Collaborative Justice and Harm Reduction in Cyberspace: Policing Indecent Child Images

Introduction

The concept of collaborative justice appears to have originated in the USA as a description of innovative penal thinking. ¹ This original usage implies: (a) internal initiatives (framed solely with reference to criminal justice objectives) to find external partners that can fix limitations of structure, processes and expertise (e.g. for responding to offenders’ complex personal problems); and (b) that state institutions retain agency (absolute control over decisions to collaborate or not, and, when collaboration takes place, over its form and duration). This concept ² provides the framework within this article for examining the extent to which cybercrime has been allowed—far beyond what was envisaged in the original US collaborative model—to be a disruptive force that reconfigures criminal justice. As such it is a case study in how neoliberal governments present policy decisions and developments that affect everyday life and reshape society—not as political choices—but as matters so determined ³ by apparently impersonal economic and technological forces that there is no alternative (often given emphasis through its expression as an acronym: TINA). ⁴

The transformative potential of the neoliberal dominance over Government policy making can be seen in the significantly different collaborative justice model that has emerged for the policing or social regulation of IIOC (falling within the broader category of ‘child sex abuse images’, CSAIs ⁵ ) in England and Wales. As will be seen below, it can be distinguished from the original American model by a far greater reliance on voluntary harm reduction or prevention by commercial organisations and industry funded NGOs than criminal justice interventions. Also the form and terms of the partnership with industry, especially ISPs and social media companies, and NGOs are no longer determinable solely within the public sphere. This model signifies: (a) a major retreat from a foundational concept of the state: that all actions deemed criminal under its laws are prioritised politically (in criminal justice policy) and quasi-judicially (including via prosecutorial discretion) as sufficiently grave to warrant state intervention; and (b) a change in power relationships as increasingly the state’s ability to respond to certain crimes relies on often variable levels of voluntary compliance by powerful non-state partners, whose resources and political influence on technological issues may rival that of governments diminished by neoliberalism. ⁶

A systemic risk inherent in this model is a gradual hollowing out of capacity and capability within the criminal justice system to deal with IIOC offenders. Criminal justice interventions against IIOC crimes—equivalent to ‘the tip of the iceberg’ (as noted from police statements and analysed statistically in the second section) have been largely replaced by industry funded and delivered social regulation, principally in the form of disruption or image suppression. Thus the initial identification of IIOC material that—for probably the great majority of such abhorrent crimes ⁷ —determines whether offenders are either dealt with through the criminal justice system or allowed impunity has been vested in private entities, some of whom contribute little even to these voluntary collaborative arrangements. This demonstrates a weakening of the state’s response since 2013 when Yar concluded that, in contrast to other areas of internet crime during the period studied, the policing of child abuse offences (not just IIOC, but such offences fall within and are central to his analysis) were accorded ‘an unusual degree of direct intervention by state-centred authorities’. ⁸

The article begins by describing two concepts—critical trust and civic epistemology—as they are used here—to understand the nature of public trust in government decision making concerned with risk management in scientifically and technologically focused policy making. The current collaboration model in which the state has yielded much of its authority over policing IIOC crimes is described in the second section. The third section seeks to unpick the reasons for signs of decline in criminal justice interventions, and the consequences of this, principally the risks arising from any hollowing-out of the criminal justice system that cannot be offset by improvements in image suppression. Technological limitations on the scope for social regulation via state-industry collaboration, notably because of the dark web (better described as anonymous communication networks: ACNs), ‘going dark’ in general (e.g. encryption) and relatively simple evasion (e.g. switching to a Russian ISP) are examined in the fourth section. This includes how the state’s ability to respond to IIOC crimes in such environments requires matching safeguards for all its powers and activities that engage privacy and fair trial rights. The fifth section reviews two Government initiatives: the policy document, the Online Harms White Paper, ⁹ published by the May administration but still the direction of travel under Johnson, and an attempt in July 2019 to negotiate a government-industry encryption key accord. These are analysed for evidence of a fundamental break with the earlier and neoliberal influenced policies towards the role of internet companies in helping to respond to IIOC crimes. The conclusions suggest how insights from the critical trust civic epistemology concepts used in this case study can help to find a way forward on these complex and contentious issues.

