Adapting cybersecurity practice to reduce wildlife cybercrime

Abstract

Wildlife trafficking is driving many species to extinction and is overwhelming law enforcement efforts to stop it. At least a 2-fold increase in the number of traffickers who are put out of business is needed to help avoid these extinctions. A cybersecurity-based solution described in this article consists of a large international confederation of criminal investigators collecting intelligence on persons involved in wildlife trafficking, analyzing it, and then recommending to law enforcement (a) cybercriminals to detain, (b) cybercriminals to surveil, and (c) where and when to intercept cybercriminal-initiated wire transfers and shipments of wildlife products. Wildlife traffickers nowadays often use the internet to commit their cybercrimes. Prosecuting such crimes is challenging. Indeed, one of the top five challenges in cybersecurity is to develop methods for pursuing cybercriminals and bringing them to justice through the acquisition of digital evidence that links specific individuals to specific illegal acts. The proposed confederation finds two lists of wildlife cybercriminals to remove. The first is found by computing centrality measures on the statistically estimated (reconstructed) current social network of wildlife cybercriminals to identify those criminals whose removal would, according to social network theory, maximally disrupt the syndicate’s operations. This list contains criminals identified as kingpins, and/or information brokers. The second list consists of those m criminals whose removal results in the largest simulator-computed drop in poaching of the trafficked species over the next year. Database access control is a form of information security (InfoSec), or data security—a chief component of cybersecurity. Here, a distributed form of information security is developed for keeping a confederation’s criminal intelligence database secure from unauthorized access and insider threats. This procedure uses only peer-to-peer transactions. The illegal trade in rhino horn is used to illustrate how this confederation would use criminal intelligence from several countries to first build a simulation of the political–ecological system that contains the trafficking operation, and then use this statistically fitted simulator to identify those traffickers to remove, wire transfers to block, and wildlife product shipments to seize. All software to implement this federated database and its access control procedure is freely available.

Introduction

Biodiversity loss through wildlife product trafficking is happening at a cataclysmic rate that dwarfs current wildlife law enforcement efforts to arrest and prosecute wildlife crime suspects. For instance, during 2015–2020, INTERPOL aided law enforcement agencies in seizing many tons of wildlife being smuggled into various countries [1]. These law enforcement achievements are exemplary. During the last 50 years, however, the African elephant population declined by 75% [2]. And in just 10 years, the white rhinoceros (Ceratotherium simum) population declined by 24% due to poaching [3], while the illegal trade in rhino horn continued unabated [4,5].

Currently, the IUCN Red List contains 134 425 species of which 37 480 are at risk of extinction [2]. One study reports 958 of these 37 480 species are in danger due to trade [6]. A meta-analysis shows 506 species experiencing population declines exclusively due to trade [7]. About 6000 species, endangered or otherwise are being trafficked [8]. And, by accounting for the trade practice of substituting a similar species for a species that becomes too rare to harvest, Scheffers et al. [9] find that 11 702 vertebrate species face extinction from trade. The situation is also acute with regard to plants. Lavorgna and Sajeva [10] find that illegal trade in rare plants is driving many of them to extinction. Tittensor et al. [11] find that the volume of illegal wildlife trade is between 28 and 150% of legal wildlife trade. These figures are derived from seizure data at ports of entry. Because of the large number of shipping containers and the small number of customs inspectors, it is estimated that the volume of wildlife contained in seizures of shipments at ports of entry is only ∼10% of the total volume of wildlife traded illegally [12]. Between 30 and 90% of all live animals shipped illegally die in transit [13]. The effect on biodiversity from wildlife trafficking therefore, is most likely much higher than these sources can provide evidence for.

Habitat loss is often pointed to as the principal driver of biodiversity loss [14]. But a comprehensive study of biodiversity loss drivers finds no statistical difference between loss of habitat and direct exploitation, i.e. intentional harvesting of wildlife either legally or illegally [15]. While stricter regulations on legal exploitation such as the reduction of harvesting quotas might offer hope for some species, such regulations may negatively affect trafficked species as traffickers pursue profit opportunities that such regulation unintentionally provides. Thus, thousands of species will be lost unless wildlife trafficking is significantly reduced.

The US Fish and Wildlife Service has only 250 special agents pursuing wildlife crime investigations [16]. The US Drug Enforcement Administration on the other hand, has 2200 special agents [17]. And at ports of entry, the US Fish and wildlife Service is overwhelmed with the volume and frequency of wildlife shipments relative to their number of inspectors [18]. Because wildlife trafficking is the fourth most lucrative business of organized crime after firearms, narcotics, and humans [19], it is not unreasonable to assume that the number of wildlife criminals and number of wildlife crimes are about the same as the number of narcotics criminals and narcotics crimes, respectively. It would then follow that for the USA alone, at least a 10-fold increase in the amount of wildlife crime policing and interdiction is needed to help bring biodiversity losses down far enough to at least slow if not stop the mass extinction event that is currently underway [20].

Countries that are not as wealthy as the USA are experiencing even greater shortages of wildlife crime law enforcement. For instance, de Vries [21] concludes that Canada, having scarce law enforcement resources, needs to increase its cooperation with US law enforcement agencies in order to successfully prosecute international wildlife crimes. And specifically, such cooperation should be centered around the sharing of criminal intelligence. Jiao et al. [22] call for greater sharing of criminal intelligence between China and countries in Southeast Asia to curb wildlife crime. In many countries, corruption is a major driver of illegal wildlife trade and needs to be a part of all investigations of wildlife crimes [23].

Emphasis needs to be on the people involved in wildlife trafficking rather than on shipments of wildlife products—be they live plants, live animals, or parts thereof (e.g. logs, bones, bile, tusks, horns, claws, or scales). This is because the person who crated the illegal shipment of wildlife or wildlife products is usually untraceable [24,25] and hence, intelligence on seized illicit shipments of wildlife or wildlife products is of limited use in an investigation of a particular trafficking suspect. Any project aimed at achieving such a massive increase in wildlife crime investigations and prosecutions will require at least an order of magnitude more law enforcement professionals who not only pursue wildlife crime cases but also share their criminal intelligence with each other. Any smaller effort will fail to stop these extinctions. It is unlikely, however, that a large number of internationally dispersed law enforcement professionals would agree to join a single, hierarchally managed policing organization—much less agree to surrender their own criminal intelligence to such an organization. Yet, in order to achieve a 10-fold increase in the number of traffickers put out of business, the combined intelligence from all of these investigators is needed to first, identify those traffickers causing the most damage, and then second, to bring enough evidence to bear on their prosecution so that they stop trafficking for a long time.

