Address by Michael O'Neill at a Federal Society panel discussion titled "Law Enforcement in Cyberspace: Who Has the Upper Hand -- the Hackers or the Cops?" on March 16, 2001. Editor's Notes:  • Tech Law Journal transcribed from its audio recording of the event.  • Hypertext links and sidenotes have been added.  • Tech Law Journal put select passages in bold.  • O'Neill was the second of three panelists to speak. Orin Kerr, a trial attorney in the Computer Crimes and Intellectual Property Section of the Department of Justice, spoke first. Marc Rotenberg, Director of EPIC, spoke last. Bill Jordan of the law firm of Alston & Bird moderated the panel.  • Copyright Tech Law Journal. All rights reserved.

Whenever I hear the government speak, and I recognize Orin, you are not representing the government, I assume, BE AFRAID, be very afraid.

I would like to give the Federalist Society, I think, for giving me the opportunity to speak on this panel. I think that the reason that I was slotted in between Orin and Marc is that I probably fall somewhere almost squarely in the middle of their positions. I certainly recognize the importance of having law enforcement, and giving law enforcement the tools that it needs to fight the very real problem of crime on the Internet. On the other hand, having been an erstwhile hacker in my youth, and having been somewhat of an early aficionado of the net, and recognizing many of its many charms, and certainly, the intriguing outer space of the Internet. I certainly have a concern, and an interest, to make sure that my rights as an American are protected.

As the Internet has ushered in a new form of mass communication, and really a very interesting notion of personal, person to person communication the world over, law enforcement itself has doubtless become much more complicated. I would just like to offer some basic observations today regarding today's discussion, and then outline a couple of possible recommendations for law enforcement efforts.

First, I think that it is beyond dispute that the Fourth Amendment applies on the Internet the same way that it applies in real space. The Fourth Amendment itself is a long learned noble tradition, and it is important that it helps preserve the privacy of American citizens.

Second, I think that cybercrime is no different from crime in real space. The motivations are the same. Generally, the types of crimes that are committed are the same. Where I think the differences lie are in the efficiencies of cybercrime. Cybercrime is certainly easier to conceal. The potential scope of cybercrime is certainly greater, and the nature in which cybercrime can be conducted, and the types of things that can be done, is certainly greater than that which can be conducted in real space.

But the very nature of cybercrime itself, and the motivations for committing it are really no different from crime in real space. To me the challenge, then, is that if cybercrime is in fact more efficient, and I think that at least in certain respects, it is, how does government, or how do we as individuals, affect those efficiencies to make sure that we can do the best job that we can to prevent and to frustrate the efforts of cybercriminals.

Finally, I think that it is clear that we don't want to sacrifice our liberty at the alter of security. But, neither do we want the Internet to be a safe haven for cybercriminals, and for cyberterrorists.

Now, ordinarily, we protect our liberty with a variety of legal mechanisms. Among those include the separation of powers. The fact that we have got three branches of government. Given the fact that this is James Madison's birthday, I think it is important to recognize Federalist 10, and the notion of factions. The idea that competing interests, although not necessarily the most efficient way to run a government, are an effective way of preventing government tyrrany. Well, I think the same thing is true respect to law enforcement on the net. I think we not only see law enforcement needs balance between state and federal actors, but also, peculiarly, private actors as well.

As has been the case with every major technological innovation that we have seen in this country, some people will use that technology to commit criminal acts. Just for an example, digital copy machines have made counterfeiting much easier. The innovation of the automobile, not only made committing certain crimes a whole lot easier, but also in fact, opened up whole new criminal markets. Well, the same thing is certainly true of computers, and of cybercrime. We use the Fourth Amendment, and the laws addressing privacy and public safety, at least, as a means for, and providing a framework, I guess, for the way that we deal with these problems on the Internet. Because, we want to make sure that we protect privacy interests, while at the same time, ensuring that the Internet is a cloistered community in the sense that it is somewhere where we can engage in transactions safely. Because if law enforcement is too timid in its response to cybercrime, then certainly we create an environment where, commercial interests will be frustrated, the pursuit of sort of personal interests may be frustrated on the Internet. We have got to create a situation where we move away from cloistered gated communities, and ensure that there is a certain degree of safety on the Internet.

Now, some time ago Frank Easterbrook wrote a very interesting article about the Internet, and sort of the burgeoning movement of deciding that the Internet is somehow different space and required a whole different concept or a legal framework in dealing with it. And basically, he said that that was bunk. Called it in fact "The Law of the Horse." I generally tend to agree with Judge Easterbrook on this point.