Understanding Government Technologically Focused Decision Making: Critical Trust and Civic Epistemology

Walport, writing as the UK Government’s then Chief Scientific Adviser, advocated critical trust as a means of addressing concerns held by lay citizens about the trustworthiness of an institution to manage scientific and technological risks:

Most of us have neither the time nor the expertise to examine every decision or explore all the evidence. We rely on judgements about the values and behaviours of those in charge. For the individual, ‘critical trust’ may be the best frame of mind: neither outright scepticism nor uncritical acceptance. ¹⁰

Ward’s analysis of the judicial scrutiny of the reliability of scientific expert evidence in English criminal trials, in acknowledging the relevance of critical trust alongside its limitations, offers an insight that strengthens the concept’s potential analytical value: the object of critical trust is not an individual judgement or claim, but confidence in a complex system of interlocking forms of regulation and scrutiny. ¹¹ This is not dissimilar to the scrutiny process—taking written and oral testimony from government and experts (often judiciously selected for their contrary views and opinions) in order to test government actions, policies and proposals for legislation –that Parliament uses (not always successfully) to hold the Executive to account. ¹²

It is suggested here that the value of critical trust would be much greater if combined with an understanding of the fundamental ideas and assumptions the trusted themselves rely on. The origins of critical trust in a study by Walls et al. of perceptions of health and safety regulation reported that people who have only limited knowledge of the Health and Safety Executive (HSE)’s work generally trusted it to act ‘altruistically’ in the public interest. Significantly, they were also aware of possible limitations on the HSE’s effectiveness and independence, such as lack of resources and government influence. ¹³ That, however, still leaves a gap in respect of ‘the values and behaviours of those in charge’, especially the possible prevalence of fundamental ideas and assumptions the trusted experts or institutions themselves rely on or take for granted.

In other words, are there cultural and socio-economic dispositions or group-think ¹⁴ that may restrict the range of options considered, or the seriousness with which some options are examined by decision makers? For example, the assumption in favour of ‘self-regulation’ or ‘light regulation’ ¹⁵ that proved so damaging within the finance industry may still flourish relatively unchecked as ‘independent regulation’ ¹⁶ , or as a modified approach in which regulation is sufficient if it bears most heavily on the major entities in a market. ¹⁷ As will be seen below, these concepts that are so influential in neoliberal thinking generally about the role of government can be traced in the emergence of the problems that beset the current model of collaborative justice and harm reduction. They are also pivotal to understanding the potential limitations of the Online Harms proposals and some of the risks in how encryption key access is being sought.

This approach to critical trust draws on insights from Jasanoff’s studies. She conceptualises the credibility of science and technology ‘in contemporary political life as a phenomenon to be explained, not to be taken for granted’ ¹⁸ and equally importantly (in a different context) stresses the need to avoid ‘strategic deletions and omissions’. ¹⁹ One of the strengths of her approach is that it is culturally and historically specific to the different models of democratic society in which issues are deliberated and the legal order ²⁰ under which decisions are enacted. For example, one of her studies explains how a contentious scientific regulatory issue was resolved after an exceptionally inclusive and unorchestrated public consultation by settling on a precautionary approach. This outcome was a surprise to the UK government scientific and political establishment. They had failed, however, to anticipate the impact of a scandal that had deeply damaged public confidence in the integrity and competence in government management of health risks and scientific decision making. ²¹ Many examples of the risks of group-think, the subtle stifling of dissent among UK government decision makers, or only ‘the survival of ideas that fit’ can be found in the literature. ²² Often these have bypassed effective challenge because public understanding of other options was not encouraged, poor or constrained by the acceptance of claims that government decisions were objectively based on economic, scientific and technological knowledge that confuted alternative choices.

