International Collaboration for Darkweb-Related Investigations

In April 2023, the most recent meeting of the United Nations Office on Drugs and Crime took place on the potential Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes. This meeting focused on international cooperation to unite countries to address the constant increase in cybercrimes worldwide. However, as exposed in the press, it is arduous to obtain the unanimous agreement of the member countries on subjects as legally and culturally complex as personal data transfer, judicial extradition, joint police investigations, access to cross-border data and special investigations techniques.   

As we all know, the advent of crimes involving technology is causing serious harm to society. Criminals have mobilized communication technologies that ensure their anonymity on the Internet, such as the darkweb, to escape the legal system. Yes, many criminals escape the control of law enforcement because of the inability of the latter to identify them. It is partially caused by the lack of human and financial resources as well as the deficiency of the training offered to police officers. Faced with this serious problem, researchers have tried to identify solutions to improve the police response to cybercrimes.   

One proposed solution is to incite law enforcement agencies to collaborate internationally and not work in silos so they can join their intelligence and legal power.   

What is collaboration?   

Collaborating is easier said than done; making people work together requires motivation, skills, resources, time and many more components. Even if collaboration is often seen as a synonym for cooperation or mistaken with coordination when we speak, they have different scientific meanings. Some studies describe cooperation, coordination, and collaboration with the help of a continuum to better visualize and conceptualize these terms.   

In short, this continuum is characterized by the strength of the ties which refers to the interaction between two counterparts. Mandell initially created this continuum in 2001, and it has been refined by many other researchers since.   

In this conceptualization, cooperation is defined by sporadic links between actors. It is even characterized by a power relationship, i.e., one party requests or orders something and the other complies with the request.   

Coordination refers to more durable and stable links, for example, when security agencies have an employee, whose job is to connect with other agencies. The new National Cybercrime Coordination Center (NC3) is an example of an institution responsible for coordinating police investigations of cybercrime in Canada by establishing stable links between the many police forces.   

Collaboration is considered a high-level and high-intensity interaction born out of the desire to achieve common goals by working as a team. Multiple definitions are available for collaboration in the public sector, private security agencies or law enforcement. Notably, for collaboration to work successfully, the various parties implicated need to share similar goals. Common interests and goals lead to a fundamental trust from which collaboration can emerge.  

A broad, international dataset 

The data comes from interviews collected by the Darknet and Anonymous Research Center for a larger research project on the disruption of darkweb offenders’ activities funded by PMI Impact in 2020 and 2021. As part of this project, 14 police investigators and 6 sergeant investigators were interviewed. The participants come from five countries: Canada (45%), Sweden (5%), the United Kingdom (25%), the United States (10%) and Australia (15%). They were recruited using professional and personal contacts from the research team as well as through LinkedIn. The interviews took place remotely via Zoom and were transcribed anonymously12. To analyze the content, we used a thematic analysis framework to identify the main themes in the interviews through an iterative and inductive process that were coded in the QDA Miner Software tool.   

What motivates investigators to collaborate?  

Five main motivations for collaborating internationally within the framework of police investigations were identified.   

• Information sharing: Police agencies benefit from sharing information with their colleagues in the same country and internationally. This is critical for maximizing the impact of criminal intelligence collection, and, as such, this practice is encouraged in many organizations. From the participant’s perspective, exchanging information with colleagues is not a choice; they must do it to complete their investigations successfully. Although most participants perceived information sharing as accessible and effective, some countries appear less inclined to share information causing the response time to information-sharing requests to differ significantly depending on the country. Information sharing goes above and beyond criminal intelligence since police agencies also share technical information to support each other. This can compensate for the lack of training.  
• Investigation efficiency: Cybercrime investigations are long and complex, and collaborations can help speed up investigators’ discovery rate. Collaboration is also essential to decrease the number of investigations being led by different agencies on the same offenders and thus better use their resources.   
• Offenders’ identification: Simply put, law enforcement needs to identify offenders to arrest them. Collaboration becomes a crucial way of identifying suspects via the accumulation of evidence. In the specific case of cybercrimes involving the use of cryptocurrencies and mixing services, the identification of suspects becomes considerably more difficult due to the pseudo-anonymity of users.  
• Victims’ identification: Besides arresting offenders, investigators strongly desire to identify, support victims, and ensure the population’s safety. For sexual offences committed on darkweb forums, for example, identifying victims can stop the victimization. In some cases, they need to request physical assistance in another country to complete their mandate and remove the child or adult victims from being physically or sexually abused.
• Arrest/prosecution: Law enforcement has the desire to arrest, charge or prosecute suspects identified on the darkweb. This is often done by transferring a case, with all the information and intelligence compiled, to another police organization with legal power over that jurisdiction/localization. Collaboration becomes a method of securing legal action, physical arrests, or criminal sentences like fines against cybercriminals. Some countries that are more resistant to collaboration do not benefit from them, and, in turn, this leads to criminals fleeing the justice system.   

