thecon versation.com/the-new-data-retention-law-seriously-invades-our-privacyand-its-time-we-took-action-78991?sa=pg2&sq=metadata&sr=1 Accessed 1 February 2019. Gordon, Sarah and Ford, Richard. 2006. ‘On the definition and classification of cybercrime’, Journal of Computer Virology, 2, 13–20. Grabosky, Peter. 2007. Electronic Crime. New Jersey: Prentice Hall. Grattan, Michelle. 2015. ‘$131 million for companies’ metadata retention in budget boost to counter terrorism’, The Conversation 12 May, https://theconversation.com/131-million-for-companies-metadata-ret ention-in-budget-boost-to-counter-terrorism-41637. Accessed 1 February 2019. Holt, Thomas J. 2018. ‘Regulating cybercrime through law enforcement and industry mechanisms’, The Annals of the American Academy of Political and Social Science 679 (1), 140-157. Joseph, Sarah. 2018. ‘Why the business model of social media giants like Facebook is incompatible with human rights’ The Conversation. 3 April.

190

R. Sarre

https://theconversation.com/why-the-business-model-of-social-media-gia nts-like-facebook-is-incompatible-with-human-rights-94016. Accessed 1 February 2019. Kantor, Susan and Kallenbach, Paul. 2021. ‘How might the new Identify and Disrupt laws impact you?’ https://www.minterellison.com/articles/howmight-the-new-identify-and-disrupt-laws-impact-you. Accessed 1 July 2022. Karp, Paul. 2021. ‘Australian powers to spy on cybercrime suspects given green light’ The Guardian, 25 August 2021. Kowalick, Phil, Connery, David and Sarre, Rick. 2018. ‘Intelligence-sharing in the context of policing transnational serious and organized crime: a note on policy and practice in an Australian setting’ Police Practice and Research: An International Journal 19(6), 596-608. Ludlam, Scott. 2015. ‘Data retention: We need this opposition to oppose’ ABC The Drum, 27 February http://www.abc.net.au/news/2015-02-27/ludlamwe-need-this-opposition-to-oppose/6269504 Accessed 1 February 2019. Manokha, Ivan. 2018. ‘Cambridge Analytica’s closure is a pyrrhic victory for data privacy’ The Conversation, 3 May. https://theconversation.com/cambri dge-analyticas-closure-is-a-pyrrhic-victory-for-data-privacy-96034 Accessed 1 February 2019. McGuire, Mike and Dowling, Samantha. 2013. Cybercrime: A review of the evidence: Summary of key findings and implications. Home Office Research Report 75. London: Home Office, October. MinterEllison. 2022. Perspectives on Cyber Risk, https://www.minterellison. com/articles/perspectives-on-cyber-risk-new-threats-and-challenges-in-2022 Accessed 1 July 2022. O’Malley, Pat. 2009. ‘Responsibilisation,’ in Wakefield, Alison and Fleming, Jenny (eds), Sage Dictionary of Policing, 277–279, London: Sage Publications. Perkins, Roberta C. and Howell, C. Jordan. 2021. ‘Honeypots for Cybercrime Research’ in Lavorgna, Anita and Holt, Thomas J. (eds.), Researching Cybercrimes, 233–261, Geneva: Springer Nature. Perlroth, Nicole. 2021. This Is How They Tell Me the World Ends: The Cyberweapons Arms Race, London: Bloomsbury. Prenzler, Tim and Sarre, Rick. 2022. ‘Facilitating Best Practice in Security: The Role of Regulation’ in Gill, M (ed.), Handbook of Security, 777–799, Houndmills: Palgrave-Macmillan. Prenzler, Tim and Sarre, Rick. 2017. ‘The Security Industry and Crime Prevention’, in Prenzler, T. (ed) Understanding Crime Prevention: The Case

9 Perspectives on Policing Post-pandemic Cybercrime

191

Study Approach, 165–181, Samford Valley, Queensland: Australian Academic Press. Prenzler, Tim and Sarre, Rick. 2012. ‘Public-Private Crime Prevention Partnerships’ in Prenzler, T. (ed). Policing and Security in Practice: Challenges and Achievements, 149–167, Basingstoke, Hampshire: Palgrave Macmillan. Rodrick, Sharon. 2009. ‘Accessing telecommunications data for national security and law enforcement purposes’ Federal Law Review 37(3): 375-415. Sarre, Rick. 2022. ‘Policing Cybercrime: Is There a Role for the Private Sector?’ in Eterno, John A., Stickle, Ben, Peterson, Diana S. and Das, Dilip K. (eds.) Police Behavior, Hiring and Crime Fighting, 217–227, New York, NY: Routledge. Sarre, Rick. 2020. ‘Facial recognition technology is expanding rapidly across Australia. Are our laws keeping pace?’ The Conversation, 10 July 2020. https://theconversation.com/facial-recognition-technology-is-exp anding-rapidly-across-australia-are-our-laws-keeping-pace-141357. Accessed 1 March 2020. Sarre, Rick. 2018. ‘Revisiting metadata retention in light of the government’s push for new powers’ The Conversation, 8 June 2018. https://theconversat ion.com/revisiting-metadata-retention-in-light-of-the-governments-pushfor-new-powers-97931 Accessed 1 March 2020. Sarre, Rick. 2017a. ‘Metadata retention as a means of combatting terrorism and organized crime: a perspective from Australia’ Asian Journal of Criminology 12: 167-79. Sarre, Rick. 2017b. ‘The Surveillance Society: A Criminological Perspective’ in Viano, Emilio C. (ed.) Cybercrime, Organized Crime, and Societal Responses: International Approaches, 291–300, New York City: Springer. Sarre, Rick. 2015. ‘Eyes in the Sky’, Drone Magazine, Issue 1, 48-51. Sarre, Rick. 2014a. ‘The Use of Surveillance Technologies by Law Enforcement Agencies: What are the Trends, Opportunities and Threats?’ in Pływaczewski, Emil W. (ed.), Current Problems of the Penal Law and Criminology, 755–767, Białystok, Poland: Temida Publishing House. Sarre, Rick. 2014b. ‘National security gags on media force us to trust state will do no wrong’, The Conversation, 26 September 2014b. https://theconversation.com/national-security-gags-on-media-forceus-to-trust-state-will-do-no-wrong-32103 Accessed 20 July 2022. Sarre, Rick and Prenzler, Tim. 2023 forthcoming. ‘Cyber Space Crime Prevention Partnerships in Blackstone, Erwin A., Hakim, Simon and Meehan, Brian. (eds), Handbook on Public & Private Security, New York: Springer.

192

R. Sarre

Sarre, Rick and Prenzler, Tim. 2021. ‘Policing and security: Critiquing the privatisation story in Australia’ in Birch, Philip, Kennedy, Michael and Kruger, Erin (eds.) Australian Policing: Critical issues in 21st century police practice, 221–233, New York, NY: Routledge. Sarre, Rick, Brooks, David Jonathan, Smith, Clifton L. and Draper, Rick. 2014. ‘Current and Emerging Technologies Employed to Abate Crime and to Promote Security’, in Arrigo, Bruce A. and Bersot, Heather Y. (eds.) The Routledge Handbook of International Crime and Justice Studies, 327-349, New York: Routledge. Sarre, Rick, Lau, Laurie and Chang, Lennon. 2018. ‘Responding to cybercrime: current trends’ Police Practice and Research: An International Journal, 19(6), 515–518. Turnbull, Malcolm. 2015. ‘Magna Carta and the rule of law in the digital age’ Speech to the Sydney Institute, Sydney, 7 July. https://www.malcolmturnb ull.com.au/media/speech-to-the-sydney-institute-magna-carta-and-the-ruleof-law-in-the-digit. Accessed 18 January 2021.

10 Digital Criminal Courts: The Place or Space of (Post-)pandemic Justice Carolyn McKay and Kristin Macintosh

Introduction Back in 1997, the concept of remote or virtual justice seemed the stuff of science fiction: By 2020 video conferencing, the early 21st century successor to physical meetings, may well have been replaced by sophisticated virtual reality systems that better capture the nuances of physical presence. Combined C. McKay (B) · K. Macintosh The University of Sydney Law School, University of Sydney, Sydney, NSW, Australia e-mail: [email protected] K. Macintosh e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 R. G. Smith et al. (eds.), Cybercrime in the Pandemic Digital Age and Beyond, Palgrave Studies in Cybercrime and Cybersecurity, https://doi.org/10.1007/978-3-031-29107-4_10

193

194

C. McKay and K. Macintosh

with the use of holograms such technology will enable the creation of mobile court-rooms without traditional court-houses or court-rooms. Judges will then be able to be in two places at the same time (How 1997, p. 22)

Just over two decades later, while we still await the courtroom holograms, digital innovation is here. Major changes were certainly brought about by the 2020 COVID-19 pandemic and associated emergency health measures that forced courts to suspend jury trials, adjourn hearings and abandon traditional, co-present courtrooms. Civil courts quickly pivoted to digital processes and remote procedure to keep the wheels of justice turning, and we witnessed a rapid acceleration in the use of an array of digital communication technologies: court and tribunal systems of audio and audio-visual links as well as third-party proprietary platforms such as Microsoft Teams and Zoom (McIntyre et al. 2020; McKay and Blake 2022). While criminal courts initially demonstrated more reticence in adopting remote or virtual procedure (R v Macdonald; R v Edward Obeid; R v Moses Obeid (No 11) [2020] NSWSC 382; see also Smith et al. 2021), clearly the era of digitalised criminal justice has begun. A new normal in law has arisen and digital communication technologies will continue to shape post-pandemic legal procedure (McKay 2021; Wallace and Laster 2021). The changes are of such magnitude that many posit that ‘“Court” is no longer a physical place’ (Legal Technology Committee 2020, p. 18) and the programme of court closures in England and Wales evidences this shift (Cameron 2020) to the metaphysical. In this chapter, we focus on the diminishing relevance of the tangible courtroom in favour of emergent ‘places’ or ‘spaces’ of remote, dispersed, virtual, hybrid, digital, telematic or ‘e’ courtrooms. How–and where– does the law operate when it becomes so intangible and untethered from a physical base? For example, McIntyre et al. (2020) ask what does an online interface communicate about the gravitas of court matters; how does an online interface express and operationalise judicial impartiality? We draw on scholarly literature, judicial commentary and legislative provisions to examine how a courtroom might now be constituted of a network of diverse remote access technologies and remote locations that embrace disparate private homes, offices, chambers, police stations

10 Digital Criminal Courts: The Place or Space …

195

and correctional facilities. In this analysis, we adopt Castells’ (1999, 2004, 2010) network approach to draw a distinction between ‘place’ and ‘space’ and question whether virtual courtrooms are perhaps better understood as a networked ‘space’, not a ‘place’. On this basis, we reflect on the use of the word ‘place’, often referenced in case law and legislation, and whether ‘place’ necessarily captures the growing emphasis in justice on networked, process-driven spaces and the emergence of collaborative, mobile and interactive environments. We present a theoretical provocation that nevertheless has real world relevance. We begin by examining law’s preoccupation with ‘place’, a word much used in legislation, before discussing the traditional and tangible places of the administration of justice. This leads us to explain the technological innovations and the rise of digital justice, particularly since the 2020 pandemic, and the spread of the reach of courtrooms into disparate but connected spaces. Finally, we analyse the situation through the lens of Castells’ network theory and the interrelationship between the new places, spaces and networks of post-pandemic criminal justice.

The Significance of ‘Place’ in Law Law is intimately connected with space and place–concepts of jurisdiction, borders and territory frame the law’s authority, power, hierarchical relations, scope and limits (Farmer 1997, 2016). For instance, we see law’s fixation with site (lex situs, the law of the place in which property is situated for the purposes of the conflict of laws), locus (loci delicti, the law of the place where the tort was committed for the purposes of conflict of laws or of an offence) and appropriate forum (forum conveniens) (LexisNexis n.d.). More recently, we have even seen the rise of law’s interest in the sovereignty over data (Legg and Song 2021). Jurisdiction is a pre-condition to the application of law, related to law’s spatial and temporal limits and the basis for the authority of courts to make binding determinations (Farmer 2016). Farmer (2013, 2016) argues that

196

C. McKay and K. Macintosh

the central organising idea of jurisdiction in common law systems is territoriality, and this is critical to establishing the ‘place’—of law. But what is the place of law now that we have entered the era of digitalised and dematerialised justice that relies on networks, internet and proprietary communication platforms to connect disparate parties, places, spaces and time zones? Before delving into that question, we first provide an overview of traditional, physical places of law as compared with the nascent virtual mode.

From Tangible Courtrooms to Disparate Places and Intangible Spaces Traditionally, justice has been administered within special buildings that have been designated as sites for impartial legal adjudication. Through sombre and imposing architectural design, publicly accessible courthouses have expressed the authority of the law as well as their open and civic function (Graham 2004; Hodgson 2006; McKay 2018, 2021; Mulcahy 2011; Rowden 2018). Inside these buildings are the courtrooms, those physical locations within which the law and associated rituals are performed (Mulcahy 2020, 2011; Mulcahy and Howes 2019; Leader 2020, 2021; Rossner 2021). They are filled with symbolism and hierarchical spatial elements that formally delineate the different actors, for instance, the elevated judicial officer at the bench, bar table for counsel, segregated jury box, accused within the stigmatising courtroom dock, the media and public gallery (Russell et al. 2022; Rowden 2018; Rossner 2021). Despite the many spatial demarcations or inequalities as well as the confrontational and adversarial nature of proceedings, courtrooms have been considered shared social sites of co-presence that orchestrate effective advocacy, face-to-face examination/cross-examination and human interaction (Rowden 2018). Through these dynamics, trials are conducted, procedural matters are resolved and the principle of open justice is operationalised. We must, however, resist valorising a traditional system that can also be considered ‘archaic and exclusionary’ (McIntyre

10 Digital Criminal Courts: The Place or Space …

197

et al. 2020, 199; Rowden 2018). Traditional courtrooms do not necessarily provide a site for equality before the law, participation, inclusion or accessibility (Rowden 2018; Rossner 2021). Since the 1990s, well before the pandemic-induced court closures, technologies were gradually making an incursion into courts, prisons, police stations and lawyers’ offices. This technological uptake reflected the incremental alignment between the justice system and the embedding of technologies into most aspects of daily life. In criminal justice, communication technologies, such as audio-visual links, introduced the concept of remote appearance of overseas or vulnerable witnesses and incarcerated people, thereby enabling court proceedings to be ‘spatially dispersed events’ (Rowden 2018, p. 264). The site of adjudication was becoming more fluid with the administration of justice shifting from physical bricks and mortar courtrooms in favour of ICT, remote or virtual hearings and increasingly intangible ‘digital architecture’ (Donaghue 2017, p. 1020; McKay 2018). Central to these incremental technological changes has been an array of legislative instruments giving rise to remote proceedings. In New South Wales (NSW), the use of remote access technologies, such as audio-visual links, has been enabled by both legislation and case law. Of significance to our focus on space and place is s 5C(1) of the Evidence (Audio and Audio Visual Links) Act 1998 (NSW) which provides that any ‘place’ at which audio or audio-visual link facilities are used for the giving of evidence or making of a submission in proceedings is to be treated as part of the courtroom or other place at which the proceedings are conducted. The courtroom is, in effect, extended to those other places. ‘Place’ is referenced several times in that statute and, in relation to criminal proceedings, in particular, we note that the definition in section “From Tangible Courtrooms to Disparate Places and Intangible Spaces” of an accused detainee means a person who is being held in custody in a correctional centre, detention centre, police station or ‘other place’ of detention. At a Federal level, where criminal jurisdiction is limited, the Federal Court of Australia Act 1976 (Cth) (FCA Act) also references the word ‘place’ in Sect. 47C, such that the Court or Judge must not direct or allow a person to appear by video link unless the courtroom or

198

C. McKay and K. Macintosh

‘other place’ where the Court or Judge is sitting is equipped with facilities that enable all eligible persons in that court or ‘other place’ to see and hear the remote person (see, for example, Australian Securities and Investments Commission v Wilson (2020) 146 ACSR 149). So, even before the pandemic, the digital revolution had begun. Of course, the start of the 2020 COVID-19 pandemic saw a quantum shift in how and where justice was administered as courts were propelled into the virtual space—or place—by necessity. The pandemic forced criminal courts to suspend jury trials, to adjourn hearings and, in some instances, to pivot to remote or virtual procedures. Integral to the sudden changes in the delivery of criminal justice has been a range of digital communication technologies: audio-alone links including mobile phones, audio-visual links as well as third-party proprietary platforms such as Microsoft Teams. COVID-19 outbreaks have continued to impact criminal courts with intermittent lockdowns necessitating the ongoing use of digital technologies to keep the wheels of justice turning. These technologies are replacing the symbolism and gravitas of the physical courtroom with remote hearings that connect disparate parties appearing from disparate places including personal homes with all the associated informality that entails (McIntyre, et al. 2020; see also Palmer v McGowan (No 2) (2022) 398 ALR 524). Legislation (such as Sect. 22C of the Evidence (Audio and Audio Visual Links) Act 1998 (NSW)) and case law since 2020 reveal the special measures required to enable the administration of justice, despite the health crisis and closure of many physical courthouses. The situation has prompted judicial commentary on the ‘place’ of the remote, dispersed or virtual courtroom. As mentioned earlier, criminal courts had some reluctance in embracing remote hearings and virtual courtrooms. For instance, in R v Macdonald; R v Edward Obeid; R v Moses Obeid (No 11) [2020] NSWSC 382, the proceedings were challenged by repeated connectivity difficulties and the complexity of numerous parties, lawyers, witnesses and documents appearing from home and chambers. In that case, Justice Fullerton was advised by Courts Administration that the parties’ difficulties in connecting to the virtual courtroom were a consequence of either the internet connection the parties were using, or their

10 Digital Criminal Courts: The Place or Space …

199

devices, or both. The ‘virtual courtroom, with all its attendant technical issues’ could not provide the place—or space—for a fair trial to the accused (R v Macdonald [2020], [18], [29]). While our focus is on the criminal jurisdiction, there are several civil cases that examine ‘place’ in the context of remote access technologies. For instance, in Quirk v Construction, Forestry, Maritime, Mining and Energy Union (Remote Video Conferencing) [2020] FCA 664, Justice Perram made orders in relation to excluding members of the public from a hearing that was being conducted by remote video conferencing without any persons being in the actual, physical courtroom. Not only does the case demonstrate that the principle of open justice is not absolute, especially during the COVID-19 crisis, it provides insights into the relationship between open justice and virtual hearings. Justice Perram analysed Sect. 47C(1)(a) of the FCA Act, which, as we described above, requires that the Court must be satisfied that the ‘courtroom or other place’ where the Court is sitting has the facilities to enable all eligible persons in the courtroom or place to see and hear the remote person. But where is that courtroom, especially when no one was in the physical courtroom? Justice Perram posited that ‘the expression ‘courtroom’ includes a digital courtroom, such as that occurs where a hearing is conducted by video conferencing and all participants are remotely located.’ Moreover, ‘courtroom’ must be interpreted ejusdem generis with ‘other place’: As a matter of ordinary language, a ‘place’ is not limited only to a physical location but can also include a digital place: cf. expressions such as ‘website’, ‘online location’, ‘online shop’, ‘leaving a website’, ‘landing on a website’ or being ‘present in a chatroom’. Thus, the meaning of ‘courtroom’ within s 47C(1)(a) includes a courtroom which is located in a digital place. (Quirk [2020], [9])

This explanation of ‘place’ envisages that the open court is no longer limited to a physical locality and, therefore, the essential character of an open court can, apparently, be fulfilled by a video conferencing platform that enables members of the public to witness proceedings remotely