The ‘Tip of the Iceberg’: The Current Collaborative Model and Trends in Criminal Justice Interventions Against Indecent Web Images of Children (IIOC)

Senior police officers admit that the criminal justice system is only dealing with the ‘tip of the [internet child abuse] iceberg’. ²³ Some officers have expressed the view that the police had reached ‘saturation point’, and that they and the criminal justice system were ‘not coping’. ²⁴ The mirror image to such statements is that, with the exception of ANCs (anonymous communication networks or the ‘Dark Web’) and encrypted communications, web surveillance to find and respond to IIOC images—the 21st-century equivalent of the police beat officer patrolling the streets—is undertaken largely by commercial entities or privately funded NGOs, all of whom are currently allowed to be outside the reach of government regulation.

The Government frequently draws on information provided by this global community when describing the scale of IIOC offending. An important UK Government 2020 publication ²⁵ cited 16.8 million referrals in 2019 to the US National Center for Missing and Exploited Children (NCMEC) to illustrate the scale of internet abuse. When doing so it failed to indicate that this figure was a global total, a significant proportion of the material may have no UK connections and to acknowledge that such data includes virtual child pornography (VCP), ²⁶ imagination based images, such as cartoons and drawings, ²⁷ self-generated IIOC images (‘youth sexting’) or, possibly prima facie non-erotic images that may have had an innocent origin. Such statements, while reflecting important successes in responding to IIOC crimes, focus on the symptoms and not the causes or direct risks of such offending.

Any account focused on the direct UK causes and risks of IIOC crimes needs to start with an estimate that this country’s residents are ‘the third-largest global consumers of internet child abuse images’ ²⁸ —a group of possibly 80,000 individuals ²⁹ —and the inestimable number of children they harm. If these estimates are reliable, this level of potential criminality is a daunting initial surveillance challenge for the police. It is approximately on the same scale as US internet surveillance or espionage against foreign data subjects revealed by Snowdon, and only about 30,000 short of the number of ‘new entrants’ to the criminal justice system in England and Wales (many for minor and easily dealt with offences e.g. TV licence evasion) in the year ending December 2018. ³⁰ Finding ways to reach this group of IIOC offenders and responding to them as individuals has to be a principle objective of criminal justice policy relating to web IIOC images and must not be confused with the equally important but offender and victim remote policy objective: image suppression.

As far as circulated images are concerned, ISPs (Internet Service Providers) and other digital industry entities have created powerful disruption apparatus. In 2018 the industry-funded IWF (Internet Watch Foundation) ³¹ ensured that 29,865 UK hosted posts were suppressed or ‘taken-down’ quickly (45% within two hours). This appears to have made the UK surface web a comparatively hostile environment for IIOC commerce. This country’s estimated share of the global total of hosted child sexual abuse content is believed to have fallen from 18% in 1996 when the IWF was established to 0.04% in 2018. ³² Since 2018 the IWF has been given accessed images collected during police investigations and recorded on the UK police Child Abuse Database (CAID). The IWF distributes new CAID images to IWF industry members so that any copies accessible elsewhere through services controlled by its members can be deleted. ³³ At first sight, these results suggest that this collaborative model—based primarily on self–regulation and measured in terms of image suppression, not, as will be seen below, criminal justice interventions—is a pragmatic response to technologically determined change in the nature of crime. In line with neoliberal thinking it also limits the role of the state and avoids significant public expenditure.

The Government, the IICA (the Independent Inquiry into Child Sexual Abuse), and in the USA, the NCMEC (see the last two sections), however, have called for significant reforms to the present collaborative model so that businesses within regulatory reach cannot evade, for commercial reasons, their responsibilities to take action against child abuse by their service users. This reflects a significant change in Government thinking compared with 2017, when a Parliamentary inquiry looking at wider questions relating to children and internet safety identified a neoliberal preference for industry self-regulation. ³⁴ From a criminal justice perspective, the current commercially led arrangements, possibly combined with the Government’s somewhat undisciplined emphasis on the scale of global IIOC image data, also have unanticipated adverse consequences. For example, the greater unfairness (almost akin to ‘entrapment’) risk when evidence is gathered by ‘paedophile hunters’, who believe their activities fill a void left by the police. ³⁵

The National Crime Agency (NCA) received from industry sources 113,948 reports of child sexual abuse material believed to be UK-related in 2018. ³⁶ It is impossible to be certain how this statistic compares with three million images a year being added to CAID in 2019 from devices seized by the police. ³⁷ If, however, the CAID volume is compared to the 2019 estimated 6,000 IIOC arrests annually, ³⁸ the number of images for every arrest would average 500. That would be a comparatively low number given the scale of material seized from individuals in some investigations. ³⁹

