Center for Long-Term Cybersecurity Grantees Aniket Kesari, Chris Hoofnagle, and Damon McCoy recently released a paper in the Berkeley Technology Law Journal, “Deterring Cybercrime: Focus on the Intermediaries,” focused on how various enforcers use the law to police cybercrime. Specifically, the authors describe how intellectual property owners, technology companies, and law enforcement agencies employ a “deterrence by denial” strategy, which entails disrupting access to cybercriminals’ intermediaries, including domain registrars, web hosts, payment providers, banks, and even shipping companies.
As the abstract to the paper describes, “Policing illicit actors through their intermediaries raises due process and fairness concerns because service-providing companies may not be aware of the criminal activity, and because enforcement actions have consequences for consumers and other, licit firms. Yet, achieving direct deterrence by punishment suffers from jurisdictional and resource constraints, leaving enforcers with few other options for remedy.” They note that their article draws upon literature from the computer science and legal fields to “explain enforcers’ interventions, explore their efficacy, and evaluate the merits and demerits of enforcement efforts focused on the intermediaries used by financially-motivated cybercriminals.”
What led you to study the role of intermediaries in deterring cybercrime?
Our work stems directly form our co-author’s, Damon McCoy, prior research into deterring financially motivated cybercrime. We want to push against the common notion that cybercrime is an intractable problem because cybercriminals are diffuse, anonymous, and difficult to track. Instead, we argue that much of cybercrime is financially motivated, and relies on the same intermediaries that licit firm use to conduct business. Realizing this fact led us to explore the different ways that law can deter cybercrime by policing cybercriminals through their access to intermediaries.
How would you boil down the key findings or arguments of your paper?
Well-resourced litigants can quickly obtain broad relief with Temporary Restraining Orders (TROs), and seize virtually all assets held by intermediaries used by the suspects. We found that in cases dealing with both botnets and intellectual property infringement, plaintiffs brought civil suits against cybercriminal entities and were given relief within a matter of weeks. The resulting court orders end up being vast in scope (in some cases, the orders apply against unnamed intermediaries from many different industries), and we explore the due process concerns stemming from the use of this mechanism.
Your paper describes some of the approaches that can be used by law enforcement officials to force web hosts and other intermediaries to address illegal activities by users. How would you summarize those mechanisms?
The main mechanism we explored is the TRO. A TRO results from a plaintiff bringing a civil suit with the claim that the defendant must cease some harmful activity immediately until the court can rule on the merits of the case. It can be issued without the defendant present and can compel intermediaries to undertake actions to help enforce it within a matter of days. If the defendant fails to respond to the court, then after several weeks, the plaintiff wins the case by default. In all the cases we found, the defendants never appeared, offering the enforcer quick and total relief.
What led you to focus on sellers of online pharmaceuticals and counterfeit handbags as a particular niche of cyber criminals?
Our focus came from an earlier study where we found online pharma companies hacking the websites of small businesses and non-profits in order to boost their standing in Google rankings. In Online Pharmacies and Technology Crime, we found that the highest-ranked pharma companies appeared to be operated by the same people, and they used hacking techniques to “juice” their Google ranks.
What lessons or insights might policymakers or law enforcement representatives take away from your research?
The major lesson that policymakers should take away from this work is that cybercrime is not an intractable problem. It is increasingly a professionalized, organized, and financially motivated enterprise. These features make it look like many other organizations, and therefore the tools that we use to police behavior more generally may be applicable to cybercrime as well.
Based on your research, what do you think is likely to change in the coming years in how illicit actors are able (or not) to use digital channels for their activities, or in how law enforcement officials deter cybercrime?
We do not foresee big changes in the dynamics that we identified in the paper in the near-term. At the end of the day, cybercriminals need to make money by charging lots of customers money. This ties them to the financial system, with all of its traceability. Alternative payment mechanisms, such as cryptocurrencies, are too niche to work for many.