200

C. McKay and K. Macintosh

(Quirk [2020], [10]). On this basis, Justice Perram held that ‘a ‘courtroom’ includes a digital place’ (Quirk [2020], [11]) that may operate to curtail open justice, at least during a pandemic (for instance, Jarrow v Manard [2020] FCCA 2598, Harman J, [31]). Bearing in mind that many cases describe how parties often appear from the privacy and informality of their own home (see Palmer No 2 (2022)), does this understanding mean that any place can be part of the metaphysical courtroom? Our case law analysis suggests that the answer is, seemingly, yes. Related to the recognition of a ‘digital place’ in justice is the emerging recognition of the ‘digital forum’, relevant to civil rather than criminal procedure. In the context of forum non conveniens, that is, determining whether one court or tribunal is more convenient than another, a Canadian judge summed up some of the critical post-pandemic changes in the shift to the ‘digital forum’: ‘In the age of Zoom, is any forum more non conveniens than another? Has a venerable doctrine now gone the way of the VCR player or the action in assumpsit?’ (Kore Meals LLC v Freshii Development LLC , 2021 ONSC 2896, Morgan J, [1], [28]–[29]). Since the pandemic forced most proceedings to a digital forum, the majority of forum non conveniens factors were effectively undermined (Kore Meals 2021, [28]–[29]). Justice Morgan continued: It is by now an obvious point, but it bears repeating that a digital-based adjudicative system with a videoconference hearing is as distant and as nearby as the World Wide Web. With this in mind, the considerable legal learning that has gone into contests of competing forums over the years is now all but obsolete … Chicago and Toronto are all on the same cyber street. They are accessed in the identical way with a voice command or the click of a finger. No one venue is more or less unfair or impractical than another. (Kore Meals 2021, [31]–[32])

Here we see an articulation of the diminution of physical location and the recognition of the connectedness of disparate places, along the ‘same cyber street’ brought about by remote access technologies. The stretching of the place of the courtroom is also seen in Australian pandemic cases. For instance, in EBA v Commonwealth [2021] ACTSC 186, an application to transfer the proceedings was made and Associate Justice

10 Digital Criminal Courts: The Place or Space …

201

McWilliam remarked that given the present state of technology and arrangements now in place in most courts: absent some particular feature of a party or witness, the general convenience of the parties and witnesses by reference to where they reside or work may not have as much weight now as it had in the past. This is due to the greater mobility of witnesses at modest costs, but more significantly, the ability for evidence to be taken by audio-visual link. (EBA [2021] ACTSC 186, [17])

Similarly, in Barbour v Trustees of the De La Salle Brothers [2021] NSWSC 1254, Justice Cavanagh noted that most civil cases have been determined during the pandemic through the use of audio-visual links, diminishing the importance of a particular witness’ actual physical address. It can be seen from the above cases that the pandemic has accelerated the use of digital platforms in the delivery of justice. The displacement of the physical courtroom has actually unravelled some of the foundational concepts and practices of ‘traditional’ justice. The centrality of the ‘place’ of the courtroom and the key territorial concept of jurisdiction is being profoundly challenged by the new dynamic and mobility of the digital courtroom. On this basis, access to technology and internet services has become critical and the lack thereof is a potential new source of digital inequality (McIntyre, et al. 2020). This emergent situation produces new challenges relating to access to justice, fundamental principles of open justice, the provision of a fair trial in criminal cases and procedural fairness. These challenges are apparent in the results of a 2022 study by the Law Society of New South Wales regarding post-pandemic justice which found that, while most of the remote processes utilised in pandemic litigation and workplaces were considered by legal practitioners as positive, particularly with respect to efficiencies and cost savings, concerns about the suitability of remote proceedings were evident in relation to cross-examination, unrepresented parties, defended hearings, complex evidence and juries (Law Society 2022). Sixty-nine per cent of the members that responded to the survey agreed that the option should

202

C. McKay and K. Macintosh

remain available for court processes to take place in person in physical places (Law Society 2022).

Place or Space? The above case law and legislation reference the word ‘place’ in relation to remote hearings that use audio-visual links and, in this section, we interrogate the concept of a courtroom being a digital place through the lens of Castells’ network theory. Is the shift from the public and physical sphere of the courtroom to virtual modes best understood as a shift in place, space, network or something else? In earlier research on the use of audio-visual links by people in prison appearing in remote courtrooms, McKay (2018) finds that the use of such technologies radically transforms users’ experiences of both the place and space of justice. While some scholarship, case law and legislation seemingly use the words ‘place’ and ‘space’ interchangeably, Fiddler (2010) argues that there is a distinction, albeit one that might be contested. Place is an ‘understood reality’ (Harrison and Dourish 1996, p. 1), a geographic area or delimited zone such as a courthouse or a prison (de Certeau 1988; McKay 2018). On the other hand, space is abstract and existential; it relates to the volumes, gaps, distances and mobility; and space provides opportunity (Bollnow 2011; de Certeau 1988; Fiddler 2010; Harrison and Dourish 1996). Spanish sociologist, Manuel Castells, provides an analysis of ‘network society’, a means to understand the relationships between society, technology and the economy, in which he argues there is a tension between the ‘space of places’ and the ‘space of flows’ (2004, pp. 422–3). The ‘space of places’ relates to cultural and social experience, activity and meaning within a confined geographic location (Castells 2010). The ‘space of flows’ can be understood as the electronic linking of disparate locations into an interactive virtual network; it is where society constantly connects with information systems and it has spawned ‘new spatial forms and processes’ (Castells 2004, p. 423). Functionality and power can be seen as key concepts in the space of flows (Castells 2010). The space of flows allows for ‘simultaneity of social

10 Digital Criminal Courts: The Place or Space …

203

practices without territorial contiguity’ through technological infrastructure, networked nodes and communication hubs, spaces for the ‘social actors who operate the networks’ and ‘electronic spaces’ of interaction (Castells 2010, pp. 295–6). Despite the differences between places and flows, there is an interface between physical space of places and the electronic space of flows, resulting in a double system of communication. Indeed, ‘the space of flows is folded into the space of places. Yet, their logics are distinct: online experience and face-to-face experience remain specific’ (Castells 2004, p. 423). Much has changed in society since Castells theorised the melding of spaces of place and of flow into cyborg or hybrid models; he was writing at a time when ‘telecommuting’ and the new spatial dimensions of networked mobile connectivity were futuristic concepts (2004, pp. 425– 6). Nevertheless, within Castells’ forecast ‘networked spatial mobility’, which has undoubtedly come to fruition, there are connections between the networked spaces and physical places: ‘we move physically while staying put in our electronic connection. We carry flows and move across places’ (2004, pp. 425–6). Now, with the increasing mobility of devices, a strictly dualistic approach to space and place is possibly unhelpful given that both domains are products of forms of social practice and thoroughly embedded in everyday life (Dourish 2006). O’Malley (2010, p. 804) casts a pessimistic shadow over the concept of networked society, instead focusing on ‘telematic society’ and the surrounding ‘technocratic environment’, framed by codified electronic transmissions, leading to simulated justice. This concept of simulation is pertinent to considering the contemporary quest to replicate the gravitas of courtrooms in the online realm that connects judges, lawyers and parties from disparate places including their private homes (McIntyre et al. 2020). But not everything is replicable in networked justice and an emphasis on technological transformation is, perhaps, more realistic.

Discussion and Conclusion How do these concepts apply to the symbolic identity and function of post-pandemic courts? As discussed earlier, tangible courtrooms, as

204

C. McKay and K. Macintosh

public and civic places, have had specific spatio-cultural meanings. They have been the site of live, human interaction founded on a level of spontaneity within the strictures of legal procedure and protocol. However, in our current era of networked spatial mobility, the emphasis has shifted away from a fixation on place to an emphasis on systems of communication that provide a means of simultaneous transmission and social process. With this in mind, the rise of virtual courts can be analysed and understood as a transformation from the space of places to the space of flows, the latter being the dominant space in our networked society. That is, remote access technologies enable a ‘spatial dispersal’ (Castells 1999, p. 295) of the administration of justice. The contemporary remote or networked court is dependant on connectivity over and above any specific or special place. Justice now seemingly resides increasingly in the conceptual process, not the edifice, and the process is increasingly networked, not performed. Instead, the justice that is administered online is one that is transmitted through many networks that connect the disparate parties. With the dematerialisation of the special place of justice and its associated symbolism (Mulcahy 2011), justice is losing its performance value, its rituals and visibility. Instead, the networked flows of communication prioritise the process. Criminal procedure is becoming mechanistic and telematic (O’Malley 2010) in its transmission of data over long distances, its intersecting nodes with other institutions and its establishment of matrixed links with an array of justice agencies and professionals (McKay 2018). With this emphasis on process-driven justice in combination with the dispersal of the courtroom to ‘other places’, we see the judiciary exerting their authority more over the technology, rather than over any delineated place. As an example, instead of the physical hierarchical positioning of the judiciary in a tangible and locatable courtroom, we see judicial authority expressed through technology, such as the power to mute or disconnect disruptive remote parties (McKay 2020). It is through such technological means that the administration of justice might seek to recapture some elements of courtroom spatial organisation (see Dourish 2006). Does the conceptual distinction between physical place and networked space really matter? We argue that it does. For instance, the risk of technological failure in remote proceedings is multiplied by the need

10 Digital Criminal Courts: The Place or Space …

205

for synchronous communications between the disparate places. Those synchronous communications occur through the networks—the spaces between places—requiring all parties to have stable connectivity and appropriate devices to enable full participation (R v Macdonald [2020]). We see that the law is increasingly untethered from its traditional courtroom habitat, instead operating within intangible spaces and transmissions that connect disparate places. The case law shows instances of the judiciary recognising that the court is no longer a physical place and how technologies, such as audio-visual links, collapse distance and time zones and embrace the online realm (Quirk [2020]). These technologies mean that remote hearings and remote parties exist and interact on the same, ill-defined, abstract and amorphous ‘cyber street’ (Kore Meals 2021). Especially since the beginning of the 2020 pandemic, there has been an ongoing process of reconstructing or revisioning the administration of justice. From one perspective, we can see the diminution of place-rooted symbolism and legal tradition as courthouses dematerialise (Mulcahy 2011). Another perspective suggests that there is a developing synthesis between physical places and networked spaces of flow that enable social, cultural and legal exchange and processes. Interactivity and collaboration at a distance are made possible (Dourish 2006). Indeed, Castells (2010, p. xliv) argues that networks of ‘communication technologies have constructed virtuality as a fundamental dimension of our reality.’ However, within this new age of spatially dispersed criminal justice, and even with a recognition of virtuality as part of post-pandemic reality, there remains an indispensable role for face-to-face, high-level decisionmaking processes to be undertaken in shared physical places—the logics of online versus face-to-face remain distinct (Castells 2010; Law Society 2022). Exchanges that ‘occur in the less intimate world of a video link’ are different to exchanges within a shared physical place (Palmer No 2 (2022), [45]). With the privileging of connectivity and process over place, we see post-pandemic criminal justice operating in the transmissions, those spaces between places. We find that, while a formal expression of the logic of the new virtual, hybrid or digitalised space of justice is yet to be articulated, it may be that the remote or telematic court provides

206

C. McKay and K. Macintosh

spatial meaning through new symbolic nodalities; it may well be a metaphysical environment or domain of functional transmitted communication, networked collaboration, simultaneity of social practices and meaningful interaction. If those electronic transmissions are emerging as organised environments of human intention, experience and connection, perhaps they do, indeed, create a ‘place’ with a legal meaning—the digital courtroom. Acknowledgements Dr Carolyn McKay is the recipient of an Australian Research Council ‘Discovery Early Career Researcher Award’ (DE210100586), funded by the Australian Government.

References Bollnow, Otto F., Shuttleworth, Christine and Kohlmaier Joseph. 2011. Human Space. London, Hyphen. Cameron, Lorna. 2020. ‘Do our buildings make us? COVID-19 and the courts reform’, Counsel , May 2020: 29–31. Castells, Manuel. 2010. The Rise of the Network Society, Chichester, West Sussex; Malden, MA: Wiley: Blackwell. Castells, Manuel. 2004. ‘Space of Flows, Space of Places: Materials for a Theory of Urbanism in the Information Age’ in William W. Braham, Jonathan A. Hale, and John S. Sadar (eds.) 2012. Rethinking Technology: a reader in architectural theory, Routledge, New York, pp. 418–432. Castells, Manuel. 1999. ‘Grassrooting the space of flows’, Urban Geography 20(4): 294–302. de Certeau, Michel. 1988. The Practice of Everyday Life. Berkeley: University of California Press. Translated by Steven Rendall. Donoghue, Jane. 2017. ‘The rise of digital justice: Courtroom technology, public participation and access to justice’, The Modern Law Review 80(6): 995-1025. Dourish, Paul. 2006. ‘Re-space-ing Place: “Place” and “Space” Ten Years on’, Proceedings of the 2006 20th anniversary conference on computer supported cooperative work, pp. 299–308, New York: Association for Computing Machinery.

10 Digital Criminal Courts: The Place or Space …

207

Farmer, Lindsay. 2016. Making the Modern Criminal Law: Criminalization and Civil Order, Oxford: Oxford Scholarship Online. Farmer, Lindsay. 2013. ‘Territorial Jurisdiction and Criminalization’, University of Toronto Law Journal 63(2): 225-246. Farmer, Lindsay. 1997. Criminal Law, Tradition and Legal Order, Cambridge: Cambridge University Press. Fiddler, Michael. 2010. ‘Four wal1s and what lies within: the meaning of space and place in prisons’, Prison Service Journal , 187: 3–8. Graham, Clare. 2004. ‘A History of Law Court Architecture in England and Wales’, in SAVE Britain’s Heritage (ed.) Silence in Court: The Future of the UK’s Historic Law Courts, London: SAVE Britain’s Heritage, pp. 36–47. Harrison, Steve and Dourish, Paul. 1996. ‘Re-place-ing space: The roles of place and space in collaborative systems’, Proceedings of the 1996 ACM conference on computer supported cooperative work, pp. 67–76, New York: Association for Computing Machinery. Hodgson, Jacqueline. 2006. ‘Conceptions of the trial in inquisitorial and adversarial procedure’, in Antony Duff, Lindsay Farmer, Sandra Marshall and Victor Tadros, (eds), The Trial on Trial: Judgment and Calling to Account, vol 2, London: Hart Publishing, pp. 223-42. How, Yong Pung. 1997. ‘AIJA and Subordinate Courts of Singapore 1997’, Conference Paper, Australasian Institute of Judicial Administration AsiaPacific Courts Conference, Sydney, 22–24 August, p. 22. Law Society of New South Wales. 2022. A Fair Post-covid Justice System: Canvassing Member Views. Research Summary Report. January 2022. Leader, Kate. 2021. ‘Law, Presence to Absence: The Case of the of the Disappearing Defendant’ in Shirin Rai, Milija Gluhovic, Silvija Jestrovic and Michael Saward (eds.) The Oxford Handbook of Politics and Performance, Oxford: Oxford Handbooks Online. Leader, Kate. 2020. ‘The trial’s the thing: Performance and legitimacy in international criminal trials’, Theoretical Criminology, 24(2): 241–257. Legal Technology Committee. 2020. ‘Technically Covid—a summary of technological increments experienced as a result of Covid-19’, Bulletin (Law Society of South Australia) 42(6): 18–20. Legg, Michael and Song, Anthony. 2021. ‘The Courts, the Remote Hearing and the Pandemic: From Action to Reflection’, University of New South Wales Law Journal , 44(1): 126–166. LexisNexis. n.d. The Encyclopaedic Australian Legal Dictionary, Sydney: LexisNexis Online.

208

C. McKay and K. Macintosh

McIntyre, Joe, Olijnyk, Anna and Pender, Kieran. 2020. ‘Civil courts and COVID-19: Challenges and opportunities in Australia’, Alternative Law Journal , 45(3): 195-201. McKay, Carolyn. 2018. The Pixelated Prisoner: Prison Video Links, Court ’Appearance’ and the Justice Matrix, Abingdon: Routledge. McKay, Carolyn. 2020. ‘Glitching justice: Audio visual links and the sonic world of technologized courts’, Law Text Culture, 24(1): 364-404. McKay, Carolyn. 2021. ‘Digital Justice and Video Links: Connecting and Conflating Courtroom and Carceral Space’, in Kirsty Duncanson and Emma Henderson (eds.) Courthouse Architecture, Design and Social Justice, Abingdon: Routledge, pp. 191-121. McKay, Carolyn and Blake, Rodney. 2022. ‘Cross-examination and remote access technologies: a changing calculus?’ The Journal of the NSW Bar Association, Autumn, pp. 9–10. Mulcahy, Linda. 2011. Legal architecture: Justice, Due Process, and the Place of Law. London: Routledge. Mulcahy, Sean and Howes, David. 2019. ‘Silence and Attunement in Legal Performance’, Canadian Journal of Law and Society / Revue Canadienne Droit et Société, 34(2): 191-207. Mulcahy, Sean. 2020. ‘Singing the law: The musicality of legal performance’, Law Text Culture, 24: 480–514. O’Malley, Pat. 2010. ‘Simulated Justice: Risk, Money and Telemetric Policing’, The British Journal of Criminology, 50(5): 795–807. Rossner, Meredith. 2021. ‘Remote rituals in virtual courts’, Journal of Law and Society, 48(3): 334–361. Rowden, Emma. 2018. ‘Distributed courts and legitimacy: What do we lose when we lose the courthouse?’ Law, Culture and the Humanities, 14(2): 263– 281. Russell, Emma K., Carlton, Bree and Tyson, Danielle. 2022. ‘Carceral churn: A sensorial ethnography of the bail and remand court’, Punishment and Society, 24(2): 151–169. Smith, Russell G., Savage, Rebecca. and Emami, Catherine. 2021. ‘Benchmarking the use of audiovisual link technologies in Australian criminal courts before the pandemic’ Research Report no. 23, Canberra: Australian Institute of Criminology. Wallace, Anne and Laster, Kathy. 2021. ‘Courts in Victoria, Australia, During COVID: Will Digital Innovation Stick?’, International Journal for Court Administration, 12(2): 1–19.

11 Online Messaging as a Cybercrime Prevention Tool in the Post-pandemic Age Richard Wortley and Jeremy Prichard

Introduction In this chapter, we make the case for the use of online warning messages as a cybercrime prevention tool. As other chapters in this book attest, cybercrime is complex and dynamic—new opportunities for offending emerge with technological advances, or during periods of social upheaval as we have witnessed in the COVID-19 era. We argue that the extent of the cybercrime problem we now face cannot be tackled through R. Wortley (B) Jill Dando Institute of Security and Crime Science, University College London, London, UK e-mail: [email protected] J. Prichard Faculty of Law, College of Arts, Law and Education, University of Tasmania, Hobart, TAS, Australia e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 R. G. Smith et al. (eds.), Cybercrime in the Pandemic Digital Age and Beyond, Palgrave Studies in Cybercrime and Cybersecurity, https://doi.org/10.1007/978-3-031-29107-4_11

209

210

R. Wortley and J. Prichard

traditional law enforcement tactics alone; we must explore prevention approaches aimed at reducing the incidence of cybercrime. Internet warning messages are worth considering as one technique—ideally among many others—that could help make the Internet a safer environment for users and work to alleviate pressure on the conventional detect-arrest-prosecute-imprison model. This chapter has six main parts. The first examines the dynamic nature of cybercrime and the impact of COVID-19 on it. Following this, the chapter fleshes out the case for enhancing cybercrime prevention strategies. The next section overviews the hallmarks of effective messages as derived from research both on and off the Internet. Following, we discuss empirical studies that demonstrate the effectiveness of warning messages to prevent cybercrime and explain how messages can be deployed online. A final section critically examines key issues arising from the use of messaging, and also considers future opportunities for their enhancement.