There is a considerable volume of evidence to be assessed when taking cases to court, but the potential burden of work after an arrest has to be seen in context:

The above points are not made to downplay the demands created by criminal justice interventions resulting in 22,896 obscene publications offences recorded in England and Wales (the NSPCC suggest that 94% related to images of children) during 2017/18, ⁴⁴ particularly, as will be considered later, when making difficult decisions (often involving complex psychological and risk assessments ⁴⁵ ) about arrested and convicted offenders. The impact of IIOC offences on criminal justice workloads, however, should be seen in the context of the exponential rise and additional complexity of both cybercrime (including online monetary offences and illicit trading) and digital evidence for a much wider range of offences. ⁴⁶ The overall impact of these digital and cyber trends, including IIOC offences, is not just seen in the UK, as ‘a threat to [police] capability to investigate such crimes and identify victims’. ⁴⁷

The most detailed statistics (counting offences not defendants) about criminal justice interventions are summarised below in Table 1. The prosecution to conviction ratios, when expressed as percentages, by showing figures in excess of 100% suggest a reduced flow of new offences prosecuted each year compared with proceedings completed during that period measurable as convictions.

OPEN IN VIEWER

Table 1.

IIOC and sexual grooming offence statistics 2017 and 2018 (on an all offences charged basis). ⁴⁸

Home Office Offence Code (n.b. also the key to HO codes in Figures 1–3 below)	2017 Principal offenceProsecution/Conviction ratio	2018 Principal offenceProsecution/Conviction ratio	2017 Non-principal offenceProsecution/Conviction ratio	2018 Non-principal offenceProsecution/Conviction ratio
86.1 (creation, publication and distribution of indecent child images)	3,132/3,020 (96.4%)	2,298/2,193 (95.4%)	8,839/8,817 (99.8%)	6,155/6,086 (98.9%)
86.2 (possession of indecent child images)	339/385 (113.6%)	235/248 (105.5%)	1,726/1,633 (94.6%)	1,057/1,041 (98.5%)
86.3 (possession of prohibited child images)	29/47 (162.1%)	29/35 (120.7%)	749/674 (90.0%)	626/550 (87.9%)
88A (‘Sexual grooming’ of a child)	330/241 (73.0%)	441/359 (81.4%)	522/216 (41.4%)	1,027/350 (34.1%)

OPEN IN VIEWER

Figure 1.

Outcomes on a principal disposal basis—HO Code 86.1.

OPEN IN VIEWER

Figure 2.

Outcomes on a principal disposal basis—HO Code 86.2.

OPEN IN VIEWER

Figure 3.

Outcomes on principal disposal basis—HO Code 88A.

This downward trend in criminal justice interventions against IIOC offences can be seen more clearly in the standard criminal statistics summarised in Figures 1 and 2 below, with a comparison with the markedly different pattern for child sexual grooming at Figure 3 (for the key to the HO codes see Table 1). ⁴⁹ Unlike the data summarised in Table 1, these only provide information about the offence that attracted the most severe sentence or outcome (the principal disposal basis). The volume of IIOC proceedings doubled between 2013 and 2016 but then fell significantly. While these lack the detail of the statistics analysed in Table 1, the picture presented by the principal disposal data is also consistent with the view that ‘the tip of the iceberg’ may well be getting smaller.

The decline in IIOC criminal justice interventions contrasts markedly with the impression given by police estimates of a national increase in IIOC offences of 424% between 2013–14 and 2017–18 ⁵⁰ and an increase in IWF recorded ‘child sexual abuse URLs’ by 54% between 2015 and 2018. ⁵¹ The decline in IIOC proceedings also appears to be greater than general criminal justice trends, for example, the aggregate 12% reduction in the number of arrests nationally between 2016 and 2017. ⁵² With the exception of grooming, the statistics demonstrate a significant contrast with Yar’s conclusion in 2013 (consistent with the above data analysis at that time) that, in contrast to other internet crime, the policing of child abuse offences were accorded ‘an unusual degree of direct intervention by state-centred authorities’. ⁵³ It has be assumed that the reasons for the decline in criminal justice interventions are likely to be attributable to policy choices, including resource allocation decisions, not changes in criminal behaviour.

