‘Oh we can’t actually do anything about that’: The problematic nature of jurisdiction for online fraud victims

Abstract

One of the most pressing challenges with policing online fraud relates to jurisdiction. Policing is traditionally based on territoriality, but the internet has changed this. Offenders in one country can target a victim in a second country, who is requested to send money to a third or fourth country.

This article examines online fraud victims’ reporting to police. Specifically, it demonstrates the misconceptions that exist regarding jurisdiction, namely the relationship between the Australian Federal Police and state/territory police. A clear disconnect emerges between understandings and expectations of who can investigate what relating to online fraud. The Australian Cybercrime Online Reporting Network’s establishment in 2014 is a positive step but this has not fixed the issue entirely.

Overall, the article argues that the jurisdictional challenges experienced by police are not understood by victims, and improvement is needed regarding awareness of victims and police alike, to reduce unnecessary, additional trauma to victims.

Keywords

Jurisdiction online fraud police transnational crime victims

Introduction

Historically, crime has been a ‘face-to-face’ event, where the victim and offender were in close proximity to each other (Brenner, 2006: 194). However, technology has opened up the avenues for communication on a global scale. A prime example of this relates to online fraud. Fraud itself is not new (Grabosky and Smith, 1998), however technology has changed the ways in which it is perpetrated (Yar, 2013). Traditional crime that was ‘once conducted face-to-face can now be carried out remotely from across the country or even across the world’ (Finklea, 2013: 5). This creates significant implications for policing, particularly as it relates to the ability to investigate, arrest and prosecute alleged offenders.

Online fraud victimization can be understood as:

an individual who has responded through the use of the internet to a dishonest invitation, request, notification or offer by providing personal information or money which has led to the suffering of a financial or non-financial loss of some kind. (Cross et al., 2014: 1)

There are many types of online fraud, which can include a variety of ‘plotlines’ (Cross and Kelly, 2016). For the current article, advance fee fraud (AFF) and romance fraud are the most relevant, based on the victimization experiences of those involved in the study (see further details in the methodology section).

AFF occurs when a person is promised a larger sum of money in return for sending smaller amounts (Ross and Smith, 2011). Popular guises for AFF include lottery, investment opportunities and inheritance schemes. Victims will be asked to send money (often in escalating amounts) over a period of time, to ensure the release of their promised funds (such as winnings, investment or inheritance). These types of frauds can operate for a short period of time, but can also endure over a prolonged period (in some cases, several years). While AFF is generally perceived to be simplistic and easily identifiable, it is becoming increasingly sophisticated and complex (Cross and Kelly, 2016).

Romance fraud occurs through what the victim perceives to be a genuine relationship (Rege, 2009). Offenders will use dating sites (or other social media platforms) to initiate a relationship (romantic or otherwise). At some point, the victim will be asked to send money (as a result of illness, criminal justice matters or travel costs to visit by the offender). In some cases, offenders will use blackmail and extortion in order to maintain their control over victims and ensure money is sent (Cross et al., 2016). Romance fraud is built around the heightened levels of trust and rapport developed between the victim and the offender and uses the guise of love, romance and a legitimate relationship to convince victims to send large amounts of money. Romance fraud can have devastating consequences on victims, who are argued to suffer a ‘double hit’, whereby they not only lose money, but must also grieve the loss of what they perceived to be a genuine relationship (Whitty and Buchanan, 2012).

It is difficult to establish an accurate understanding of incidence and cost of victimization. The Australian Competition and Consumer Commission (ACCC, 2018, 2017 respectively) reported that Australians lost over AUD$340 million to fraud in 2017, which is up from AUD$299 million in 2016. In 2017, AUD$64 million was lost to investment fraud and AUD$42 million was lost to romance fraud. The extent of fraud is also evident in other countries. Notably in England and Wales, the Office for National Statistics (ONS) included the offence categories of fraud and cybercrime for the first time in 2016. This almost doubled the crime statistics from 6.3 million traditional offences recorded with an additional 5.8 million fraud and cybercrime offences (ONS, 2016). However, given that research indicates that fraud has one of the lowest reporting rates across all crime types (Button et al., 2014; Copes et al., 2001; Van Wyk and Mason, 2001), the above are likely to be representative of only a minority of actual losses.

Levi (2017) provides a useful overview of several countries and how each has attempted to record levels of fraud victimization (both online and offline). There are distinct shortcomings highlighted in the ways that fraud is measured and understood, however this should not be seen as a result of the internet, but as a continued consequence of a low priority afforded to fraud regardless of the medium involved (Levi, 2017). Worldwide, it is acknowledged that fraud is not the priority of police (Button et al., 2012), and Australia is not exempt from this. It is arguable that while there is a strong focus on other cyber-enabled crimes (such as child exploitation materials) this is not evident for online fraud offences. This is further reinforced by Button (2012: 286) who notes that ‘cross-border fraud has received little attention in terms of estimating the size of the problem’. Australia is also not exempt from this lack of focus on cross-border fraud (within states and territories).

Within Australia, the policing of online fraud (and cybercrime more broadly) is characterized by negativity and dissatisfaction from victims (Cross et al., 2016). In terms of jurisdiction in Australia, each state and territory has a police agency that is founded upon geographical borders and is therefore responsible for crimes which occur within their physical boundaries (the only exception is the Australian Capital Territory, where members of the Australian Federal Police (AFP) provide local policing services). These police agencies are given power and authority through state/territory-based legislation. Further, the AFP is empowered under Commonwealth legislation to investigate a much more restricted scope of offences: ‘[w]e investigate crimes against the Commonwealth and the national interest. Of primary importance is the fight against terrorism and transnational crime, illicit drug trafficking, serious fraud, people smuggling, major and organised crime and money laundering’ (AFP, nd). While the AFP has a dedicated commitment to cybercrime and fraud offences, this generally does not encompass individual victimization. Rather the AFP targets higher level, organized crime schemes directed at government agencies and public servants. On the AFP website, under ‘fraud’, it states the following:

Under the Commonwealth Fraud Control Guidelines, the AFP has primary law enforcement responsibility for investigating serious or complex fraud against the Commonwealth.

