Improving Cyber Crime Data to Protect Vulnerable Communities

Many state and local politicians, like New York City Mayor Bill de Blasio, have recently praised their districts’ historically low crime rates. Yet a trend of underreported cyber crimes upsets this sunny narrative. Law enforcement agencies, criminologists, and cyber security researchers agree: cyber crime data are sketchy and vastly under-counted. Donna Gregory of the FBI’s Internet Crime Complaint Center told the New York Times that the number of reported cyber crimes may only represent 10-12 percent of the actual number of cyber crime victims in the United States.

According to a recent analysis from reporter Al Baker, some of the uncounted cyber crimes that communities face include: “identity theft; sexual exploitation; ransomware attacks; fentanyl purchases over the dark web; human trafficking for sex or labor; revenge porn; credit card fraud; child exploitation; and gift or credit card schemes that gangs use to raise cash for their traditional operations or vendettas.” Clearly, these acts constitute a violation of the law, so why do they remain uncounted?

There are many challenges with recording cyber crimes, particularly because of definitional issues regarding what constitutes a ‘pure cyber crime’ and a ‘cyber enabled’ crime (the former being a criminal attack directly targeting a digital system, the latter being the use of the Internet to perpetrate other crimes). The challenges of correctly recording cyber crimes multiply when considering all of the possible crimes that fall under this umbrella; from denial of service attacks and massive data breaches against large companies to the unique threats that individuals and vulnerable communities face online. Broadly defined, vulnerable online communities include elderly folks, children, women, lower socio-economic populations, people of color, journalists, activists, LGBTQ individuals, religious minorities, and others. Vulnerable populations are even more likely to be targeted online for several different reasons, either because they are generally less educated on basic digital hygiene, because they vocalize controversial or highly political viewpoints, or because of real-world discrimination that leads to online abuse.

Another challenge with recording cyber crimes is that victims often choose not to report the crimes perpetrated against them. Victimized companies who experience a data breach or criminal attack against their IT infrastructure may choose not to disclose the full extent of an attack for fears over reputational damage. As New America Cybersecurity Fellow Josephine Wolff points out regarding targeted individuals, there are “two important motives at play here for cyber crime victims: one is embarrassment, and the other is a sense that law enforcement won’t be able to help.” To understand this first motive, it’s important to recall that cyber crime victims are often sexually exploited or blackmailed. These individuals may find it too embarrassing to go to local law enforcement with photographic or video evidence that could support their case, and as a result choose to keep the crime hidden.

For other victims, working with law enforcement agencies seems like a futile undertaking. Activists and members of vulnerable communities often fear law enforcement retaliation, don’t know where to go for help, or (after reaching out for help) receive little recourse. Eva Galperin’s work at the Electronic Frontier Foundation (EFF) speaks to this problem. As Director of Cybersecurity at EFF, an organization dedicated to protecting civil liberties in the digital world, Galperin provides privacy and security support to vulnerable populations around the world, largely to women who have been sexually abused by hackers. After sending this tweet:

Galperin began receiving countless requests. As she told Wired in a recent profile, she has already helped over 100 women, which merely scratches the surface of, in her words, an “endless” problem. The overwhelming number of requests sent to Galperin and organizations like EFF indicate the lack of support many victims receive from formal institutions in the justice system. Similar experiences have left other victims of cyber crime jaded towards law enforcement, so crimes often go unreported.

All of this and it’s no wonder that the true number of cyber crimes remains elusive. If a new crime classification system is created based on an existing United Nations framework (as was proposed by the National Academy of Sciences, Engineering, and Medicine), more and better data could be collected. Better still, law enforcement agencies should heed the advice of professor and journalist Josephine Wolff, who calls for “authorities to shift from relying on victims to report these cyber crimes to hunting down and aggregating this data themselves.”

In the meantime, according to Donna Gregory’s estimate, we know that approximately 88-90 percent of the cyber crimes that are being perpetrated remain uncounted. The fact that we don’t have a perfectly clear picture of the scope of cyber crimes affecting specific populations should not stop us from pursuing the important work of protecting the communities that are likely to be most targeted online. As detailed throughout this piece, media reports and advocacy organizations have documented countless instances where certain populations are indeed more vulnerable to becoming victims of cyber crime than others. It is important to understand these existing efforts to protect against and respond to cyber crimes perpetrated against vulnerable online communities, especially since these victims are typically least equipped to receive justice through formal mechanisms.

While grassroots efforts of organizations like EFF help fill the justice gap, companies and law enforcement agencies should also be doing more to protect these vulnerable communities online. As such, we need to challenge these organization to rethink their approach to cybersecurity. This means shifting the burden off of individuals who are disproportionately responsible for protecting themselves and placing more responsibility on institutions, like businesses and formal law enforcement agencies, to take action.