Digital Architecture as Crime Control
Katyal, Neal Kumar, The Yale Law Journal
The first generation of cyberlaw was about what regulates cyberspace. Led by Larry Lessig's path-breaking scholarship isolating architecture as a constraint on behavior online, (1) a wide body of work has flourished. In a recent article, I took those insights and reverse-engineered them to show how attention to architecture in realspace (such as our city streets, parks, houses, and other buildings) constrains crime. (2) It is time to begin a new generation of work, one that applies the lessons of realspace study back to the cybernetic realm. The question will not be what regulates cyberspace, but how to do so given the panoply of architectural, legal, economic, and social constraints.
This Essay details how theories of realspace architecture inform the regulation of one aspect of cyberspace, computer crime. Computer crime causes enormous damage to the United States economy, with even a single virus causing damage in the billions of dollars and with a recent survey finding that ninety percent of corporations detected computer security breaches. (3) Yet despite apparent metaphorical synergy, architects in realspace generally have not talked to those in cyberspace, and vice versa. There is little analysis of digital architecture and its relationship to crime, and the realspace architectural literature on crime prevention is often far too "soft" to garner significant readership among computer engineers. However, the architectural methods used to solve crime problems offline can serve as a template to solve them online. This will become increasingly obvious as the divide between realspace and cyberspace erodes. With wireless networking, omnipresent cameras, and ubiquitous access to data, these two realms are heading toward merger. Architectural concepts offer a vantage point from which to view this coming collision.
This brief Essay sketches out design solutions to the problem of security in cyberspace. It begins by introducing four principles of realspace crime prevention through architecture. Offline, design can (1) create opportunities for natural surveillance, meaning visibility and susceptibility to monitoring by residents, neighbors, and bystanders; (2) instill a sense of territoriality so that residents develop proprietary attitudes and outsiders feel deterred from entering private space; (3) build communities; and (4) protect targets of crime. (4)
After introducing these concepts, the Essay discusses analogues to each principle in cyberspace. Naturally, the online and offline realms are not symmetric, but the animating rationales for the four principles can be translated to cyberspace. Some of the outlined modifications to digital architecture are major and will invariably provoke technical and legal concerns; others are more minor and can be implemented quickly to control computer crime. For example, we will see how natural surveillance principles suggest new virtues of open source platforms, such as Linux, and how territoriality outlines a strong case for moving away from digital anonymity toward pseudonymity. The goal of building communities will similarly expose some new advantages for the original, and now eroding, end-to-end architecture of the Internet--a design choice that eschewed barriers between computers and rejected preferences for certain types of content. Principles of community and target protection will illuminate why installing firewalls (which are simply pieces of hardware and software that prevent specified communications (5)) at end points will provide strong protection, why some computer programs subtly cue criminal acts, and why the government should keep some computer crimes secret.
Throughout this Essay, each Section will employ the realspace architect's understanding of context to explain why many meta-claims in contemporary cyberlaw are too grand. These claims are proliferating and track the same binary formula: "open sources are more/less secure," "digital anonymity should be encouraged/prohibited," "end-to-end networks are more/less efficient," "peer-to-peer technologies are a threat/blessing," etc. (6) Systematic predictions are possible about the benefits of open sources, end-to-end (e2e) networks, and the like, but caution is warranted before applying these predictions across the board. Such caution is a staple of crime prevention in realspace, as the four design principles are often in tension with each other. As this Essay progresses, these tensions will become evident in the cyberspace context as well.
In total, these architectural lessons will help us chart an alternative course to the federal government's tepid approach to computer crime. In February of this year, after a year and a half of promising a revolutionary approach, the White House released its National Strategy To Secure Cyberspace. (7) Unfortunately, the Strategy consists of little beyond an unbridled faith in "the market itself" to prevent cybercrime. (8) By leaving the bulk of crime prevention to market forces, the government will encourage private barricades to develop--the equivalent of digital gated communities--with terrible consequences for the Net in general and interconnectivity in particular. Just as safety on the street depends in part on public police and public architecture, so, too, in cyberspace.
I. DIGITAL DESIGN PRINCIPLES TO PREVENT CRIME
Today, the damage caused by computer crime runs in the billions of dollars each year, making it one of the most economically damaging forms of crime in human history. (9) Yet the extent of cybercrime today is still constrained by the costs of computers, bandwidth, and attaining computing skill, all of which are likely to diminish over time. As a result of these and other factors, we will soon face the possibility that the Net will become as unsafe as the downtown city street. The city-street analogy is worth thinking about, for some downtown streets effectively control crime. In any number of cities today, people simply avoid the streets at night altogether, making it difficult for them to be attacked. In others, lights or barricades make it more difficult to perpetrate crime. And in still others, police patrols provide a backdrop of safety that scares criminals away and encourages residents to come out of doors. What do these methods of control suggest about cyberspace?
This Part applies four principles of design and crime prevention to explain how changes to digital code can have a dramatic effect on crime rates. In order to ease consideration of these changes, I will be speaking generically about "crime," rather than singling out its particular variants, such as viruses, worms, denial of service attacks, unauthorized access, unauthorized use, and identity theft. (10) This simplification at times will obscure specific architectural solutions, yet the Essay's design is meant to underscore how, in both realspace and cyberspace, architectural changes have the potential to minimize a large number of crimes at once.