Cybercrime, Opportunity and COVID-19 The Internet has revolutionised the way that crimes are committed. It has created a space for new crimes, and offered new ways to commit old crimes. In defiance of the so-called worldwide crime drop (Farrell, Tilley and Tseloni 2014), cybercrime has continued to grow—in some cases dramatically—over the past 30 years or so. Crimes such as ransomware attacks, computer hacking, the spreading of malware and denial of service attacks only exist because of the Internet (Holt and Bossler 2015). Traditional acts of victimisation, such as bullying, harassment and stalking, can now be efficiently carried out online, targeting victims at any time and place (Holt and Bossler 2015). The proliferation of child sexual abuse material (CSAM), largely kept under control by law enforcement pre-Internet (Wortley and Smallbone 2012), is now described as a ‘tsunami’ (WeProtect 2019, p. 2). More than half of all financial crime—fraud, scams and piracy—now involves a cyber element (Office

11 Online Messaging as a Cybercrime Prevention Tool …

211

for National Statistics 2020). In the 2020–2021 financial year, selfreported cybercrime losses amounted to A$33 billion in Australia alone (Australian Cyber Security Centre 2021). The growth of cybercrime highlights the crucial role played by opportunity. Cybercrime flourishes because it can. It is generally easy to commit, there is a ready availability of suitable targets, it involves relatively little risk of being caught and it can satisfy a range of desires, including the attainment of money, sexual gratification, revenge and peer approval. The technology required is widely available and relatively inexpensive. Through the Internet, cyber criminals can reach an enormous pool of corporate and private victims. They have demonstrated a willingness to rapidly embrace ‘new technologies to modernise and industrialise their operations, including the use of automated tools’ (Australian Cyber Security Centre 2021, p. 24). Users have a level of anonymity that not only makes them difficult to trace, but also confers a sense of disinhibition that allows them to engage in behaviours they would never carry out offline. Enter COVID-19. The restrictions on movement instituted by most jurisdictions in response to the COVID-19 pandemic had significant impacts on crime, in both positive and negative directions (Buil-Gil, Miró-Linares, Moneva et al. 2021b; Buil-Guil, Zeng and Kemp 2021a; Nivette, Zahnow, Aquilar et al. 2021). Rates for offences which required offenders and victims to be out and about—such as burglary, robbery, assault and vehicle theft—generally fell. Conversely, rates generally rose for crimes committed in the home—such as domestic violence and child sexual assault—or that otherwise did not require a physical presence in the community. Cybercrime fell into this latter category. Not only could cyber offenders continue to operate without bringing attention to themselves by flouting COVID-19 restrictions, the increased use of the Internet during lockdowns for online shopping, social networking, streaming media and activities associated with working from home such as video conferencing, meant there was an increased pool of potential victims online at any one time (Australian Cyber Security Centre 2021). Increases in cybercrime rates during COVID-19 have been reported for consumer fraud (Buil-Gil, Miró-Linares, Moneva et al. 2021b; BuilGuil, Zeng and Kemp 2021a; Kemp, Buil-Gil, Moneva et al. 2021a),

212

R. Wortley and J. Prichard

hacking of social media and email (Buil-Gil, Miró-Linares, Moneva et al. 2021b), cyber-attacks (INTERPOL 2020; Kemp, Buil-Gil, MiróLinares et al. 2021a; Lallie, Shepherd, Nurse et al. 2021), romance fraud (Buil-Gil and Zeng 2021), online hate speech (Stechemesser, Wenz and Levermann 2020) and online child sexual exploitation (Slater and Wong 2021). It remains to be seen if the spike in cybercrimes will be sustained as COVID-19 restrictions are lifted, or if rates drop back to pre-COVID19 levels as has been observed for many offline offences (Buil-Guil, Zeng and Kemp 2021a). Plausibly, the pandemic has merely accelerated an existing upward trajectory and cybercrime will continue to rise postCOVID-19, albeit perhaps at a slower rate. Either way, the increase during the pandemic reinforces the fundamental importance of opportunity as a driver of cybercrime. And just as the Internet has created new ways to commit crime, so too cybercrime requires new methods of control.

The Case for Prevention Cybercrime poses major challenges for law enforcement and policy makers. While most jurisdictions have specialised units to deal with the various types of cybercrime, these units are typically overwhelmed by the sheer volume of crime they need to deal with. This, coupled with the fact that offenders are more than likely to be outside the jurisdiction of the investigating agency, means that, in comparison to the size of the problem, arrest rates are miniscule. It has been estimated that fewer than one percent of malicious cyber actors are subject to law enforcement action (Crane 2022). Of course, this is not to say that law enforcement does not have a crucial role to play in combatting cybercrime. But by necessity, agencies need to triage cases and focus resources on the most serious. This leaves a long tail of less serious offenders who effectively receive no attention. In countries like Australia, the focus on prevention strategies is growing (Australian Cyber Security Centre 2021). This includes ‘target hardening’ in the form of advice to potential victims. The advice covers cybersecurity, but it also acknowledges the ‘human factor’ by explaining how risks can be reduced by regulating emotional

11 Online Messaging as a Cybercrime Prevention Tool …

213

responses to scam messages, and asking basic questions about their credibility (Australian Cyber Security Centre 2021, p. 29). Still, a greater array of prevention strategies is clearly needed to alleviate an already stretched traditional criminal justice model that is simply not fit for purpose where cybercrime is concerned. If opportunity is at the root of cybercrime, then reducing opportunity must be a central plank of any prevention effort. To this end, situational crime prevention (SCP) provides a useful framework for devising opportunity-reduction strategies (Clarke 2016). SCP shifts the usual focus from changing the presumed criminality of offenders to tackling the criminogenic features of the immediate environment that allow criminal behaviour to occur. SCP is sometimes referred to as a place-based model of prevention. In the cybercrime context, the place is cyberspace. The aim of SCP is to make the Internet a less fertile environment for criminal decision-making and a safer place for potential victims. There are five basic SCP strategies: increasing the perceived risk, to make potential offenders believe it is more likely they will be observed and caught; increasing the effort, to make carrying out the offence more difficult or time-consuming; reducing the rewards, to limit the payoff that the perpetrator is seeking from offending; removing excuses, to challenge the cognitive distortions that offenders may use to minimise their behaviour; and reducing provocations, to counter conditions that may create or intensify the motivation to offend. Online warning messages are a promising tool that can be used to implement SCP principles on the Internet. Online messaging is cheap, easy to implement and can be scaled up to reach literally millions of people simultaneously at the very moment that they are about to engage in the targeted behaviour.

What Makes an Effective Message? We encounter warning messages routinely in our everyday life. In the offline world, they are used extensively in the areas of public health, occupational safety, road safety, consumer protection and ergonomics (e.g. Hall, Lazard, Grummon et al. 2021; Mollen, Engelen, Kessels et al.

214

R. Wortley and J. Prichard

2017; Rosenblatt, Bode, Dixon et al. 2018; Taylor and Wogalter 2019; Wogalter 2020). Warning messages are now also frequently used online and appear on users’ screens in a number of ways, including pop-up messages and banner messages. They are used to alert us that our hard drive is nearly full, that the computer battery is low, that the site about to be visited may be unsafe and so on. Offline warning messages have been subject of extensive empirical research. Warning messages should attract attention, impart explicit information about the specific hazard they are referring to and advice on the steps necessary to avoid harm (Lenorovitz, Leonard and Karnes 2012). Messages are more effective if they are believable (Riley, Ingegneri, Passi et al. 2006), come from a credible source (Selejan, Muresanu, Popa et al. 2016; Wathen and Burkell 2002; Wogalter and Mayhorn 2008), are clear and concise (Laughery and Page-Smith 2006) and use relevant colours, alert symbols and signal words (caution, warning, etc.) (American National Standards Institute 2017; Ng and Chan 2009; Kim and Wogalter 2015). At a psychological level, warning messages may be pitched at the behavioural, cognitive or affective level. Behaviourally focused messages attempt to influence the user by emphasising the benefits of compliance or the costs of non-compliance. Cognitive-focused messages present facts and rely on the user’s capacity to make rational judgments. Affectivefocused messages attempt to engage the user’s emotions, either positively, for example, by fostering feelings of self-worth for doing a good deed, or negatively, by creating anxiety or fear. As a general rule, messages that appeal to the user’s emotions are most persuasive (Carfora, Pastore and Catellani 2021; De Hoog, Stroebe and De Wit 2007). The lessons learned about offline messages are likely to apply equally to the online environment. Additionally, there are some specific considerations that apply online. Active warnings, which disrupt users in their activity and require them to takes some action to make the message disappear, are more effective than passive warnings, which disappear of their own accord (Egelam, Cranor and Hong 2008). Messages are also more effective the closer they appear on screen to the relevant activity (Petelka, Zou and Passi 2019), or ideally, if the rest of the screen is shaded (Institute for Safe Medication Practices 2019). Analyses of millions of

11 Online Messaging as a Cybercrime Prevention Tool …

215

responses to browser security warnings indicate that messaging does influence human behaviour online (Akhawe and Felt 2013).

Warning Messages as an Online Crime Prevention Tool Depending on the crime in question, warning messages may be directed at either potential victims or potential offenders. In the case of potential victims, the aim of the message is to encourage computer users to take actions to make themselves less vulnerable to cybercrime; in the case of potential offenders, messages aim to deter, deflect or disrupt individuals contemplating illegal acts online, while the very appearance of a warning message can help challenge the perception that online behaviour is anonymous.

Victim-Focused Messages As noted, online messages are already common and many of these have a crime prevention element by warning users about hazardous activities that could be exploited by offenders. The effectiveness of these messages is difficult to evaluate ‘in the wild’, but there are number of studies that have adopted experimental designs involving inventive laboratory simulations. Three illustrative examples are provided below. Egelman et al. (2008) investigated the effectiveness of warnings about spear phishing attacks (online scams targeting specific people or organisations). The research was portrayed to participants as an online shopping study. Participants made online purchases at spoof Amazon and eBay websites, after which they were sent a phishing email. If the participants visited the URL in the email, they either received no warning or one of two standard website messages—an active message from Internet Explorer (‘Suspicious website: This may be a phishing website’) or passive banner warning message from Firefox (‘This is a reported phishing website’). In the no warning condition, 97% of participants fell for the spear phishing attack. When presented with the active warning,

216

R. Wortley and J. Prichard

only 21% fell for the attack, while the passive banner warning had no discernible deterrent effect. Carpenter and colleagues (Carpenter, Zhu and Kolimi 2014) investigated the sharing of personal details online. In a study ostensibly involving an online application for automobile insurance, participants were asked to provide their drivers licence details and email address. In the absence of a warning, 100 per cent of participants provided their email and 75 per cent licence details. In the experimental conditions, one of three different signal words was used—‘warning’, ‘hazard’ or ‘caution’—followed by the sentence ‘disclosing this information may be hazardous to your identity privacy’. ‘Hazard’ was the most effective signal word, reducing disclosure of licence detail to zero and email to 9 per cent. ‘Warning’ was the least effective signal word, with 8 per cent still supplying licence details and 64 per cent supplying email. Silic and Back (2017) used warning messages to try to dissuade users from installing supposedly malicious software. The researchers created functioning, non-malicious software, which they made available on the Internet, that allowed users to manipulate PDF documents. When people downloaded the software they received either no warning, or one of three warnings that varied in intensity: (1) a low-impact message in which malicious software was said to be against security policies; (2) a medium-impact messages, where malicious software was said to be illegal, and usage was monitored; and (3) a high-impact message, where malicious software was potentially dangerous and harmful to the user. The messages resulted in the ‘malicious’ software being installed less often, and with shorter duration, and less repeated use, with the levels of desistence 34 per cent for low, 44 per cent for medium, 63 per cent for high and 10 per cent for the control group, which received no warning. Results indicate that the more salient the message is made to the user, the more effective it is. In sum, the research indicates that victim-focused messages can be successful in changing risky Internet behaviour, but that the level of effectiveness depends upon the specific features of the warning. In terms of Clarke’s (2016) classification of SCP techniques, these messages can be

11 Online Messaging as a Cybercrime Prevention Tool …

217

regarded as examples of increasing the effort and reducing the rewards of offending. By heeding warning messages, Internet users better protect themselves, thus making offending more difficult and less profitable for potential offenders.

Offender-Focused Messages It is difficult to quantify the prevalence of crime prevention messages online, but in all likelihood to date the majority of Internet warnings have been directed towards potential victims, rather than potential offenders. The most common area in which offender-focused messages have been employed is in relation to child sexual abuse material (CSAM). Online messages to prevent CSAM-use are now commonly employed by international philanthropic agencies which aim to reduce child abuse, such as StopitNow! (2020) and Thorn (2022). Similar messages have recently been implemented by one of the world’s largest pornography companies to warn users whose search terms may lead to CSAM (Pornhub 2020). CSAM-deterrence messages have also been trialled by law enforcement agencies (Wortley and Smallbone 2012) and are used by some Internet companies (e.g. Essers 2013; Google 2020). There have been limited attempts to evaluate these measures in the field. In 2014 Microsoft and Google implemented a search engine blocking system combined with a warning banner on the Google interface. These two strategies resulted in a 67 per cent reduction in global CSAM search terms over 12 months; the trend was not observed in other search engines where the strategies had not been instituted (Steel 2015). However, it is unclear from these data the extent to which the warning banners or the blocking contributed to the reduction. As with victim-focused messages, experimental approaches have been used to empirically examine the effectiveness of offender-focused warnings. Methodologically, investigating the effectiveness of warning messages presents challenges. It is generally not practically or ethically appropriate to use college student participants as was the case in the studies described in the previous section. One solution has been to use

218

R. Wortley and J. Prichard

‘honeypots’—fake websites that mimic likely crime targets that are used as bait—to examine the behaviour of actual Internet users. Using a honeypot website pretending to be a university IT system, Maimon and colleagues (Maimon, Alper, Sobesto et al. 2014; Maimon, Kamerdze, Cukier et al. 2013; Testa, Maimon, Sobesto et al. 2017; Wilson, Maimon, Sobesto et al. 2015) conducted a series of online randomised experiments to try to deter computer hackers. The participants, real potential hackers, were exposed to a warning message written by the US National Institute of Standards and Technology (NIST) (see Testa et al. 2017, p. 700). The results showed that the warning did not immediately deter hacking. However, it did influence some hackers’ behaviour by (a) reducing time spent trespassing (Maimon et al. 2014), (b) changing the types of commands entered in certain circumstances (Wilson et al. 2015) and (c) deterring non-administrative users from changing files (Testa et al. 2017). While the studies provided modest support for the efficacy of warning messages, a criticism of them is their lack of grounding in the literature on message compliance referenced in Sect. 3. In particular, the NIST message they deployed was an 86-word explanation of legal issues and potential outcomes for hackers. Lacking colour, signal words, alert symbols or conciseness, the technically phrased message bore few of the features known to increase the likelihood of compliance. Stronger evidence supporting the potential of offender-focused messaging was provided by Prichard and colleagues (Prichard, Scanlan, Krone et al. 2022a; Prichard, Wortley, Watters et al. 2022b; Prichard, Wortley, Watters et al. forthcoming). They conducted three honeypot studies to investigate whether warning messages could deter Internet users from entering websites purporting to contain dubious sexual material. A legitimate men’s fitness website was created that targeted young men. The website carried advertisements, including ones to the honeypot websites (run at different times). The first advertisement was to a ‘barely legal’ website, which for legal and ethical reasons were used as a proxy for CSAM (Prichard, Wortley, Watters, et al. 2022b). If someone clicked on the advertisement they were either taken straight to the landing page (control condition), or they received one of four warning messages: (1) Health professionals believe the individuals shown may experience

11 Online Messaging as a Cybercrime Prevention Tool …

219

long-term feelings of distress; (2) Health professionals believe the individuals shown may experience long-term feelings; (3) Police may obtain IP addresses to track users; and (4) Viewing this material may be illegal in some countries and lead to arrest. The dependent measure was the number of participants who clicked the ‘enter’ button on the landing page (which brought up an error message). The click-through rates were: control, 73 per cent; harm to viewer, 62 per cent; harm to victim, 55 per cent; police may trace IP, 51 per cent; and material may be illegal, 53 per cent. There were significant differences between the control condition and both IP and illegal conditions. Results suggest that deterrence messages are more effective than harm messages. The second study was an extension of the first (Prichard et al. forthcoming). In addition to the previous control and ‘police may trace IP’ conditions, three new messages were added: (1) Police may obtain IP addresses to track users + image of young male being arrested; (2) Concerned about your porn use? Visit mensline.org.au (text only); and (3) Concerned about your porn use? Visit mensline.org.au + image of young male in distress. The click-through rates for the three new conditions were: police may trace IP + image, 35 per cent; concerned about porn (text only), 40 per cent; and (4) concerned about porn + image, 47 per cent. Click-throughs for all three of the new conditions were significantly lower than for the control. The inclusion of an image seemed to value-add to the deterrence message but not for the referral message. The third study involved a different honeypot (Prichard, Scanlan, Krone, et al. 2022a). On this occasion, the advertisement was for a ‘Swap My Babe’ website inviting visitors to upload sexual images of their girlfriend and view images that had been uploaded. In addition to a control condition, there were two warning conditions: (1) It’s a crime to share sexual images of people who look under 18 (text only); (2) It’s a crime to share sexual images of people who look under 18 + animation. Clickthrough rates were: control, 60 per cent; text only, 43 per cent; and text + animation, 38 per cent. Both experimental conditions were significantly lower than the control condition, but the animation did not seem to add appreciably to the effect.

220

R. Wortley and J. Prichard

Together, the honeypot studies provide encouraging support for the effectiveness of offender-focused warning messages in dissuading progression to a sex website of dubious status. It is particularly pleasing to see that the referral message for individuals concerned about their pornography use was as powerful as the deterrent message. The role of images and animation is less clear-cut, and would seem dependent upon the message in question. In terms of SCP, messages focused on the illegality of the targeted behaviour and the possibility of arrest are designed to increase the perceived risks of offending. Those highlighting the potential harms to victims may be considered examples of removing excuses while the referral-focused messages are primarily aimed at reducing provocations. It is conceded, however, that the current research base on offender-focused messages is limited and the extent to which the findings can be applied to other offences requires further investigation.

Deploying Messages Warning messages are typically triggered when an Internet user enters a specified keyword as a search query into a search engine, or attempts to access a specified URL. Even when a URL is taken down, messages can still be activated to warn users who have attempted to access the site, instead of them receiving the usual 404 error message. Messaging of this sort can be implemented by a wide range of actors within the technology, government, non-government and private sectors (Hunn, Watters, Prichard et al. in press). These include the following.

The Account Holder This includes companies that provide Internet access to employees, or establishments that provide free Wi-Fi to customers. The account holder may, for example, install security software that monitors web browser activity, or use a proxy server.

11 Online Messaging as a Cybercrime Prevention Tool …

221

Internet Search Engine (ISE) Companies Internet search engines, including, Google, Bing and Baidu, are software systems through which a user can systematically search the Internet using keywords. As not earlier, some search engines already display warning messages to users who type in proscribed CSAM search terms (Google 2020).

Internet Service Providers (ISPs) Commercial ISPs, such as Telstra, Vodaphone and Virgin Media (among many others), sell internet connections and services to private individuals and organisations, including institutions and corporations. ISPs have the capacity to monitor Internet activity of account holders and to block certain search terms.