Wildlife traffickers nowadays often use the internet to conduct their crimes [26]. When wildlife traffickers use the internet to arrange transactions, make payments, or receive payments, they can be viewed as cybercriminals. Acquiring sufficient evidence on such a cybercriminal to successfully prosecute them and thereby shutdown their activities is difficult at best but essentially impossible without detailed data on their activities. Indeed, pursuing cybercriminals and bringing them to justice through the acquisition of digital evidence that links a specific individual to a specific illegal act was listed as one of the top five cybersecurity challenges for 2021 [27]. To successfully attack such an international problem, cybersecurity practice needs to adapt. For instance, many cybersecurity professionals work in a hierarchical organizational structure wherein policies are developed by senior management and implemented under the supervision of security operations center managers [28]. Reducing wildlife cybercrime, however, will need peer-to-peer management of a large number of independent wildlife trafficking investigators who work across many countries and who require that they retain control over who they trust [29, 30].

This article develops a new approach to conducting investigations into such wildlife cybercrime [31] that adapts cybersecurity practice in the areas of online, federated criminal intelligence databases; social network analysis of cybercriminals; and access management in peer-to-peer systems. These new practices take the form of an international confederation of wildlife crime investigation professionals who maintain a federated database [32] of wildlife crime intelligence (hereafter, simply intelligence) and use it to disrupt illegal activities that lead to biodiversity loss. Maintaining the security of this database and hence, the trust of a large number of investigators is addressed herein through a peer-to-peer database access control procedure. Database access control is a form of information security (InfoSec), or data security—a chief component of cybersecurity. InfoSec entails ensuring the confidentiality, integrity, and availability of data. Here, a distributed method is developed for keeping an intelligence database secure from unauthorized external access and from insider threats.

Traffickers often organize themselves into syndicates. One definition of a syndicate is “a loose organization of racketeers in control of organized crime” [33]. Disrupting the operations of a wildlife trafficking syndicate (WTS) can lead to reduced poaching of a trafficked species. This reduced rate of poaching in-turn, can temporarily cause that species’ ratio of births to deaths to rise and hence buy time for it. Let a player be a person who is an active participant in a WTS. UN {[8], Chapter 8} identifies six different levels of players in a WTS: poachers,runners,intermediaries,exporters,importers/wholesalers, and retail traders. Here, these six levels are simplified by subsuming poachers and runners into poachers, subsuming roots (see below), snakes (see below), and intermediaries into middlemen, renaming exporters, traders, and subsuming importers/wholesalers and retail traders into retailers.

According to the Environmental Investigation Agency [34], a WTS operates as follows. Poachers harvest the wildlife product. Then, runners deliver the product to middlemen or intermediaries who in-turn, sell them to roots who have bribed port authority police to allow them to ship the product on to retailers in countries where wildlife products are consumed. Along the way, traders coordinate the various transactions with either payments in hard currency or, for larger transactions, with wire transfers between bank accounts. Wire transfers are also used by retailers to pay traders. Snakes come in two varieties: those who are paid by traders to tip-off poachers as to the whereabouts of targeted plants/animals (often, corrupted antipoaching rangers), and those government officials who are on the take with a WTS [35]. These latter individuals may work inside their government to impair law enforcement’s efforts to disrupt the WTS’s operations [23].

A WTS can be disrupted either by removing its kingpins and/or information brokers; seizing cash used by the syndicate to fund its operations and transact its business [34]; or seizing its shipments of wildlife products [36]. An information broker is a player who controls messaging between many different pairs of players [32]. For the specific disruption activity of targeted arrests of suspected traffickers, a larger reduction in poaching for the expenditure of the fewest resources can be had by arresting the syndicate’s relatively few middlemen, traders, and retailers rather than the many on-the-ground poachers. This is because higher-level players typically control much of the syndicate’s cash and coordinate many of its activities.

Example

Consider the poaching of rhinos for their horns. Horns are poached by chopping off a rhino’s pair of horns after it has been shot with a hunting rifle. Arrest records and mobile phone transmission data are used to reconstruct the local component of the rhino horn trafficking syndicate operating around Kruger National Park (KNP) circa December 2014 (Fig. 1).

Centrality measures [37] from social network analysis (SNA) are computed on a unimodal social network [38] model of this WTS, called here, the WTS network. These measures help to identify players who are either kingpins or information brokers. Computation of each player’s eigenvector centrality identifies players h9 and h240 as probable kingpins, and computation of each player’s betweenness centrality identifies h9 and h97 as probable information brokers (Fig. 2). This actionable intelligence report [32] is given to law enforcement along with the following action recommendations. First, detain h240, then h9, and finally, h97. Second, serveil h1727 and h3.

Wildlife trafficking is transnational

An essential characteristic of a WTS is its transnational operation: Key players may reside in countries far removed from where wildlife is poached. For instance, in the above example, the list of players needs to be completed with data on players who operate outside of Africa. Local law enforcement is often unaware of who these individuals are—and for those they do know about, are usually unable to gather much intelligence on them nor muster enough evidence for successful extradition and/or prosecution proceedings.

Consider, for instance, the following scenario. Domestic law enforcement agency Z is unaware of relevant intelligence held by an agency located in another country—and only discovers this information by querying a database that contains all such intelligence. In particular, this agency learns that a trafficker, hiding in another country, is controlling a poaching and shipment operation in agency Z’s country. This scenario suggests that domestic law enforcement agencies need to have much greater and more immediate access to intelligence held by law enforcement agencies in other countries.

Roadblocks

Below are the main reasons why wildlife trafficking is not being controlled at a sustainable level.

1. Wildlife crime investigations often fail. Reasons for such failures include the following:

   • current levels of financial support for international wildlife crime investigations are inadequate for the scale of the problem [39,40];

   • corrupt government officials are paid by traffickers to get shipments through customs and to shield them from criminal investigations [23,40];

   • law enforcement agencies do not trust each other enough to share their intelligence [41].