How do investigators collaborate at a local, regional, and international level?   

We’ve identified three types of collaboration that our participants experienced through their investigations on darkweb related cases. All these types were experienced at various levels of policing, meaning they are not restricted by a specific level of law enforcement agencies. However, some agencies might experience more difficulty or ease with collaboration because of their culture, structure, or available resources.   

• Formal: Formal collaboration involves an explicit, established, and rigid process of structured agreements for collaboration between various levels of police agencies. These formal collaborations also include official international collaboration agencies such as Europol (i.e., JCAT or EC3) or Interpol and/or by having official partnerships or agreements between agencies. Also, formal collaboration can be initiated from the need to accomplish a dual investigation through an MLAT agreement, for example.  
  
• Informal: Informal collaborations are created through the accumulation of contacts outside their agency and contacts exchanges within the organization and are used to share information, tools, or knowledge. Informal collaboration comes from the need to act fast and to escape some bureaucratic steps that come with formal collaboration. Although information shared informally can’t be taken into court, they are a valuable tool for investigation but have limited legal utility.     
• Private: Private collaborations concern those between law enforcement and private companies. These are especially useful and necessary to obtain legal and digital evidence that can be legally brought to court. This type of partnership can occur within local, regional, or multinational companies. In our sample, they essentially represented banks or large corporations. Although private-public collaborations are not always easy nor in the interest of private companies, participants’ experiences suggest that their success seems to vary on a case-by-case basis.   

Conclusion   

Our results primarily showed that not only do investigators need to collaborate to achieve their duty, but they also decide how to do so. Investigators may choose to undertake different types of collaboration depending on the motivations that initiated their interest in taking such actions. However, our results demonstrated no directional lines nor a causal relationship between a motivation and a type. Investigators make their decision based on their needs, resources, and abilities. For example, our participants described using private collaborations to identify suspects, informal collaborations to obtain knowledge about a new cryptomarket, and formal collaborations to transfer files to police agencies with the legal power to arrest a suspect in a remote jurisdiction. All these examples show that behind each type of collaboration mobilized is a motivation that pushed the investigator to take specific actions in a dynamic decision process. Our results expose that all three types of collaboration are necessary when dealing with crimes committed with anonymizing technologies. Thus, we propose an illustrated way to understand why and how collaboration occurs.    

Figure 2. Dynamic conceptualization of identified sub-themes 

In sum, here are three take away from this research:   

1. Collaboration empowers investigators: Through the different types of collaboration presented, investigators can gain control and power over the offenders, even if they are in another jurisdiction. Collaboration enables law enforcement to share intelligence and practical knowledge, be more efficient, identify suspects, help victims, and apply executive-legislative power on offenders.  
   
2. Conflictual goals and collaboration? In short, the divergence between the parties’ interests can cause the complete absence of collaboration. This has been exposed in our results by failed collaborations because countries had different political priorities or companies had divergent goals than the ones the police have. For example, the private sector is known to be profit-driven, while the police aim for public safety. This influences how both parties behave and how motivated or hesitant they are to work with each other. Our research thus showed the importance of having or finding common ground to achieve successful collaborations. 
   
3. Law enforcement and the private sector: should we aim for more collaboration?  The police seek private-sector collaboration to collect evidence and intelligence. Based on our findings, the interactions between the two parties can become collaborations, in the sense that private companies can also benefit from police support once they are under cyberattack. Participants generally expressed having to undertake legal procedures, with lawyers and judges’ permission to obtain cooperation from private companies.  Even if there is a reluctance to collaborate among some companies, our participants seemed optimistic about future relationships between the police and private companies. 

About the author:
Each year, Ecole Cyber awards different Cybertalent trophies to young people who have demonstrated their commitment and involvement in the field of cybersecurity. Marie-Pier Villeneuve-Dubuc (M.Sc.) is one of the award winners from 2021 and is currently a PhD student at Deakin University and Université de Montréal. She has worked on various research projects related to cybercrimes but is particularly interested in researching ways to improve international collaborations to increase the cyber-resilience of our societies. 

Dive Deeper: Want to explore further? Check out the author’s master’s thesis: Read the Thesis