Third Parties Third parties include government departments, statutory bodies (e.g. eSafety Commissioner), law enforcement agencies, non-government organisations (NGOs) (e.g. the Internet Watch Foundation), and relevant industry stakeholders. In practice, the deployment of warning messages will typically require the collaboration between nongovernmental players, who may have crucial data on risky keywords and URLs, and governmental agencies, which have the legal power to implement messaging.

Issues and Opportunities We are under no illusions that warning messages are a panacea for combatting cybercrime. There are number of issues with the use of messaging that we acknowledge. These include the determination of offenders, the possibility of displacement and the problem of habituation. At the same time, we believe that warning messages are currently

222

R. Wortley and J. Prichard

under-utilised and could be used more extensively, for a wider range of crimes, and in more online contexts. There are undoubtedly many cybercrimes committed by determined and predatory individuals or organised crime groups, who are unlikely to be fazed by the appearance of a warning message. However, as we noted at the beginning of this chapter, warning messages are not proposed as a replacement for law enforcement but as a supplement. Where possible, serious offenders need to be arrested and prosecuted. But we should be careful not to fall for what Felson (2016) calls the ingenuity fallacy and assume the extreme cases are typical. Much cybercrime, like all crime, is mundane and poorly planned, committed by unskilled and occasional offenders. This is true for cyber-bullying and harassment (Rice, Petering, Rhoades et al. 2015; Baumann, Bernhard, Martinelli, et al. 2022), digital piracy (Higgins, Wolfe, and Marcum 2008), downloading of CSAM (Prichard, Wortley, Watters, et al. 2022b; Wortley and Smallbone 2012), and cyber-dependent crimes such as hacking and malware distribution (Harbinson and Slezer 2019; Holt and Kilger 2012). Warning messages are likely to be most effective at deterring low level offenders, and may deflect some individuals from progressing to more serious offences. A related concern is that of displacement, that is, that warning messages will simply shift offenders to other targets. This is a common criticism levelled at SCP more generally. The logic underpinning displacement is superficially appealing, but it overestimates the determination of many offenders. Guerette and Bower (2009) conducted a systematic review of 102 evaluations of SCP projects involving 574 observations. They found that displacement occurred in 25 per cent of cases, but that this was offset by a diffusion of benefits (i.e. crime prevention in non-targeted areas) in 26 per cent of cases. Guerette and Bowers argued that their findings are consistent with the rational choice perspective on offender decision-making; displacement will only occur when the rewards for committing new crimes outweigh the risks and effort involved. While the review did not include examples of cybercrime prevention, the results suggest that we keep an open mind on the issue of displacement until specific research involving online messaging is conducted.

11 Online Messaging as a Cybercrime Prevention Tool …

223

The final issue is the potential for habituation, that is, the tendency for message effectiveness to diminish over time with repeated exposure (Floyd, Whelan & Meyers 2006; Wogalter and Laughery 1996). Research suggests that habituation is a threat to warning message effectiveness but it is not inevitable (Amran, Zaaba and Singh 2018; Anderson, Jenkins, Vance et al. 2016; Kim and Wogalter 2009). Habituation to messages can be reduced by varying the content or visual presentation of the message, using messages more selectively, and using active rather than passive messages (Egelam, Cranor and Hong 2008). It is also the case that habituation does not necessarily mean there is a deterioration in learning (Webb 2012). Advertisers, for example, see benefit in repeating advertisements long after their novelty has worn thin. Against these concerns, there is potential to expand the current use of warning messages. To date, triggering messages has relied on the use of specified search terms and URLs. This method suits cases where potential victims are about to enter a hazardous website, or potential offenders are attempting to find illicit material such as CSAM. However, many cases of cyber-victimisation—child sexual grooming, romance fraud, bullying, stalking, harassment and so on—occur in the context of an ongoing interaction between offenders and victims, usually on online social networks (OSN) such as Facebook, Messenger, and Instagram. Intervening in these cases involves actively monitoring the online behaviour of users. OSNs may already use warning messages when users violate platform rules. For example, according to Facebook’s published policy on spam and harassment, users may receive a warning if they send friend requests to people they do not know, or send someone a message or link they mark as unwelcome (Meta 2022a, 2022b). Such messages do not depend upon knowing the content of the messages. Automated scanning of messages to detect problematic conversations is far more complex and contentious. It requires the identification of words or phrases that reliably indicate that illicit activity is occurring. To this end, a number of studies have examined online interactions between child sex groomers and their victims to identify grooming tactics and linguistic patterns (Lorenzo-Dus, Kinzel, Di Cristofaro 2020; Powell, Casey and Rouse 2021). We acknowledge the difficulties inherent in developing message functions—directed to potential

224

R. Wortley and J. Prichard

victims or offenders—based on text scanning. Apart from the technical feasibility, complex issues may arise concerning (a) privacy, (b) communicating with minors, and (c) the accuracy of the activities that trigger pop-up warning messages and the risk of exposing falsely identified victims or offenders to some type of harm. Plans by some Open Storage Networks (OSN) to move to end-to-end encryption creates additional challenges (Goodwin, 2022; Hughes, 2021). Nevertheless, we see this as a fertile area for further research with the view to addressing a wider range of cybercrimes. As 50 years of research on warnings by multiple disciplines attests, messages have been thoughtfully designed to deal with a myriad of highly specific contexts.

Conclusion Cybercrime is multifarious, damages individuals and businesses in a wide variety of ways, and is perpetrated by skilled and unskilled offenders alike. During the social turmoil of COVID-19, we witnessed how the architecture of the Internet enables cybercriminals to quickly develop new ways of exploiting others. Their strategy often combines technology with psychology—deceiving victims through carefully crafted online communication. All too often this communication is automated cheaply on an industrial scale. Only a fraction of communications need to be successful to make the endeavour worthwhile. In many respects, this chapter is simply arguing that automated cybercrime prevention messages are a way to mimic key aspects of these criminal business models. They too can be rolled out quickly and economically on a very large scale. And in our view, they are worth considering even if they only deter, deflect or disrupt a fraction of cybercrime. Using the architecture of the Internet to merely send warning messages of one kind or another seems dull, and even trivial, in comparison to the incredibly sophisticated (and essential) cybersecurity methods that are being pursued by government and corporations. But, as cybercriminals demonstrate on a daily basis, simple online communications do influence human decision-making.

11 Online Messaging as a Cybercrime Prevention Tool …

225

All communication with humans requires emotional intelligence, and warning messages are no different. The vast archives of research on messaging—both online and offline—is replete with examples of warnings that failed to work, or even backfired, for a wide variety of reasons. Messages need to be crafted from context to context. And even relatively simple changes, like the inclusion of an image, can increase or decrease their effectiveness. Consequently, there is a compelling case for research to systematically examine categories of cybercrimes and to determine if and how warning messages can be of use.

References Akhawe, Devdatta and Felt, Adrienne Porter. 2013. ‘Alice in warningland: A large-scale field study of browser security warning effectiveness’ Paper presented at the 22nd USENIX Security Symposium, 14 August, pp. 257– 272. American National Standards Institute. 2017. American National Standard Design Principles for Environmental/Facility Safety Signs and Product Labels (ANSI Z535.X-2016). Rosslyn VA: National Electrical Manufacturers Association. Amran, Ammar, Zaaba, Zarul Fitri and Mahinderjit Singh, Manmeet Kaur. 2018. ‘Habituation effects in computer security warning’ Information Security Journal: A Global Perspective, 27 (4), 192–204. Anderson, Bonnie Brinton, Jenkins, Jeffrey L., Vance, Anthony, Kirwan, C. Brock and Eargle, David. 2016. ‘Your memory is working against you: How eye tracking and memory explain habituation to security warnings’ Decision Support Systems, 92, 3–13. Australian Cyber Security Centre. 2021. Annual Cyber Threat Report 1 July 2020 to 30 June 2021. https://www.cyber.gov.au/sites/default/files/2021-09/ ACSC%20Annual%20Cyber%20Threat%20Report%20-%202020-2021. pdf. Accessed 1 July 2022. Baumann, Sarah, Bernhard, Anka, Martinelli, Anne, Ackermann, Katharina, Herpertz-Dahlmann, Beate, Freitag, Christine, Konrad, Kerstin & Kohls, Gregor. 2022. ‘Perpetrators and victims of cyberbullying among youth with conduct disorder’ European Child and Adolescent Psychiatry, 1–11.

226

R. Wortley and J. Prichard

Buil-Gil, David and Zeng, Yongyu. 2021. ‘Meeting you was a fake: Investigating the increase in romance fraud during COVID-19’ Journal of Financial Crime, 29 (2), 460–475. Buil-Gil, David, Zeng, Yongyu and Kemp, Steven. 2021a. ‘Offline crime bounces back to pre-COVID levels, cyber stays high: Interrupted time-series analysis in Northern Ireland’ Crime Science, 10 (1), 1–16. Buil-Gil, David, Miró-Llinares, Fernando, Moneva, Asier, Kemp, Steven and Díaz-Castaño, Nacho. 2021b. ‘Cybercrime and shifts in opportunities during COVID-19: a preliminary analysis in the UK’ European Societies, 23: sup1, S47–S59. Carfora, Valentina, Pastore, Massimiliano and Catellani, Patrizia. 2021. ‘A cognitive-emotional model to explain message framing effects: Reducing meat consumption’ Frontiers in Psychology, 12, no. 583209. Carpenter, Sandra, Zhu, Feng and Kolimi, Swapna. 2014. ‘Reducing online identity disclosure using warnings’ Applied Ergonomics, 45 (5), 1337–1342. Clarke, Ronald V. 2016. ‘Situational crime prevention’ in Richard Wortley and Michael Townsley (eds.). Environmental Criminology and Crime Analysis (2nd ed). London: Routledge. Crane, Casey. 2022. ‘A look at 23 key cybercrime statistics data from 2021 and 2022’ https://www.thesslstore.com/blog/cyber-crime-statistics/. Accessed 1 July 2022. De Hoog, Natascha, Stroebe, Wolfgang and de Wit, John B. F, 2007. ‘The impact of vulnerability to and severity of a health risk on processing and acceptance of fear-arousing communications: A meta-analysis’, Review of General Psychology, 11(3), 258–285. Egelman, Serge, Cranor, Lorrie Faith and Hong, Jason. 2008. ‘You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings’ in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, April, pp. 1065–1074. Essers, Loek. 2013. ‘Google to warn users of 13,000 search terms associated with child pornography’ PCWorld . https://www.pcworld.com/article/206 4520/google-to-warn-users-of-13000-search-terms-associated-with-childpornography.html. Accessed 1 July 2022. Farrell, Graham, Tilley, Nick and Tseloni, Andromachi. 2014. ‘Why the crime drop?’ Crime and Justice, 43(1), 421–490. Felson, Marcus. 2016. ‘Routine activities approach’ in Richard Wortley and Michael Townsley (eds.). Environmental Criminology and Crime Analysis (2nd ed). London: Routledge.

11 Online Messaging as a Cybercrime Prevention Tool …

227

Floyd, Kim, Whelan, James P. and Meyers, Andrew W. 2006. ‘Use of warning messages to modify gambling beliefs and behavior in a laboratory investigation’ Psychology of Addictive Behaviors, 20 (1), 69. Goodwin, Bill. 2022. ‘Tech companies risk being compelled by law to protect children says online expert’ Computer Weekly. https://www.computerweekly. com/news/252513162/Tech-companies-risk-being-compelled-by-law-to-pro tect-children-says-online-safety-expert. Accessed 1 July 2022. Google. 2020. ‘Fighting child sexual abuse online’ https://protectingchildren. google/intl/en/. Accessed 1 July 2022. Guerette, Rob T. and Bowers, Kate J. 2009. ‘Assessing the extent of crime displacement and diffusion of benefits: A review of situational crime prevention evaluations’ Criminology, 47 (4), 1331–1368. Hall, Marissa G., Lazard, Allison J., Grummon, Anna H., Higgins, Isabella C., Bercholz, Mamime, Richter, Ana Paula C. Taillie, and Lindsey Smith. 2021. ‘Designing warnings for sugary drinks: A randomized experiment with Latino parents and non-Latino parents’ Preventive Medicine, 148, no. 106562. Harbinson, Erin and Selzer, Nicole. 2019. ‘The risk and needs of cyberdependent offenders sentenced in the United States’ Journal of Crime and Justice, 42(5), 582–598. Higgins, George E., Wolfe, Scott E. and Marcum, Catherine D. 2008. ‘Digital piracy: An examination of three measurements of self-control’ Deviant Behavior, 29 (5), 440–460. Holt, Thomas J. and Bossler, Adam M. 2015. Cybercrime in Progress: Theory and Prevention of Technology-enabled Offenses. London: Routledge. Holt, Thomas J. and Kilger, Max. 2012. ‘Examining willingness to attack critical infrastructure online and offline’ Crime & Delinquency, 58(5), 798–822. Hughes, Owen. 2021. ‘Facebook: Don’t expect full end-to-end encryption on Messenger until 2022 “at the earliest”’ TechRepublicI , 5 May. https://www.techrepublic.com/article/facebook-dont-expect-full-endto-end-encryption-on-messenger-until-2022-at-the-earliest/. Accessed 1 July 2022. Hunn, Charlotte, Watters, Paul, Prichard, Jeremy, Wortley, Richard, Scanlon, Joel, Spiranovic, Caroline and Krone, Tony. (in press). ‘Implementing online warnings to prevent CSAM use: a technical overview’. Canberra: Australian Institute of Criminology.

228

R. Wortley and J. Prichard

INTERPOL. 2020. ‘INTERPOL report shows alarming rate of cyberattacks during COVID-19’ https://www.interpol.int/en/News-and-Events/News/ 2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-duringCOVID-19, Accessed 1 July 2022. Institute for Safe Medication Practices. 2019. ‘Your attention please… Designing effective warnings’ https://www.ismp.org/resources/your-attent ion-please-designing-effective-warnings-0. Accessed 1 July 2022. Kemp, Steven, Buil-Gil, David, Moneva, A, Miró-Llinares, Fernando and DíazCastaño, Nacho. 2021a. ‘Empty streets, busy internet: A time-series analysis of cybercrime and fraud trends during COVID-19’ Journal of Contemporary Criminal Justice, 37 (4), 480–501. Kemp, Steven, Buil-Gil, David, Miró-Llinares, Fernando and Lord, Nicholas. 2021b. ‘When do businesses report cybercrime? Findings from a UK study’ Criminology & Criminal Justice.https://doi.org/10.1177/174889582 11062359. Accessed 18 January 2023. Kim, Soyun, and Wogalter, Michael S. (2009, October). Habituation, dishabituation, and recovery effects in visual warnings. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting 53(20), 1612–1616. Sage CA: Los Angeles, CA: SAGE Publications. Kim, Soyun and Wogalter, Michael S. 2015. ‘Effects of emphasis terminology in warning instructions on compliance intent and understandability’ Journal of Safety Research, 55, 41–51. Lallie, Harjinder Singh, Shepherd, Lynsay A., Nurse, Jason R. C., Erola, Arnau, Epiphaniou, Gregory, Maple, Carsten and Bellekens, Xavier. 2021. ‘Cyber security in the age of COVID-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic’ Computers & Security, 105, no. 102248. Laughery, Kenneth R. and Paige-Smith, Danielle. 2006. ‘Explicit information in warnings’ in Michael S. Wogalter (ed.), Handbook of Warnings (pp. 419– 428), Mahwah, NJ: Lawrence Erlbaum Associates Inc. Lenorovitz, David R., Leonard, S. David and Karnes, Edward W. 2012. ‘Ratings checklist for warnings: A prototype tool to aid experts in the adequacy evaluation of proposed or existing warnings’ Work, 41 (Supplement 1), 3616–3623. Lorenzo-Dus, Nuria, Kinzel, Anina and Di Cristofaro, Matteo. 2020. ‘The communicative modus operandi of online child sexual groomers: Recurring patterns in their language use’ Journal of Pragmatics, 155, 15–27.

11 Online Messaging as a Cybercrime Prevention Tool …

229

Maimon, David, Alper, Mariel, Sobesto, Bertrand and Cukier, Michel. 2014. ‘Restrictive deterrent effects of a warning banner in an attacked computer system’ Criminology, 52(1), 33–59. Maimon, David, Kamerdze, Amy, Cukier, Michel and Sobesto, Bertrand. 2013. ‘Daily trends and origin of computer-focused crimes against a large university computer network: An application of the routine-activities and lifestyle perspective’ The British Journal of Criminology, 53(2), 319–343. Meta. 2022a. ‘How technology detects violations’ Transparency Center, https://transparency.fb.com/en-gb/enforcement/detecting-violations/techno logy-detects-violations/. Accessed 1 July 2022. Meta. 2022b. ‘Facebook help center’ https://www.facebook.com/help/152457 281489359. Accessed 1 July 2022. Mollen, Saar, Engelen, Susanne, Kessels, Loes T. and van den Putte, Bas. 2017. ‘Short and sweet: the persuasive effects of message framing and temporal context in antismoking warning labels’ Journal of Health Communication, 22(1), 20–28. Ng, Annie W. and Chan, Alan H. S. 2009. ‘What makes an icon effective?’ AIP Conference Proceedings, 1089, pp 104–114, AIP. Nivette, Amy E., Zahnow, Renee, Aguilar, Raul, Ahven, Andri, Amram, Shai, Ariel, Barak, ... and Eisner, Manuel. P. 2021. ‘A global analysis of the impact of COVID-19 stay-at-home restrictions on crime’ Nature Human Behaviour, 5 (7), 868–877. Office for National Statistics. 2020. Nature of Fraud and computer misuse in England and Wales: year ending March 2019. London: Office for National Statistics. Petelka, Justin, Zou, Yixin and Schaub, Florian. 2019. ‘Put your warning where your link is: Improving and evaluating email phishing warnings’ in Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, 2 May, pp. 1–15. https://doi.org/10.1145/3290605.3300748. Accessed 18 January 2023. Pornhub. 2020. 2020 Transparency Report. https://help.pornhub.com/hc/en-us/ articles/4419860718483. Accessed 1 July 2022. Powell, Martine B., Casey, Sharon and Rouse, Jon. 2021. ‘Online child sexual offenders’ language use in real-time chats’ Trends and Issues in Crime and Criminal Justice, no. 643, Canberra: Australian Institute of Criminology, pp. 1–15. Prichard, Jeremy, Scanlan, Joel, Krone, Tony, Spiranovic, Caroline, Watters, Paul and Wortley, Richard. 2022a. Warning messages to prevent illegal

230

R. Wortley and J. Prichard

sharing of sexualised images: Results of a randomised controlled experiment’ Trends and Issues in Crime and Criminal Justice, no. 647, Canberra: Australian Institute of Criminology. Prichard, Jeremy, Wortley, Richard, Spiranovic, Caroline and Watters, Paul. forthcoming. ‘Warnings for Internet users attempting to access ‘barely legal’ pornography: examining the effects of imagery on therapeutic and deterrent messages’ Trends and Issues in Crime and Criminal Justice. Canberra: Australian Institute of Criminology. Prichard, Jeremy, Wortley, Richard, Watters, Paul A., Spiranovic, Caroline, Hunn, Charlotte and Krone, Tony. 2022b. ‘Effects of Automated Messages on Internet Users Attempting to Access “Barely Legal” Pornography’ Sexual Abuse, 34 (1), 106–124. Rice, Eric, Petering, Robin, Rhoades, Harmony, Winetrobe, Hailey, Goldbach, Jeremy, Plant, Aaron, Montoya, Jorge and Kordic, Timothy. 2015. ‘Cyberbullying perpetration and victimization among middle-school students’ American Journal of Public Health, 105 (3), e66–e72. Riley, Donna M., Ingegneri, L., Passi, L. and Siqueira, J. 2006. ‘Modelling exposure outcomes to improve warning assessment and design for chemical consumer products’ Paper presented at the Proceedings of the 16th Congress of the International Ergonomics Association, Maastricht, The Netherlands. Rosenblatt, Daniel H., Bode, Stefan, Dixon, Helen, Murawski, Carsten, Summerell, Patrick, Ng, Alyssa and Wakefield, Melanie. 2018. ‘Health warnings promote healthier dietary decision making: Effects of positive versus negative message framing and graphic versus text-based warnings’ Appetite, 127 , 280–288. Salter, Michael and Wong, W. K. Tim. 2021. The Impact of COVID-19 on the Risk of on Online Child exual Exploitation and the mplications for Child Protection and Policing. Sydney: University of New South Wales. https:// www.end-violence.org/sites/default/files/paragraphs/download/esafety% 20OCSE%20report%20-%20salter%20and%20wong.pdf. Accessed 1 July 2022. Selejan, O., Muresanu, Dafin, Popa, L., Muresanu-Oloeriu, I., Iudean, Dan, Buzoianu, Arica and Suciu, Soimita. 2016. ‘Credibility judgments in web page design–a brief review’ Journal of Medicine and Life, 9 (2), 115–119. Silic, Mario and Back, Andrea. 2017. ‘Deterrent effects of warnings on user’s behavior in preventing malicious software use’ in Silic, Mario and Back, Andrea, Deterrent Effects of Warnings on User’s Behavior in Preventing Malicious Software Use, in Proceedings of the 50th Hawaii International Conference on System Sciences, January.