2. Policies aimed at curbing wildlife trafficking do not account for the political situation that traffickers take advantage of. For instance, wildlife crime laws are not uniform across countries [8,42, 43].

3. Policies aimed at curbing wildlife trafficking are not tailored to the impact of anthropogenic actions on the population dynamics of a trafficked species. For instance, severe antipoaching laws are passed when in reality, habitat destruction is the main driver of a particular species’ demise [44, 45].

A solution

The solution described in this article consists of a large international confederation of law enforcement professionals collecting intelligence on persons involved in wildlife trafficking, analyzing it, and then recommending to law enforcement (a) players to detain, (b) players to surveil, and (c) where and when to intercept WTS-initiated wire transfers and shipments of wildlife products. The confederation would create this actionable intelligence report by feeding its intelligence into first, a federated,relational database, and from there, into the Ecosystem Management Tool (EMT) software system of {Haas [46], Chapter 1}.

Confederation members would include individuals working in source countries, transport countries, and consumption countries. The confederation’s ability to share intelligence across different countries would allow them to discover players who are attempting to hide their identity in some of the countries that they operate in. This ability in-turn, would allow the confederation to help law enforcement agencies to disrupt the WTS. The confederation would accomplish this by performing a deduplication analysis on their intelligence.

The confederation would control access to their intelligence database with the Global Authorization Derivation (GLAD) database access control tool [47] (hereafter, simply the GLAD access control tool).

Elements of this solution are not new. For instance, nations routinely apply confiscation and sanctions to disrupt activities that are against their wishes. One example is the suite of sanctions levied by the USA against Iran [48]. Another is the routine practice by US law enforcement personnel of conducting in-country raids in order to seize drug contraband in Central America [49]. Another precedent is the Regional Information Sharing Systems (RISS) database [50]. This database, similar to the one proposed in this article, enables local, state, federal, and tribal law enforcement agencies in the USA to share intelligence with each other. The RISS confederation uses a regional structure to allow 9400 law enforcement agency members to share many types of intelligence across the US RISS membership is through a regional vetting process.

Materials and methods

Disrupting a WTS

A confederation to disrupt wildlife trafficking

An international group of wildlife crime investigators and analysts would self-select into a confederation. These confederation members (hereafter, simply members) would be otherwise employed at either law enforcement agencies, conservation-focused NGOs, private criminal investigation consultancies, or non-governmental, for-profit firms. These individuals would bring to the confederation a variety of crime-fighting specialties including detective skills, intelligence analysis, and forensic accounting [51, 52].

Say that this confederation is focused on the survival of a particular plant or animal. The confederation first models and then disrupts a transnational trafficking syndicate that is trading in this species. The confederation is aware that such syndicates usually offer a diverse product line including narcotics, humans, arms, wildlife, and wildlife products [53].

To support these modeling and disruption tasks, the confederation maintains a federated database of both open access data and secure intelligence. Open access data include news articles about poaching events; wildlife crime suspect arrests; trials involving defendants suspected of being players; or seizures of wildlife product shipments. The confederation builds a model of the political–ecological system that contains the WTS in the form of a political–ecological simulator (hereafter, simulator) {[46, 54], Chapter 1}. The parameters of this simulator are statistically fitted to observations queried from the confederation’s database.

The confederation uses this fitted simulator to produce an actionable intelligence report. This report is distributed to law enforcement agencies and contains several recommended actions as follows.

1. Detain list: A list of those players that the confederation recommends law enforcement detain for maximal disruption effect.

2. Surveil list: A list of those players the confederation recommends be placed under surveillance for purposes of gathering evidence and/or information on pending wildlife crime activities.

3. Interdict list: A list of predicted WTS actions along with where and when these actions will take place. The confederation recommends law enforcement interdict these actions.

4. Recovery time: An estimate of how long the WTS will take to recover from the removal of those players in the Detain list. Law enforcement uses this information to plan detention, surveillance, and interdiction operations.

How these components are found is described next.

Actionable intelligence 1: players to remove or serveil

The Detain list is composed of two sublists: one derived from social network theory, and one derived from ecosystem impacts. The SNA-derived sublist is found by computing centrality measures on the statistically estimated (reconstructed) current WTS network to identify a sublist of players whose removal would, according to social network theory, maximally disrupt the network’s operations. This sublist typically contains players identified as kingpins, and/or information brokers.

This SNA-derived sublist, however, does not take into account the direct effect on the ecosystem due to the removal of certain players. These effects are, however, captured by the simulator because it contains dynamic mechanisms that govern both interactions of the WTS with other groups involved in the ecosystem that hosts the trafficked species—and interactions between all of these groups and the ecosystem. This makes the simulator a more complete model of the political–ecological system than the WTS network, alone. Also, theoretical work in social network theory [55] suggests that removing kingpins (those with high eigenvector centrality) may disrupt the syndicate’s operations for only a short time, i.e. a WTS is resilient and therefore, will need to be repeatedly disrupted [32,56]. Further, empirical evidence from real criminal networks suggests that because of how WTS operations are spread out among its players, such a network’s operations are difficult to disrupt unless many players below the level of trader are removed [57,58].

For these reasons, a second sublist is found of those m players whose removal results in the largest simulator-computed drop in poaching of the trafficked species over the next year. This sublist is found with the newly developed optimal removal algorithm (Appendix).

The Surveil list is found through computations on the reconstructed WTS network at the current time and as it existed 4 months previously. These computations yield (a) those players likely to succeed detained players; (b) those players who are influential but attempting to conceal themselves from law enforcement; (c) the network’s rising stars; and (d) those players who make up tightly connected communities [59]. The productivity of a WTS is built from the bottom up by the functioning of these communities—each of whom is efficient due to their high internal connectivity.

Actionable intelligence 2: interdictions

When the simulator is run forward in time, a list is created of WTS actions that are indexed by date. This list holds predictions of future poaching events, future wire transfers, and future wildlife product shipments. These event predictions constitute the Interdict list.

