Law Enforcement × 2

The previous chapter dealt with the use of new technologies by criminals; this chapter deals with the other side of the picture. I begin by looking at ways in which new technologies can be used to enforce the law and some associated risks. I then go on – via a brief detour to the eighteenth century – to consider how technologies discussed in earlier chapters may affect not only how law is enforced but by whom.


Criminals are not the only ones who can use new technologies; cops can too. Insofar as enforcing law is a good thing, new technologies that make it easier are a good thing. But the ability to enforce the law is not an unmixed blessing – the easier it is to enforce laws, the easier it is to enforce bad laws.

There are two different ways in which our institutions can prevent governments from doing bad things. One is by making particular bad acts illegal. The other is by making them impossible. That distinction appeared back in Chapter 3, when I argued that unregulated encryption could serve as the twenty-first-century version of the Second Amendment – a way of limiting the ability of governments to control their citizens.

For a less exotic example, consider the Fourth Amendment’s restrictions on searches – the requirement of a warrant issued upon showing of reasonable cause. At least some searches under current law – wiretaps, for instance – can be done without the victim even knowing about it. What’s the harm? If you have nothing to hide, why should you object?

One answer is that the ability to search anyone at anytime, to tap any phone, puts too much power in the hands of law enforcement agents. Among other things, it lets them collect information irrelevant to crimes but useful for blackmailing people into doing what they are told. For similar reasons, the United States, practically alone among developed nations, has never set up a national system of required ID cards – although that may have changed by the time this book is published. Such a system would make law enforcement a little easier. It would also make abuses by law enforcement easier.

The underlying theory, which I think everyone understands although few put it into words, is that a government with only a little power can only do things that most of the population approves of. With a lot of power, it can do things that most people disapprove of – including, in the long run, converting a nominal democracy into a de facto dictatorship. Hence the delicate balance intended to provide government with enough power to prevent most murder and robbery but not much more. How might new technologies available for law enforcement affect that balance?


A police officer stops me and demands to search my car. I ask him why. He replies that my description fits closely the description of a man wanted for murder. Thirty years ago, that would have been a convincing argument. It is less convincing today. The reason is not that police officers know less but that they know more.

In the average year, there are about 20,000 murders in the United States. With 20,000 murders and (I am guessing) several thousand wanted suspects, practically everyone fits the description of at least one of them. Thirty years ago, police officers would have had information only on those in their immediate area. Today they can access a databank listing all of them.

Consider the same problem as it might show up in a courtroom. A rape/murder is committed in a big city. The jury is told that the defendant’s DNA matches that of the perpetrator – well enough so that there is only a one in a million probability that the match would happen by chance. Obviously he is guilty – those odds easily satisfy the requirements of “beyond a reasonable doubt.”

There are two problems with that conclusion. The first is that the one-in-a-million statement is false. The reason it is false has to do not with DNA but with people. The figure was calculated on the assumption that all tests were done correctly. But we have plenty of evidence from past cases that the odds that someone in the process, whether the police officer who sent in the evidence or the lab technician who tested it, was either incompetent or dishonest are a great deal higher than one in a million.1

The second problem is not yet relevant but soon may be. To see it, imagine that we have done DNA tests on everyone in the country in order to set up a national database of DNA information, perhaps as part of a new nationwide system of ID cards. Under defense questioning, more information comes out. The way the police located the suspect was by going through the DNA database. His DNA matched the evidence, he had no alibi, so they arrested him.

Now the odds that he is guilty shift down dramatically. The chance that the DNA of someone chosen at random would match the sample as closely as his did is only one in a million. But the database contains information on seventy million men in the relevant age group. By pure chance, about seventy of them will match. All we know about the defendant is that he is one of those seventy, does not have an alibi, and lives close enough to where the crime happened so that he could conceivably have committed it. There might easily be three or four people who meet all of those conditions, so the fact that the defendant is one of them is very weak evidence that he is guilty.