11 Online Messaging as a Cybercrime Prevention Tool …

231

Stechemesser, Annika, Wenz, Leonie and Levermann, Anders. 2020. ‘Corona crisis fuels racially profiled hate in social media networks’ eClinicalMedicine, 23, no. 100372. Steel, Chad M. S. 2015. ‘Web-based child pornography: The global impact of deterrence efforts and its consumption on mobile platforms’ Child Abuse and Neglect, 44, 150–158. StopitNow! 2020. ‘IWF and Stop It Now! to Develop “Ground-Breaking” Chatbot to Combat Online Child Sexual Abuse’ 14 October, https://www. stopitnow.org.uk/home/media-centre/news/iwf-and-stop-it-now-to-developground-breaking-chatbot-to-combat-online-child-sexual-abuse/. Accessed 1 July 2022. Taylor, Jesseca R. I. and Wogalter, Michael S. 2019. ‘Specific egress directives enhance print and speech fire warnings’ Applied Ergonomics, 80, 57–66. Testa, Alexander, Maimon, David, Sobesto, Bertrand and Cukier, Michel. 2017. ‘Illegal roaming and file manipulation on target computers: Assessing the effect of sanction threats on system trespassers’ online behaviors’ Criminology and Public Policy, 16 (3), 689–726. Thorn. 2022. Deterring Online Behaviour. https://www.thorn.org/deterrenceprevent-child-sexual-abuse-imagery/. Accessed 1 July 2022. Wathen, C. Nadine and Burkell, Jacquelyn. 2002. ‘Believe it or not: Factors influencing credibility on the Web’ Journal of the American Society for Information Science and Technology, 53(2), 134–144. Webb, Robert. C. 2012. Psychology of the Consumer and its Development: An Introduction. London: Springer Science & Business Media. We Protect. 2019. Global Threat Assessment 2019: Working Together to end the Sexual Exploitation of Children Online. London: Open Government Licence. https://static1.squarespace.com/static/5630f48de4b00a75476ec f0a/t/5deecb0fc4c5ef23016423cf/1575930642519/FINAL+-+Global+Thr eat+Assessment.pdf. Accessed 1 July 2022. Wilson, Theodore, Maimon, David, Sobesto, Bertrand and Cukier, Michel. 2015. ‘The effect of a surveillance banner in an attacked computer system: Additional evidence for the relevance of restrictive deterrence in cyberspace’ Journal of Research in Crime and Delinquency, 52(6), 829–855. Wogalter, Michael S. 2020. ‘Forensic human factors and ergonomics analysis of a trip and fall event in a parking lot’ Theoretical Issues in Ergonomics Science, 21(3), 347–368. Wogalter, Michael S. and Laughery, Kenneth R. 1996. ‘Warning! Sign and label effectiveness’ Current Directions in Psychological Science, 5 (2), 33–37.

232

R. Wortley and J. Prichard

Wogalter, Michael S. and Mayhorn, Christopher B. 2008. ‘Trusting the internet: Cues affecting perceived credibility’ International Journal of Technology and Human Interaction (IJTHI), 4 (1), 75–93. Wortley, Richard and Smallbone, Stephen. 2012. Internet Child Pornography: Causes, Investigation and Prevention. Santa Barbara, CA: Praeger.

12 Artificial Intelligence, COVID-19, and Crime: Charting the Origins and Expansion of Dystopian and Utopian Narratives Sanja Milivojevic

Introduction When the outbreak of COVID-19 hit the world in 2020, digital technologies were hailed as critical tools needed to stem the tide of the pandemic, monitor the spread of the disease and facilitate treatment (Moss and Metcalf 2020; Whitelaw et al. 2020). Many governments worldwide developed their version of ‘digital solutions’ to the crisis, such as mobile phone apps for track and trace, digital COVID-19 passports and surveillance strategies to enforce lockdowns and other restrictive measures imposed on populations to stop the spread of disease (Moss and Metcalf 2020). The world was told that technological innovations and surveillance strategies such advances enable are critical if we wish to S. Milivojevic (B) Bristol Digital Futures Institute/School for Policy Studies, University of Bristol, Bristol, UK e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 R. G. Smith et al. (eds.), Cybercrime in the Pandemic Digital Age and Beyond, Palgrave Studies in Cybercrime and Cybersecurity, https://doi.org/10.1007/978-3-031-29107-4_12

233

234

S. Milivojevic

return to the ‘new normal’. As the future increasingly looks risky, even dangerous, the pathway to answers appeared to be located in digital and information technology and science. In addition to contagious diseases, the ongoing threat of global warming, over-development and the potential use of weapons of mass destruction dominate the media and public discourse, as we are seemingly only one step away from one such disaster. The future is precarious, and technology and scientific innovations pave the path to salvation. On the other hand, technological innovations are deemed hazardous, if not fatal, for individuals, communities or humankind. Undoubtedly, in the ‘age of algorithms’ (Abiteboul and Dowek 2020), artificial intelligence (AI), interconnected intelligent devices and autonomous machines, unwanted outcomes of digital frontier technologies could be severe (Sheikh 2021; Tegmark 2017; Walsh 2017). Both narratives of techno-utopia and dystopia are prevalent in analysing the crimetechnology nexus (Milivojevic 2021). Technology, in particular digital frontier technologies such as AI, the Internet of Things (IoT), autonomous mobile robots, blockchain, 5G (or 6G), nanotechnology and others, have been poised to transform nearly every aspect of crime and justice processes, from crime prevention, offending and victimisation, to criminal justice responses. At the same time, cybercrimes continue to dominate the criminological agenda as crimes in which computers or other electronic devices connected to the Internet are used to carry out criminal offences. We have witnessed repeated warnings about the rise of offences (both traditional and new) committed with assistance or via technology during the pandemic. The World Health Organisation, arguably the international body with the utmost authority immediately before and during the pandemic, warned in the early stages of the pandemic that individuals and organisations/businesses are likely to become victims of cyberattacks and cyber threats while in-home quarantine (Chigada and Madzinga 2021; Ma and McKinnon 2021). At the same time, we have seen an introduction and testing of a range of technologically-based innovations to combat a rise in offending and new modes of criminality. This paper focuses on artificial intelligence. By reviewing existing literature on the topic identified through database search, it analyses how

12 Artificial Intelligence, COVID-19, and Crime: Charting …

235

the ‘risky’ times of the global pandemic were linked to criminal activity underpinned by AI (AI-enabled crimes—or ‘AI(C)’) and the construction of the promise of artificial intelligence in combating offending during the crisis. It theorises the dystopian and utopian narratives and their current and possible implications in the immediate future.

Methodological Note Since the pandemic is ongoing, systematic desk research was deemed most appropriate for this paper. Searches were conducted on the following databases using relevant keywords—artificial intelligence and COVID-19 and crime: ProQuest and La Trobe University News Archive. ProQuest yielded 21,241 results, of which 20,745 were full-text. After limiting the search to include scholarly (peer-reviewed) articles, books, reports, magazines and newspapers only, the number was reduced to 3,172. The inclusion criteria for the studies and news reports considered in this research were that the research (empirical or not) and media reports referred to the link between crime, offending and victimisation on the one hand, and artificial technology or AI-based systems and innovations during the COVID-19 pandemic. After analysing the title, keywords and abstracts, 42 articles on the topic were reviewed. Papers and reports on cybercrime were included for two reasons: first, there is a scarcity of literature that talks about AI without reflecting on cybercrimes. Secondly, the promise of AI to automate cyber offending is identified as the next step in the cybercrime threat (Jaber and Fritsch 2021). As such, the literature on AI links to the crime-technology nexus is a continuum of the contributions to the cyber. Moreover, examples in developing the narrative around cybercrime are, arguably, likely to be followed in the construction of both dystopian and utopian narratives vis-à-vis AI, COVID-19 and crime. Undertaking a media analysis via La Trobe University News Archive in the period 2019–2022 yielded 6,035 results, of which 1,163 with full access. After limiting the search to include major traditional news outlets, 50 news reports from the early stages of the pandemic (January 2020– May 2020) were reviewed.

236

S. Milivojevic

This systematic literature review allowed me to form the following four research questions that require a more comprehensive and interdisciplinary research approach: 1. What connections have been purported and/or established in the literature and the media vis-à-vis crime, offending and artificial intelligence during the COVID-19 pandemic? 2. What connections have been purported and/or established in the literature and the media regarding artificial intelligence and responses to crime and offending during the COVID-19 pandemic? 3. Are the narratives pertinent to crime, artificial intelligence and the COVID-19 pandemic utopian or dystopian in nature, and what/who are their main drivers? 4. What are the implications of such narratives to various groups of people, citizens and non-citizens? This chapter begins to unpack dystopian and utopian narratives in academia and traditional media, with no ambition to provide any answers to the above questions. The chapter opens a much broader debate and research on knowledge production in the risk society. It is suggested that AI and machine learning’s relationship to offending and victimisation in the global pandemic is limited. Contemporary literature and knowledge production, however, are lacking on many fronts. This chapter invites colleagues from a range of disciplines to investigate the suggestion by Moss and Metcalf (2020) that AI and machine learning are deeply embedded in the social production and distribution of risk in this area of inquiry. One of the underpinning factors of such a process (if one exists) might be the unchallenged influx of the security industry in the production of knowledge around AI(C). The implications of these processes on human rights and the fabric of liberal democracies are yet to materialise fully and will require our attention in the immediate future. Issues around borders and mobility have intentionally been omitted from this chapter, as this is the focus of attention in the author’s other papers and academic contributions.

12 Artificial Intelligence, COVID-19, and Crime: Charting …

237

Artificial Intelligence, COVID-19 and Crime: The Dystopian Narratives Artificial intelligence refers to many things. Experts advise that when one hears someone talking about AI, one should always ask what they mean by it (Broad 2018). Computer scientist and mathematician John McCarthy coined the term artificial intelligence in 1956 as ‘the science and engineering of making intelligent machines’ (cited in Goodman 2016, p. 469). Definitions have since moved from intelligent machines to machines or systems that, seen from the outside, do things and perform tasks that would require intelligence if done by humans (Abiteboul and Dowek 2020, p. 152). This paper defines existing (weak) AI as a computer system that receives data from the environment and, with a degree of autonomy, acts to achieve complex goals that would otherwise require human intelligence to be completed successfully. Thus, artificial intelligence emulates a specific human ability, skill or sense (such as calculation, optical or audio recognition) and uses heuristic learning models to solve the problem with accuracy that is good enough for our current use (Osi´nski 2020). In AI, we tell the machine what to do, but not how to do it—or at least not every step of the way. Nevertheless, AI always has a ‘human in the loop’ (Ugwudike 2021). Against this backdrop, the global pandemic of coronavirus was in many ways an unprecedented event, particularly in terms of interruptions of societal norms and exchanges. The dynamic nature of our work, social life and mobility changed almost overnight, leaving us stuck in our homes, dependent on our computers for information on local and global events, work, family and social contacts, medical appointments and the like. Academics and social commentators are still trying to unpack the impact of COVID-19 on society, businesses, the economy and education, as well as its implications on offending and criminal justice responses. While the scholarship on traditional crimes is growing, data on cybercrimes and, in particular, AI-powered online offending and victimisation is ‘more elusive and analyses–at least in the academic and open source literature—less complete’ (Nikolovska et al. 2020, p. 2). Yet, while empirical research is lagging (which is to be expected, given that the pandemic is ongoing), there is a plethora of reports, findings and

238

S. Milivojevic

assessments on the impact of the COVID-19 pandemic on cybercrime, offending and victimisation produced by consultancy agencies (such as PwC and McKinsey) and business/industry-commissioned desk research. As shown in the analysis segment of the chapter, this non-empirical and often non-peer-reviewed ‘evidence’ has been commonly used to illustrate ‘the exponential growth rate of cyberattacks and threats during the COVID-19 pandemic and that the global village is under severe stressfighting two pandemics simultaneously’ (Chigada and Madzinga 2021, p. 2). This chapter now continues to chart both the dystopian and the utopian narratives, with a minimal reflection on their validity. From the onset of the crisis, many cybersecurity experts, government and law enforcement agencies suggested that one of the impacts of COVID-19 is likely to be a rise in AI(C), in particular cybercrimes. Media headlines warned that ‘[a]n “unprecedented” wave of coronavirus scams are coming’ (Brewster 2020). While the timeline of the rise in AI(C) provided by the US Federal Bureau of Investigation proposes that there was a time gap between the initial outbreak of coronavirus and the first attacks associated with COVID-19, the gradual increase as the pandemic unfolded reached up to 4,000 attacks a day (Jaber and Fritsch 2021). There was a reported 600 per cent increase in phishing attacks to March 2020, while ‘the World Economic Forum stated that the pandemic led to a 50.1 per cent increase in cyberattacks and an associated 30,000 cyberattacks which were specifically COVID-19-related between 31 December 2019 and 14 April 2020’ (Lallie et al. 2021, p. 3). Information technology consulting company CGI suggested a staggering 30,000 per cent increase in the number of cyber threats specifically due to COVID-19. At the same time, Google advised the company blocked 18 million malware and phishing emails and scams related to the virus daily (Lallie et al. 2021). However, some researchers suggested that, compared to pre-pandemic times, the rates of cyber victimisation did not change (Hawdon et al. 2020) but these dissonant tones were a minority. The claim that cyber fraud was on the rise in the US during the first few months of the pandemic (Payne 2020) was also prominent, with projections of a rise that will follow the rise in several cases (Ma and McKinnon 2021). Some of the arguments used to explain the growth

12 Artificial Intelligence, COVID-19, and Crime: Charting …

239

in cyber frauds were linked to the increased vulnerability and emotional instability of victims in isolation and the overall psychological impact of the pandemic (Ma and McKinnon 2021). One researcher suggested that offenders use a range of tactics, including relief as emotional appeal and hope (Naidoo 2020). In Australia, the rise in malicious URL attacks of 260 per cent was recorded between February and March 2020 (Chigada and Madzinga 2021). This attack mechanism, also called browser hijacking, has been purportedly lifted to a higher threat level via increased automation (Jaber and Fritsch 2021). Research from the UK found a link between government announcements and media stories covering such announcements and corresponding cyberattacks, aiming to utilise the event as a hook and thus increase its chances for success. Such events include inter alia, budgetary announcements of support for National Health Service (NHS) and other public services in the UK, entitlement for statutory sick pay for individuals advised to self-isolate and the like (Lallie et al. 2021). As the attention of the public was drawn to these incentives and initiatives aimed to mitigate the consequences of the pandemic, so was the attention of the scammers and attackers. A typical modus operandi for the attacks was identified as the following sequence: – A phishing campaign directs victims to download the file or access a URL; – The file or a URL carry malware that acts as a vehicle for financial fraud; – The phishing campaign leverages media and government announcements (Lallie et al. 2021, emphasis added). Thus, while not necessarily a novel means for offending—or, to adapt John Perry Barlow’s observation (2018—see also Ma and McKinnon 2021, p. 5), fraudsters during COVID-19 ‘put old wines into the new bottles’—the support offered to the public in the times of the crisis likely acted as the generator: the aid aimed to mitigate the impact of the pandemic was the ‘hook’ for unsuspected victims. Researchers also suggested that government initiatives in times of heightened risk should be followed by a note or a disclaimer about how information about

240

S. Milivojevic

these announcements will be relayed (Lallie et al. 2021). Moreover, it was established that the two-month period of the strictest lockdown in the UK brought the highest number of cybercrimes, particularly cyber frauds associated with online shopping, auctions and the hacking of social media and emails. The vast majority of victims were individuals, not organisations, which was explained by the fact that during the strict lockdown, businesses were moved to employees’ home offices (Buil-Gil et al. 2021). However, the level of automation and the potential role of AI in the above offending behaviours was not clearly established. As the lockdown was easing in some settings, news reports warned about the potential threat by organised crime linked to the use of contactless technology applied to mitigate the spread of the virus (such as, for example, the use of QR codes in restaurants and at sporting events). During COVID, people became more accustomed and trusting vis-à-vis QR codes, which is precisely what offenders count on—taking unsuspecting users to fraudulent or phishing websites. The problem was expected to be so significant that the FBI released a statement in January 2022 warning about this new post-pandemic potential crime problem (Mitchell 2022). Luckily, as experts had suggested, the QR attacks are hard work and yield relatively small gain, so they are still in their infancy. However, the warning that they might become more prevalent in the post-pandemic times was clear (Mitchell 2022). Both academic works and the media linked the remote nature of work and a lack of security protocols in home offices/remote locations during the pandemic with an increase in cyberattacks (Chigada and Madzinga 2021; Grado´n 2020; Lallie et al. 2021). The financial industry, healthcare systems and government agencies have been common targets of such attacks during the pandemic, with a 238 per cent increase of cyberattacks on financial institutions globally between February and April 2020 (Chigada and Madzinga 2021). Yet, as we shall see in the analysis section, many of the above projects were based on data or conducted by consultancy agencies commissioned desk research (not peer-reviewed and not empirical). The rest were estimates provided by governing bodies, such as WHO, Interpol and others. The same methodology was applied in the context of AI and crime.