Some of the money that flows through a WTS can be legally blocked. Many monetary (wire) transfers between players are SWIFT system requests that are usually routed through New York city banks [60]. The US Treasury’s OFAC can force banks to block or reject SWIFT transactions of narcotics traffickers [60]. If certain players were added to the OFAC’s list of Specially Designated Nationals (SDNs), examining the financial transaction records of these players would help to identify player-initiated wire transfers to block. Doing so would directly disrupt wildlife trafficking. Step one in this endeavor is to acquire evidence that a player initiating a wire transfer is also a narcotics trafficker [53]. Thus, to use this blocking strategy, the confederation would need members who have access to narcotics trafficking intelligence.

Actionable intelligence 3: recovery time

Let the Recovery time, γ be the number of weeks after a disruption by law enforcement before the network regains 90% of its connectedness. Connectedness is measured by the connectedness index: The largest eigenvalue of the network’s adjacency matrix [32]. At least one disruption operation by law enforcement needs to have been executed before γ can be estimated.

Confederation attractiveness, logistics, and selection protocol

Law enforcement agencies and individual law enforcement professionals would want to share their intelligence by joining a confederation for the following reasons. First, by doing so, they gain access to intelligence on suspects of interest to them that they might not be able to acquire otherwise. Such access would help increase their conviction rate for only a modest increase in their operating budget. Second, joining a confederation does not require that they give up control over who can access any intelligence that they collect through their own investigations.

The confederation’s physical footprint is (a) a small logistics office; (b) some number of nodes located throughout the world that house local intelligence databases maintained by some of the confederation’s members; and (c) some number of members who are not affiliated with any of the confederation’s nodes. The logistics office maintains a database of members and their database access privileges as described in the section “Controlling database access,” below.

Equitable and sustainable membership dues

The confederation maintains its logistics office through annual dues. Each year, this office prepares a budget whose total size is e. Say that there are n members of whom m have verified revenues (income) that are below an income threshold c. For instance, c could be set to twice the US Federal Poverty Level (FPL) for a one-person household. Then for 2023, c would be 27,180 USD [61]. Members whose income is ≥c pay rc in dues, where r is the sliding scale dues rate for members whose income is <c. Members whose income is <c pay rI_i in dues, where I_i < c, i = 1, …, m is member i’s income. This latter formula is derived from the break even budget equation $e\ge (n-m)rc+\sum _{i=1}^{m}r{I}_i$⁠, where $r=e/[(n-m)c+\sum _{i=1}^m{I}_i]$⁠.

This hybrid flat-rate/sliding scale membership dues structure is one way to balance (a) the need to break even every year [63,64]; (b) the desire to have most members pay an equal amount of dues to discourage unequal power relationships among members; and (c) the need to make membership feasible for individuals or agencies who have minimal financial resources but for whom confederation membership would be mutually beneficial.

Logistics office services

The only activities of the confederation’s logistics office are:

1. maintaining communications between all members;

2. maintaining the logistics node of the confederation’s database and the GLAD access control tool;

3. processing membership applications and associated corruption auditor reports;

4. preparing the annual budget and billing members for dues;

5. inviting, cooperating with, and paying a licensed financial auditing firm to conduct the confederation’s annual financial audit.

There are no other decisions that this office is authorized by members to perform. Hence, the confederation’s management system is a form of rule-based management [62]. All other management decisions are made by individual members, all of whom are peers.

The logistics node holds a minimal amount of information consisting of the following:

1. Member contact information.

2. Each member’s corruption index value and information technology (IT) security index value (see below).

3. Contact information for the corruption auditor.

4. EMT software including all database software.

5. The confederation’s budget and financial audit report.

Evaluating candidates for confederation membership

A concern members would have about a candidate is whether he/she would leak intelligence they receive from queries against the confederation’s database with players or anyone else outside the confederation. Such leaking is not necessarily the result of a one-time bribe: There may be a snake on the candidate’s staff who is paid by a WTS to provide them with information about ongoing investigations of the syndicate. But countries that have the most valuable intelligence may also have the most corrupt law enforcement agencies. And, these countries may also lack secure IT systems in their law enforcement agencies simply because they cannot afford more secure ones. Trust therefore, is seen as being two dimensional: a corruption dimension and an electronic data security dimension.

How can a confederation attract new members who have valuable intelligence without sacrificing intelligence security? One solution is as follows. To assess the trustworthiness of a candidate for admission into the confederation, the confederation hires a corruption auditor of their choice and pays them using the candidate’s membership application fee. This auditor investigates the candidate and arrives at values for a corruption index, and an IT security index. The corruption index, CI is 0 if, over the previous 5 years, the auditor can find no reports of the candidate leaking intelligence, and no reports of bribery of the candidate’s staff. CI equals 0.2 if there are two to three such reports, 0.5 if there are four to five, 0.8 if there are six to seven, and 1.0 if there are more than seven. This index is motivated by one proposed by Linhartová and Volejníková [65]. The IT security index is the pr metric of Yusuf et al. [66] defined to be the probability that a cyber attacker is able to penetrate the candidate’s IT system and successfully download intelligence.

As one way to combine these two dimensions into a single trust metric, let a trust index, TR be defined as 1 − max {CI, pr}. Law enforcement professionals would join the confederation with the understanding that they will be separated from the confederation if their trust index falls below 0.4 and/or all of their database access authorizations are revoked.

The confederation’s database

This database is used to maintain the simulator of the political–ecological system that the WTS is operating within, and a social network model of the WTS, itself. Observations on the simulator are called action histories {[46], Chapter 9} consisting of time-stamped actions taken by groups within the political–ecological system, and time-stamped values of ecosystem metrics such as the abundance of a trafficked species. Observations on the WTS are time- and player-stamped. Connecting each observed WTS action to a player implements the model of a WTS as one social network and two networks of inanimate objects: the network of shipping ports, and the network of bank accounts. A shipping port is represented by the associated root, and a bank account is represented by the associated trader or retailer. Hence, the WTS network consists of only players, i.e. it is a strictly unimodal social network. Each vertex in the network is either an observed, named player or an archetypal stand-in for one.

A relational database models these two data streams through the components of entities, relationships, and attributes. An entity corresponds to something in the real world. An attribute is a measurable property of an entity. A particular case of an entity is an entity instance [67]. An entity instance has a value on each of its attributes.