I really think that it comes down to this. The commission of certain crimes on the Internet are more efficient. The response of the government on the Internet, and how it is able to conduct criminal investigations, how it is able to effectively bring criminal prosecutions, certainly can be thwarted on the Internet in a way that they can't necessarily be thwarted in real space. So, what should we look to.

Well, I would like to look at a slightly different concept. The government currently has a monopoly upon criminal law enforcement. As a consequence, most criminal law enforcement strategies require some sort of government participation, whether it is in terms of prosecutorial efforts, licensing schemes, or fine collection. However, given the amount of Internet traffic, and the unrelenting pace at which these technological innovations occur, suggest that it is going to be extremely difficult for law enforcement alone ever to effectively control, or enforce, criminal laws on the net.

If the ultimate goal is to raise the costs of cybercrime, and still, being careful of the fact that we don't want to increase governmental intervention to the point that it itself throws off certain substantial negative costs of its own, such as decreasing privacy, for example, we might want to look to victim centered, third party, and private vigilante strategies, for enforcing criminal law on the net. Reliance on the private means of deterrence may provide a reasonable alternative to government fostered strategies.

Although in real space, there may be, and I think this point is debatable, some advantages to maintaining government control over the prosecution of crime and the enforcement of criminal laws, that balance may in fact be shifted with respect to the Internet in certain important respects.

First of all, the government is unable as a practical matter to police the Internet in quite the same way it is able to police the regular city streets. The Internet is simply too large. It is simply too fast moving. There are simply too many people on line at any given time for the government, I think, without compromising privacy interests rather significantly, really to be an effective force.

Second, the nature of cybercrime, as Orin pointed out, makes it very difficult to trace. Coupled with the inevitable lag before the government can actually intervene to investigate a crime, it gives cybercrooks an enormous time advantage in being able to cloak their activities.

Third, jurisdictional problems may make it difficult even to bring a criminal case. Even if the cybercrook is identified, she may be someone who is beyond the reach of the United States laws, or beyond the jurisdiction of our criminal courts. In fact, as was discovered with respect to the I Love You worm, not only are some activities not illegal in foreign countries, but some other countries may not even have the means to ferret out the crime itself.

Unlike the streets, where the government doubtless maintains the most sophisticated weaponry, it also may not have the biggest guns in terms of technical prowess on the Internet. I think it is doubtful, and I could be wrong about this, but I tend to think it is doubtful that the government computer specialists are technologically as adept as those in private industry. Indeed, I think much of the technical prowess, either to stave off an attack, or to trace past attacks, resides only in the hands of private concerns. As a result, I think, the most efficient form of deterrence may come in terms of self help.

Just as settlers in the old west couldn't necessarily always rely upon the local sheriff to provide good crime control, it may be in fact the case that Internet users may have to rely upon private parties, and third party concerns, for preventing crime, and enforcing certain criminal norms.

I turn for a moment, before I conclude, to some of the different strategies that could be employed by private parties and by third parties. I think there are basically two types of strategies that can be used, and both could possibly work well on the net. The first involves passive strategies. Those are things as simple as uploading anti-virus software, requiring password protection codes, or using firewalls to prevent hackers.

Interestingly, in these sorts of passive strategies that may be used on the net, there are certain spillover benefits that don't exist necessarily in real space. For example, when a homeowner in real space decides to buy herself a watchdog, and positions the watchdog in front of her door, the crook who comes up to her house and hears the barking dog may simply move on to the next house. And as Ayres and Levitt have demonstrated in a very important law and economics piece, they have suggested that those types of strategies, whether it is car alarms or house alarms, don't necessarily provide any spillover benefits to the community at large in terms of crime prevention or crime control.

With respect to the Internet, however, private passive strategies can have an enormous effect. Just think about the way a number of the most recent computer viruses and worms have worked -- through Internet systems. They have allowed, for example, the I Love You worm, to take an interesting and fairly recent case, worked by having e-mails opened and going out and sending itself to other people's e-mail systems, and then, sort of, exponentially increasing in turn over the net. Well, if each one of those e-mail servers, or each one of those e-mail clients, had in fact adopted anti-virus software, and inoculated their computer against the virus, to the extent that that would have been possible under those circumstances, it would have possibly prevented that, the infection of other computer systems, and other e-mail servers across the land. So, the type of passive strategy that may not work necessarily as well in real space, in terms of providing general protection to the community, may in fact work much better in the Internet.

Second, while active strategies also may have a place in the virtual world.

From this sort of conjured up notions of the vigilante, and images of mobs sort of stringing up the innocent party, vigilanteism was actually a fairly effective means in the old west of allowing criminal control in the absence of government intervention.