A. Natural Surveillance
Natural surveillance refers to the use of architecture to create spaces that are easily viewed by residents, neighbors, and bystanders. The most sophisticated proponent of this approach was Jane Jacobs, who reasoned that "eyes on the street" would control crime. (11) Using Greenwich Village as a model, Jacobs argued that if people could be brought out onto city streets and if the design of city blocks facilitated visibility, the crime rate would drop. Jacobs did not disaggregate types of crime; rather, she felt that much of it could be prevented best by ordinary people, not professional police officers and security guards. (12) Yet a natural, and sometimes self-defeating, impulse is to close space off to prevent crime, rather than to open it up. The gated community is one such modern manifestation. (13)
In cyberspace, however, crime prevention is predominantly a less visible, professional enterprise. Much software today is "closed source," meaning that the programs' underlying computer code is hidden from its users. Just as closure in realspace can increase crime rates, so, too, in cyberspace. Because the underlying code is examined only by professionals (and often only by the firm developing the software), the number of people who can discover its vulnerabilities and repair them is far lower.
Closed source programs, while an understandable reaction to the fear of crime, are often counterproductive. Computer platforms such as Linux (an open source alternative to Microsoft's Windows operating system) will have major security advantages because they can harness the power of natural surveillance in ways that closed platforms, such as Windows, cannot. Because more people can see the code, the likelihood that security vulnerabilities will be quickly discovered and patched rises. (14) President Clinton's Technical Advisory Committee, for example, recognized that "access by developers to source code allows for a thorough examination that decreases the potential for embedded trap doors and/or Trojan horses." (15) Closure of code, like gated communities in realspace, may create a false sense of security. (16) And programmers who work together within a firm may develop groupthink and miss vulnerabilities while having an incentive to hide their mistakes from the outside world if they think they won't get caught. (17) Open source software, by expanding the pool of people who view the code, can harness the benefits of a diverse, far-flung group of minds and eyes to improve security.
In two senses, natural surveillance operates differently online than it does offline. First, natural surveillance primarily works offline when the public watches potential offenders and disrupts specific criminal activity. Online, however, it works when professionals and program users eye the code. Their gaze is not directed to any particular offender; rather, it is directed at the architecture itself. This shift in gaze reveals an important fact about cyberspace--because code is omnipresent and cheap to alter (compared to bricks and mortar in realspace), it plays a larger role in regulation of behavior online than offline. (18) This is both a blessing and a curse: It can help programs, particularly open source ones, adapt when vulnerabilities are found, but the ease with which architecture is changed can also facilitate exit and network fragmentation. Second, users who examine code for vulnerabilities cannot be equated with realspace bystanders. Only a small fraction of people can read source code, and those who do are most likely to do so when they expect some sort of reward, either an enhanced reputation or improved software product. As such, the pool of people available for natural surveillance online is smaller than it is offline. That fact does not spell the end of open source as a security model, for, as we shall see, sometimes smaller pools can bolster security by facilitating reputational rewards. But, when considered alongside the problem that open source programs make security holes in applications visible to potential cybercriminals, (19) one must pause before proclaiming that one side or the other has won the security debate.
For these reasons, the generic and far too ideological debate in the literature over whether open source is inherently more or less secure than closed source (20) fails to capture the nuances of space and design principles. Any good architect will admit that what works is often a matter of context. (21) Even Jacobs's vaunted natural surveillance, for example, fails in certain settings, which explains why houses in remote locations need fences, dogs, and other mechanisms to prevent trespass. The need for contextualization does not preclude predictions; it simply means that one must understand the conditions necessary for a given design to succeed. If the potential for natural surveillance is low, as it is with the remote house and its cyberspace counterpart, closure will provide a better security model than will openness. (22) With fewer users, moreover, closure may also bolster security because the chance of a malicious individual discovering a vulnerability is lower as well. As the number of users declines, the chance that a vulnerability will be discovered diminishes while the ability to track users increases. (23)
The upshot is that open source operating systems, such as Linux, will have security advantages over their closed competitors, but that more specialized applications with few users (and therefore a low number of eyeballs gazing at the code) may be less secure as open source products than as their closed counterparts. (24) Indeed, the weakness of the Microsoft platform was suggested, in a round-about way, by Microsoft Vice President Jim Allchin, who testified in antitrust proceedings that revealing Microsoft's source code to competitors "could damage national security and even threaten the U.S. war effort in Afghanistan." (25) Security by obscurity is no way to run sensitive systems, particularly in an era where infiltration of Microsoft by rogue employees, hacking, and brute force attacks using distributed computing power are not fanciful. (26)
A second realspace crime-prevention technique is to construct landscapes and buildings that evince territoriality, a signal of stewardship of an area. (27) Concerns about territoriality must be balanced against the need for natural surveillance, so that spaces are neither too open nor too closed. If they are too closed, bystanders and residents cannot self-police; if they are too open, intrusion and crime could increase. The goal of territoriality is to ensure that people begin to know each other and develop a sense of caring for an individual place. Compare, for example, a dormitory design that features a single grand entrance with one that uses an entryway system. The entryway students, with fewer students per door, are more likely to know and monitor each other and more likely to intervene in times of trouble. (28)
In cyberspace, the vast numbers of people who traverse individual areas such as websites make it difficult to promote caring through partial closure. Instead, a cyberspace solution must try to capture territoriality's root benefits without doing damage to the Net's principal design innovation--its openness. (29) Territoriality in realspace is principally important because it permits bystanders to recognize intruders and intervene against them. In cyberspace, recognition of intruders, let alone intervention, is hampered by the fact that the Internet Protocol is built not to know a user's identity. Both small and large approaches to digital architecture, however, can help alleviate this problem.
Consider, in the small category, Internet Protocol logging (IP logging). Every computer on the Internet has a specific address, designated by a series of numbers, so that the network can route data to it. While some IP addresses are "dynamic" and …
Publication information: Article title: Digital Architecture as Crime Control. Contributors: Katyal, Neal Kumar - Author. Journal title: The Yale Law Journal. Volume: 112. Issue: 8 Publication date: June 2003. Page number: 2261+. © 2009 Yale University, School of Law. COPYRIGHT 2003 Gale Group.