Entities

The confederation’s database consists of both open access data and secure intelligence acquired by members during the course of their investigation and surveillance operations. Extending the work of Haas and Ferreira [32], database entities are players, vehicles, firearms, bank accounts, wire transfers, and wildlife product shipments.

Attributes for these entities include

1. personal information on all players including their names, addresses, and phone numbers;

2. bank account numbers involved in a wire transfer between players; and

3. locations of where wildlife product shipments were seized along with the product type and amount.

Federal agencies that are required by law to keep their data secret, such as the US Department of Defense or the US National Security Agency, would need to first declassify any data they wished to contribute to the confederation’s database.

Database construction and visualization

The file create_logistics.sql (Table 1) creates the logistics node’s database of confederation members along with their database user privileges (hereafter, privileges). This structured query language (SQL) script file is written in MySQL, a freely-available, multi-platform relational database management system (RDBMS) [68]. An SQL script file (hereafter, simply SQL script) is a text file. The SQL script create_node.sql (Table 1) creates an intelligence database on a single node and adds individual players plus player-to-player links to it. All of Table 1’s SQL scripts can be run with few modifications within other RDBMSs including Microsoft’s SQL Server^TM [69].

The three PowerShell^TM scripts in Table 1 help to automate database use and maintenance tasks. PowerShell is a modern, freely-available scripting language used to manage multi-user computing systems, and communicate between computers. It has been ported to many platforms including Windows, Mac, and Linux [70].

The entity relationship diagram of this federated database is drawn with MySQL Workbench [68] (Figs 3 and 4).

Data formats and database querying

A challenge with a federated database is that different nodes may use different data formats. This in-turn, can make it difficult to combine data from different nodes. As Hasselbring [71] discusses, wrappers can be used. These are local programs that re-format database variables (entities and attributes) into the format of each node. When a query is run against the database, table and attribute names are translated from a set of generic names into the names used by each node.

Wrappers are implemented as follows. First, the logistics node maintains a PowerShell script that contains (a) the URLs of all current nodes; and (b) the map between each generic name of a database table or attribute—and those names used by individual nodes, e.g. fedquery.ps1 (Table 1). Second, a member formats his/her query as an SQL script using generic names for table and attribute names. Then, the member submits this script on the logistics node by entering the following at a Windows, Mac OS, or Linux command prompt:

powershell ./fedquery.ps1 example_query.sql > query_result.txt,

where example_query.sql (Table 1) is one such query.

If the query contains SQL commands that are not globally authorized for that member, the script returns INSUFFICIENT AUTHORIZATION and the query fails. In this case, the member needs to either abandon the query or modify it so that it does not exceed his/her global authorizations. If the query is successful, the member receives a concatenated file of the results of the query applied against every node’s database.

Because this access control tool is automatic, the database can be maintained and queries processed by a small staff of database support personnel employed across the confederation’s nodes.

Controlling database access

Law enforcement agencies hesitate to share their intelligence mainly because of individual officer unwillingness and an organizational culture that views intelligence sharing negatively [41]. Trust by organization A toward organization B builds over many interactions through time between A and B wherein what B says they will do turns out to be what B actually does. Trust is easily broken: If B intentionally misleads A just once, A will lose trust in B for a long time. This is particularly true when A and B are intelligence agencies [29]. Throughout these interactions, A and B may enjoy a congenial relationship on the surface. For instance, after then US President Trump revealed items of Israeli security intelligence to the Russians, the Israelis quietly changed their protocols for sharing security intelligence with the USA [72]. These negative attitudes toward intelligence sharing stem in-part from a concern that once released, intelligence may fall into the wrong hands—and there is no way for a node (in the case of a confederation) to prevent this from happening once they release the requested intelligence.

Nodes, however, need to trust members enough to share the names of players and associated intelligence. Simply de-identifying players before sharing information on them [73] overcomes this reluctance to share but renders the confederation useless. This is because without the use of shared names across nodes, accurately reconstructing a WTS network would be difficult—increasing the likelihood that key players are omitted from the Detain and Surveil lists. Worse, if player names in these lists are encrypted, they would be useless since law enforcement would have no way of knowing who the confederation recommends to detain or serveil. Because of these two reasons, a node that is distrustful of a particular member, can only opt-out of contributing intelligence to that member’s query. But if all nodes opt-out of every query, the confederation has nothing to offer law enforcement for purposes of disrupting a WTS.

Lefebvre [29] finds that the most productive trust relationship among intelligence agencies is bilateral rather than multilateral. The GLAD access control tool described next tempers a bilateral trust relationship within a node–member pair if a second node reports that the member is not to be trusted. This protocol for intelligence sharing is more conservative than the one used by RISS [50].

The GLAD access control tool

This tool automates the task of deciding who may access what in a federated database and enforces all restrictions imposed by nodes for access to their local databases. The tool consists of three modules: A local security module that specifies the local authorization policy of each node; a global security module that runs algorithms developed by the authors to combine all exported local authorizations into global ones; and a dictionary module that executes operations on nodes as per requests from members who are authorized to do so. The GLAD access control tool can be configured to implement a strictly conservative access authorization strategy that ensures global authorizations derived from exported local authorizations do not result in a member being given global access privileges that exceed the lowest level of privileges given to that member across all nodes.

The logistics node stores a copy of each node’s local table of member authorizations along with the global authorizations table. The global security module, maintained on the logistics node, runs whenever any node updates their local authorizations table. This global update procedure is as follows (parenthetical SQL scripts appear in Table 1).

1. Say that at some point, node 2 decides that one or more members need to have their privileges changed. They do this by first, editing an SQL script template that lists these new privileges and then second, emailing this SQL script to the logistics node (required_changes.sql).

2. The logistics node administrator runs this emailed SQL script against the logistics node’s database and then, based on all of these updated per-node member authorization tables, runs a second SQL script that produces an updated global authorizations table (compute_glad.sql). This table encodes the strictly conservative access authorization strategy of the GLAD access control tool.