Unpicking the Reasons for the Decline in Criminal Justice Interventions and the Potential Consequences

The political and economic circumstances that gave rise to the current collaborative model and intimations of the risk that—despite the impression created by Online Harms—statutory regulation might not result in fundamental reform are partly explained by Zuboff’s analysis of ‘surveillance capitalism’: a concentration of monopolistic capitalism that confers democratically unaccountable and transnational political power derived from the concentrated ownership of data analysis and communication platforms. She notes the significance of ‘the neoliberal capture of the government machinery for oversight and regulation of the US economy’ ⁵⁴ for how this developed during the decades that bridged the Millennium, particularly how the relationship between right-wing politics (neoliberal and libertarian) and the nascent power of Silicon Valley blocked attempted US government oversight of abusive content on the web. ⁵⁵

This section focuses on aspects and consequences of the neoliberal dominance over policy making that (a) go beyond Zuboff’s analysis and (b) are criminal justice specific: the reasons for the downward statistical trends and how, if this is a sign of the hollowing-out of capacity and capability within the criminal justice system for dealing with IIOC crimes, this could result in risks that cannot be offset by improvements in image suppression.

Inadequate capacity is not a uniquely English problem. This is clear from NCMEC testimony (March 2020) to the US Senate Judiciary Committee:

Relatively static governmental funding to address the horrifying increase in child sexual exploitation content being circulated worldwide has become an impediment in effectively combatting this problem. ⁵⁶

Other problems stem from inadequate police resources, including the likelihood that criminal justice interventions would increasingly reflect UK-centric prioritisation. The Philippines is the greatest source of IIOC material, ⁶¹ whereas sexual grooming—where criminal justice interventions continue to rise—will normally take place in-country. Such policy choices would be consistent with IICA commissioned research findings about restrictions on known offenders. Only 0.2% of sexual harm prevention orders imposed in 2017/18 included foreign travel restrictions. The Commission questioned this introspective approach to child protection. They recommended international intelligence sharing similar to that for money laundering so that travel restrictions could be targeted proportionately to prevent travel to destinations notorious for child abuse. ⁶² This recognition of the importance of proportionality also serves to emphasise that Government policy and police operational priorities cannot just focus on supressing abuse images. Criminal justice casework tailored to the circumstances and risks of individual offenders, harm suffered by victims and potential future risks of either offending or harm needs to be adequately funded.

IIOC offences were not within the remit of the Law Commission’s 2018 scoping study of abusive and offensive communications, ⁶³ but what it stated about the significance of the criminal law in the different context of its work on online offences is arguably also applicable to web IIOC crimes:

While the challenge of addressing the scale and reach of abusive and offensive online communications may seem overwhelming, we consider that the law, and in this particular context the criminal law, has an important role to play in punishing and deterring the most serious conduct, and in shaping community attitudes as to its unacceptability. ⁶⁴

Criminal proceedings are distinguishable from social control or aggregate contributions to social welfare because of a unique retributive function in which due process is integral with the objective of ‘blaming wrongdoers according to their just deserts’. ⁶⁶ Retributive justice should not, however, be confused with narrow punitiveness, especially bearing in mind that imprisonment often does more harm than good. Criminal justice interventions must be proportionate to the degree of and responsibility for harm: for example, in the IIOC context, between primary harm, where an image was produced through child rape and secondary harm arising from a victim’s recurrent anxiety about the continued circulation of a partly naked image. ⁶⁷ Prosecutors and judges are not only capable of dealing with such potentially complex matters, but the fact that their decisions, and the rules or guidelines under which they are made are open to scrutiny is vital for maintaining critical trust in the criminal justice response to internet IIOC crimes.

An emphasis on focusing on image suppression over criminal justice interventions against individuals acquiring IIOC images also means numerous lost opportunities to encourage desistence (even if this may rely more for success on activities and influence outside the criminal justice system, the criminal justice intervention may be needed to initiate behavioural change) and, at a minimum, bring the individuals within sex offender risk management arrangements.

