1 It ain't what it is, it's the way that they do it? Why we still don't understand cybercrime
Dr Michael McGuire
Introduction: definitions, concepts, and more definitions
On the face of it, our concept of cybercrime appears straightforward enough. It has usually been taken to signify âthe occurrence of a harmful behaviour that is somehow related to a computer (Wall, 2001, p. 3) crime that is âmediatedâ by a computerâ (Thomas & Loader, 2000) or âcrime that is facilitated or committed using a computerâ (Gordon & Ford, 2006, p. 15). Put simply, cybercrime appears to âinvolveâ computers and to âinvolveâ crime. Of course, if defining cybercrime were that simple, this would be a very short chapter indeed. But upon closer inspection, it quickly becomes apparent that matters are not quite so simple as they first appear. Aside from the obvious need for a few more qualifications (what type of crime does cybercrime involve, for example?), this ostensibly straightforward definition soon begins to unravel when scrutinized in more detail. It is not just that agreeing upon an appropriate concept of âcomputerâ has been far from straightforward. The scope of such a definition also appears too wide. It would, for example, entail that the mere theft of a computer or that listening to a podcast whilst committing a burglary might âinvolveâ cybercriminality. A workable concept of cybercrime therefore seems to require a more precise sense of what being âinvolvedâ in a criminal act entails. But defining what involvement means has been a recurring problem for any definition of cybercrime (Fafinski, Dutton, & Margetts, 2010; McGuire, 2012; Ngo & Jaishankar, 2017; Furnell, 2017).
Two wholly opposed responses to this conundrum seem possible:
- To argue that a viable concept/definition of cybercrime doesnât matter and that we can get on perfectly well measuring and responding to acts we call âcybercrimeâ without any need for more developed conceptions.
OR
- To argue that a viable concept of cybercrime is an essential element of any successful response to it.
For those who incline towards the former view, debates about âwhat cybercrime isâ or âhow it should be definedâ will seem about as pointless as the medieval dispute about how many angels can dance on a pinhead. Surely, they might argue, any concept of cybercrime we elect to adopt has little or no effect upon what cybercriminals do or how police and the justice system respond to their actions? Thus, whilst such debates might be of interest in the seminar room, they distract from the ârealâ purpose of dealing with cybercrime.
This position echoes what philosophers of science have called âinstrumentalismâ1 â a way of avoiding commitments to unnecessary concepts or entities (cf. Worrall, 1982). Instead of assuming that our concepts or definitions refer to real features of the world, instrumentalists argue that they are best viewed as tools for getting a job done. For example, Ernst Mach, the Austrian physicist and philosopher of science, famously refused to accept the reality of the (as yet undetected) atom in the late 19th century (Mach, 1893). For Mach, atoms were no more than a âprovisional aidâ for more important tasks, such as collecting data, organizing and classifying it, and using this to make scientific predictions.
An instrumentalist position on the concept of cybercrime might involve similar reservations. That is, whilst it might be accepted that there is something âout thereâ which we call cybercrime, debates about how we should define or conceptualize it are secondary issues to a more pressing concern â what we do about it.2
Do concepts or definitions of cybercrime matter?
