To protect and serve: the police and breach notification
I sometimes wonder what the purpose of the police is: to protect the public or to catch criminals? The problem is that these two functions are often mutually exclusive — definitely in the short term.
You could argue that by catching criminals you are protecting the public from their potential future crimes. You could also argue that catching this actual criminal might deter that potential criminal — and that again you are protecting the public from potential future crimes.
The weakness in this argument is that a criminal doesn’t become a criminal until after the crime is committed. By definition, catching a criminal means that you have failed to protect the public.
A clear definition of primary purpose will therefore affect basic police operations, and have a fundamental effect on the public.
Here’s an example; but it will involve a small leap of faith to begin with — I forget the precise source. I hope, however, you can trust my memory. It was a chat between two very successful hackers. One of them said words to the effect, “I watch the news because that’s how I learn when my hack has been discovered.”
Basically, that’s the time for him to get out, cover his tracks and lie low.
It follows that if there is no news of the breach, law enforcement has a greater opportunity to apprehend the criminal, who might just hang around on the network long enough for the forensic investigators to gather incriminating evidence.
But at what potential cost to the public? Bill Snyder got caught up in the Vendini breach earlier this year, and wrote about it on CIO:
I got an email from Vendini on May 23 that says: “We regret to inform you that on April 25, 2013, Vendini, Inc. detected an unauthorized intrusion into its systems.” Excuse me? April 25? That’s nearly a month between the discovery of the hack and the arrival of that email, which means the bad guys had weeks to pillage my accounts, and hundreds of thousands, maybe millions, of people who have used the service. (Vendini also posted the message online.)
Why didn’t the company notify us? Says Vendini: “We are actively cooperating with federal law enforcement, and this notification to you was delayed specifically to support law enforcement’s investigation.”
Online Ticketer Vendini Hit by Hack, Warns Customers a Month Later
If this is true, it is an example of police action that prioritizes apprehension of the criminal over protection of the public. Had protection been the priority, the breach notification would have been instant, even if that made apprehension more difficult.
It’s a difficult one.
Well, actually, for me — no it is not. The absolutely prime, overriding, fundamental purpose of the police should be to protect the public. I would suggest that the loss of focus by the police — where success is now viewed as a league table of people locked up rather than the fulfillment of protecting and serving the public — is key to the increasingly macho and manipulative law enforcement agencies we now have.