It is unclear whether significant numbers of passive consumers of IIOC images are likely or not to become contact offenders (e.g. shift their offending to sexual grooming and beyond). Research in this area is relatively new and the results are inconsistent, but generally studies suggest that the internet has a disinhibiting effect that facilitates offending behaviour. ⁶⁸ There is a significant risk that consuming sexualised imagery of minors and sexually abusing minors ‘may exist in a mutually enforcing dynamic’. ⁶⁹ Police views and IIAC commissioned assessments suggest that between 16% and 50% of child abuse cyber criminals will later commit physical offences, ⁷⁰ fewer criminal justice interventions certainly means that more potentially dangerous offenders will remain unknown to the police and thus evade child safeguarding measures.

This safeguarding system was created to protect children and vulnerable adults following the Soham child murders in 2002. Adoptive parents, salaried workers and volunteers are vetted for evidence of criminal behaviour that could indicate a risk of harm if there is future regular contact with children. ⁷¹ Under these arrangements persons convicted or cautioned for an offence, inter alia, under s 1 of the 1978 act or s 160 of the 1988 Act are automatically barred from such activities and roles. ⁷² The police also have discretion to reveal information about an IIOC incident to a potential employer etc. for safeguarding purposes, even if proceedings were not initiated. The exercise of discretion has to be proportionate and, as a process undertaken by a public authority, the decision making process can be challenged through judicial review.

As noted earlier, the potential complexity of criminal justice casework decisions relating to IIOC is reduced by the limited defences to possession etc. under s 1 PCA 1978 or s 160 CJA 1988. There is a downside to this that is relevant to the advantages and, in some respects, the need for the response to IIOC images to remain in the hands of adequately resourced and publicly accountable agencies. When these statutes were enacted, Parliament could not have anticipated self-generated imaging (SGI, or ‘youth sexting’). To avoid wrongly criminalising young people the police were encouraged in 2015 not to initiate proceedings in certain circumstances: where the making and sharing of the image is ‘non-abusive and there is no evidence of exploitation, grooming, profit motive, malicious intent (e.g. extensive or inappropriate sharing…) or…persistent behaviour’. The police were also advised to exercise discretion in disclosing information about such an incident, should the young person responsible later apply for a safeguarding check. ⁷³

This issue also might cast further light on the downward statistical trends. FOI data obtained by The Guardian suggests that as a result of the 2015 guidance only 0.5% of SGIs incidents involving children under 14 over almost 34 months up to August 2019 resulted in a charge, caution or court proceedings. ⁷⁴ With 241 SGI under 14 investigations a month, this change in policy could have had a significant impact on the IIOC intervention statistics with a total of 500 child abuse arrests each month according to the police (2019) ⁷⁵ and the Government (2020) ⁷⁶ There is certainly a temporal correlation between the publication of the 2015 guidance and the emergence of downward trends, particularly when allowance is made for the initially inconsistent application of the guidance by different police forces. ⁷⁷

Sexting is a risky behaviour, but Gillespie (writing prior to the 2015 guidance) suggested that the alternative to adolescent criminalisation was:

A more proportionate approach would be to recognise this harm by requiring the identification and prosecution of the individual who distributes the images more widely, including to the Internet at large. ⁷⁸

Limits to Collaboration—ACNs, the Deep Web, ISPs That Are Beyond Regulation and Social Media Platforms ‘Going Dark’

This section explains the limits of what is apparently achievable through government-industry accords for image suppression on the surface web by considering how criminals exploit platforms and communication networks that (a) cannot be regulated (ACNs and surface web services operated from countries that are relatively safe for cybercriminals ⁸⁴ ) and (b) are not regulated (but could be) such as commercially provided encryption, for example, Signal (‘going dark’) and police responses. This includes the combination of anonymization techniques, for example, the combined WhatsApp and ACN connectivity revealed by Operation Tantalio’s investigation into IIOC distribution. ⁸⁵ Consideration of these issues also underlines how policy inconsistency between criminal justice interventions on the surface web (for which the Government appears to have a limited appetite) may weaken the policing of anonymised web communication. This is a domain where successive governments have strengthened the role and surveillance powers of the state and where this Government wishes, as will be considered in the next section, to go much further.