Consider the same problem in a very different context, one that has existed for the past twenty years or so. An economist interested in crime has a theory that the death penalty increases the risk to police of being killed, since cornered murder suspects have nothing to lose. To test that theory, he runs a regression, a statistical procedure designed to see how different factors affect the number of police killed in the line of duty. The death penalty is not the only factor, so he includes additional terms for variables such as the fraction of the population in high-crime age groups, racial mix, poverty level, and the like. When he publishes his results, he reports that the regression fits the theory’s prediction at the .05 level: there is only one chance in twenty that the result would fit as well as it did by pure chance.

What the economist does not mention in the article is that the reported regression was one of sixty that he ran – varying which other factors were included, how they were measured, how they were assumed to interact. With sixty regressions, the fact that at least one came out as predicted does not tell us very much – by pure chance, about three of them should.

Fifty years ago, running a regression was a lot of work – done by hand or, if you were lucky, on an electric calculating machine that did addition, multiplication, and not much else. Doing sixty of them was not a practical option, so the fact that someone’s regression fit his theory at the .05 level was evidence that the theory was right. Today, any academic – practically any schoolchild – has access to a computer that can do sixty regressions in a few minutes. That makes it easy to do a specification search, to try lots of different regressions, each specifying the relationship a little differently, until you find one that works. You can even find statistical packages that do it for you.

So the fact that your article reports a successful regression no longer provides much support for your theory. At the very least, you have to report the different specifications you tried, give a verbal summary of how they came out, and detailed results for a few of them. If you really want to persuade people you have to make your dataset freely available, ideally over the internet, and let other people run as many regressions on it in as many different ways as they want until they convince themselves that the relationship you found is really there, not an illusion created by carefully selecting which results you reported.2

All of these examples – the police stop on suspicion, the DNA evidence, the specification search – involve the same issue. By increasing access to information you make it easier to find evidence for the right answer. But you also make it easier to find evidence for the wrong answer.

If you are the one looking for evidence, the additional information is an asset. The researcher can report the specification search and use its results to improve the theory. The traffic cop can check the database of wanted suspects, see that the person whose description I fit was last reported on the other side of the country, and decide not to bother stopping me. The police, having located several suspects who fit the DNA evidence, can engage in a serious attempt to see if one of them is guilty and only make an arrest if there is enough additional evidence to convict. Develop the technology a little further and the police, unable to find a match for the suspect’s DNA in their database, can instead search it for his relatives – and, having found plausible candidates, continue their investigation from there.

But in each case, the additional information also makes it easier to generate bogus evidence. The traffic cop who actually wants to stop me because of the color of my skin or my out-of-state plates, or in the hope of finding something illegal and being offered a bribe not to report it, can honestly claim that I met the description of a wanted man. The district attorney who wants a good conviction rate before his next campaign for high office can report the DNA fit and omit any explanation of how it was obtained and what it really means. And the academic researcher, desperate for publications to bolster his petition for tenure, can selectively remember only those regressions that came out right. If we want to prevent such behavior we must alter our rules and customs accordingly, raising the standard for how much evidence it takes in order to reflect how much easier it has become to produce evidence – even for things that are not true.


The hero of The President’s Analyst (James Coburn), having spent much of the film evading various bad guys who want to kidnap him and use him to influence his star patient, has temporarily escaped his pursuers and made it to a phone booth. He calls up a friendly CIA agent (Godfrey Cambridge) to come rescue him. When he tries to leave the booth, the door won’t open. Down the road comes a phone company truck loaded with booths. The truck’s crane picks up the one containing the analyst, deposits it in the back, replaces it with an empty booth, and drives off. A minute later a helicopter descends containing the CIA agent and a KGB agent who is his temporary ally. They look in astonishment at the empty phone booth. The American speaks first:

It can’t be. Every phone in America tapped?”

The response (you will have to imagine the accent)

Vhere do you think you are – Russia?”

A great scene in a very funny movie. But it may not be a joke much longer.

Fast forward to the debate over the digital wiretap bill, legislation pushed by the FBI to require phone companies to provide law enforcement agents facilities to tap digital phone lines. One point made by critics of the legislation was that the FBI appeared to be demanding the ability to simultaneously tap about 1 phone out of 100. While that figure was probably an exaggeration – there was disagreement as to the exact meaning of the capacity the FBI was asking for – it was not much of an exaggeration.