Now, I hear some laughter out in the crowds over this. And it is interesting that you sort of have that response, because it is the common response with respect to vigilanteism, and the way it worked in the old west. That is the myth we have of the old west, created by, whether it is Clint Eastwood, or John Wayne. But, in fact, fairly recent historical research looking at the way that private justice actually was carried out in the old west demonstrates the fact that, more often than not, it was actually an effective means of crime control, and of brining down crime in individual communities plagued by bandits, where the government law enforcement functions had simply broken down.

Well, in similar fashion, I think that you can look at the Internet as an old west sort of scenario -- as our frontier. And in fact, it may be the case, that private vigilante efforts, by for example, computer companies, software vendors, Internet servers, who are often the subject of attacks, may in fact be in the best situation, both to fend off attacks, and also to retaliate in kind. I am not necessarily suggesting that they need to send viruses off to other script kiddies and hackers that are attacking them. But, I am suggesting that one of the benefits of the Internet, from the cybercrooks' perspective is the fact that grants them a certain degree of anonymity. They think that they can get away with it, whether that is true or not. Often times they can, apparently.

Well, if private concerns are able to group together to respond fairly swiftly to hacking attacks, or to script kiddies, or other infections of their systems and servers, by providing warning to folks who are attempting to do it, that may in fact serve, at least to deter, at least those individuals.

Just as an example, shortly after the distribute denial of service attacks that occurred against several major web sites recently, eBay, and Yahoo, and Microsoft got together within ninety minutes of the first attack, after the first attack was launched. eBay was able to deploy a filter that enabled the company's web site to function normally again. They were actually able to send out warnings to the perceived people who were attacking their site. That is something that the government, in terms of a government sponsored attack to control cybercrime, were to come after the fact long after the attack has ended, would likely be ineffective.

So, just as a homeowner may be permitted to defend his or her home with deadly force, on occasion, when the need arises, so might in fact individuals on the net be able to use their own technical prowess to defeat these sorts of attacks.

The other thing is the idea of private cooperation. Once again, often times in real space, private cooperative efforts may not work quite as well in terms of thwarting cybercrime. However, on the Internet it is a little bit different, in the sense that even among competitors, whether it is AOL, and gee, AOL has no other competitors in terms of large other Internet Service Providers these days, having bought CompUSA, and having seen the fall of Prodigy, I guess, but individual, whether it is ISPs, servers, financial services, where they are repeat players on the Internet, and require and demand a certain degree of security on the Internet for their systems, in order to function, even normal business competitors may have significant motivations to band together to share information to ensure that the overall system itself remains secure. So, cooperation is possible among these players, because of their need to have repeat interaction with one another, and to essentially keep the Internet's streets safe.

Finally, with respect to third party strategies. Every cybercrook has to rely upon the good offices of some third party, whether it is a server, whether it is a software vendor, or a hardware vendor. And in fact, these sorts of folks, whether its the software vendor, the hardware vendor, the Internet Service Provider, or the phone company, can in fact sometimes be in the best position to monitor the activities of their clients online, to work with them to make sure that problems that may exist, that criminal laws that may be broken, might be thwarted before it ever happens. Just as an example, an ISP such as AOL, cut potentially monitor sensitive web sites. The Department of Defense, for example, the Department of Justice, I know, get literally thousands of hacks a week in terms of people trying to hack into their systems, if not a day. AOL could certainly monitor efforts by people that use its services to try to hack online to these different sites, and warn them that what they are doing is being investigated, that what they are doing is being watched by AOL.

Now, before we start worrying about the fact that, gee, do I want AOL providing those sorts of warnings, or being concerned about those sorts of things, just think about the alternative. Do we want that power exclusively in the hands of the government? I think just as Madison and the founding fathers understood, the division of governmental power is an important prerequisite to guarding personal liberty and personal autonomy. Similarly, I think, that we might benefit by having law enforcement, and law protection strategies, divided up, not only with respect to centralized government law enforcement, where I think that there are serious and significant privacy concerns at issue, but also among private parties to empower them as private individuals and private corporations, to protect their own web sites, to protect their own servers from cybercrime.

Right know I think the Internet is in its infancy, obviously. And, cybercrime is in its infancy as well. I would hate to see technological developments somehow held back or put down, because of concern about cybercrime. Yet on the other hand we want to make sure that we keep the Internet community safe, because we can certainly frustrate commercial interests, private and personal interests, if we can't conduct business, whether it is personal or commercial on the Internet, without some degree of privacy of some degree of our reasonable expectation of safety, in terms of conducting our transactions.

That having been said, however, I think there is certainly a role for private interests in criminal law enforcement in terms of protecting our rights and ensuring that our liberty is not unduly infringed by government working on the Internet.