White-collar criminal activity frequently involves breaches of State and Commonwealth criminal and regulatory legislation.

AFP investigations of crime against the Commonwealth can contribute to the reduction or cessation of activities beyond those targeted by a particular investigation resulting in increased compliance with Commonwealth legislation and enhanced revenue and expenditure outcomes for the Commonwealth. (AFP, nd)

To further illustrate this, under ‘cybercrime’ on their website (specifically ‘online fraud and scams’), it states the following:

Online fraud is the jurisdiction of the state or territory police if the victim is not a Commonwealth Government department or a Commonwealth Authority.

The Australian Federal Police investigates frauds committed against a Commonwealth Government department or a Commonwealth Authority.

In general, state or territory police jurisdiction exists:

in the state or territory where the offender has committed the crime, and

in the state or territory where the victim has been defrauded – this includes situations where the offender is located overseas. (AFP, nd)

The focus of the AFP on fraud and cybercrime matters which only affect the Common-wealth government is an important point in the context of this article. As previously stated, there are challenges surrounding the policing of online fraud. The negative experiences associated with the reporting of online fraud to agencies across the ‘fraud justice network’ (being the multitude of agencies that victims can report incidents of fraud to, such as police, banks, consumer protection agencies to name a few) (Button et al., 2012) have also been clearly demonstrated (Cross et al., 2016). The problem of jurisdiction is closely associated with both of these points.

To date, no existing research has sought to examine specifically how the concept of jurisdiction has contributed to these negative experiences on the part of online fraud victims and how misconceptions around jurisdiction are driving these adverse and harmful outcomes. Further, there has been no research which has examined jurisdiction from the perspective of victims themselves, rather existing research predominantly targets police and other agencies.

This article addresses this gap in the knowledge, using victim narratives to demonstrate inaccurate understandings of how jurisdiction works in relation to online fraud. It also attempts to deconstruct how these misconceptions appear to be perpetuated by victims, police and other agencies alike. Specifically, this article will examine the problems associated with jurisdiction in Australia and the relationship among AFP, state/territory police, other organizations in the Australian fraud justice network and international policing agencies. It seeks to answer the questions of how the role of the AFP is understood with regards to the investigation of online fraud offences, and how this understanding influences victim expectations and experiences of reporting online fraud.

In order to achieve this, the article will first discuss the concept of jurisdiction and highlight the problems associated with applying it to cybercrime (such as online fraud). Second, the article will use victim narratives to outline the key misunderstandings of jurisdiction evident in the current research. Third, the article will discuss how the establishment of the Australian Cybercrime Online Reporting Network (ACORN) as the central reporting agency for cybercrime (and online fraud) in Australia assists to overcome some of the barriers faced by victims, but does not solve the problem in and of itself. Finally, the article concludes with a need to better improve understandings of jurisdiction and how it operates in Australia, across both victims and police, to try and align expectations with reality and reduce some of the additional trauma suffered by victims through a lack of accurate knowledge. However, it is to an overview of jurisdiction and the problematic nature of understanding this in the online world that the article now turns.

The Problem of Jurisdiction and Cybercrime

Jurisdiction can be defined as ‘a government’s general power to exercise authority over persons and things. This general power encompasses three distinct concepts: jurisdiction to prescribe, jurisdiction to adjudicate and jurisdiction to enforce’ (Brenner, 2006: 190). Further to this ‘jurisdiction is an aspect of a State’s sovereignty and is confined geographically’ (Bigos, 2005: 586). The concept of jurisdiction is integral to both criminal and civil cases, in that it determines if the criminal justice system (through representatives of the courts or police for example) have the ability to exercise their power and authority in a particular situation (see Clough, 2015). The concept of jurisdiction is particularly challenging and problematic when applied to the cybercrime (in this case, online fraud) as the following paragraphs will demonstrate.

As noted earlier, traditionally crimes have been committed by offenders against victims in close proximity. In these scenarios, the offender and the victim are in the same physical and geographical location, and it is easy to identify which police agency has the authority to investigate the matter and prosecute. This is commonly referred to as the principle of territoriality. As Hodgson (2008: 320) notes, ‘courts at the turn of the twentieth century strongly advocated the territoriality principle to strictly limit the assumption of criminal jurisdiction to crimes which occurred entirely within the jurisdiction’. While Hodgson is specifically referring to British courts with this statement, it is arguably relevant for other countries.

The territoriality principle can be seen as a way of enforcing the sovereignty of a nation and exerting control over those within its borders:

The exercise of […] jurisdiction has historically been based primarily on the notion of territory […] a sovereign can therefore prescribe what behaviours are acceptable within its territory, adjudicate claims that persons in its territory violated these prescriptions and punish them for their non-compliance […] it followed from this that no sovereign could apply its criminal laws to conduct that took place in the territory of another sovereign. (Brenner, 2006: 191)

Traditionally, the territoriality principle can be seen to have functioned effectively to determine the relevant jurisdiction for criminal and/or civil offences. In this way, territoriality has been understood as ‘the cornerstone of all thinking on jurisdictional claims’ (Svantesson, 2016: 8). However, the evolution of the internet poses significant challenges to the concept of territoriality, through its transnational nature and influence of globalization (Schultz, 2008: 799). This is apparent in relation to cybercrime.