3. Next, the logistics node administrator runs a third SQL script (update_privileges.sql). By reading the updated global authorizations table, this SQL script creates a fourth SQL script that the logistics node administrator emails to each node asking them to run it against their local database (global_privileges.sql). When run on a node, this fourth SQL script first removes all privileges on all members, and then issues SQL GRANT commands as necessary to give each member their global authorizations on that node’s database.

4. Finally, node 2 delivers a report to all members that justifies the changes they made to member privileges. Upon receipt of this report, all members vote to accept the report. If <90% of the members accept the report, node 2 is removed from the confederation and the authorizations of the member(s) in question are restored to their former levels.

For example, if the old policy granted UPDATE, and SELECT privileges to a particular member but now, node 2 has shortened this list to only SELECT, the new set of global privileges for that member is SELECT alone. Hence, because the global authorization update procedure runs every time any node updates its local authorizations, when a member runs a query against each node, he/she will acquire only that data that he/she is authorized to acquire under his/her set of global authorizations.

Security advantages of the GLAD access control tool

As a condition of continued confederation membership, all nodes would need to agree to maintain member privileges on their local databases via the GLAD access control tool. Nodes would be motivated to agree to this condition because once a node discovers a security breach and updates their local authorization table accordingly, all other nodes are immediately protected against this breach. Further, the reporting requirement of Step 4 keeps all members up to date on security threats to the confederation’s database.

If a node, after emailing the logistics node a list of required changes to the privileges of one or more members, does not quickly receive the expected return email, that node would know that the logistics node has been compromised and hence would immediately remove themselves from the confederation. This fail-safe procedure provides an ongoing diagnostic on the reliability of the logistics node and the GLAD access control tool that it is charged with administering.

This node-driven update protocol ensures that the security concerns of nodes are accurately reflected in their set of local authorizations and in the set of derived, global authorizations. Further, this protocol enforces full authorization autonomy wherein the global security module makes no modifications to local authorizations before using them to update global authorizations. Hence, a node does not surrender any control over who may access their data when they join a federated database that is secured by this implementation of the GLAD access control tool.

Another fail-safe feature of the GLAD access control tool is that a member bent on leaking confederation intelligence would need all nodes to grant him/her the SELECT privilege before they could do so. On the other hand, a single malicious node could remove all authorizations in their local security module from every member in order to deny all members access to the confederation’s database. Step 4 of the GLAD access control tool guards against this second type of an insider threat [74].

A node may have individuals who are not members but have sufficient privileges to modify, insert data into, and delete data from that node’s database. Such individuals would have no access to databases maintained by other nodes. But conversely, would not have their local privileges managed by the GLAD access control tool.

Data set formation and WTS network parameter estimation

To build an actionable intelligence report at time t₀, a member queries the confederation’s database for two data sets. The first, labeled $D_{t_{current}}$ consists of intelligence acquired over the interval (t_current − t_SNA, t_current). The second, labeled $D_{t_{current}-t_{\mathrm{S}\mathrm{N}\mathrm{A}}}$ consists of intelligence acquired over the interval (t_current − 2t_SNA, t_current − t_SNA). The value of t_SNA is the amount of time that the network needs to evolve new leaders after law enforcement has disrupted its operations. Limited experience with a real criminal network suggests t_SNA should be no >6 months [75]. A player or link is included in a data set only if some activity on the player or link is observed in that data set’s observation interval. These player and link expiration rules are needed because players have a high mortality rate [76].

Next, using a method given by Haas and Ferreira [32], each of these networks is reconstructed with a deduplicated network data set (see below) by estimating a set of hidden links, and each player’s level. Observed links based on messages are weighted by call frequency, links based on wildlife product shipments are weighted by shipment size, and links based on wire transfers are weighted by the USD amount of the transfer. Because these are unimodel social networks, links can be estimated between any two players be they individuals, shipping ports, or bank accounts. These two reconstructed networks are then used to compute the SNA-based components of the actionable intelligence report.

Deduplication of WTS network data

Before data queried from the confederation’s database can be used to reconstruct a WTS network, deduplication algorithms need to be run to discover pairs of players in the database who are, in reality, the same person. The primary concern here is that such duplication is the result of players using assumed identities in different countries in an attempt to hide their identities from law enforcement. Nodes in different countries would tend to enter intelligence on such players into their local databases using these assumed identities. Hence, a major advantage of building a federated database of intelligence on an international WTS can be hamstrung unless there is a way to discover those players attempting to hide from law enforcement through the use of assumed identities.

Of course, there are other, non-evasive reasons why duplicates may be present in the database. These include (a) data entry errors due to human mistakes or data migration from different databases; (b) the use of default values on attributes that are not observed; and (c) different nodes entering names that vary in their spelling [77, 78].

After a member has executed a query against the confederation’s database that has generated a file containing the requested data, he/she searches for duplicates by running the id relation {[46], Chapter 5} deduplicate_players on this file. The algorithm employed is as follows.

1. Compute attribute similarity measure values for all player pairs on the attributes of name and town. Attribute similarity is computed with a measure based on the Levenshtein distance [79]. Also, compute relational similarity measure values using each player’s contacts and vehicles relations. Do this by computing for a pair of players, two Jaccard similarity index values [80]: one using those contacts that the pair has in common, and one using those vehicles that the pair has in common.

2. Using the attribute, and relational similarity measures computed in the previous step, compute for the i, j^th pair of players, the total similarity score $s_{total}(i,j)=\sum _{k=1}^4{s}_k(i,j)$⁠, where s_k(i, j) is their k^th similarity measure.

3. Declare a pair to be a duplicate if their total similarity score exceeds a threshold value, e.g. 0.9.

Running this algorithm produces a list of players who are duplicated across the database—either within database nodes or between them. Bhattacharya and Getoor [81] call the use of relational similarity measures in the computation of s_total(), a naive relational entity resolution scheme.

Effects on WTS operations

The simulator is an agent-based model of all groups affecting the at-risk ecosystem as described in ref. [54]. A submodel is constructed for each player level. These are called WTS submodels. Each of these agents make risk–benefit assessments as they weigh different actions that they might take. These agents receive input actions such as wildlife product requests and law enforcement operations. Given these inputs, they implement actions that include poaching, wire transfers, and wildlife product shipments.