It is obviously even more difficult to estimate the scale of IIOC offending on ACNs than on the surface web or the volume of crime that uses a combination of different web levels, or the volume of IIOC images involved:

…virtually all reports made to the [NCMEC] CyberTipline relate to content that is being shared, stored, and distributed on the open web, not the dark web.…though NCMEC is aware that the dark web is increasingly where new, and virulently explicit, child sexual exploitation content is solicited, traded, and discussed among predators. ⁸⁶

Image suppression on the regulated parts of the surface web may be less effective in curbing crime than might be hoped. During 2014 Microsoft and Google achieved a 67% reduction in child sexual exploitation searches in the USA, but the Russian based search engine Yandex was known to have been used by American residents. Empirical research into whether, how and to what extent police and commercial interventions against cybercrime result in displacement is at an early stage. The authors of one pioneering study (financial not IIOC crimes) noted, however, the creativity of cyber criminals and concluded that effective police and private sector responses can result in at least some displacement that takes different forms (e.g. from personal bank accounts to corporate targets and from banks in one country where security is strong to those where crime prevention is weak). ⁹⁰ This problem is not really addressed in Online Harms, although the known displacement of terrorist activity to less hostile locations as a result of more intensive effort by companies to supress extremist content is acknowledged. ⁹¹ What is particularly troubling about potential cross-border IIOC crime displacement on the surface web is that commercial benefits would accrue to the new platform hosts. More users translates into increased advertising revenue for sites that do not take down such images, as noted in another path-finding study of criminal displacement, on the internet ‘further monetizing the sexual exploitation of children’. ⁹²

The potential relationship between the legal impact of the future Online Harms legislation and internet policing in domains beyond regulation, however, might also extend to equipment interference (‘hacking’) and distributed denial of service attacks (DDOS), both of which are lawful and like bulk data analysis subject to oversight by the Investigatory Powers Commissioner’s Office (IPCO). ⁹³ These exceptional state activities also provide important precedents for how criminal law may override the legal privileges that the digital industry enjoys under commercial and regulatory law.

UK policing and harm reduction on other domains, including encrypted communications interception is undertaken by the state agencies, chiefly the National Crime Agency (NCA) and individual police forces supported by regional crime units, the intelligence services and specialist agencies such as HM Revenue and Customs. Their work has an operational link with the surface web collaboration arrangements and will involve the same industry or NGO participants. For example, when ACN sites hosting IIOC material are taken down the NCMEC assists in this process by identifying first-generation seized images that had not been previously been logged in their IIOC database, and already shared nationally and internationally with police agencies and or other specialist child protection NGOs. ⁹⁴ Criminal justice interventions, however, are not dependent on voluntary assistance. For example, bulk data analysis (the analysis of communication footprints, often on the deep web (e.g. bank account records) but also on the surface web, enables state agencies to identify clusters of criminal activity in order to identify UK citizens who pay to access extreme IIOC material. ⁹⁵ This is permitted by statute and because such surveillance engages Convention privacy and sometimes fair trial rights, the law requires that it should be supervised by IPCO, to ensure that such powers are used proportionately. ⁹⁶

Judgements about proportionality can pivot on the weight attached to the public objective, expressed in another common law jurisdiction as a ‘sufficient importance’ test. ⁹⁷ It may be arguable that an absence of policy consistency—including (judging by current statistical trends) over resource allocation to maintain or increase criminal justice interventions together with irresolution about seeking effective powers to require industry action where less invasive techniques can be used (e.g. on the surface web)—might weaken a proportionality claim to justify the use of exceptional measures against an ACN, surface web encryption, or a platform well beyond UK regulation. It would certainly be difficult to reconcile a claim that the state must always be able to intervene with the full force of the criminal law against IIOC crimes in such domains, when (a) its policies only allow for very limited and diminishing criminal justice interventions on the unencrypted surface web where most IIOC images are to be found and (b) even uncooperative corporate entities enjoy impunity from prosecution or exceptional protection from civil litigation.