The internet ‘functions independently of state borders, which results in the existence of jurisdictional struggles’ (Kulesza, 2012: 353). With the internet, the victim and offender may not be in the same place. As expressed by Speer (2000: 260):

the location of the offenders in relation to the scene of the crime is the characteristic of cybercrime that differentiates itself most from others […] the criminal usually is not present at the [cyber] crime scene thus making apprehension difficult.

The principle of territoriality is complex when faced with the intricacy of transnational crimes or those which may incorporate a number of different jurisdictions. Factors which may be taken into consideration when seeking to determine or prioritize jurisdictional claims include: place of commission of the crime; custody of the perpetrator; harm; nationality (victim and offender); strength of the case against the perpetrator; punishment (Brenner, 2006: 194–206). Consideration may also be afforded to the country where a relevant website is located, where the internet service provider is located or where the server is located (Suri and Chhabra in Fletcher, 2007: 198).

The challenges specifically for police resulting from the ambiguity surrounding jurisdiction are immense. This predominantly revolves around their (in)ability to investigate, arrest and prosecute potential offenders, when they cannot claim authority or legitimate jurisdiction to enable such actions. ‘While criminals may operate across jurisdictional boundaries, law enforcement cannot’ (Finklea, 2013: 10) and the same can be said for data in that it ‘no longer respects international boundaries’ either (Daskal, 2016: 3). There are several scholars who have identified how the globalized nature of offending requires police approaches that are outside the scope of their ‘traditional, reactive law enforcement response’ (Levi et al., 2017: 92). Further to this, the globalized and transnational nature of crime means that policing is no longer a static function, but one which is increasingly characterized by ‘diversification and uncertainty’ (Ransley and Mazerolle, 2009: 367). In this way, ‘prior models of policing could focus on relatively known and stable categories of offences and offenders, and on traditional, reactive responses to them […] Existing models of policing generally do not have these attributes’ (Ransley and Mazerolle, 2009: 367).

One of the contributing factors to this is the centrality of territory as it applies to policing:

Historically the nature of policing in society has been intricately tied to spatial arrangements […] These physical territories are defined in a multitude of ways, including the separation between public and private domains, police jurisdictions, the creation of specific service zones within jurisdictions and so on. (Huey, 2002: 244)

Hence, police culture and understandings of police work have been founded upon geographical boundaries and physical territory. This is evident in many policing models, such as hot-spot policing, community policing, Neighbourhood Watch initiatives and, most notably, street or beat policing. It is difficult to apply these conceptual understandings of policing physical domains into a virtual space (Huey, 2002: 243). The understanding of borders and territory differs between online and offline worlds:

The relatively clear boundaries and turf lines within the physical world are not replicated in the virtual realm […] Within cyberspace, however the notion of a border is much more nebulous […] because the same geographic borders that exist in the real world do not exist in the cyber world. (Finklea, 2013: 4–5)

The challenge around transferring existing police approaches to the online world is also evident through understandings of what constitutes a threat to security, as ‘the institutionalised focus of security and law enforcement agencies on tracking the physical location and sources of security threats is a major impediment towards successfully combating cybercrime’ (Speer, 2000: 259). As noted by Broadhurst (2006: 408) ‘the cross-national nature of most computer related crimes have rendered many time-honoured methods of policing both the domestically and in cross-border situations ineffective even in advanced nations’.

Even in instances where territoriality is established and jurisdiction is identifiable, there are still a number of barriers which may preclude a satisfactory outcome. There are processes in place to facilitate cooperation between police across different countries, usually through what is termed a ‘Mutual Legal Assistance Treaty’ (MLAT). This is an agreement between countries which allows for police to share intelligence and work with each other on a particular case. However, ‘even when dealing with cooperative jurisdictions, slow and cumbersome mutual legal assistance treaty processes can significantly hamper investigations and the disproportionate effort involved in even modest cases is a constraint in times of austerity’ (Jeffray, 2015: 4). A lack of familiarity or consistency with legal requirements across relevant countries, coupled with the time taken to process and execute the request, means that these are not always effective (Menon and Siew, 2012: 246). Stemming from this, the potential for extradition of an alleged offender from one country to another, even with cooperation, means that ‘dual criminality’ must be in place, ‘that is the offence must be an offence under the laws of both jurisdictions, usually subject to a minimum level of penalty, commonly a maximum penalty of at least twelve months imprisonment’ (Clough, 2015: 487). Given the inconsistency and lack of common understandings and legal provisions across different jurisdictions concerning cybercrime, this can be a significant barrier.

It is important to also realize that the problems with jurisdiction are not restricted to inter-country investigations. Rather they are also evident within countries, based on local borders (such as state, province and territory borders). This exists within Australia (as will be noted later in the analysis) but also occurs in countries such as the UK, Canada and the USA. While not requiring MLATs for these intra-country requests, there are still challenges for police in obtaining assistance from their fellow police agencies.

Lastly, there are challenges regarding the resources required to commence some of these collaborative investigations, and there are sometimes issues with the level of skills and training of police required to undertake particular tasks (Jeffray, 2015: 5). Despite jurisdictional issues in and of themselves not being a problem in these scenarios, there are still other barriers which are evident and impede police.