The limited consensus around the objectivity of concepts has been a notorious problem within social science (Weber, 1904; Cunningham, 1973; Goodman, 1978). An instrumentalist approach to concepts and definitions of cybercrime might therefore be appealing in terms of theoretical as well as ontological economy. For just as we can use socio-economic metrics like âpoverty levelsâ or theoretical constructs like a âhabitusâ whilst remaining agnostic about their existence or their precise conceptual conditions, our thinking about criminal justice issues appears similarly underdetermined by what we hold to exist or to be the case (Quine, 1975). For example, many legal theorists have held that criminal law is merely a tool or technique that can be used for certain useful ends and that any theoretical constructs they entail are not decisively real things (Duff& Green, 2011). Legal characterizations of crime play an inferior role to all that really matters â the consequences or outcomes of such characterizations (see Walker, 1980; Braithwaite & Pettit, 1990). In more overtly criminological terms, it could equally be argued that we can get on with thinking about and measuring crime without being beholden to absolute definitional and conceptual precision about crime. For example, we donât need to have an exhaustive consensus on what the concept of labelling amounts to, or even to accept it as a real factor in causing crime, in order to use it as a background assumption in shaping our responses to certain criminal acts. Something like this view can be discerned in the crime science approach, which has been notoriously keen to evade questions about the causes of crime (in particular, the social-cultural factors which lead to it) in favour of a focus on the outcomes of crime and the elements which contribute to this (the opportunity, the means, the outcome, etc.). Thus, for crime scientists, our conceptions of âcrimeâ or of âcriminalsâ have been far less important than our methods of preventing or responding to crime (Clarke, 2004).
But an instrumentalist position on crime/cybercrime would be just as unsatisfying (and ultimately unproductive) as instrumentalism about natural science objects like the atom has been. For whilst it might help in evading theoretical difficulties about the precise nature of computer-based offending, instrumentalism would simply postpone the question of what cybercrime may or may not be. Nor would it quite get us off the conceptual hook. Even if the measurement of cybercrime is preferred over its explanation, some reasonably clear conceptions about what is being measured need to be in place if measurement is to be accurate, or even possible at all. As Popper suggested when demonstrating the inadequacy of empiricist assumptions (1962), the imperative to go out and âobserveâ always comes with a set of implicit conceptual pre-conditions (âobserve what?,â âobserve how?,â etc.). Thus, whilst we might want to be agnostic about the reality of â say â IQ levels or absolute versus relative âpoverty,â effective measurement of intelligence or poverty requires us to be very clear about the boundaries of such concepts. More seriously, imprecision about concepts in social science contexts can often have negative (and very real) socio-economic consequences for at-risk groups in society. Ill-defined notions of poverty may result in inadequate support for the neediest, just as poorly formulated concepts of âintelligenceâ might deprive worthy candidates of employment, promotion, or other opportunities. In other words, where key social variables or indicators are improperly conceptualized, direct and evidenced impacts upon the quality of everyday life may follow. This risk holds equally for conceptualizations within the criminal justice field. Indeed, the risk of inadequate conceptualization is arguably far more serious here, given the potential damage from issues like excess criminalization or miscarriages of justice which this might lead to.
It does not take too much reflection then to see how even slight variations in the way cybercrime is conceptualized can produce wildly differing ways of measuring or responding to it. For example:
Prevalence and seriousness. A familiar way in which the seriousness of any crime type is evaluated is in terms of the volume of recorded offending. This enables us to say (for example) that a crime has risen or fallen from previous years or that it is âmore or lessâ serious than other forms of offending. Claims around prevalence and seriousness have been especially common in discussions of cybercrime. For example, most researchers will be all too familiar with the alarming assertions about spectacular year-on-year increases in the volume of offending (see amongst many others Europol, 2016 or Ismail, 2017. See also McGuire, 2012, p. 77ff). In turn, such assertions have been used to justify claims that cybercrime is not just âmore seriousâ than traditional crime but is the most serious kind of criminal risk we now face (Muncaster, 2010; Allen, 2018). But imprecise conceptualizations about cybercrime and its measurement pose challenges to the credibility of such claims. Over what period has it been the âmost prevalentâ form of crime? At what rate is it growing? And how can we be sure that the data chosen are appropriate for a particular definition/conceptualization of cybercrime? Even slight variations in what cybercrime is thought to encompass can produce radically different evaluations of how serious or how common it is assumed to be. Take, for example, an âarchetypicalâ cybercrime like card fraud. If our conceptualization of this were based solely on cards used over the Internet to purchase goods (called variously âcard not presentâ fraud, âremote purchaseâ fraud, or âe-commerceâ fraud), then the fact that losses on this rose every year in the UK between 2011 and 2016 (FFA, 2018) might justify the claim that cybercrime exhibits a year-on-year upward trend and is therefore a âvery seriousâ from of crime.3 If, on the other hand, this conceptualization was based more upon the use of counterfeit cards, then such claims might be less plausible, given that losses here have fallen from nearly ÂŁ150 million annually in 2007 to only around ÂŁ25 million annually in 2017. Indeed, such a drop in prevalence might suggest that cybercrime is far less serious than it is often portrayed.