12 Artificial Intelligence, COVID-19, and Crime: Charting …

241

A particular concern in the literature reviewed for this chapter was (often semi-automated or automated) information warfare that includes so-called fake news and disinformation campaigns about the virus, the vaccines and nation-states’ methods to curb the spread of the disease (Jaber and Fritsch 2021). Security experts from technology companies warned that: [t]oday, we’re seeing a nexus between nation-states and cyber criminals [who] continue to rapidly advance the development of increasingly sophisticated and destructive cyberattacks, combined with the broadening of the attack surface as a result of COVID-19. … The digital and physical worlds have converged, and everything can be manipulated by modernday attackers. The reality is that first adopters of advanced technologies, such as artificial intelligence and machine learning, are often cybercriminals on the dark web and in nation-states intelligence communities. (VMware 2021)

Indeed, fake news—as the information provided as news to the public to mislead the reader/consumer—was flagged as one of the pressing issues during the pandemic (Grado´n 2020; Suanpang et al. 2021), so much so that the governments and international organisations such as WHO joined forces to tackle the problem (WHO 2021). While the western media, security experts, and various government officials and agencies speculated that behind some of the better-orchestrated misinformation campaigns were Russian, Chinese and, to a lesser extent, Iranian, North Korean and Pakistani-sponsored websites and platforms (Grado´n 2020), there was little evidence to substantiate such claims. Most importantly, ascertaining just how widespread the problem was during the pandemic is still a challenging task (not just because the pandemic is ongoing). There are several fact-checking organisations documenting the range, the spread and the impact of disinformation campaigns (Grado´n 2020). Disinformation campaigns are closely linked to so-called deep fakes— artificially generated videos that use images and audio cloning technology to impersonate people (Grado´n 2020; Sylvester 2021)—that involve (most commonly) celebrities, politicians and other public figures. These interruptions have been entirely created by artificial intelligence, in particular the deep learning mode of the algorithms. The technology

242

S. Milivojevic

that generates deep fakes is cheap and easy to use (Sylvester 2021). At the start of the pandemic, deep fakes were singled out as a challenge for health professionals, government agencies and law enforcement during the pandemic (Sylvester 2021). The technology’s disruption is amplified in risky times, such as the global pandemic. Some of these problems, we were told, could be addressed with the same technology used for offending.

Artificial Intelligence, COVID-19 and Crime: The Utopian Narratives Experts suggested that misinformation about COVID-19 (in particular vaccines, lockdown, quarantine and masks) could be combated by artificial intelligence. Artificial intelligence, it is held, can better identify patterns in data or attacks in fraudulent news or crimes (Aphiwongsophon and Chongstitvatana 2018). Incorporating AI into the system development might strengthen security controls, such as vulnerability assessment and scanning, thus potentially improving system robustness and general resilience against cyberattacks (Jaber and Fritsch 2021). Computer scientists and AI developers have come out with a range of strategies and systems that, they believe, could be effective in filtering fake news, such as Support Vector Machine, Extreme Learning Machine and others (Suanpang et al. 2021). It was also suggested that AI might be useful in creating counter-measures that can help law enforcement and public safety agencies in addressing fake news campaigns and their impact (Grado´n 2020). Several of these technologies were tested in smart cities in Thailand with limited success (Suanpang et al. 2021). These findings echo the reports predating the COVID-19 crisis that warned against policy optimism on the promise of AI and, in particular, uses of automated detection, (de)prioritisation and removal in countering online disinformation (Meyer and Marsden 2019). COVID-19 has also fuelled the growth in algorithmic surveillance technologies as algorithm-based technologies that

12 Artificial Intelligence, COVID-19, and Crime: Charting …

243

classify, store, combine, and search structured and unstructured data, compare captured data to other data, and provide matches to systems that use machine-learning algorithms to find patterns and actionable knowledge in big data sets and attempt to predict events based on the designs found in the captured data. (van Brakel 2021, p. 232)

Designed and sold by private companies and used by law enforcement and other agencies for crime control, public order policing, border and mobility control, and as management tools (van Brakel 2021), these AI-based systems and devices have had a profound impact on policing and justice systems for some time now (Milivojevic 2021; van Brakel 2021). However, the global pandemic has seen these technologies on a grander scale to prevent the spread of the disease (Moss and Metcalf 2020). Belgium, Greece and other countries in Europe and elsewhere started using AI systems of surveillance embedded in drones to monitor the movement of people and traffic during lockdowns (Gkougkoudis et al. 2022; van Brakel 2021). As spreading the disease directly correlates with the mobility of people, algorithmic surveillance technologies were deployed mainly to curb such mobility. In Belgium, for example, socalled corona cameras were installed on the Belgian coast and in several cities to monitor public spaces such as shopping centres; drone surveillance was also used to monitor potential violations of the COVID-19 lockdown regime (van Brakel 2021). Academia has recently commenced the debate on the impact of these technologies on vulnerable and disproportionately targeted communities (Moss and Metcalf 2020). The utopian narratives around the promise of automation and AI in countering cybercrime and other threats resulted in a change of mindset in some users. Consumers were eager to find ‘new ways to fight back’ during the pandemic. They were ‘increasingly willing’ (in one report, up to 81 per cent of the surveyed population) to ‘leverage active defence in the next 12 months’ (VMware 2021). This meant, of course, more spending on the technology that will protect us from the same technology. Technological solutions came with a price tag.

244

S. Milivojevic

Unpacking the AI-crime Nexus in Risky Times: Knowledge Production and the Aftermath of the Crisis What is emerging from the above narratives is that the COVID-19 global pandemic signalled a rise in dystopian and utopian narratives vis-à-vis AI(C), offending and victimisation. Significantly, the knowledge production in this area of inquiry was rarely based on robust academic processes and empirical research. Of the articles analysed for this chapter (42 academic papers), 18 were exploratory literature reviews, scoping reviews of open sources or analyses of data provided by the security industry. Six articles had no stated methodology. Several were theoretical conference papers or papers that analysed the impact of COVID-19 on traditional crimes (no reference to technology). Almost all of the 50 media reports analysed for this chapter presented security researchers and law enforcement officers as experts on the matter, with a trail of referencing that often led to nonacademic, security industry or consulting informant pieces. For example, the claim that there has been ‘a spike in crime involving COVID19, impersonating legitimate businesses, offering suspicious links for receiving money, such as one from MoneyGram or Western Union, or requesting bitcoin payments for face masks’ (Jaber and Fritsch 2021, p. 1) was initially linked to the academic publication (Chawki 2021) but in fact emanated from security company and media portals. Browser hijacking examples from the dystopian segment of the chapter (Jaber and Fritsch 2021) was referenced back to the sandpit event at one of the UK-based universities on the future of AI crime (Caldwell et al. 2020). In the sandpit event, experts were asked to rate a catalogue of 20 scenarios of AI-enabled crimes (devised by using/conducting a literature review of academic contributions, news reports, current affairs, fiction and popular culture sources) according to four factors (harm, profit, achievability and profitability) and to rank them according to the necessity of potential intervention—ignore, watch and act (Caldwell et al. 2020). This sandpit with possible scenarios of AI crimes was occasionally referenced in the scoped literature as the evidence base for the AI-crime

12 Artificial Intelligence, COVID-19, and Crime: Charting …

245

nexus (Grado´n 2020; Jaber and Fritsch 2021). The top-rated scenarios in the sandpit involved AI-authored fake news, deep fakes and tailored phishing enhanced by AI (Grado´n 2020; Caldwell et al. 2020)—the same problems highlighted in the literature as the most pressing during COVID-19 pandemic. Importantly, however, the protection against AI-powered offending follows the well-travelled road we are familiar with from the broader context of cybercrime. We (the consumers) should protect ourselves by downloading (buying) products that will protect us and our assets (antivirus software, malware scanners, anti-phishing tools and the like), as well as a ‘security culture’ in our workplace and home office (Jaber and Fritsch 2021). Thus, the 30,000 per cent increase in cyberattacks reported by the CGI was, in fact, the number of attacks the company’s Security Operation Centre experienced, ‘including malware, weaponised websites and phishing emails (Yes, the number of zeros is correct!)’ (CGI 2020). The company’s press release suggests that education is the best defence and that CGI’s conference phishing simulation and triage products used for training are the way to safeguard ourselves and our organisations from this enormous threat. Google’s 18 million-a-day effort mentioned above was a plug for the company’s G Suite, where ‘advanced phishing and malware controls are turned on by default, ensuring that all G Suite users automatically have these proactive protections in place’ (Kumaran and Lugani 2020). While such recommendations are to be expected from private companies aiming to profit in a risky society, academic research often followed this path, suggesting that they: encourage the use of cyber security best practices included using trusted anti-virus software, checking web address details to avoid domain spoofing scams, and refraining from downloading attachments from suspicious emails or submitting sensitive financial information to untrusted websites. We also highly recommend potential victims reconsider before taking action online, and review their emotional state carefully to examine if fraudsters may have used emotional appeals like relief, fear, hope, enjoyment, threat, or compassion, especially in these difficult times. (Ma and McKinnon 2021, p. 10; see also Naidoo 2020)

246

S. Milivojevic

The onus for protecting against victimisation is, yet again, placed solely on the victim. And to top it off, law enforcement agencies were also advised to include ‘private–public policing partnerships that leverage the private sector’s efforts to optimise the allocation of responsibilities and make policing accountable to the public’ (Ma and McKinnon 2021, p. 10). As Moss and Metcalf (2020) would have it, the outcome is ‘financialisation’ and arbitration of risk by individual or enterprise users. This is not to suggest that a fundamental emphasis on ‘cyber hygiene’ (Chang 2020) that includes the think-before-act strategy for crime prevention be mandatory for everyone online. Rather, the emphasis should not be designed to have consumers pay more to address uncertain threats, nor should they be held responsible if victimisation does happen. This critique of current engagement is not to say that all academic endeavours on this topic are problematic—quite the opposite. Many examples of a creative approach to data collection, methodology and knowledge production exist in the sample reviewed for this chapter. One such example is comprehensive research on the timeline of attacks during COVID-19 done by a multidisciplinary and inter-university research team in the UK (Lallie et al. 2021). This and similar academic efforts have clear policy implications and action plans for effective crime prevention. They need a greater prominence in academia and the public discourse and should serve as a steppingstone for future projects and analyses. In addition to knowledge production, the issue that warrants our attention is the harm created by the dystopian and utopian narratives only hinted at in this chapter. During the COVID-19 crisis, AI-based systems for surveillance were deployed to monitor people’s compliance with the counter-pandemic measures. While the surveillance was not used to identify occupants’ cars and while the technology did not collect personal data, these interventions were, many argue, potentially jeopardising the fundamental human rights of privacy and personal data protection (Gkougkoudis et al. 2022). That remains an issue for another day.

12 Artificial Intelligence, COVID-19, and Crime: Charting …

247

Conclusion This chapter aimed to initiate the process of mapping the origins, development and effects of dystopian and utopian narratives around AI(C). It reviewed and analysed the knowledge production in this area of academic inquiry and pointed out some implications of the lack of robust intellectual engagement in this field. This chapter does not suggest that the risks of AI(C) in the post-pandemic world are negligent, nor does it call for disengagement in this important area of academic inquiry. What is suggested is that we need clarity when it comes to mapping the scope of the problem, the concerned actors in both dystopian and utopian narratives (as well as what motivates such concern) and what solutions (if any) we see offered in the debate. This chapter outlined a range of matters, some of which were also registered in the context of cybercrime before the pandemic. The dystopian narrative produced the risk, actively managed by technocrats and stakeholders, only to counter the risk with utopian narratives of capitalist intervention. These accounts will continue to dominate the debate around AI crime in the post-pandemic times unless there is a dramatic change in knowledge creation. This change needs to include the following steps (at a minimum). First, empirical research in the AI(C) nexus needs to take prominence. This is necessary to subvert current power hierarchies in knowledge production. The difficulty in accessing research subjects and objects of study and the limitations of social scientists in understanding the technical issues can and should be overcome by creating an interdisciplinary research team and the novel methodology they will produce. Secondly, literature review and open source-based articles by academics in this field need a clear disclaimer of concerns and ambiguities about the ‘facts’ they reproduce. Stating the ‘facts’ by either dismissing the ‘elephant in the room’ about who is generating the facts and with what purpose (and with what benefit financially to the news makers) only contributes to the feedback loop of misinformationturned-facts-turned- ‘truthful’ misinformation, that we must desist. Factchecking is necessary even if the original information originates from academic sources.

248

S. Milivojevic

Thirdly, knowledge production, on any account, must include representatives of the security industries, government agencies, and other partners and stakeholders who are in the business of alleviating the scourge of cybercrime. What is needed, however, is an integration of these inputs into the peer-reviewed, robust research and publication plan suggested above rather than anecdote and self-serving scenarios of disease and cure. Finally, the focus needs to broaden to include the role of AI systems and automation in offending and victimisation, not only humaninduced cybercrime. This ambitious, new research agenda requires a multidisciplinary approach, both local and global, and novel methodologies that will allow us to not only understand where future threats might be, but to engage in the co-production of technology which give rise to new and desirable digital futures for all.

References Abiteboul, Serge and Dowek, Giles. 2020. The Age of Algorithms. Cambridge: Cambridge University Press. https://doi.org/10.1017/978110 8614139. Accessed 20 January 2023. Aphiwongsophon, Supanya and Chongstitvatana, Prabhas. 2018. Detecting Fake News with Machine Learning Method. 15th International Conference on Electrical Engineering/Electronics, Computer, Telecommunications and Information Technology (ECTI-CON), 18–21 July. Barlow, John Perry. 2018. ‘Selling wine without bottles: The economy of mind on the global net’ Electronic Frontier Foundation, 9 February, https:// www.eff.org/pages/selling-wine-without-bottles-economy-mind-global-net Accessed 24 January 2023. Brewster, Thomas. 2020. An ‘Unprecedented’ Wave Of Coronavirus Scams Is Coming, U.S. Attorney Warns. Forbes. https://www.forbes.com/sites/tho masbrewster/2020/03/18/how-americas-cyber-defenders-are-preparing-tosave-you-from-an-unprecedented-wave-of-coronavirus-scams/?sh=69bed8 23a74a Accessed 20 January 2023.

12 Artificial Intelligence, COVID-19, and Crime: Charting …

249

Broad, Ellen. 2018. Made by Humans: The AI Condition. Melbourne: Melbourne University Publishing. https://books.google.co.uk/books?id=K29 lDwAAQBAJ. Accessed 20 January 2023. Buil-Gil, David, Miró-Llinares, Fernando, Moneva, Asier, Kemp, Steven and Díaz-Castaño, Nacho. 2021. ‘Cybercrime and shifts in opportunities during COVID-19: a preliminary analysis in the UK’ European Societies, 23: sup1, S47–S59. Caldwell, Matthew, Andrews, Jerone T. A., Tanay, Thomas and Griffin, Lewis D. 2020. ‘AI-enabled future crime’ Crime Science, 9 (1): 1–14. https://doi. org/10.1186/s40163-020-00123-8 Accessed 20 January 2023. CGI. 2020. ‘Helping defend against a 30,000% increase in phishing attacks related to COVID-19 scams’ https://www.cgi.com/uk/en-gb/blog/cyber-sec urity/helping-defend-against-a-30000-increase-in-phishing-attacks-relatedto-covid-19-scams Accessed 20 January 2023. Chang, Lennon. 2020. ‘Coronavirus, cybercrime and the parasitising of a pandemic’ Monash Lens, 25 March. https://lens.monash.edu/@politics-soc iety/2020/03/25/1379885/coronavirus-cybercrime-and-the-parasitising-ofa-pandemic. Accessed 20 January 2023. Chawki, Mohammed. 2021. ‘Cybercrime in the context of COVID-19’ in Kohei Arai (ed.), Intelligent Computing: Proceedings of the 2021 Computing Conference, vol. 3, pp. 986–1002. Cham: Springer. Chigada, Joel and Madzinga, Rujeko. 2021. ‘Cyberattacks and threats during COVID-19: A systematic literature review’ South African Journal of Information Management, 23(1), a1277. https://doi.org/10.4102/sajim.v23i1.1277. Accessed 20 January 2023. Gkougkoudis, Georgios, Pissanidis, Dimitrios and Demertzis, Konstantinos. 2022. ‘Intelligence-led policing and the new technologies adopted by the Hellenic Police’ Digital, 2(2), 143–163 https://doi.org/10.3390/digital20 20009. Accessed 20 January 2023. Goodman, Marc. 2016. Future Crimes: Inside the Digital Underground and the Battle for Our Connected World . Anchor Point: Anchor Books. Grado´n, Kasper. 2020. ‘Crime in the time of the plague: Fake news pandemic and the challenges to law-enforcement and intelligence community’ Society Register, 4 (2), 133–148. Hawdon, James, Parti, Katalin and Dearden, Thomas E. 2020. ‘Cybercrime in America amid COVID-19: the Initial Results from a Natural Experiment’ American Journal of Criminal Justice, 45 (4), 546–562. https://doi.org/10. 1007/s12103-020-09534-4. Accessed 20 January 2023.

250

S. Milivojevic

Jaber, Aws Naser and Fritsch, Lothar. 2021. ‘COVID-19 and global increases in cybersecurity attacks: Review of possible adverse artificial intelligence attacks’ 25th International Computer Science and Engineering Conference (ICSEC), 18–20 November. https://oda.oslomet.no/oda-xmlui/bitstream/ handle/11250/3029084/IEEE__Conference_Covid_19_.pdf?sequence=4 Accessed 20 January 2023. Kumaran, Neil and Lugani, Sam. 2020. ‘Protecting businesses against cyber threats during COVID-19 and beyond’ https://cloud.google.com/blog/pro ducts/identity-security/protecting-against-cyber-threats-during-covid-19and-beyond. Accessed 20 January 2023. Lallie, Harjinder Singh, Shepherd, Lynsay A., Nurse, Jason R. C., Erola, Arnau, Epiphaniou, Gregory, Maple, Carsten and Bellekens, Xavier. 2021. ‘Cyber security in the age of COVID-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic’ Computers & Security, 105, no. 102248. https://doi.org/10.1016/j.cose.2021.102248. Accessed 20 January 2023. Ma, Katelyn Wan Fei and McKinnon, Tammy. 2021. ‘COVID-19 and cyber fraud: Emerging threats during the pandemic’ Journal of Financial Crime, in press. https://www.researchgate.net/publication/351525186_COVID19_and_cyber_fraud_emerging_threats_during_the_pandemic Accessed 20 January 2023. Meyer, Trisha and Marsden, Chris. 2019. ‘Regulating disinformation with artificial intelligence: Effects of disinformation initiatives on freedom of expression and media pluralism’ Brussels: European Parliament, DirectorateGeneral for Parliamentary Research Services. https://doi.org/10.2861/ 003689. Accessed 20 January 2023. Milivojevic, Sanja. 2021. Crime and Punishment in the Future Internet: Digital Frontier Technologies and Criminology in the Twenty-First Century. London: Routledge. Mitchell, Heidi. 2022. ‘Beware of QR Code Scams; It’s so easy to click on a QR code: Criminals are counting on it’ Wall Street Journal (Online), 19 March. Moss, Emanuel and Metcalf, Jacob. 2020. ‘High tech, high risk: Tech ethics lessons for the COVID-19 pandemic response’ Patterns, 1(7): 1–8, no. 100102. https://doi.org/10.1016/j.patter.2020.100102. Accessed 20 January 2023. Naidoo, Rennie. 2020. ‘A multi-level influence model of COVID-19 themed cybercrime’ European Journal of Information Systems, 29 (3), 306–321.