The policing of online fraud (and other financial and economic crimes) is not immune from these difficulties experienced by cybercrime more broadly. There are several barriers which have been identified in the ability of police to target these specific crimes, which mirror many of those previously cited. These include the multiple jurisdictions likely to be involved; the lack of effective co-operation with multiple law enforcement bodies; the legal challenges of jurisdiction and who should prosecute; securing the interest of law enforcement who may not have any victims in their own jurisdiction (and little interest in fraud overall); and the values of different law enforcement bodies (Button, 2012: 290). While these challenges are not insurmountable, they do make it difficult for police to respond to online fraud offences in a timely manner, and in the way that often the public expects. As a result,

Threats posed by cybercrime frequently elude more traditional approaches to policing […] police struggle to meet an expectation of protection from the public, due not just to resources and skills but to a perceived lack of actionable intelligence on emerging cyber threats. (Levi et al., 2017: 90)

Ultimately, this leads to a questioning of the importance and continued relevance of territoriality as a central and preferred means of deciding relevant jurisdiction for cybercrime offences (including online fraud). There is a clear observation that ‘strict territoriality is ill-equipped for today’s modern society, which is characterised by constant, fluid and substantial cross-border interaction’ (Svantesson, 2016: 8).

Notwithstanding, there is one example where law enforcement has been able to set up a model to overcome some of these jurisdiction and territoriality problems: Europol and the establishment of its Joint Cybercrime Action Taskforce (J-CAT). Launched in 2014 as a result of many of the frustrations previously detailed on the ability of law enforcement to investigate and prosecute crimes in a virtual environment, the J-CAT comprises a number of member states from the EU, as well as the USA, Canada, Australia and Colombia. The physical location of representatives from each participating country, in the same office hosted by Europol, enables the team to work together in a manner that enables successful investigations and prosecutions to take place. As noted by Reitano et al. (2015: 144) ‘somewhat ironically, in designing J-CAT it was recognised that a single physical space was needed to be created to combat cybercrime, a virtual crime’. The J-CAT provides a strong example of how agencies have worked together and found a collaborative model that seeks to overcome issues facing police globally in their targeting of cybercrime (including online fraud).

However, the J-CAT stands somewhat alone when it comes to global best practice. Overall, it is clear that existing understandings of territoriality are problematic when applied to crimes which occur in an online environment. There are challenges in the ways that territoriality is conceived as relying heavily on physical borders and geographical locations, which do not translate well into a virtual environment. This has implications for police, in that they struggle to assert their powers to investigate an offence, and there are many factors which may be taken into consideration to determine if police (or the wider criminal justice system) have legitimate authority. Even if this is established, there are genuine reasons why these may still not be enacted. For this reason, there is a need to ‘recognise that the territoriality principle, and the associated but partially clashing concept of territorial sovereignty, no longer serve as useful starting points for the analysis of jurisdictional claims’ (Svantesson, 2015: 70).

It is unsurprising that given the complexity and uncertainly experienced by police and other actors in the criminal justice system, victims of cybercrime also experience challenges and negativity surrounding their attempts to initiate a police response. The following sections of this article examine the experiences specific to online fraud victims, and how the aforementioned challenges surrounding jurisdiction impact on their ability to report online fraud across the fraud justice network in Australia. However, before engaging in this analysis, the article turns to the methodology of the project as a whole.

Methodology

The current article examines one aspect of a larger research project which examined the reporting experiences and support needs of a group of Australian online fraud victims (Cross et al., 2016). A qualitative research approach was used, which employed semi-structured interviews with 80 online fraud victims across Australia who had reported a loss of at least AUD$10,000 (for comprehensive details on the recruitment, eligibility criteria and data collection for this study, see Cross et al., 2016). Invitations to participate in this project were sent by the Australian Competition and Consumer Commission (ACCC) (Australia’s federal consumer protection agency) to all eligible victims across Sydney, Melbourne, Brisbane, Perth and Adelaide (Australia’s five most populated cities).

All interviews were conducted together by the first two authors of the original study (Cross and Richards). In most cases these took place in person, with the researchers travelling to each city. A small number were interviewed via telephone for personal or practical reasons. With the permission of interviewees, interviews were digitally recorded.

Data analysis

Interviews were transcribed verbatim and imported into NVIVO for coding. Coding was undertaken by both researchers (Cross and Richards), and involved open and axial coding. The researchers developed a framework for axial coding during and following the fieldwork phase of the research, but also coded the interview transcripts for themes that emerged during the coding phase. For the current article, one code relating to the negative experiences of reporting fraud by victims was used, or that describing the ‘merry-go-round’ effect, where victims were passed from one agency to another. This category was agreed upon by the researchers prior to the coding of the data the first time. Excerpts within this original category were further coded by the author for aspects relevant to the current article focused on jurisdiction.

In addition, all of the original interview transcripts were recoded by the author against each instance of the phrases ‘Federal Police’ and ‘AFP’ (being the common terms that victims used to describe the AFP). This was undertaken through using the search function in NVivo. Each instance of these phrases was coded to highlight how victims understood the role of the AFP, their expectations of the AFP and their experiences of contacting the AFP. The results of both coding approaches are used to answer the question of how victims understood the role of the AFP in investigating online fraud, as well as how this influenced their expectations and experiences of reporting online fraud.

An overview of the participants

The 80 participants in the full study ranged in age from 30 to 77 years, with a mean age of 56. Forty-six (58%) were male and thirty-four (42%) were female. Participants identified as being from a wide range of countries of birth, predominantly Australia (68%), the UK (11%) and New Zealand (5%). Participants were victims of a variety of online fraud, however approximately one-third were romance fraud, one-third were investment fraud (a specific type of AFF as detailed above) and the remaining third were other types of schemes (hence why both romance fraud and investment fraud were detailed in the introduction as being relevant to the victimization experiences of those in the current study). However, in many cases, the classification of fraud type was not straightforward and encompassed a variety of approaches (as highlighted in Cross and Kelly, 2016).

The remainder of this article uses these victim narratives to illustrate how they understood the concept of jurisdiction in relation to their victimization, particularly as it relates to their (in)ability to report their incident to police in Australia (across both state/territory and the AFP).