The WTS network is embedded in the simulator by having an individual level-i player implement the action computed by a level-i WTS submodel, i = 1, …, 4 (poacher, middleman, trader, retailer). Thus, player decision making is simulated with group decision making submodels that capture the unique goals and audiences that a player at a particular level is using to make decisions.

An example of this embedding is the modeling of a direct effect on plant/animal abundance with the following causal chain.

A particular retailer pays a particular trader → this trader pays a particular middleman → this particular middleman pays a particular poacher → this particular poacher poaches l plants/animals of an endangered species → the ecosystem submodel reduces abundance of the targeted species by the amount l.

In this chain, the poacher submodel executes a poaching action only if a request for wildlife products by a middleman is the input action to the poachers submodel. Otherwise, poaching is not the output action. Removing all traders breaks this chain because in this case, there are no requests for wildlife products–—and hence, no poaching events.

This particular synthesis of agent-based modeling and social networks is new. Its agent-based foundation predates a like approach taken by ref. [49] in their modeling of the effect of US interdiction raids on the expansion of a Central American cocaine trafficking syndicate.

The simulator’s disaggregation procedure

To implement this embedding, a disaggregation procedure is needed because a WTS submodel is an aggregated model of a group’s decision making wherein it is assumed that one un-named member of group actually implements the output action computed (chosen) by the submodel. This group member is selected as follows.

Let n_i be the number of level-i players in the confederation’s database at time t₀. Select a player as follows.

1. If n_i = 0, do not select a player. In this case, the WTS submodel does not post any action.

2. If a player is named in an observed action, use that player.

3. If an observed action is location-specific, randomly choose a player from that location.

4. Otherwise, randomly select a player from the set of all players who are at the submodel’s level, e.g. if the trader submodel is to post an action, randomly select a trader-level player. Let the selection probability for the j^th player in level-i, be $p_{\mathrm{s}\mathrm{e}\mathrm{l}\mathrm{e}\mathrm{c}\mathrm{t}}^{(ij)}\equiv {\xi }_{ij}/(\sum _{k=1}^{n_i}{\xi }_{ik})$⁠, where ξ_ij is player ij’s eigenvector centrality.

Effects of player removals

The simulator is used to assess future effects on an ecosystem due to the removal of particular sets of players. To this end, the statistically fitted simulator is run over a future time period, (t_current, t_end), where t_current is the current (present) time. At each time point in this period, each level-i WTS submodel first computes an output action, and then selects a level-i player to implement it using the above, 4-step procedure.

Let m_i ≤ n_i, i = 1, …, 4 be the number of level-i players that are recommended by the confederation for removal. Let the total number of players removed be $m\equiv \sum _{i=1}^4{m}_i$⁠. Working with law enforcement, a feasible time is found for this removal operation. Call this time point, t_r ∈ (t_current, t_end). A set of m players to remove is found by randomly selecting m players from the current list of active players in the confederation’s database regardless of their level, SNA measures, or attribute values.

Effects on WTS operations due to the removal of a particular set of m₁ poachers is as follows. As recorded in the confederation’s database, let β_j be the number of times poacher j has participated in a poaching raid. Let $\hat{\beta }$ be the average of this value over all poachers in the confederation’s database. Let $\widehat{{\beta }_r}$ be the average of this value over the set of m₁ poachers selected for removal. When the poacher submodel decides to poach some plants/animals, this event is not implemented in the IBM with probability $min\{1,m_1\widehat{{\beta }_r}/[\hat{\beta }(n_1-m_1+1)]\}$⁠.

This mechanism represents the hypotheses that (a) the more poachers, the less effect the removal of m₁ of them has on the event poach some plants/animals; and (b) the prowess of an individual poacher is captured by how many poaching raids he/she has been on. Because there are so many poachers, the best that law enforcement can hope for is to stop a single, planned poaching raid by removing those poachers who would most likely have successfully executed their next planned poaching raid. Modeling a pause in poaching due to the removal of a few poachers is unrealistic because of the large number of poachers, their high recruitment rate, and their wide dispersal around the borders of many wildlife reserves in developing countries.

Effects on WTS operations due to the removal of a particular set of m₂ middlemen, m₃ traders, and m₄ retailers is as follows. Drawing from the confederations database, let a_j be the number of times middleman, trader, or retailer j has been arrested. Let b_j be the number of wildlife product shipments linked to middleman, trader, or retailer j. Let f_j and v_j be middleman, trader or retailer j’s number of firearms, and vehicles, respectively. Let α_j = a_j + b_j + f_j + v_j. Let $\widehat{{\alpha }_i}$ be the average value of α over all middlemen (i = 2), traders (i = 3), or retailers (i = 4) in the confederation’s database. Let $\widehat{{\alpha }_r^{(i)}}$ be the average value of α over the selected set of m_i middlemen, traders, or retailers to remove. The removal operation causes the middlemen, traders, or retailers submodel to not post actions during the time period (⁠$t_r,t_r+t_{d_i}$⁠), where $t_{d_i}=\widehat{{\alpha }_r^{(i)}}/[\gamma \widehat{{\alpha }_i}(n_i-m_i+1)]$⁠. During this delay, if i = 4, retailers do not offer to purchase wildlife products from traders; if i = 3, traders do not request wildlife products from middlemen; and if i = 2, middlemen do not request poachers to poach members of the targeted species.

The hypotheses that this delay interval represents are (a) the more level-i players, the quicker the network can recover from a removal operation; and (b) the interval’s length is proportional to the length of a player’s criminal record, the amount of business he/she has recently transacted, the number of firearms linked to them, and the number of vehicles linked to them. This mechanism leverages the information contained in the network’s resiliency index.

Keeping t_r fixed, the optimal removal algorithm (Appendix) randomly selects a set of m players to remove each time it re-runs the simulator over (t_current, t_end). Hence, each such removal set results in potentially different impacts on the plant/animal population that in-turn, lead to different expected plant/animal abundance values at time t_end.

Results

Methods developed above are applied to the political–ecological system that encompasses rhino horn trafficking. An early model of this system [82] contains submodels of poachers, antipoaching forces, middlemen, horn consumers, and an individual-based model (IBM) of the KNP rhino population. This model is enlarged by adding to it a traders submodel; and a submodel of those retailers operating in countries where rhino horn is consumed. The path taken by a rhino horn in this model is:

IBM → poachers → middlemen → traders → retailers → consumers.