12 Artificial Intelligence, COVID-19, and Crime: Charting …

251

https://doi.org/10.1080/0960085X.2020.1771222. Accessed 20 January 2023. Nikolovska, Manja, Johnson, Shane D. and Ekblom, Paul. 2020. ‘“Show this thread”: policing, disruption and mobilisation through Twitter. An analysis of UK law enforcement tweeting practices during the Covid-19 pandemic’ Crime Science, 9 (1), 1–16. https://doi.org/10.1186/s40163-020-00129-2. Accessed 20 January 2023. Osi´nski, Jedrzej. 2020. Cunning Machines: Your Pocket Guide to the World of Artificial Intelligence, London: CRC Press LLC. http://ebookcentral.pro quest.com/lib/latrobe/detail.action?docID=6038733. Accessed 20 January 2023. Payne, Brian. K. 2020. ‘Criminals work from home during pandemics too: a public health approach to respond to fraud and crimes against those 50 and above’ American Journal of Criminal Justice, 45 (4), 563–577. https:// doi.org/10.1007/s12103-020-09532-6. Accessed 20 January 2023. Sheikh, Salim. 2021. Understanding the Role of Artificial Intelligence and Its Future Social Impact. Hershey PA: IGI Global.https://doi.org/10.4018/9781-7998-4607-9. Accessed 20 January 2023. Suanpang, Pannee, Pothipasa, Pattanapong and Netwrong, Titiya. 2021. ‘policies and platforms for fake news filtering on cybercrime in smart city using artificial intelligence and blockchain technology’ International Journal of Cyber Criminology, 15 (1), 143–157. https://doi.org/10.5281/zenodo.476 6539. Accessed 20 January 2023. Sylvester, Shannon. 2021. ‘Don’t let them fake you out: how artificially mastered videos are becoming the newest threat in the disinformation war and what social media platforms should do about it’ Federal Communications Law Journal, 73(3), 369–392. http://www.fclj.org/wp-content/ uploads/2021/05/73.3.1-Dont-Let-Them-Fake-You-Out-How-ArtificiallyMastered-Videos-Are-Becoming-the-Newest-Threat-in-the-DisinformationWar-and-What-Social-Media-Platforms-Should-Do-About-It.pdf. Accessed 20 January 2023. Tegmark, Max. 2017. Life 3.0: Being Human in the Age of Artificial Intelligence. London: Penguin Books Limited. Ugwudike, Pamela. 2021. ‘AI audits for assessing design logics and building ethical systems: the case of predictive policing algorithms’ AI and Ethics, 2: 199–208. https://doi.org/10.1007/s43681-021-00117-5 Accessed 20 January 2023. van Brakel, Rosamund. 2021. ‘How to watch the watchers? democratic oversight of algorithmic police surveillance in Belgium’ Surveillance and Society,

252

S. Milivojevic

19 (2), 228–240. https://ojs.library.queensu.ca/index.php/surveillance-andsociety/article/view/14325. Accessed 20 January 2023. VMware. 2021. ‘Cybercriminals manipulate reality via integrity and destructive attacks, vmware report finds’ Al Bawaba, 2 August. https://news.vmw are.com/releases/cybercriminals-manipulate-reality-via-integrity-and-destru ctive-attacks-vmware-report-finds. Accessed 20 January 2023. Walsh, Toby. 2017. It’s Alive!: Artificial Intelligence from the Logic Piano to Killer Robots. Melbourne: Schwartz Publishing. Whitelaw, Sera, Mamas, Mamas A., Topol, Eric and Van Spall, Harriette G. C. 2020. ‘Applications of digital technology in COVID-19 pandemic planning and response’ The Lancet Digital Health, 2(8), e435-e440. https://doi.org/ 10.1016/S2589-7500(20)30142-4. Accessed 20 January 2023. World Health Organization (WHO). 2021. ‘Fighting misinformation in the time of COVID-19, one click at a time’ WHO Newsroom, 27 April. https://www.who.int/news-room/feature-stories/detail/fighting-misinf ormation-in-the-time-of-covid-19-one-click-at-a-time. Accessed 20 January 2023.

13 Conclusion: Minimizing Crime Risks in Pandemics of the Future Rick Sarre

Introduction The risk environment created by the onset of the coronavirus caught everyone off guard. In March 2020, the World Health Organization declared that the COVID-19 outbreak was a pandemic. Fortunately, the ability of modern societies to cope with such disruptions by interacting ‘virtually’ (for example, online shopping, online teaching and online meetings) had been settled for some years. Indeed, the modern world now boasts of digital capabilities that can accommodate the flood of data from millions of sensors in our commercial hubs, streams of visual images generated by users of social networks and storage of information produced by those who have access to digital devices. That being the case, R. Sarre (B) Justice and Society, University of South Australia, Adelaide, SA, Australia e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 R. G. Smith et al. (eds.), Cybercrime in the Pandemic Digital Age and Beyond, Palgrave Studies in Cybercrime and Cybersecurity, https://doi.org/10.1007/978-3-031-29107-4_13

253

254

R. Sarre

most households and business operatives were able to shift their interactions from face-to-face engagements to cyberspace in a short period of time. Access to internet sites and messaging services such as Instagram, Facebook, Facetime, WhatsApp, TikTok, Viber and Tango opened relatively cheap worldwide communication channels to those who traditionally would have been locked out of these media (Sarre and Prenzler 2023). However, with these remarkable advances in technology came cyber criminality. Indeed, cybercriminals were quickly on board to develop a range of creative and nefarious platforms and dubious engagements. As detailed by the Australian Cyber Security Centre (ACSC 2021), in the financial year 2020–2021 a cybercrime was reported every eight minutes in Australia, an increase of 13 per cent on the previous year. Economic losses in that year were reported as amounting to A$33 billion (Toh et al. 2022). Globally, 623 million ransomware attacks were recorded in 2021, that is, twenty attacks every second, and more than triple the number recorded in 2019 (SonicWall 2022). The pandemic added another element of vulnerability. Reports of cybercrime increased during the COVID-19 outbreak, and these often occurred during the strictest lockdown measures. The increases were mainly experienced by individual victims rather than organisations. In particular, the number of frauds associated with online shopping and auctions, and the hacking of social media and email were the largest increases in the number of incidents in the United Kingdom (Buil-Gil et al. 2021).

What Did the Pandemic Teach Us About Cyber-Vulnerability? The various manifestations of the pandemic/cybercrime phenomena are described in the chapters of this book. The authors have drawn together the information on the cyber risk environment if not created certainly captured by the pandemic. They have outlined the sorts of crimes that continue to plague cyberspace or that have emerged for the first time during the global health crisis. They have written of the crime control

13 Conclusion: Minimizing Crime Risks in Pandemics …

255

and regulatory failures that manifested themselves during the pandemic. They have touted the successes achieved over the last three years that allow us to, at the very least, recognise if not address the various aspects of criminality arising from future pandemics and other global shocks. They have suggested strategies that could be used to forestall similar problems arising in the future. They have added to the vast array of resources that now provide ready information on data breaches and victimisation rates. They have reviewed a range of potential solutions, such as built-in cyber security of new products before release, and the promotion by governments and private industry of cyber-safety awareness. They have reported the outcomes of evaluations of these solutions. They have identified the importance of international mutual legal communication and cooperation given the cross-border nature of cybercrime and cyber criminality. They have pointed to the importance of public–private partnerships that are needed for the effective suppression of cybercrime at the national and international levels. They have pointed to the important role of governments in developing an over-arching framework to require compliance of private owners of surveillance tools and data managers to secure their data. Moreover, they have considered how effective prophylactic measures might be in seeking to address the criminality that will arise from future pandemics, including strategies that can be deployed such that our societies can avoid similar problems arising in the first place.

How Have the Authors Addressed These Issues? Jill Slay examined the use of illegal manipulation of digital technologies during and following the current pandemic, offering us an opportunity to view some of the societal changes and disruptions which occurred. She drew our attention to emerging technologies such as the Internet of Things (or IoT, namely physical objects with sensors, processing ability, software and other technologies that connect and exchange data with other devices and systems over the Internet or other communications networks). She highlighted the power of quantum computing and the

256

R. Sarre

broad usage of satellite services for communications and earth observation. She described how modelling using the Cyber Kill Chain provides a method whereby the technical context of transactions can be envisaged within a bank, a satellite or any other institution during, before or after a pandemic. Michael Levi discussed the patterns of and responses to a range of economic crimes, offline and online, short term and longer term. He wrote of the importance of measuring cyber fraud victimisation, using both official recorded data and victimisation surveys. He maintained that they are essential tools in considering the scale of some components of these problems in what he termed ‘human security’. Monica Whitty wrote of the way in which there was a tectonic plate shift of the workforce during the pandemic from the office to work from home, and, for some, consequential and enduring high levels of stress and anxiety. During this time, the number of victims and financial losses from cybercrime increased dramatically. She introduced readers to various psychological theories to understand human vulnerabilities to cyber scams (e.g. romance scams, investment scams, phishing, consumer scams). Importantly, she provided an insight into how we are to develop resilience to these scams post-pandemic. She critiqued the criminological theories to explain the conditions that may lead to an increased chance that fraud will occur. Hedi Nasheri shifted our attention to the way in which both public and private sectors must be able to act and respond to threats with preparedness. She wrote of the ongoing threats, especially to the United States, of what is suspected to be state-sponsored espionage. There is little doubt in the global realm that cyber sleuthing and stalking often emanates from China, but it is not confined to the East. Western democracies are not blameless in this regard. One need only think of Australia’s involvement in the interceptions that preceded the East Timor and Australian Maritime Boundary Treaty, and the rights appertaining thereto, to gain an appreciation of the global reach of state-sponsored cyber stalking. Lennon Chang’s chapter focused our attention on the scams that target people with a specific cultural and social background, an example of which is virtual kidnapping of international students. Although such

13 Conclusion: Minimizing Crime Risks in Pandemics …

257

‘kidnapping’ is not a new phenomenon, lockdowns and travel bans created additional opportunities for it, especially with Chinese students. He reminded us that the Australian Securities and Investments Commission issued a broadly-based warning in May 2021 that scammers are using the COVID-19 pandemic to target Australian small businesses with a range of scams including phishing, vaccine supply scams and email ransomware. Moreover, he noted, online bullying and hate speech are becoming more invasive. Jonathan Clough reminded us that much of the most effective work of cybercrime investigation and prosecution continues at the local, regional and bilateral levels. But the most effective prophylactic responses will emerge only when international cooperation can be harnessed and coalesced. The Budapest Convention, which, as Clough asserts, ‘has the potential to bring together disparate voices, establish areas of common agreement and remove the sense of exclusion’, is but a start. The world, as Professor Clough reminds us, will need to remain on the alert for the next pandemic wave, and the next iteration of criminality to follow. Gregor Urbas and Marcus Smith highlighted the way criminal justice systems have had to deal with specific offences enacted in response to public health concerns. Restrictions on personal movement and international travel, and prevention measures such as mandated maskwearing, were enforced through fines and imprisonment for people who, they might have thought, were exercising their rights as law-abiding (sovereign) citizens to remain aloof from governmental strictures. The conduct of legal proceedings has also been affected, said the authors, with an increased use of remote hearings, technological forms of document submission and judge-alone hearings. Bail, trial and sentencing procedures were all modified, and these changes are likely to continue well beyond the pandemic. Rick Sarre addressed the way we need to monitor and police the new cybercrime landscape. He reviewed the role privatisation can play. He wrote of the important role of the private sector but added that governments cannot adopt a ‘hands-off ’ approach and allow the private sector free rein in their quest to defeat cybercrime. Rather, he asserted, it is imperative that governments regulate and monitor the interventions by the private sector into citizens’ daily lives, even if it is done in the name

258

R. Sarre

of cyber security, lest these interventions leave people more vulnerable to policy over-reach and unacceptable breaches of privacy. Carolyn McKay and Kristin Macintosh directed our attention to the effect of the pandemic on the criminal courts. We witnessed, they wrote, suspension of jury trials, adjourned hearings and ‘pivoting’ of systems to remote procedures. Integral to this sudden change was an array of digital communication technologies: audio and audio-visual links as well as third party proprietary platforms. They concluded that the era of digital criminal justice has begun. However, within this new age of spatially dispersed criminal justice, and even with a recognition of virtuality as part of post-pandemic reality, there remains an indispensable role for face-to-face, high-level decision-making processes to be undertaken in shared physical places. In other words, the logics of online versus face-to-face interactions are clear, and their dividing lines remain suitably distinct. Richard Wortley and Jeremy Prichard made the case for the use of online warning messages as a key cybercrime prevention tool. They argued that the extent of the cybercrime problem cannot be tackled through traditional law enforcement tactics alone; we must explore prevention approaches aimed at reducing the incidence of cybercrime in the first place. Internet warning messages are one technique that will help make the Internet a safer environment for users. Automated cybercrime prevention messages can mimic key aspects of criminal business models. They, too, can be rolled out quickly and economically on a large scale. They are worth considering, said the authors, even if they only deter, deflect or disrupt a fraction of cybercrime. Sanja Milivojevic highlighted the role played by artificial intelligence in the pandemic world. She noted that we rely on technology and science as essential tools that can ‘tame’ the ‘beast.’ On the other hand, technological innovations can be deemed hazardous, if not fatal, for individuals and communities. There is no doubt, she said, that in the future of digital frontier technologies such as the Internet of algorithms, artificial intelligence, interconnected smart devices and autonomous machines, there will be unwanted outcomes. She declared that the ‘risky’ times of the global pandemic were linked to criminal activity in traditional and social

13 Conclusion: Minimizing Crime Risks in Pandemics …

259

media and the policy development in the Global North. She concluded that many interventions designed to disrupt cybercrime led to further restrictions of fundamental human rights and civil liberties rather than crime prevention, inserting a tricky conundrum into the plans of cyber security policymakers.

So, Where to from Here? The first point to make is that the phenomenon of cybercrime is set to continue apace. Globalisation will continue to expand, and, with the internet’s highly decentralised structure of connectivity and communication, globalisation will continue to accept and promote anonymity. Thieves can be working tens of thousands of kilometres from their victims (Broadhurst 2017). Moreover, by virtue of the borderless nature of the internet, thieves can pretend that they are in the same location as the victim who is none the wiser to the ruse. Moreover, as Grabosky and Smith (1998, p. 13) observed a quarter of a century ago, ‘crime follows opportunity.’ Hence, electronic commerce will continue to facilitate the transactions of the dark-web illicit markets such as the Silk Road drug markets (Martin 2014), the distribution of malicious content, and ransomware (Cross et al. 2022). Other criminal elements will continue to engage in hacking or phishing for unsuspecting victims (Cross 2020) or stealing identities with ruthless and instantaneous efficiency (Smith and Hutchings 2014). Thus there are still many unanswered questions relating to cybercrime beyond the pandemic.

What Next? Researchers will not only need to focus on the trends and issues identified in this book, but also to apply their minds and test their theories against three other recent developments that require mention briefly here. The first is the way governments and the courts are demanding that Australian corporations take more responsibility in the cybercrime

260

R. Sarre

prevention task. In May 2022, the Australian Federal Court made a ruling against the Australian Financial Services Licence (AFSL) holder RI Advice, which, after several security breaches, was found to have breached the Corporations Act 2001 (Cth) by not having adequately addressed its cyber risks. At the same time, and in harmony with this ruling, significant changes to the Security of Critical Infrastructure Act 2018 (Cth) came into force. This Act now requires critical infrastructure asset owners and operators to demonstrate adequate and principles-based risk management for their cyber, personnel, supply chain and physical security. Under the Act, asset owners, operators and their Boards are made directly accountable for establishing and implementing a robust risk management program. The second is the phenomenon observed by Harkin and Molnar (2022, pp. 84–85) of the massive rise in buying and selling security tools, which they refer to as the ‘commodification of cyber security.’ An ongoing research agenda is, they assert, urgently required to bring the appropriate level of academic and social scrutiny to practices of cyber security commodification that have thus far been under-developed if not entirely lacking (Harkin and Molnar 2022). The third imperative is to answer the call to build better public–private collaboration, or co-production of cyber security. At the moment these alliances are largely ad hoc and all too often caught up in commercial in confidence agreements which place them outside the gaze of policymakers and evaluators.

In Conclusion Through this collection, we hope to fill some gaps in our understanding of COVID-19 and its connections to cybercrime, and to forge new opportunities to build future collaborations, not only among academics but also between academics and industry. These collaborations will need to be broad enough to prepare us for not only pandemic risks, but risks associated with other global threats including economic threats (global recessions) and the consequential actions and reactions of nations threatened by climate change. In other words, as the risk landscape changes,

13 Conclusion: Minimizing Crime Risks in Pandemics …

261

so the responses that follow will need to be adjusted accordingly. To paraphrase the quotation attributed to Thomas Jefferson, the price of freedom from any future harm, cyber or otherwise, is eternal vigilance.

References Australian Cyber Security Centre (ACSC). 2021. ACSC annual cyber threat report—1 July 2020 to 30 June 2021. https://www.cyber.gov.au/sites/def ault/files/2021-09/ACSC%20Annual%20Cyber%20Threat%20Report% 20-%202020-2021.pdf Accessed 29 January 2023. Broadhurst, Roderic. 2017. ‘Cybercrime’ in Deckert, Antje and Sarre, Rick (eds.) The Australian and New Zealand Handbook of Criminology, Crime and Justice, 221–236. London: Palgrave Macmillan Buil-Gil, David, Miró-Llinares, Fernando, Moneva, Asier, Kemp, Steven and Díaz-Castaño, Nacho. 2021. ‘Cybercrime and shifts in opportunities during COVID-19: A preliminary analysis in the UK’ European Societies, 23(sup1), S47–S59. Cross, Cassandra. 2020. ‘“Oh we can’t actually do anything about that”: The problematic nature of jurisdiction for online fraud victims’ Criminology and Criminal Justice, 20 (3), 358–375. Cross, Cassandra, Holt, Karen and O’Malley, Roberta. 2022. ‘“If U don’t pay they will share the pics”: Exploring sextortion in the context of romance fraud’ Victims and Offenders: An International Journal of Evidence-based Research, Policy, and Practice. https://doi.org/10.1080/15564886.2022.207 5064 Accessed 30 January 2023. Grabosky, Peter and Smith, Russell. 1998. Crime in the Digital Age: Controlling Telecommunications and Cyberspace Illegalities. London: Transaction Publishers. Harkin, Diarmaid and Molnar, Adam. 2022. ‘The buying and selling of cyber security commodities’ Crime, Law and Social Change. https://doi.org/10. 1007/s10611-022-10037-y Accessed 30 January 2023. Martin, James. 2014. ‘Lost on the silk road: Online drug distribution and the “cryptomarket”’ Criminology and Criminal Justice, 14 (3), 351–367. Sarre, Rick and Prenzler, Tim. 2023. ‘Australian public and private crime prevention partnerships in cyberspace’ in Blackstone, Erwin, Hakim,

262

R. Sarre

Simon & Meehan, Brian (eds.) Handbook on Public and Private Security. Cham: Springer (forthcoming). Smith, Russell and Hutchings, Alice. 2014. ‘Identity crime and misuse in Australia: Results of the 2013 online survey’ Research and Public Policy Series, no. 128, Canberra: Australian Institute of Criminology. https://www. aic.gov.au/publications/rpp/rpp128 Accessed 29 January 2023. SonicWall. 2022. SonicWall cyber threat report. https://www.sonicwall.com/med ialibrary/en/white-paper/2022-sonicwall-cyber-threat-report.pdf Accessed 29 January 2023. Toh, Win-Li, Simmonds, Ross and Neary, Michael. 2022. ‘Cyber risk and the role of insurance’ Green Paper, September 2022. Sydney: Actuaries Institute. https://www.actuaries.asn.au/public-policy-and-media/thought-leader ship/green-papers/cyber-risk-and-the-role-of-insurance Accessed 29 January 2023.