Victim Narratives on Cybercrime Jurisdiction

Earlier in the article, the complexities of applying jurisdiction to online offences were highlighted from the literature. The following section builds from this and examines how victims understood jurisdiction to apply to their individual case of online fraud victimization, and how they sought to gain assistance from police (across both state/territory and federal levels). In total, there were 26 interviews where victims specifically mentioned the AFP or Federal Police. It is these interviews that the following analysis draws upon.

The following section demonstrates four points: first, the myth that an international offence is the responsibility of the AFP; second, the issues involved with multiple jurisdictions across both national and international borders; third, the practical issues surrounding multiple jurisdictions for victims; and fourth, the relationship between Australian and international law enforcement agencies. In combination, the issues arising from jurisdiction regarding these four points will be demonstrated to have contributed to an overwhelmingly negative experience in the reporting process. In many cases, this unnecessarily caused additional harm or exacerbated existing trauma to online fraud victims.

Myth: International crime is the responsibility of the AFP

The first issue to emerge relates to the assumption that if the crime has an international element then this is automatically the jurisdiction of the AFP. This was evident in the following comments:

I rang the Federal Police on the basis that I thought it was a federal matter [based on internet searches]. (interview 4)

Well Federal Police are supposed to do things like that. Aren’t they? If it’s an international matter the Federal Police are supposed to be the ones that act rather than the state police. (interview 36)

I rang my friend and he just said straight away, ‘Look, it’s fraud. Don’t contact them [offender/s]. Ring the AFP.’ (interview 61)

These quotes illustrate the assumption that because the fraud they were involved in had an international element (in all of these cases, the victim had sent money overseas), the AFP should be the appropriate agency to take their complaint. As demonstrated in the introduction to this article, the AFP has a restricted ambit and does not respond to individual online fraud victimization. Therefore, in all of these cases, when victims attempted to report to the AFP and were unsuccessful, this caused additional distress as they could not understand why the AFP would not initiate an investigation.

However, what is also concerning was that this assumption appeared to also be held by state/territory police. There were several instances where victims detailed how their local police had advised them to make a complaint to the AFP, based on the fact it was a transnational offence:

So I went to the police, local police station. The guy there said that he did not think anything could be done but maybe the Australian police could do something – the Federal Police. So he got in touch with someone he knew through there and he came back to me and said no sorry they can’t do anything either. (interview 42)

She [local police officer] said ‘oh we can’t actually do anything about that, you need to contact the Federal Police about that’. (interview 49)

I rang a police officer and spoke to them on the phone, and [they] said because it’s an international situation, the only police department in Australia that you could report to would be the Federal Police. They did not want to take it any further. The state did not want to take it any further. (interview 60)

Each of these occasions saw victims attempt to report their victimization to local state/territory police, however they were directed to the AFP based on the fact it was an international matter. Given the inaccuracy of these referrals, it is not surprising that victims who attempted to follow this advice were met with a negative response from the AFP and in many cases sent back to state/territory police. It is unknown as to the reasoning behind these decisions by state/territory police, as to whether they are based on a genuine misunderstanding of jurisdiction and how it applies to online fraud offences, or whether they were simply trying to avoid taking responsibility for jurisdiction of the offence and take a complaint from victims.

Jurisdiction is not just an international issue

The above shows how the transnational nature of most online fraud offences works against victims being able to report their incident to state/territory police. However, the challenges surrounding jurisdiction were not only evident with regards to international crimes. For many victims, in addition to having an overseas element, there were also several Australian jurisdictions that were relevant to their case. In these instances, victims again struggled to find a police agency who would accept their complaint based on the concept of jurisdiction:

I went to the [first state/territory] police. They said ring the [second state/territory] police. I ring the [second state/territory] police, they say the people you were dealing with were in [third state/territory]. I ring the [third state/territory] police, they say, ‘No, no. Their office is there, but they come from [second state/territory].’ Everyone’s just pushed it around. Not one of them has wanted to know about it. (interview 63)

In my case it has made it a little more complicated that it was a [first state/territory] account – maybe the [first state/territory] police would have looked into it. They seemed keen to shove it onto [second state/territory], and they are done with it, and gets put at the bottom of a pile somewhere there. (interview 17)

The aforementioned issues of identifying relevant jurisdiction are highlighted in the following excerpt of a couple who were victims of investment fraud and were trying to ascertain which police agency they should contact.

Participant 2:

As soon as they go across state borders, it was ‘No, no, no. They’re over in [first state/territory] …’

Participant 1:

Well, we don’t actually know where they are.

Participant 2:

The package [letter] came from [first state/territory]. The registered office is in [second state territory].

Participant 1:

The director lives in [first state/territory].

Participant 2:

The director was in [third state/territory] and we’re in [fourth state/territory].

Participant 1:

We don’t even know who they are or where they are. (interview 59)

The inability of victims to find an agency who would listen to them and acknowledge their complaint led to increasing levels of anger and frustration for many.

Practicalities surrounding the problem of jurisdiction

Further to this, there appear to be logistical issues involved in making complaints across different jurisdictions. For a small number of victims, phone calls to police agencies (in Australia and overseas) were met with favourable outcomes. However, the victim was required to report to the police station in person and this therefore had practical challenges for victims in terms of not being able to travel interstate or internationally:

I flew to [Australian state capital city] to give this guy money and I had to then report it to the [corresponding state/territory] police. (interview 23)

It was basically, ‘that is [another state/territory] you have got to go back there’. [I said] You know, I can’t that is why I am seeing you. You know, it’s [another state/territory], I can’t just jump in a car and toddle off. I can’t do that, that is why I am seeing you. And it was ‘sorry mate you have got to contact them. See you later.’ It was short, sharp and direct. (interview 33)

I actually phoned the [Asian] police and reported it to them. They phoned me back and I spoke to a detective. He said, ‘Look, I’m sorry, but internationally we can’t take a report over the phone.’ He said, ‘You’ll have to come here to actually lodge the report.’ I thought, ‘I’m not going to [Asian country] and chasing one of their residents there who had my money and fraudulently tried to take it from me.’ (interview 60)

Overall, it is evident that the complexities around identifying which organization has the relevant jurisdiction to take a complaint, and physically being able to lodge this complaint are challenging tasks for many online fraud victims. This is further highlighted in the following section on mutual legal assistance.