As the FBI pointed out, that did not mean they would be using all of that capacity. To be able to tap 1% of the phones in any particular place – say a place with lots of drug dealers – they needed the ability to tap 1% of the phones in every place. And the 1% figure would only apply in parts of the country where the FBI thought it might need such a capacity and included not only wiretaps but also less intrusive forms of surveillance, such as keeping track of who called whom but not of what they said.

At the time they made the request, wiretaps were running at a rate of under 1,000 a year – not all at the same time. Even after giving the FBI the benefit of all possible doubt, the capacity they asked for was only needed if they were contemplating an enormous increase in telephone surveillance.

The FBI defended the legislation as necessary to maintain the status quo, to keep developments in communications technology from reducing the ability of law enforcement to engage in court-ordered interceptions. Critics argued that there was no evidence such a problem existed. My own suspicion is that the proposal was indeed motivated by technology – but not that technology.

The first step is to ask why, if phone taps are as useful as law enforcement spokesmen claim, there are so few of them and they produce so few convictions. The figure for 1995 was a total of 1,058 authorized interceptions at all levels, federal, state, and local. They were responsible for a total of 494 convictions, mostly for drug offenses. Total drug convictions for that year, at the federal level alone, were over 16,000.

The answer is not the reluctance of courts to authorize wiretaps. The National Security Agency, after all, gets its wiretaps authorized by a special court, widely reported to have never turned down a request. The answer is that wiretaps are very expensive. Some rough calculations by Robin Hanson3 suggest that on average, in 1993, they cost more than $50,000 each. Most of that was the cost of labor, police officers’ time listening to 1.7 million conversations at a cost of about $32 per conversation. That problem has been solved. Software to convert speech into text is now widely available on the market. Using such software, you can have a computer listen, convert the speech to text, search the text for keywords and phrases, and notify a human being if it gets a hit. Current commercial software is not very reliable unless it has first been trained to the user’s voice. But an error level that would be intolerable for using a computer to take dictation is more than adequate to pick up keywords in a conversation. And the software is getting better.

Computers work cheap. If we assume that the average American spends half an hour a day on the phone – a number created out of thin air by averaging in two hours for teenagers and ten minutes for everyone else – that gives, on average, about six million phone conversations at any one time. Taking advantage of the wonders of mass production, it should be possible to produce enough dedicated computers to handle all of that for less than a billion dollars. And it’s getting cheaper every year.

Every phone in America.

A Legal Digression: My Brief for the Bad Guys

Law enforcement agencies still have to get court orders for all of those wiretaps; however friendly the courts may be, persuading judges that every phone in the country needs to be tapped, including theirs, might be a problem.

Or perhaps not. A computer wiretap is not really an invasion of privacy – nobody is listening. Why should it require a search warrant? If I were an attorney for the FBI facing a friendly judge, I would argue that a computerized tap is at most equivalent to a pen register, which keeps track of who calls whom and does not currently require a warrant. The tap only rises to the level of a search when a human being listens to the recorded conversation. Before doing so, the human being will, of course, go to a judge, offer the judge the computer’s report on keywords and phrases detected, and use that evidence to obtain a warrant. Thus law enforcement will be free to tap all our phones without requiring permission from the court system – until, of course, it finds evidence that we are doing something wrong. If we are doing nothing wrong, only a computer will hear our words, so why worry? What do we have to hide?

Living ID Cards

In the wake of the attack on the World Trade Center there has been political pressure to establish a national system of ID cards; currently (defined by when I write not when you read) it is unclear whether it will succeed. In the long run, it may not matter very much. Each of us already has a variety of built-in identification cards – face, fingerprints, retinal patterns, DNA. Given adequate technologies for reading that information, a paper card is superfluous. In low-density populations, face alone is enough. Nobody needs to ask a neighbor for identification because everybody already knows everybody else.

That system breaks down in the big city because we are not equipped to store and search a million faces. But we could be. Facial recognition software exists and is getting better. There is no technical reason why, sometime fairly soon, someone, most probably law enforcement, could not compile a database containing every face in the country. Point the camera at someone and read off name, age, citizenship, criminal history, and whatever else is in the database.