Such exceptional activities have a further link with the impact of neoliberal policies on criminal justice: how government technological development and research capabilities on which police and other state agencies at one time relied are now either seriously inadequate or non-existent. ⁹⁸ As a result the police and other government agencies rely on the marketplace for hacking devices and services. A law suit brought by WhatsApp/Facebook against NSO, an Israeli cybersecurity device developer in October 2019 exposed some of the risks arising from this. It was alleged that NSO’s malware product Pegasus ⁹⁹ had been used against diplomats, senior government officials, human rights activists, dissidents and journalists, including people linked to the Saudi journalist, Jamal Khashoggi, who was assassinated inside the Saudi consulate in Istanbul. Allegedly it is effective against many commonly used smartphone operating systems, including Apple’s iOS, Google’s Android, Microsoft’s Windows Phone and Samsung’s Tizen. NSO’s response was that it did not itself use malware operationally and that its state security agency customers could have their use of the malware stopped for a breach of licence conditions. That, of course, does not answer the obvious question: would such a breach be reported by such customers?

The litigation revealed how a combination of neoliberal policies—fiscal austerity, the hollowing-out of state capabilities and minimal regulation—has resulted in revenue from state agencies funding the commercialised development of advanced surveillance devices and services that may be acquired by rogue states and criminals. According to The Wall Street Journal, the publicity from the Pegasus affair compromised a criminal justice investigation into suspected anti-terrorist activity. ¹⁰⁰ Similarly, Home Office evidence to IICSA indicated that one ACN site required its subscribers to upload 20 ‘first-generation images’, as an alternative to a two-minute video of infant or toddler abuse, each month. ¹⁰¹ Unless there was an element of bluff to this, presumably the criminals involved were able to access the same or similar image analysis software as that used internationally by police, intelligence services and anti-abuse NGOs, or as a result of corruption, an image suppression database.

The Future Evolution (and Its Potential Limitations) of the Collaborative Justice Interventions and Harm Reduction Model

Conclusions

The encryption key impasse might be resolvable by building on the powers introduced in 2000 for the judicial authorisation of access to protected information on, for example, a suspect’s telephone (protected by an encryption key or password) under arrangements overseen by IPCO. ¹⁴³ Facebook - although it does not use the terms - appears to have given considerable attention to the need to improve critical trust and to have grasped the lessons of civic epistemology. Even if its apparent change of heart towards the acceptance of Online Harms type social regulation, is a result of ‘tech lash’, from customers/users frustrated over how web platforms profit from their data at a time when in its most important markets, USA and Canada, user growth is stagnating, ¹⁴⁴ in other words evidence of the potential influence of ‘an issue-specific public’. ¹⁴⁵ Certainly its publication about future internet services regulation is much more sensitive to the wider question of restoring public trust than the Government’s Online Harms document. Facebook acknowledges the importance of legal structures and procedures for building trust among citizens who might have good reason to have lost faith in both government and the digital industry:

Problems arise when people do not understand the decisions that are being made or feel powerless when those decisions impact their own speech, behavior, or experience. People may expect similar due process channels to those that they enjoy elsewhere in modern society. ¹⁴⁶

On specific issues relating to IIOC crimes, the analysis in this article also points to the importance of bringing into any future deliberations about surface web regulation and encryption other issues: preventing the hollowing out of criminal justice capacity and capabilities; ensuring compatibility and consistency in operational responses and legal principles when dealing with IIOC crimes across all levels of the web; and ensuring that the response to IIOC crimes focuses on the offenders and their victims by accepting that image suppression alone is insufficient.

This article has attempted to offer an informed and constructive critique of the evolution and potential future of collaborative justice and harm reduction in response to IIOC crimes as’ something to be explained, not to be taken for granted’. It has sought to highlight potential ‘strategic deletions and omissions’. In doing so it has emphasised the significance of genuine political and policy choices that will determine how IIOC crimes are dealt with. In doing so it has warned against any mind-set that considers or argues that decisions on and developments in technologically and scientifically focused decision making are so determined by apparently impersonal economic and technological forces, that there is no alternative to whatever government can negotiate with vested interests behind closed doors.