The relationship between Australian and international law enforcement

One instance in the current sample involved an online fraud victim who had sent money overseas, and was able to contact overseas law enforcement officers, who expressed the willingness to take a complaint and initiate an investigation. In this circumstance, the overseas law enforcement officer told the victim that they could only look into the matter if they received a referral from the relevant Australian police agency. When the victim was unable to get their local state/territory police to take their complaint in order to be forwarded to the overseas agency, they were understandably upset:

So I rang the [overseas law enforcement agency], they have an office here in the [state/territory], they said ‘yep look it falls under internet fraud of course we will look into it, we will investigate but we need to be treated by the Federal Police’. And they [AFP] would not do anything about it. Even though the guys, in the [overseas country] they were happy to look into it, yet the Aussies, they did absolutely nothing about it. (interview 18)

There was one other interview where the victim was unable to get a local police officer to take her complaint seriously; however, she was able to report it to authorities overseas, who appeared to take action on her behalf:

And I said ‘look I’m so and so, I’m calling from Australia.’ Without one second’s heartbeat, he [police officer] gave me a number straight away. He said ‘I’m so sorry to hear this, this is a huge problem in [overseas city].’ He gave me a case number then and there, email, calls, the works. I said ‘look, I’m so thankful to you’… I’m thinking, why didn’t Australia do the same? (interview 40)

This last example was one of the very few cases where some sort of positive action was initiated. Both of these examples highlight the difficulties associated with the involvement of multiple jurisdictions, particularly when they are overseas based. The official processes required of police to formally initiate cooperation and collaborative investigations are cumbersome and not necessarily appropriate for the speed at which online fraud offending is occurring. Whether or not police can (or should) be circumventing these procedures in favour of more informal and timely responses is a matter beyond the scope of this article. Regardless, there is an impact on the individual victim arising from the cumbersome nature of the systemic issues identified.

The Implications of Jurisdictional Issues on Victims of Online Fraud

The victim narratives presented in the above section highlight the difficulties encountered by some online fraud victims in Australia. It is clear that the complexities and problems detailed in the academic literature strongly resonate with victims at a practical level. This was particularly the case for how the concept of ‘territoriality’ played out across many victim experiences. Given that the internet does not have the same physical borders evident in terrestrial crimes (Finklea, 2013: 4), there is no consistent understanding of how to apply this to an online offence. For example, as stated victims in one jurisdiction were often sent to other jurisdictions (both domestically and overseas), on the basis of where the money went; where the offender was believed to have resided; or where a business or organization was registered. Each of these (including the location of the victim) fit within the scope of factors that can be considered to determine who has relevant jurisdiction (Brenner, 2006: 194–206). However, it was the inconsistency and vagueness that continued to frustrate victims in their attempt to lodge a complaint.

It was also clear that there is a lack of appropriate training within police agencies within Australia. Jeffray (2015) notes the difficulties that arise with police having the level of skills to undertake relevant tasks, and this was apparent in the current research. This was further evident in a lack of knowledge on an accurate understanding of the role of the AFP with regards to individual fraud victimization, and a lack of willingness on the part of state police to accept a complaint from a victim. This may also reflect the influence of police culture, which has historically been founded upon geographical boundaries (Huey, 2002: 244). There is a difficulty for police to conceptually translate this to online offences and this was evident in much of the confusion that surrounded which was the appropriate jurisdiction to report to. The continued passing and referral of victims from one agency to another (often as a result of inaccurate advice) is understandably also a source of frustration and anger for victims.

For many, their experiences in seeking to report their fraud incurred additional trauma or exacerbated existing harm they had suffered (Cross, 2018; Cross et al., 2016). The complexity of how territoriality manifested itself with regards to each victim seeking to lodge a complaint regarding their fraud victimization was almost entirely negative. It demonstrates how the challenges posed by crimes in a virtual environment have a real and substantial impact on victims and their ability to seek redress. Some of this was unnecessary and should have been avoided (such as the inaccurate advice to go to the AFP in several instances).

It is worth noting, however, that there were two victims who did know the limits of the AFP based on searches of their website and understood that their ambit did not involve individual fraud victimization. This was evident in the following:

On the [AFP] police site it seems to say that if I was a federal or state employee for the government, they would follow it through. (interview 49)

The Federal Police only get involved as government partners in scams, not individuals. I went to the [AFP web] site and, basically, they’re not interested. (interview 59)

The above quotes demonstrate that it is possible to create an accurate awareness of the limitations of the AFP in terms of what categories of crimes they investigate and against what type of victim. While this does not overcome the complexities associated with territoriality and how it was relevant to their case, it does highlight how accurate and realistic expectations of how police can respond to fraud can reduce the likelihood of additional trauma being suffered through the reporting process.

In terms of improving the situation for online fraud victims in Australia, there has been a significant development since the individuals involved in the current study sought to report their online fraud victimization. In November 2014, the Australian Cybercrime Online Reporting Network (ACORN) was established as the central reporting mechanism for cybercrime in Australia. ACORN is a self-report web tool that allows victims across the country to report their incidents. In this way, the establishment of ACORN removes the requirement for police at a state and territory level to determine the appropriate jurisdiction for the crime. There are other international examples such as ActionFraud (UK), the Canadian Anti-Fraud Centre (Canada) and the IC3 (USA), where a central reporting model has been implemented. The establishment of a central reporting tool means that victims should not find themselves being passed between the state/territory and Federal Police anymore. Instead there are a number of predetermined business rules that determine which jurisdiction an ACORN complaint is directed to.