Faces are an imperfect form of identification since there are ways to change your appearance. Fingerprints are better. There already exist commercial devices to recognize fingerprints, used to control access to laptop computers. I do not know how close we are to an inexpensive fingerprint reader matched with a filing system, but it does not seem like an inherently difficult problem. Nor does the equivalent, using a scan of retinal patterns. Cheap DNA recognition is a little further off, but there too, technology has been progressing rapidly.

We could make laws forbidding law enforcement bodies from compiling and using such databases, but it does not seem likely that we will, given the obvious usefulness of the technology for the job we want them to do. Even if we did forbid it, enforcing the ban against both law enforcement and everyone else would be difficult. When the Social Security system was set up, the legislation explicitly forbade the use of the Social Security number as a national identifier. Nonetheless, the federal government – and a lot of other people – routinely ask you for it. Even if there is no official national database of faces, each police department will have its own collection of faces that interest it. If expanding that collection is cheap – and it will be – “interest” will become a weaker and weaker requirement. And there is nothing to stop different police departments from talking to each other.


A few chapters back, I raised the question of whether unauthorized access to a computer ought to be treated as a tort or a crime. It is now time to return to that issue in a broader context.

Most of us think of law enforcement as almost entirely the province of government. In fact it is not and, so far as I know, never has been.4 In the United States, total employment in private crime prevention – security guards, burglar alarm installers, and the like – has long been greater than in public law enforcement. Catching and prosecuting criminals is mostly done by agents of government, but that is only because crime is defined as the particular sort of offense that is prosecuted by the government. The same action – killing your wife, for example – can be prosecuted either by the state as a crime or by private parties as a tort, as O.J. Simpson discovered.

That fact suggests that we might not need criminal law. Perhaps we could manage, even manage better, with a system in which all wrongs were privately prosecuted by the victim or the victim’s agents. Such systems have existed in the past. They may again.

A Brief Temporal Digression

Consider, for one of my favorite examples, criminal prosecution in eighteenth-century England. On paper, their legal system made the same distinction between crimes and torts that ours does. A crime was an offense against the Crown – the case was Rex v. Friedman.

The Crown owned the case but it did not prosecute it. England in the eighteenth century had no police as we understand the word – no professionals employed by government to catch and convict criminals. There were constables, sometimes unpaid, with powers of arrest, but figuring out whom to arrest was not part of their job description. It was not until the 1830s that the situation changed, when Robert Peel created the first English police force.

Not only were there no police, there were no public prosecutors either; the equivalent of the district attorney in the modern American system did not exist in England until the 1870s, although for some decades prior to that police officers functioned as de facto prosecutors. With neither police nor public prosecutors, criminal prosecution was necessarily private. The legal rule was that any Englishman could prosecute any crime. In practice, prosecution was usually by the victim or his agent.

That raises an obvious puzzle. When I sue someone under tort law, I have the hope of winning and being paid damages, with luck more than enough to cover my legal bills. A private prosecutor under criminal law had no such incentive. If he got a conviction the criminal would be hanged, transported, permitted to enlist in the armed services, or pardoned, none of which put any money in the prosecutor’s pocket. So why did anyone bother to prosecute?

One answer is that the victim prosecuted in order to deter – not crimes in general but crimes against himself. That makes sense if he is a repeat player, such as the owner of a store or factory at continual risk from thieves. Hang one and the others will get the message. That is why, even today in a system where prosecution is nominally entirely public, department stores have signs announcing that they prosecute shoplifters. Arguably it is why Intel prosecuted Randy Schwartz.

Most potential victims were not repeat players. For them, the eighteenth-century English came up with an ingenious solution: societies for the prosecution of felons. There were thousands of them. The members of each contributed a small sum to a pooled fund, available to pay the cost of prosecuting a felony committed against any member of the society. The names of the members were published in the newspaper for the felons to read. Potential victims thus precommitted themselves to prosecute. They had made deterrence into a private good.

