In 2007, the criminologist Karuppannan Jaishankar founded a field of research called cyber criminology, which he defined as "the study of causation of crimes that occur in the cyberspace and its impact in the physical space". He recognised that cybercrime was different to other kinds of crime in meaningful ways, and that it would require an interdisciplinary approach to understand it.
When we look at criminology and forensic psychology programmes, there remains a shocking lack of teaching about cybercrime. Throughout my own university education, I didn’t have a single lecture on it. This was echoed in a 2015 review of the cyber-criminology field by Brie Diamond and Michael Bachmann: "Cyber criminology is largely ignored or marginalised by mainstream criminology ... many criminologists refrain from examining this important, future-oriented issue. Whether it be that they are lacking the necessary understanding of technology, are intimidated by the jargon of the field, or that they continue to fail to realise the full extent of societal implications of this new type of crime, the lack of consideration is troubling."
Given that cybercrime is the single most common form of crime, this omission is unacceptable. Cybercrime is not just an issue for engineers and computer scientists, it is very much an issue for psychologists, criminologists and law enforcement as well. After all, there are (usually) still humans behind computer screens who make the decision to do harm online.
This leads to a reasonable question, as Diamond and Bachmann point out: "Should cybercrime be conceptualised as a brand new crime type or traditional crimes pursued through a new medium?" After all, if it is traditional crime dressed up in fancy new clothes, then we can probably understand much of it using research on crime that we have from the past few centuries. If we think about what kinds of crime some of us commit online – stealing money or information, harassing each other, selling illicit goods, sharing lewd images – it seems as though we do the same things online as we do in real life. As the political scientist Peter Grabosky has asked, is virtual crime simply "old wine in new bottles"?
No it is not, according to Diamond and Bachmann. We haven’t just moved traditional crimes online, we have "bred a new type of dangerous criminal". Hacking, website defacement, using bots to troll each other – these are new types of crime that never existed before. Accordingly, traditional criminological theories are likely to fall short. The social scientist Wanda Capeller summarised this in a wonderful way: "Cyberspace comprises a new, de-territorialised, dematerialised and disembodied environment that is in crucial ways discontinuous with the terrestrial world."
But there is one thing that threatens the usefulness of traditional theories the most. "Criminological theories have long relied upon confluence of offenders and victims in time and space," say Diamond and Bachmann. But time and space no longer matter like they used to. We can plan an attack that happens days or years later, and never need to meet our victim. We don’t even need to be in the same country. In a more primitive way, this has been the case in the past with threats like booby-traps or planted bombs, but now the threat is far more global. This is particularly true if we change the definition of space, expanding from the physical world to cyberspace.
One theory that doesn’t completely break down in the face of this change is Routine Activity Theory (RAT), developed by Lawrence Cohen and Marcus Felson in 1979. They suggest that in order for a crime to be committed, there are three necessary ingredients. First, a motivated offender – someone who wants to commit a crime or otherwise do harm. Second, a suitable target – the offender needs a victim (barring a few exceptions such as perjury). Online, there are now billions of possible targets, all accessible without having to leave home. Third, the absence of a capable guardian. This means a lack of someone or something that can stop the offender from harming the victim, such as a police officer or a firewall.
Read more: The unbelievable tale of a fake hitman, a kill list, a darknet vigilante... and a murder
Arguably, if we can eliminate any of these three – dissuading potential offenders, helping potential victims protect themselves, or providing security measures – we can stop crime from happening. Mary Aiken, who has extensively researched cybercrime, writes in her book The Cyber Effect that RAT is useful for understanding crime online: "How many motivated offenders are there? Hundreds of thousands. Suitable targets? Even more. How about capable guardians? In cyberspace, authority is minimal and there is a perception that nobody is in charge. Because nobody is."
RAT is a theory that focuses on where crimes are committed, rather than by whom. The idea is that places that are part of our routines – our homes, our neighborhoods, our internet spaces – influence how likely we are to be the victims and perpetrators of crime. Where we hang out matters. For example, one study found that if we spend a lot of time shopping online we are more likely to be victims of fraud. Another found that teenagers who spend more time on their phones unsupervised are more likely to receive unwanted sexts.
This is even true at a country level. According to a large-scale study: "It was found that wealthier nations with more Internet users per capita had higher cybercrime activity." All of this intuitively makes sense, in the same way as boxers are more likely to get head injuries, or countries with lots of guns and pathetic controls on who can buy them are more likely to have mass shootings. As for perpetration, spending time around people in unsupervised spaces presents a risk factor. Easy victims can make perpetrators of even the most unlikely characters.
Cybercrime is made easier because we can more readily dehumanise people online. And when we stop seeing people as human beings, we may feel free to do more terrible things to them. To be online is to experience a disembodiment of ideas. The internet frees us from our physical selves, for better or for worse. And this leads to a flat experience, leaving behind the normal multi-sensory interaction we have with people in real life that reminds us that they are fleshy, vulnerable and sensitive.