Further, most police agencies now have policies in place where they will not accept an online fraud complaint at the local police station, and will refer individuals to the ACORN website. While this raises other issues, which are beyond the scope of this article, in terms of victims attempting to navigate the system to identify the appropriate law enforcement agency with relevant jurisdictional authority, this is a step forward. It removes the uncertainty of who to report to, and also removes the inability of victims to lodge a complaint (given it is a self-report, online tool). This can overcome some of the frustration experienced by victims in the current study.

However, while the establishment of ACORN seeks to streamline the reporting process for online fraud from a victim perspective, it does little to rectify the jurisdictional issues that still exist from a police perspective. Currently there is no public information available as to how each ACORN complaint is processed and the business rules involved in determining which police agency receives the complaint. There are also different processes in place to determine how each state and territory police agency responds to any complaints. A Freedom of Information request submitted by the Australian Broadcasting Corporation (ABC) for this information was denied through an exemption based on ‘operational matters’ (McGrath, 2016). While there are genuine challenges and difficulties in investigating online fraud cases (incorporating both jurisdictional and non-jurisdictional issues such as lack of resources and knowledge of police officers), a lack of accountability and transparency continues to have a negative effect on victims of online fraud who report through this new system (McGrath, 2016; Wordsworth, 2017). While it is unreasonable to expect police to investigate each online fraud offence (given the high volume of offences which are perpetrated on a daily basis across the country), providing greater detail about how each complaint is processed may assist online fraud victims to gain an accurate understanding of their case and realistically what (if anything) can be done. Ironically, the establishment of ACORN may have actually enhanced citizen expectations around what can be done to investigate online fraud, while in reality, the actual capacity for police to do this has remained unchanged.

Conclusion

This article has examined the concept of jurisdiction and how it applies to online fraud. In particular, it used the narratives of online fraud victims to demonstrate how these individuals understand jurisdiction as relevant to their case, and how this impacted their reporting experience. It sought to answer the questions of how jurisdiction is understood within the context of online fraud and how this influences the expectations and experiences of victims in reporting online fraud. The overall negativity of reporting online fraud is well established (Button et al., 2009; Cross et al., 2016), and this article has highlighted how jurisdictional matters contribute to the additional trauma suffered by victims as well as exacerbating existing harm they have incurred. In many cases, victims are traumatized first by their offender, and second by the system itself in their attempts to seek some kind of response by police or other agencies across the ‘fraud justice network’ (Button et al., 2012).

It is evident that the current approach to jurisdiction for cybercrime in Australia (and globally) is problematic and dysfunctional. This impacts on a variety of stakeholder groups, including the police, the courts and as this article has visibly demonstrated, the victims themselves. The results presented in this article highlight the need for immediate change to address some of the issues as identified here. While the establishment of ACORN in Australia is a positive step to overcome some of the jurisdictional issues encountered by online fraud victims, it is not a complete solution. There is a clear need to better educate the public and the police about the responsibilities of police agencies in Australia. This includes the restricted scope of the AFP in the types of offences that they have authority to investigate. Further to this, it would be beneficial to provide greater transparency to victims who report to ACORN about how their matter is handled within the system and which police jurisdiction (if any) it is referred to.

It is imperative that some of the issues stemming from the complexity of jurisdictional claims for cybercrime offences (including that of online fraud) are given the priority and attention they deserve. The challenges associated with jurisdiction as it applies to online fraud are redundant to the victim who expects some form of response and action to be taken as a result of their complaint. There is a need to collaboratively improve the response to online fraud victims and work towards a better way of overcoming jurisdictional barriers. At present, the only group benefitting from the current approach to jurisdictional matters relating to online fraud is the criminals.

Footnotes

Acknowledgements

The author wishes to acknowledge Dr Kelly Richards and Dr Russell Smith who were part of the research team who undertook the original project. Some parts of this article are taken from the original research report that this article is based upon (methodology and participant quotes). The views presented in this article are of the author alone and do not represent the Australian Institute of Criminology, the Criminology Research Advisory Council or the Australian government. All errors and omissions are the sole responsibility of the author.

Declaration of Conflicting Interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This research was supported by Criminology Research Grant 29/13-14.

ORCID iD

Cassandra Cross

Author biography

Cassandra Cross is a senior lecturer, School of Justice, Faculty of Law, Queensland University of Technology. Her research focuses on fraud, identity theft and cybercrime. She is the co-author of the book entitled Cyber Frauds, Scams and Their Victims.

References

Australian Competition and Consumer Commission (ACCC) (2017) Targeting scams: Report of the ACCC on scams activity 2016. Canberra: ACCC.

Australian Competition and Consumer Commission (ACCC) (2018) Targeting scams: Report of the ACCC on scams activity 2017. Canberra: ACCC.

Australian Federal Police (nd) Our organisation. Available at: https://www.afp.gov.au/about-us/our-organisation (accessed 2 August 2017).

Bigos

(2005) Jurisdiction over cross-border wrongs on the internet. International and Comparative Law Quarterly 54(3): 585–620.

Brenner

(2006) Cybercrime jurisdiction. Crime, Law and Social Change 46(4–5): 189–206.

Broadhurst

(2006) Developments in the global law enforcement of cyber-crime. Policing: An International Journal of Police Strategies and Management 29(2): 408–433.

Button

(2012) Cross-border fraud and the case for an ‘Interfraud’. Policing: An International Journal of Police Strategies and Management 35(2): 285–303.