Index

A

Action Fraud (UK) 42, 63, 66 Ad Hoc Committee. See United Nations (UN) Advanced Persistent Threat (APT) 21, 23 Antideception Coordination Centre (ADCC) 38 Anti-malware software 16 Application Programming Interface (API) 104 Artificial intelligence (AI) 6–8, 42, 89, 159, 234–237, 240–248, 258 Aseanapol 121 Asia-Pacific 37 Audio-visual link 194, 197, 198, 201, 202, 205, 258 Australian 16, 18, 38, 66, 111, 119, 124, 154, 157, 160, 162, 166,

177, 178, 183, 185, 200, 257, 259 Centre to Counter Child Exploitation 163 Communication and Media Authority 116, 179, 186 Competition and Consumer Commission 38, 58, 63, 66–68, 174 Computer Society 23 Crime Commission 174 Cyber Security Centre 23, 174, 186, 211–213, 254 Cyber Security Magazine 183 Human Rights Commission 6 Institute of Criminology 6, 67 Institute of Health and Welfare 164

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 R. G. Smith et al. (eds.), Cybercrime in the Pandemic Digital Age and Beyond, Palgrave Studies in Cybercrime and Cybersecurity, https://doi.org/10.1007/978-3-031-29107-4

263

264

Index

B

Bail 7, 165, 257 Banking 25, 93 cards 35 fraud 35 online 35 trojan 25 Barlow, John Perry 239 Bentham, Jeremy 33 Big Five personality factors 74 Biosecurity 154, 155, 158, 159 Black market data 115, 117, 118 Blockchain 41, 62, 70, 167, 234 Bluetooth applications 156–158 Booz Allen Hamilton 98 Botnet 23 Brazil, Russia, India, China and South Africa (BRICS) 137 British Academy xi, 50 Broadcasting Corporation 110, 112, 114 Budapest Convention. See Council of Europe Business Email Compromise (BEC) 23, 42

C

Cambridge Analytica data breach 180, 181 Camus, Albert 146 Castells’ network theory 195, 202 Causation, of pandemic crime 67 Chainalysis 39–41 Chang, Lennon 4, 112, 115, 175, 246, 256 Child abuse 8, 217

sexual abuse material 8, 210, 217, 218, 221–223 China 33, 46, 98–103, 105, 110–113, 115, 117–119, 157, 160, 256 espionage 98, 99, 105, 256 security agency 157 City of London Police 49 Civil liberties 259 Closed-circuit television (CCTV) 156, 179 Cloud 4, 14, 17, 18, 23, 93, 96 Clough, Jonathan 5, 139, 144, 257 Coca-Cola recipe 91 Computer-mediated communication (CMC) 61 Consumer fraud. See Scam Contact tracing 154, 156–158, 177 Conventions. See Council of Europe; United Nations (UN) cybercrime 5, 6, 122, 124, 132–136, 140–146, 210, 257 framework 5, 133, 134, 142–144, 146 Coping behaviours 58 Coronavirus. See COVID-19 Cost 2, 18, 34, 38, 43, 47, 49, 60, 66, 90, 154, 155, 201, 214 crime 49, 176 cybercrime 174, 176 pandemic 2, 43, 66, 201 prevention of crime 10, 178 Council of Europe 5, 121, 122, 132, 136–138, 140, 144, 162 Budapest Cybercrime Convention 5, 121, 124, 132, 135–146, 257 Octopus Platform 121 Courtroom. See Courts

Index

Courts 7, 102, 119, 160, 162, 165, 166, 194, 195, 197–202, 204, 205, 258, 259 buildings 133, 179, 196 place 7, 133, 194, 195, 198, 199, 201, 202, 205, 206 space 7, 194, 195, 205 COVID-19 3, 6, 13, 15–21, 23, 24, 27, 31, 32, 34, 39, 43–45, 57, 65, 66, 68, 87, 88, 97, 101, 105, 110, 112, 115–118, 122, 124, 132–134, 153–166, 194, 198, 199, 209–212, 224, 233, 235–239, 241–246, 253, 254, 257, 260 Crime. See Statistics incidence 2, 4, 9, 49, 210, 258 trends 6, 8, 10, 47, 259 Crime prevention 9, 176, 178, 187 AI uses 7, 242 displacement effects 7, 201, 221, 222 habituation effects 221, 223 situational 5, 67, 69, 162, 213 Crime Survey England and Wales (CSEW) 42 Criminal law/procedure 59, 143, 154, 160, 161, 166, 200, 204 Criminogenic effects 213 Criminology. See Theories Critical infrastructure 18, 19, 87, 90, 99, 163, 186, 260 Cryptocurrency 5, 39, 40 Bitcoin 39 cryptography 15 fraud 5, 39, 40 Cybercrime 2–5, 8, 9, 13–16, 19, 21–23, 27, 33, 35, 37, 46, 49, 123, 131, 132, 134, 135, 141,

265

143, 160, 174–178, 180, 182, 183, 185–187, 209–213, 215, 221, 222, 224, 235, 238, 243, 245, 247, 248, 254–260 cost 109, 174, 176 cyber-dependent 2, 32, 42, 43, 134–136, 175, 222 cyber-enabled 2, 32, 33, 42, 43, 48, 50, 98, 134, 135, 175 reporting 9, 21, 123 Cybercrime nomads 124 Cyber Kill Chain 25–27, 256 Cyber Readiness Institute 19 Cybersecurity 4, 13–16, 20, 22, 46–48, 75, 95, 212, 224, 238 Cyber stalking 15, 256

D

Dark figure - unreported crime 122 Dark web 20, 96, 164, 176, 241 Data 4–6, 10, 15, 17, 20, 23, 24, 32–38, 40, 45–49, 64, 87, 89, 93–97, 99–101, 104, 105, 114, 134, 136, 138, 139, 156, 158–160, 166, 173, 174, 178–183, 185–187, 195, 204, 217, 221, 237, 240, 242–244, 246, 253, 255, 256 breach 6, 14, 46, 49, 89, 97, 139, 183, 255 monitoring 4, 15 protection strategies 139, 246 Dating online. See Romance fraud Decentralised Finance (Protocols used on a blockchain network) 40 Denial of service (DOS) 22, 175, 210

266

Index

Deterrent effects of sanctions 10, 216 Disinformation. See Fake Displacement 7, 201, 222 extent 9, 24, 41, 43, 67, 113, 121, 145, 165, 182, 209, 217, 220 of crime 36, 43, 46, 71, 112, 119, 123, 124, 134, 179 Distributed Denial of Service (DDoS) 23, 134 Domestic (family) violence during pandemics 155, 162 Dropbox 104

E

Economic crime. See Fraud state-sponsored 33, 46, 48, 87, 88, 97, 105 Economic Espionage Act (US) 92, 93 Eiffel Tower scam 59 Email 15, 16, 21, 22, 34–36, 38, 43, 45, 59, 60, 68, 97, 104, 212, 215, 216, 238, 240, 245, 254, 257 attacks 21, 22 business email compromise 23, 42 fraudulent 34, 35, 104 Encryption 9, 224 end-to-end 224 Equifax data breach 100 eSafety Commissioner 221 Espionage 4, 46, 87–89, 93, 96–99, 102, 105 Chinese 98, 100 cyber 4, 87, 96

state-sponsored 33, 48, 87–89, 97, 98, 105, 256 Estee Lauder data breach 18 European 32, 35, 59 Central Bank 36 Union 34, 35, 42, 98, 99, 144 Europol 48, 121 Threat assessment 47 Eurostat 35

F

Facebook 124, 158, 180, 182, 223, 254 Facial recognition 179 Fake 16, 34, 59, 65, 67, 68, 111, 112, 114, 158, 163, 218, 241, 242, 245 deep 241, 242, 245 identity 35, 64 medicines 16, 67 news 158, 163, 241, 242, 245 vaccines 241 Federal Bureau of Investigation (FBI) 21, 34, 35, 39, 99, 111, 116, 117, 120, 123, 238, 240 Financial Action Task Force 45 Forensic 2 computer 2 Fraud. See Scam bank 35, 48 romance 36, 38, 42, 113 triangle 67, 69–71, 73, 79 typologies Function creep 159

G

Gambling 8

Index

Gartner 18 Gender, and victimisation 5 Global Initiative Against Transnational Organized Crime (GI-TOC) 6 Globalisation 259 Global Positioning System (GPS) 9 Global South 9, 49 Google 217, 221, 238, 245 Grievous bodily harm, and disease 161

H

Hacking 23, 24, 36, 47, 49, 72, 100, 101, 103, 104, 115, 118, 210, 212, 218, 222, 240, 254, 259 hacktivism 175 Health 1–3, 43–45, 66, 103, 113, 132, 134, 154, 155, 159, 163, 165, 182, 194, 198, 218, 242, 254 High Court of Australia (HCA) 161 History 61, 71, 92, 97, 132 fraud 61 pandemics 132 scams 58 HIV-AIDS 161 Home-based work 4 Honeypots 218–220 Hong Kong 37, 38 Human factors 212 Human rights 2, 8, 101, 132, 144–146, 236, 246, 259 Hypersonal relationships 61

267

I

Identity crime 115 authentication methods 9 fraud involving 65, 222 Independent Panel for Pandemic Preparedness & Response 132 Infodemic 9, 158 Information and communications technologies 1, 2, 131 Information technology 95, 234, 238 Insider fraud 33 Insurance 4, 216 cyber 4 Intellectual property (IP) 48, 89–92, 94, 97, 100, 101 crime 90 enforcement coordinator 41, 156 espionage 105 trade secrets 90, 91, 97, 100 Intelligence 15, 25, 41, 47, 74, 97, 98, 121, 176, 225, 241 Surveillance and Reconnaissance 27 Interception 136 International Labour Organization (ILO) 57 Internet 14, 15, 36, 49, 58, 60, 61, 64, 65, 70, 72, 78, 95, 96, 110, 115–117, 124, 133, 175–177, 180–182, 185, 196, 198, 201, 210–213, 216–218, 220, 221, 224, 234, 254, 255, 258, 259 Crime Complaint Center (FBI) 34 Internet of Things 4, 15, 22, 23, 234, 255 protocol 45, 178

268

Index

service provider 221 Israel 157 Shin Bet 157

J

Jurisdiction over cybercrime 212 Jury trials 7, 164, 194, 198, 258

K

Korea North 33, 241 South 37, 43, 46, 157 Korean National Police Agency (KNPA) 37

L

Language 42, 45, 123–125, 199 justice 120, 146 Latin America and the Caribbean Group (GRULAC) 137, 140 Lau, Laurie 175 Law enforcement 6, 9, 15, 32, 39, 42, 48–50, 90, 91, 105, 112, 119–124, 135, 141, 144, 145, 154, 156, 157, 160, 176, 183, 210, 212, 217, 221, 222, 238, 242–244, 246, 258 Legislation 7, 16, 90, 92, 93, 154, 157, 158, 160, 161, 166, 178, 179, 183, 185, 195, 197, 198, 202 domestic 7 international 5, 66, 122, 132, 134, 138 reform 162

Levi, Michael 4, 5, 9, 10, 31, 32, 34, 39, 41, 42, 47, 49, 65, 67, 122, 256 Lockdown 2, 4, 10, 13, 63, 66, 69, 73, 78, 79, 87, 153–156, 158, 162–164, 198, 211, 233, 240, 242, 243, 254, 257 Lockheed Martin Cyber Kill Chain (LMCKC). See Cyber Kill Chain Low Earth Orbit Satellites (LEO) 22–24, 26 Lustig, Victor 58, 59, 75

M

Macintosh, Kristin 258 Madoff, Bernard 61, 75 Malware kits 176 McKay, Carolyn 7, 194, 196, 197, 202, 204, 258 Member of the Order of Australia (AM) xvii–xviii Memorandum of Understanding (MOU) 141 Metadata 6, 156, 157, 159, 160, 178 analysis 156 retention laws 160, 178 risks 6 Methodology, research 240, 244, 246, 247 Mexico 120 Microsoft 217 Teams 14, 17, 19, 194, 198 Milivojevic, Sanja 7, 234, 243, 258 Ministry of State Security. See China Model Law of Computer Crime 141 Money laundering 39, 40, 120

Index

Money Service Bureau 33 Western Union 33 Monsanto 99, 100 Moral panic 33 Multi-factor Authentication (MFA) 4, 9, 16, 18, 177 Mutual legal assistance (MLA) 42, 120–122, 141

269

Online shopping 14, 20, 57, 58, 63, 64, 66–68, 78, 211, 215, 240, 253, 254 e-Commerce 47, 95 Open Storage Network (OSN) 223, 224 Opportunity theory 67 Organised crime 32, 45, 48, 111, 178, 222, 240 Russian 33

N

Nanotechnology 234 Nasheri, Hedi 4, 90, 91, 94–96, 256 National Audit Office (UK) 34 Cyber Security Centre (UK) 21 Health Service (UK) 45, 239 Institute of Standards and Technology (US) 218 Networked society 203, 204 Nigerian 419 scam 60, 61 Non-government organisation (NGO) 124, 134, 221 North American Free Trade Agreement (NAFTA) 93 North Atlantic Treaty Organization (NATO) 98

O

Octopus Platform. See Council of Europe Office for National Statistics (ONS) 36, 42, 211 Offline crime 49 Online and telecommunications (O&T) 110, 112, 113, 118, 119, 124, 125

P

People’s Republic of China (PRC). See China Personality – dark triad 75 Personally Identifiable Information (PII) 18, 23, 100 Personal Protective Equipment (PPE) 16, 34, 45 Phan, Duc xvii Philippines 120 Manila 120 Phishing 16, 19, 21, 34, 42, 48, 58, 67, 72, 97, 104, 163, 215, 238–240, 245, 256, 257, 259 Piracy, digital. See Intellectual property (IP) Policing. See Law enforcement cost 176 self-help 186 Policy 2, 3, 11, 15, 134, 167, 178, 184, 187, 212, 223, 242, 246, 258, 259 options 184–186 reform 162 Pornhub 217 Position, Navigation and Timing 27 Prevention. See Crime prevention

270

Index

Prichard, Jeremy 8, 218–220, 222, 258 Privacy 8, 9, 14, 40, 144, 145, 156, 157, 159, 163, 180–185, 187, 200, 216, 224, 246, 258 Private sector 5, 10, 33, 42, 45, 178, 182, 185, 187, 220, 256 policing 43, 177–179, 181, 246 security 48, 88, 96, 97, 178, 181, 184, 187, 257 Procurement 44 control 43 fraud 43, 44 Prosecutions 41, 49, 91, 99, 141, 146 public health 162 scam 257 Psychology 71, 75, 77, 224 theories 5, 10, 58, 71, 73, 79, 256 Public health 6, 10, 11, 44, 45, 116, 154–159, 161, 162, 213, 257 policy 116 Public Health Emergency of International Concern (PHEIC) 131, 153 Public policy. See Health Public sector fraud 6

Q

Quantum computing 4, 255 Quarantine directives 157 Quick Response (QR) code 8, 156, 157, 177, 240

R

Ransomware 8, 21, 23, 32, 42, 97, 98, 163, 210, 254, 257, 259 Rationalisation of crime 67, 69–71 Remote work. See Home-based work Risk assessment 48, 88 Robot 234 Romance fraud 42, 113, 212, 223 Russia 33, 41 draft convention on cybercrime 135, 139, 145

S

Sandpit scenarios 244, 245 Sarre, Rick 6, 174, 175, 177–180, 182, 186, 187, 254, 257 SARS-CoV-2 virus. See COVID-19 Satellite 4, 22–24, 26, 27, 89, 256 Scam. See Phishing; Romance fraud history of 58 Melon Drop 59 puppy scams 68 Scamwatch (Australia) 38, 119 Security 4, 9, 14–19, 22, 24, 25, 27, 33, 47, 48, 76, 87–92, 95–100, 104, 105, 156, 157, 159, 160, 166, 176, 178, 181, 184, 185, 187, 215, 216, 220, 236, 240–242, 244, 245, 248, 255, 258–260 Sentencing 7, 165, 257 Sexting 163 Sexual abuse. See Child abuse Singapore Police Force 117 Situational crime prevention (SCP) 213, 216, 220, 222 Slay, Jill 4, 5, 9, 22, 23, 25, 255

Index

Small to medium enterprises (SME) 17 Smith, Marcus 6, 7, 9, 157–159, 167, 257 Smith, Russell G. 4, 10, 31, 34, 39, 67, 122, 194, 196, 259 Social 2, 4, 5, 10, 13, 15, 16, 46, 48, 58, 68, 70–72, 78, 79, 100, 160, 162, 163, 166, 174, 177, 184, 196, 202–206, 209, 211, 224, 236, 237, 247, 256, 260 distancing 7, 21, 153, 154, 161, 164, 166 engineering 14, 16, 24, 158 media 20, 38, 44, 45, 47, 111, 123, 124, 155, 158, 163, 212, 240, 254, 259 network 96, 123, 173, 223, 253 Sovereignty 5, 132, 135, 139, 145, 146, 195 Spain 119, 120 Spam 64, 223 Spanish Flu 9 Spyware 23 Statistics 9, 33, 48 Steganography 15, 104 Student 110, 111, 113, 123, 124, 217 Asian 4 Chinese 111, 117, 257 victims 111, 119, 123, 125 Surveillance technologies 156, 242, 243

T

Taiwan 99, 120 Telemedicine 4, 14

271

Terrorism 135, 159, 176 The Onion Router (TOR) 104 Theories 5, 10, 58, 69, 71–74, 76, 79, 80, 158, 256, 259 criminological 4, 10, 58, 72, 76, 79, 80, 256 individual differences 58, 72–75, 79 Planned Behaviour 73, 75, 76, 79 psychological 5, 10, 58, 71, 73, 79, 256 routine activity 10, 71–73, 117 Tianjin University (TJU) 102 Trade-related Aspects of Intellectual Property Rights (TRIPS) 93 Trade secrets. See Intellectual property (IP) Training 4, 19, 64, 186, 245 crime prevention 10 IT security user 16 Treaty. See Conventions Turnbull, Malcolm 177, 181 Twitter 16, 158

U

Underground banking 33 United Kingdom (UK) 6, 21, 35, 36, 42, 43, 45, 48, 63, 66, 67, 98, 117, 239, 240, 244, 246, 254 United Nations (UN) 5, 16, 132, 134, 136, 137, 142, 145 Ad Hoc Committee 131, 135, 140 Convention against Transnational Organized Crime 135, 136, 139, 141

272

Index

Institute for Disarmament Research 133, 135, 137, 138 Office on Drugs and Crime 120, 133, 139, 141, 145 United States (US) 4, 21, 34, 43, 49, 64, 66, 67, 87–94, 97–103, 105, 117, 120, 122, 144, 180, 218, 238, 256 Universal Resource Locator (URL) 215, 220, 239 Urbas, Gregor 6, 7, 9, 158, 160, 165, 167, 257

V

Vaccine 16, 21, 45, 101, 154, 158, 163, 242, 257 fake 16, 34, 163 hesitancy 158 nationalism 133 Victimisation 6, 9, 20, 22, 34, 37, 41, 46, 47, 58, 71–74, 76, 78, 79, 117, 162–164, 166, 210, 223, 234–238, 244, 246, 248, 255, 256 Victoria Police 123 Virtual 7, 95, 193–195, 197–199, 202, 205 dematerialised justice 196 fairness 159, 201 justice, syn. digital justice 195 kidnapping 4, 110–125, 256 Private Network 4, 16

W

Warning messages 8, 209, 210, 213, 214, 216, 218, 220–224, 258 effectiveness 210, 215–217, 220, 223, 225 offender-focused 217, 218, 220 victim-focused 215–217 WebEx 14, 17, 19 Western Europe and Others Group (WEOG) 137, 140 Whitty, Monica T. 4, 5, 10, 32, 59–61, 66, 70, 72, 74, 75, 77, 256 Work 4, 14, 20–25, 27, 42, 44, 45, 47, 57, 58, 64, 67, 70, 72, 74, 76, 79, 90, 102, 105, 113, 116, 122, 132, 134, 146, 161, 162, 201, 210, 225, 237, 240, 256, 257 home-based 4 remote 4, 15–18, 88, 89, 95, 97, 98, 240 World Economic Forum (WEF) 21, 238 World Health Organization (WHO) 1, 9, 57, 131, 153, 154, 158, 163, 240, 241, 253 World Intellectual Property Organization (WIPO) 89, 91 Wortley, Richard 8, 218, 222, 258

Z

Zhou, You xix Zoom 14, 17, 19, 194, 200 bombing 34