We can also do more damage, and do it faster, than ever before. According to computer scientists Pranshu Gupta and Ramon Mata-Toledo, cybercrimes are not just abstract, they are psychologically violent. "Cybercrimes can cause more psychological harm and deprivation than any other crime committed against a person." From an email scam getting us to transfer money to a prince in Nigeria, to having our private images leaked as part of a revenge porn attack, to a hacker accessing and sharing our sexual health information with the world unless we pay up, the toll of cybercrime on our lives can be enormous. And with the increasing use of gadgets that are connected to the internet, our heating, cars and front doors are now also hackable. And that’s just on a personal scale.
On a larger scale, companies, political organisations and public services are common targets. It has been estimated that by 2021, cybercrime will cost about $6 trillion a year. This will make it more profitable than the worldwide drug trade.
Cybercrime costs to businesses include stolen money, damaged and destroyed data, loss of productivity, intellectual property theft, theft of financial and personal information, embezzlement, fraud, paying someone to investigate, restoring data and systems, deleting problematic data, and harm to reputation. The hacking and manipulation of elections is threatening democracy, with bots and other non-humans playing increasingly large roles.
The irresponsible use of our personal data by organisations such as Facebook and Cambridge Analytica has a profound influence on how we see the world, and who we vote for. The access to and manipulation of public-service data – including military, police, prison and health-service computers – is threatening our very way of life.
But is it evil? Let’s take one of the biggest cyber-attacks of all time as an example, the WannaCry attack. Jesse Ehrenfeld, who has expertise on the safety of online storage of sensitive medical files, summarised the attack as follows: "On Friday, May 12, 2017 a large cyber-attack was launched using WannaCry (or WannaCrypt). In a few days, this ransomware virus targeting Microsoft Windows systems infected more than 230,000 computers in 150 countries.
Once activated, the virus demanded ransom payments in order to unlock the infected system." The virus would pop up an error message on the screen saying: "Ooops, your files have been encrypted!" and then state that the user had to pay $300 worth of Bitcoin to a specified internet link. One of the benefits of Bitcoin, which makes it a favourite for criminals online, is that it can mostly be transferred anonymously – without the seller or buyer knowing who the other is.
Ehrenfeld says: "The widespread attack affected endless sectors – energy, transportation, shipping, telecommunications, and of course healthcare. Britain’s National Health Service (NHS) reported that computers, MRI scanners, blood-storage refrigerators and operating room equipment may have all been impacted. Patient care was reportedly hindered and at the height of the attack, the NHS was unable to care for non-critical emergencies and resorted to diversion of care from impacted facilities." People were turned away from hospitals because of the attack. People might well have died because of WannaCry.
Read more: This bot for workplace harassment takes the bias out of reporting
Although the scale is enormous, we often exclude this kind of cybercrime from our conceptualisation of evil. Let’s take the WannaCry study as an example. I could not readily find any mention of it in conjunction with the word evil. Rather, it was described as exploitative and devastating, and the fault seemed to be placed randomly on Microsoft, the victimised businesses, or the hackers who built it.
I even found an article specifically saying that WannaCry was not created by evil geniuses, but was the result of people not updating their computers often enough. It’s the same kind of victim-blaming that communicates to victims of revenge porn that they shouldn’t have sent naked pictures, or the victims of identity theft that they should have more sophisticated passwords. Captain Hindsight seems to have a lot to say.
But not all scholars are fans of cyber-RAT. In 2016, Eric Leukfeldt and Majid Yar reviewed the literature on the applicability of RAT to cybercrime. Across different studies they found different results: "Analysis shows some RAT elements are more applicable than others." But there is one thing that did seem to have a large effect across studies: "Visibility clearly plays a role within cybercrime victimisation." "Visibility" includes posting tweets, sending messages and having a blog. The more places we go online, the higher the chance that at some point we stumble across someone who wants to do us harm.
Technology is presenting new ways to empower and exploit, humanise and humiliate. But just because we can all become awful people online doesn’t mean that we are justified in doing so. If you aren’t an asshole offline, don’t be one online. We are all citizens of this shiny new cyberworld. Only we can make this new world one that we want to live in.
And there is hope. In the realm of the "world wild west" there are many ways in which online "evil" has been successfully thwarted. Online marketplaces have taken a stance on what can be sold on their sites. There are international efforts to fight the distribution of child pornography online. The dark web is getting lighter, as police infiltrate and identify individuals who do illegal things. AI ethics boards are emerging in companies. It’s a start.
However, fighting hackers or trolls or bots one at a time won’t work. For this challenge, traditional criminology and policing aren’t enough. We must bring in the nerds. Fight fire with fire, machines with machines, hackers with hackers, AI with AI. Most importantly, we must become more conscientious consumers and creators of technology.
How to NOT be an asshole online: A step-by-step guide\1. Re-humanise your online experience. Picture the real or imagined face of the person you are dealing with online. Picture their emotional reactions, the human consequences of your digital life. Be kind out there. \2. Post online as if it were one day going to be read aloud in a deposition. Pretty much everything you say or do online can be used against you in a court of law. When I work as an expert witness, I often see tweets, Facebook messages and emails submitted as evidence in court. Unbridled posting online might result in a history that does not do you any favours.
Julia Shaw's Making Evil: The Science Behind Humanity’s Dark Side is available now.
This article was originally published by WIRED UK
