There’s a gap between what people expect when they report cybercrime, and what police can deliver
Two thirds of victims of cybercrime were not satisfied with the outcome of their reported offence, according an evaluation of the Australian Cybercrime Online Reporting Network (ACORN) that has finally been made public.
There is also a relatively low public awareness of the service and little evidence to support increased reporting or reduced repeat victimisation.
The ACORN was set up in November 2014 and the evaluation by the Australian Institute of Criminology (AIC) was carried out two years later, but the report was not published when completed.
Given my own research, I was curious to know the findings, so I launched a Freedom of Information request. After a lengthy process, the report was released last month.
Up front, the report’s findings regarding the ACORN are not overly positive but it is important to see these in context.
What is the ACORN?
The ACORN is an online self-reporting mechanism for cybercrime offences in Australia. It is hosted by the Australian Criminal Intelligence Commission (ACIC) but works with all Australian police agencies.
The ACORN targets four main offence categories:
- online scams or fraud
- issues buying and selling online
- attacks on computer system or viruses
- cyber bullying, sexting, online harassment or stalking.
Importantly, the ACORN does not investigate any of the reports itself. It operates as a referral mechanism based on a series of rules such as the jurisdiction of the alleged offender or victim, or where the money has been sent.
The ACORN had received more than 65,000 reports from individuals when the AIC was asked to do its evaluation of the service.
The evaluation found a lack of satisfaction with the outcome of reporting via the ACORN. While there was support for the process itself, most victims were not satisfied with the outcome of their report.
This finding affirms my latest research that examined victim satisfaction with reporting fraud and the motivation behind reporting.
Many victims report to achieve an outcome, and see justice served through the criminal justice system. But we know that for cybercrime offences, this is not usually the case.
There are many legitimate reasons why police are not able to investigate cybercrime offences and achieve similar results to offline offences. The inherent lack of borders on the internet poses genuine challenges for police to identify, arrest and prosecute offenders.
This does not change the fact that victims are reporting cybercrimes with an expectation that police will be able to achieve this. The inability of police to deliver on these expectations creates large levels of victim dissatisfaction.
The evaluation says many senior police were correct in flagging this concern prior to the introduction of the ACORN.
In terms of investigations, available data found less than 1% of ACORN reports resulted in an investigation that successfully identified an offender, and less than 1% of further reports resulted in a successful prosecution. Of the victims surveyed, only three reported that they were notified their offender had been apprehended.
Clearly, arrest and prosecution is not a likely outcome.
The quality of information
Most police agencies have changed their policies to refer all cybercrime victims to the ACORN rather than allowing police to take a complaint in person.
Removing the interaction between a victim and a police officer arguably reduces the quality of the data. From my experience, victims provide details important to them, which may not be those relevant to police. The evaluation confirms this, saying many reports “contained insufficient information to justify further investigation”.
Many incidents reported through the ACORN were only attempts, as no money or details were lost on the part of the person reporting. These attempts are more appropriate to report through Scamwatch.
Many victims do not report the amount of money they actually lost, but rather the amount they believe they were entitled to. The evaluation also found that some victims exaggerated the amount of money lost in order to increase the chance that police would investigate.
Some victims reported the same incident multiple times in order to try and get a response from police.
In addition, 37% of survey respondents reported their incident to police via another means in addition to the ACORN. This included in person or over the phone. In this way, the ACORN is not always simplifying the process to report cybercrime, but may be duplicating it and causing further confusion.
While these points are understandable, it exacerbates the challenges faced by police in processing complaints in a timely manner.
The reporting of other offences
The finding of most concern is the reporting of offences that do not fit within the main categories of the ACORN. These include offences against children and those relating to family, domestic and sexual violence.
Police have rightly prioritised the need to screen these reports and take appropriate actions. But in doing this, their ability to focus on cybercrime incidents is diminished.
Clearly a self-report, online mechanism is not appropriate for these offences and work on how to overcome this is critical.
Lessons from this evaluation
It would be unfair to blame police for all of the negative findings in the evaluation report. Instead, it points to some of the bigger conversations and decisions needed to improve responses to cybercrime at a macro level.
The ACORN is reportedly undergoing improvements to the system based on the evaluation findings, but these are not yet publicly known.
The large disparity between the expectations of those reporting cybercrime compared to the reality of what police can deliver, needs immediate attention in terms of educating people about the limitations and constraints on what is realistic in their case.
The communication between police and those reporting also needs to be improved. From my research, victims overwhelmingly wish to be acknowledged on what has happened, and appreciate honesty in what can and cannot be done in their case. This stems any unrealistic expectations and alleviates the uncertainty of their case.
The evaluation brings sharply into focus the challenge of gaining justice for victims of cybercrimes. It is arguably clear the current criminal justice system is not the most appropriate vehicle for this. But this raises an ongoing question I personally struggle with, is there a viable alternative?