Costings. Attempts to measure the cost of cybercrime have been a recurring feature of research in the area (Detica, 2011; Anderson et al., 2012, CSIS, 2014/2018). This economic focus has, more recently, been supplemented by attempts to construct metrics around the revenues which cybercrime generates (McGuire, 2018). But even the most cursory inspection of data in this area again demonstrates how sensitive cost estimates of cybercrime are to particular conceptualizations of cybercrime. For example, a recent evaluation of cybercrime costs by the UK Home Office (HO, 2018) found that by defining defacements to websites in terms of âcybercriminal activity,â anything up to ÂŁ1.6m in costs could be added to the overall total. Similarly, the estimate that, at a minimum, around $1.5tn worth of revenues is now being generated annually by cybercriminals (McGuire, 2018) is significantly contingent upon what kind of concept of cybercrime is being utilized. Where âcybercrimeâ is defined more rigidly â that is, in terms of explicit computer-related misuse alone (such as the sale of exploits or malware), then revenues from activities like illicit online sales presumably ought not to be included. But the sale of items like counterfeit pharmaceuticals in online markets is a highly lucrative activity â generating up to $400bn annually (Scott, 2016). Thus, a decision to conceptualize cybercrime in certain ways can have major impacts upon the way its financial impacts are evaluated. And significantly lower cost/revenue estimates might produce very different kinds of criminal justice responses.
Legal responses. Notoriously, the legal background to cybercrime is riddled with conceptual ambiguities â not least because there is no specific offence of cybercrime within any jurisdiction (Wall, 2001). Instead, legislation typically relates to a variety of actions, often with little obvious unity or conceptual continuity. This has produced inevitable conceptual inconsistencies in the way cybercrimes are defined across differing jurisdictions (Brenner, 2012; Clough, 2014) and little clarity on how far the âinvolvementâ of a computer/network in a crime is required for it to be a cybercrime, rather than just a crime. Whilst current legislation is closely informed by the kinds of computer misuse deemed undesirable or harmful, it is equally clear that simple definitions of such misuse will produce mala prohibita offences â where it is the definition of illegality which produces the crime, rather than any conceptualization of cybercrime itself. Such definitional decisions do not just affect the legality/illegality of certain behaviours, but have a range of other important ancillary outcomes, for example, changes in crime figures, imprisonment levels, policing resources, and so on. Thus, if it was decided that legal definitions of cybercrimes should incorporate any kind of harm resulting from the use of computers, many more acts would now be criminal than is currently the case â such as addictive gaming, exploitative online pornography, and so on (McQuade, Gentry, Colt, & Rodgers, 2012; Nair, 2019). And this, of course, would then affect perceptions of the scale, seriousness, and so on of cybercrime.
Perpetrators and victims. The way that certain definitions and concepts of crime are developed often include or exclude certain types of offenders. For example, crimes falling under the definition of âyouth crimeâ would rule out crime committed by 60-year-olds, just as crimes conceptualized in terms of knife violence would probably not be classified under the concept of âgreen crime.â Because the term âcybercrimeâ does not quite so obviously correlate with specific perpetrator/victim types, profiling cybercriminals and their typical victims has been a highly uncertain method (see Rogers, 2006; Shoemaker & Kennedy, 2009; Kigerl, 2017; Martellozzo & Jane, 2017; Weulen Kranenbarg et al., 2019 for some ...