That set of institutions was eventually abandoned. One possible explanation is that, in order for it to work, criminals had to know their victims, at least well enough to know whether the victim either had a reputation for prosecuting or was a member of a prosecution association. As England became increasingly urbanized, crime became increasingly anonymous. It did no good to join a prosecution association and publish your membership in the local paper if the burglar didn’t know your name.5 Another possible explanation, argued by some scholars, is that the police were introduced as a solution to other problems – perhaps reforming the poor, perhaps providing government with the ability to make sure that the French Revolution, or something similar, did not happen in England.6

Forward Into the Past

One consequence of modern information-processing technology is the end of anonymity, at least in realspace. Public information about you is now truly public; not only is it out there, anyone who wants it can find it. In an earlier chapter, I discussed that in the context of privacy. Privacy through obscurity is no longer an option. We can now see a different consequence. In the nineteenth century, big cities made victims anonymous. With nobody anonymous anymore, we are back in the eighteenth century.

Consider our earlier discussion of how to handle unauthorized access to computers. One problem with using tort law is inadequate incentive to prosecute, since the random cracker may not be able to pay a large enough sum in damages to cover the cost of finding and suing him. That problem was solved 250 years ago. Under criminal law there were no damages to collect, so eighteenth-century Englishmen found a different incentive – private deterrence.

Imagine the online version of a society for the prosecution of felons. Subscribers pay an annual fee, in exchange for which they are guaranteed prosecutorial services if someone accesses their computer in ways that impose costs on them. The names of subscribers and their IP addresses are posted on a web page, for prudent crackers to read and avoid. If the benefit of deterrence is worth the cost, there should be lots of customers. If it is not, why provide deterrence at the taxpayers’ expense?

There remains one problem. Under ordinary tort law, the penalty is either the damage done or the largest amount the offender can pay, whichever is less. If computer intruders are hard to catch, that penalty might not be adequate to deter them. One time out of ten, the intruder must pay for the damage if he can. The other nine times he goes free.

Criminal law solves that problem by permitting penalties larger, sometimes much larger, than the damage done, thus making up for the fact that only some fraction of offenders are caught, convicted, and punished. Punitive damages in tort law achieve the same effect. But punitive damages are, and criminal punishment is not, limited by the assets of the offender – the criminal law can impose nonmonetary punishments such as imprisonment.

So we have two possibilities for private enforcement of legal rules against unauthorized access. One is to use ordinary tort law, with private deterrence as the incentive to prosecute. That works so long as the assets of offenders are large enough so that taking them via a tort suit is an adequate punishment to deter most offenses. The other is to go all the way back to the eighteenth century – private prosecution with criminal penalties.

I have discussed the problems with private prosecution – what are the advantages? The main one is the advantage that private enterprise usually has over state enterprise. The proprietors of an online prosecution firm are selling a service to their customers on a competitive market. The better they do their job, the more likely they are to make money. If costs are high and quality low, they will not have the option of getting bailed out by the taxpayers.

The argument applies to more than the defense of computers against unwanted intruders. Information-processing technology eliminates the anonymity that urbanization created; in that respect, at least, it puts us back in villages. Doing so eliminates what was arguably the chief reason for the shift from private to public prosecution. Of all crime.

Private Enforcement Online

My interest in the future of private enforcement online was in part inspired by history and economic theory, in part by news stories about criminals who were caught by their victims, using the internet to coordinate their efforts – open source crime control, as discussed in an earlier chapter.

Such stories suggest another way in which modern technology may make private law enforcement more practical than it has been in the recent past. Many crimes involve a single criminal but multiple victims. Each victim has reasons, practical and moral, to want the criminal caught, but no one victim can do the job on his or her own. The internet, by drastically reducing the cost of finding fellow victims and coordinating with them, helps solve that problem.


1  Houston provides one example of such problems, or see multiple examples in Scheck, Neufeld, and Dwyer, 2000.

2 A recent example of such a process is provided by the controversy set off by the Lott and Mustard paper on the effects of laws permitting the concealed carry of handguns.

3 Hanson, 1994.

4 Although Imperial China may have come close. See Bodde and Morris, 1973.

5 See Part III of Friedman (1995).

6 For an essay arguing that existing institutions were dealing adequately with the problems of urbanization and explaining the shift to public policing in other terms, see Davies, 2002.