Button

Lewis

Tapley

(2009) A better deal for fraud victims. London: Centre for Counter Fraud Studies.

Button

Lewis

Tapley

(2012) The ‘fraud justice network’ and the infrastructure of support for the individual fraud victims in England and Wales. Criminology and Criminal Justice 13(1): 37–61.

10.

Button

McNaugton-Nicolls

Kerr

, et al. (2014) Online frauds: Learning from victims why they fall for these scams. Australian and New Zealand Journal of Criminology 47(3): 391–408.

11.

Clough

(2015) Principles of Cybercrime. Cambridge: Cambridge University Press.

12.

Copes

Kerley

Mason

, et al. (2001) Reporting behavior of fraud victims and Black’s theory of law: An empirical assessment. Justice Quarterly 18(2): 343–363.

13.

Cross

(2018) Expectations vs reality: Responding to online fraud across the fraud justice network. International Journal of Law, Crime and Justice 55: 1–12.

14.

Cross

Kelly

(2016) The problem of ‘white noise’: Examining current prevention approaches to online fraud. Journal of Financial Crime 23(4): 806–828.

15.

Cross

Richards

Smith

(2016) Improving responses to online fraud victims: An examination of reporting and support. Final report. Canberra: Criminology Research Grants.

16.

Cross

Smith

Richards

(2014) The challenges of responding to victims of online fraud. Trends and Issues in Crime and Criminal Justice, No. 474. Canberra: Australian Institute of Criminology.

17.

Daskal

(2016) Law enforcement access to data across borders: The evolving security and rights issues. Journal of National Security and Policy 8(3): 1–10.

18.

Finklea

(2013) The interplay of borders, turf, cyberspace and jurisdiction: Issues confronting US law enforcement. Congressional Research Service Report for Congress. Washington, DC: Congressional Research Service.

19.

Fletcher

(2007) Challenges for regulating financial fraud in cyberspace. Journal of Financial Crime 14(2): 190–207.

20.

Grabosky

Smith

(1998) Crime in the Digital Age: Controlling Telecommunications and Cyberspace Illegalities. Sydney: The Federation Press.

21.

Hodgson

(2008) From famine to feat: The prosecution of multi-jurisdictional financial crime in the electronic age. Journal of Financial Crime 15(3): 320–337.

22.

Huey

(2002) Policing the abstract: Some observations on policing cyberspace. Canadian Journal of Criminology 44(3): 242–254.

23.

Jeffray

(2015) Caught in the net: The law enforcement response to international cybercrime. Australian Strategic Police Institute International Cyber Police Centre Special Report, March 2015: 3–10.

24.

Kulesza

(2012) International internet law. Global Change, Peace and Security 24(3): 351–364.

25.

Levi

(2017) Assessing trends, scale and nature of economic cybercrimes: Overview and issues. Crime, Law and Social Change 67(1): 3–20.

26.

Levi

Doig

Gundur

, et al. (2017) Cyberfraud and the implications for effective risk-based responses: Themes from UK research. Crime, Law and Social Change 67(1): 77–96.

27.

McGrath

(2016) Woman tricked into laundering money ‘ignored’ when she reported it to cyber crime agency. Available at: http://www.abc.net.au/news/2016-10-07/woman-tricked-into-laundering-money-ignored-when-she-reported-it/7885242 (accessed 2 August 2017).

28.

Menon

Siew

(2012) Key challenges in tackling economic and cyber crimes: Creating a multilateral platform for international co-operation. Journal of Money Laundering Control 15(3): 243–256.

29.

Office for National Statistics (ONS) (2016) Overview of fraud statistics: Year ending March 2016. Available at: https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/articles/overviewoffraudstatistics/yearendingmarch2016 (accessed 21 November 2018).

30.

Ransley

Mazerolle

(2009) Policing in an era of uncertainty. Police Practice and Research: An International Journal 10(4): 365–381.

31.

Rege

(2009) What’s love got to do with it? Exploring online dating scams and identity. International Journal of Cyber Criminology 3(2): 494–512.

32.

Reitano

Oerting

Hunter

(2015) Innovations in international cooperation to counter cybercrime: The Joint Cybercrime Action Taskforce. The European Review of Organised Crime 2(2): 142–154.

33.

Ross

Smith

(2011) Risk factors for advance fee fraud victimization. Trends and Issues in Crime and Criminal Justice, No. 420. Canberra: Australian Institute of Criminology.

34.

Schultz

(2008) Carving up the internet: Jurisdiction, legal orders, and the private/public international law interface. European Journal of International Law 19(4): 799–839.

35.

Speer

(2000) Redefining borders: The challenges of cybercrime. Crime, Law and Social Change 34: 259–273.

36.

Svantesson

(2015) A new jurisprudential framework for jurisdiction beyond the Harvard Draft. AJIL Unbound 109: 69–74.

37.

Svantesson

(2016) Internet jurisdiction: Today and in the future. Precedent 132: 4–9.

38.

Van Wyk

Mason

(2001) Investigating vulnerability and reporting behavior for consumer fraud victimization: Opportunity as a social aspect for age. Journal of Contemporary Criminal Justice 17(4): 328–345.

39.

Whitty

Buchanan

(2012) The psychology of the online dating romance scam. Leicester: University of Leicester. Available at: https://www2.le.ac.uk/departments/media/people/monica-whitty/Whitty_romance_scam_report.pdf (accessed 2 August 2017).

40.

Wordsworth

(2017) Cybercrime victims on their own as police fail to follow up cases, helpline head says. Available at: http://www.abc.net.au/news/2017-02-27/cybercrime-victims-on-their-own-as-police-fail-to-follow-cases/8306814 (accessed 2 August 2017).

41.

Yar

(2013) Cybercrime and Society. London: SAGE.