Security Group
2023 seminars
07 March 14:00
Algorithms and the criminal justice system: promises and challenges in deployment and research / Miri Zilka, University of Cambridge
Webinar & FW11, Computer Laboratory, William Gates Building.
The criminal justice (CJ) system has embraced the use of algorithmic tools. They are employed as decision aids, from policing to parole decisions. This may bring benefits such as improved efficiency and consistency, but also raises many concerns. We will discuss the gap between the promised benefits and what is happening in practice, highlighting challenges around data, ethics, and regulations.
On the data front, a key limitation of current ML for CJ research is overfocus on only a few datasets like COMPAS. Moreover, domain context is rarely taken into account even for these datasets. We will discuss our work on enabling researchers to 1) better utilise existing CJ datasets, and 2) create new datasets using human-machine cooperation. The latter relates to our effort to increase transparency in the UK court system by making trial transcripts amenable to quantitative research.
28 February 14:00
On the motivations and challenges of affiliates involved in cybercrime / Masarah Paquet-Clouston, Université de Montréal
Webinar - link on talks.cam page after 12 noon Tuesday
The cybercrime industry is characterised by work specialisation to the point that it has become a volume industry with various “as-a-service” offerings. One well-established “as-a-service” business model is blackmarket pay-per-install (PPI) services, which outsource the spread of malicious programmes to affiliates. Such a business model represents the archetype of specialisation in the cybercrime industry: a mass of individuals, known as affiliates, specialise in spreading malware on behalf of a service. Extant literature has focused on understanding the scope of such a service and its functioning. However, despite the large number and aggregate effect of affiliates on cybercrime, little research has been done on understanding why and how affiliates participate in such models. This talk summarizes a study that depicts the motivations and challenges of affiliates spreading Android banking Trojan applications through a blackmarket PPI service. In short, we conducted a thematic analysis of over 6,000 of their private chat messages. The findings highlight affiliates’ labour-intensive work and precarious working conditions along with their limited income, especially compared to their expectations. Affiliates’ participation in cybercrime was found to be entangled between legal and blackmarket programmes, as affiliates did not care about programmes’ legal status as long as they yielded money. This study contributes to the literature by providing additional evidence on the downsides of work specialisation emerging from the cybercrime industry.
21 February 14:00
No One to Blame, but...: Fear and Failure in Securing Large Organisations / Ahana Datta, University College London
Webinar & FW11, Computer Laboratory, William Gates Building.
When staff at a critical national infrastructure organisation were recently polled to associate a word with infosec, they chose “fear”. This is a talk about fear and failures - unavoidable and avoidable - their systemic and institutional causes, and how to overcome them. Using case studies from large organisations such as the civil service, aviation, CNI, and media, I will discuss the role of security engineering, purple team operations, threat and compliance. Drawing from experiences as a head of information security/chief information security officer, I attribute poor organisational security to failures in correctly interplaying people, processes, and technology. I will discuss issues such as why user access is breached despite multi-factor authentication and dedicated identity and access teams; why legacy technology remains misunderstood, and friction in patch management; how to know you’ve hired the right (or wrong) expertise, and why we still get hacked despite all the right intentions, if not the right incentives. I will explore third-parties and supply chains, deploying security tools, disjointed processes undermining secure behaviours, the perils of confusing regulation as a threat model for security, incident management and reactive security, as well as why boards struggle to care about information security, and how to make them.
14 February 14:00
Binary Stars: How Crime Shapes Insurance and Insurance Shapes Crime / Anja Shortland, King's College London
Webinar & FW11, Computer Laboratory, William Gates Building.
Crime creates demand for insurance but supplying insurance can inadvertently promote crime. How do insurers reduce uncertainty, pay-outs, and their exposure to extreme and correlated losses from crime? And how do criminals respond to insurers’ attempts to “manage” crime? In this paper we conceptualize insurance and certain types of crime as binary stars, co-evolving as each side innovates and responds to the other side’s innovations. We examine this in five case studies: auto theft, art theft, kidnap and hijack for ransom, ransomware, and payment card fraud. We find that insurers counter criminal innovations that challenge profits by engaging with insureds and third parties: to reduce criminal opportunities, limit damage, salvage stolen property and cap criminal profits. They also increase the risk of detection, capture, and conviction of criminals that defy the (implicit) rules of the game. Across the case studies, “insurance as crime governance” follows a market logic: it erects barriers to opportunistic crime and engages in strategic interaction with sophisticated and organized crime. Insurance tolerates crime if prevention is costlier than covering losses and avoids covering non-profit-motivated crimes.
31 January 16:00
Influence Policing: Mapping the Rise of Strategic Communications and Digital Behaviour Change within UK Law Enforcement and Security Services / Ben Collier, University of Edinburgh
Webinar - link on talks.cam page after 12 noon Tuesday
In this talk, I set out an emerging phenomenon in UK law enforcement - the use of digital ‘nudge’ communications campaigns to achieve strategic policing and security goals. Over the last year, we have studied the use of these campaigns by a single force - Police Scotland - in depth, drawing on empirical research conducted with their dedicated strategic communications team. These campaigns, which involve extremely targeted digital communications designed to directly ‘nudge’ behaviour and shape the culture of particular groups, began in counter-radicalisation as part of the UK’s Prevent programme, but have since moved into a range of other policing areas, from hate crime and domestic violence to knife crime and cybercrime. I set out the historical context of these campaigns in the UK, from their roots in social marketing, through the various iterations of the Prevent strategy, the rise of algorithmic digital marketing infrastructures and surveillance capitalist platforms, and their subsequent transfer from counter-terror policing to a range of other areas. Our study explores the developing institutional and professional arrangements around these campaigns in Police Scotland and the wider UK through interviews and document-based research, drawing on case studies of campaigns across a range of areas. Taking these together, we theorise the rise of influence policing as an embryonic but rapidly emerging domain of police practice, and discuss the ethical, institutional, and democratic implications for the future of law enforcement in the UK.
Ben Collier is Lecturer in Digital Methods at the Institute of Science, Technology, and Innovation Studies at the University of Edinburgh. His research focuses on digital infrastructure as a site of power and resistance, including mixed-methods studies of cybercrime communities, law enforcement engagements with Internet infrastructure, and an upcoming book with MIT Press which maps a cultural history of the Tor anonymity network.