A hypothetical example is described next that illustrates the workings of the confederation described above. See ref. [83] for all files employed in this example.

A hypothetical WTS

Say that in reality, there exists a WTS network as shown in Fig. 5. Table 2 contains this network’s centrality measures.

Because player t1 has a high ratio of betweenness centrality to degree centrality, this player may be attempting to hide his/her importance to the WTS.

A confederation has managed to gather some intelligence on this WTS (Table 3). The confederation controls access to the database that holds this intelligence with the GLAD access control tool wherein the authorization strategy has been set to strictly conservative.

Controlling access to intelligence

Member John Doe has been enjoying full access privilege by all nodes. But recently, node 2 has learned that John Doe is adding false information to the confederation’s database. This knowledge has led node 2 to revoke John Doe’s INSERT privilege. Node 2 does this by emailing an SQL script to the logistics node (Fig. 6). Upon receipt of this email, the logistics node administrator updates John Doe’s GLAD authorizations on all nodes (Figs 6 and 7). At some later time, John Doe submits a query against the confederation’s database that attempts to add a new phone number to player m3 (example_query.sql). This query fails because GLAD’s strictly conservative authorization strategy uses the lowest level of data access authorizations for this user across all nodes—and that lowest level is the set of privileges dictated by node 2 (Fig. 6).

This example shows that a single node is able to reduce a member’s access to the confederation’s database.

Deduplicating players

The intelligence contains the player t11 who in reality, is player t1 (Table 3). The deduplication algorithm (section “Deduplication of WTS network data”) is run on this intelligence with the threshold parameter set to 0.5. This duplication is detected (Fig. 8).

Actionable intelligence

SNA computations

First, the WTS network is reconstructed with this deduplicated intelligence using the following id relation

report estimate reconstruct_social_network(players.dat 1 1000).

This reconstructed network is used to find those players who should be removed according to social network theory. This is accomplished by running the relation

report evaluate evaluate_network()

on the intelligence file player.dat wherein t11 has been removed. These players form the first sublist of the Detain list in the confederation’s actionable intelligence report (Figs 10 and 11).

The report’s recommended sequence of arrests [32] implement the idea that the network’s kingpin (highest eigenvector centrality) should be removed first followed by the network’s central information broker (highest betweenness centrality). This sequence of arrests is designed to first remove the network’s leader before the network has time to hide him or her—and then cripple the network’s communications by removing its most important communicator.

This relation also generates a run of the Raghavan et al. [59] community discovery algorithm. This run returns two communities: {t1, t2, r1, r2, m3, m4} and {m1, m2, p2, p1}. These communities are intuitively consistent with the network’s connectivity (Fig. 5).

Simulator computations

Next, an observed actions history is collected and used to estimate the simulator’s parameters. The actions history generated by this fitted simulator (Fig. 9) exhibits a re-occurring episode [67]: traders bid for rhino horn—then middlemen sponsor poaching raid— then poachers sell many rhino horns—then middlemen sell rhino horns.

This fitted simulator is used by the optimal removal algorithm to find the three players whose removal will reduce the poaching rate the most. These players are added to the Detain list. The relation that performs this search is

report evaluate remove_players(3 1),

where m = 3, and r = 1 (Appendix). During this search, the highest average number of poached rhinos was 1560. The algorithm converged after 209 function evaluations to a solution that gave the smallest number of poached rhinos (488) by removing players t1, p2, and m1 on 1 January 2012 over the study interval (1 January 2011, 1 January 2014). t1 is the only player who owns a vehicle.

Actionable intelligence report

The confederation sends its actionable intelligence report (Figs 10 and 11) to law enforcement. The report recommends that the WTS kingpin, t1 be arrested. In particular, reflecting the reality of this WTS, the report identifies player t1 as someone attempting to hide his/her importance to the WTS since this player has a high ratio of betweenness centrality to degree centrality. t1 may be acting as a liaison between the network’s two communities.

The most recent interdictable actions in the actions history are used to build the Interdict list. Here, this the single action middlemen sell rhino horn. Middleman m3 is predicted to execute this action. Because this player is located in town B, country Y, the confederation recommends a stake-out operation be planned to intercept this sale at that location.

Discussion

A functioning confederation as developed herein would have direct and measurable impacts on biodiversity conservation. Several challenges, however, remain.

Corrupt officials may impede a confederation’s operations

Sections “Evaluating candidates for confederation membership” and “Controlling database access” discuss one way to stop corrupt confederation members from undermining the confederation’s operations. But there is another source of corruption effects on a confederation: Government officials outside of the confederation who work in law enforcement, prosecution, and the judiciary. These officials may be persuaded by trafficker bribes, intimidation, political pressure, or conflicts of interest to drop wildlife trafficking investigations {[84], Page 4}. In the worst case, these officials may shutdown those investigations being pursued by a confederation and stop the confederation’s efforts to disrupt a WTS. Legislation outlawing governmental corruption, however, may not always be effective. For example, Koehler [85] finds that the Foreign Corrupt Practices Act (FCPA) has a mixed record in reducing the amount of bribery that US businesses need to engage in to conduct business in many countries.

A confederation could employ several strategies to ward off these attacks including the following.

1. The confederation could call upon governments of those countries who are able to influence the government employing these corrupt officials. Such influence would take the form of diplomatic contacts, economic inducements, or sanctions. Recent evidence suggests that international businesses are joining private anti-bribery clubs that give government officials incentives to forgo bribes before they provide governmental services to these businesses [86]. Confederation members should join such clubs in those countries where they are pursuing wildlife trafficking investigations.

2. Using the example of the bribes paid by Oskar Schindler to the Nazis to spare the lives of a group of Jews (the so-called Schindlerjuden), Nichols [42] argues that there is one case where a bribe is justified: When a human life cannot be saved any other way. A similar argument could be made to justify a confederation’s use of bribes to allow wildlife crime investigations to continue.

3. A confederation should avoid relationships that give a government some amount of control over it. For instance, a confederation should avoid housing its logistics office on government property, and avoid using a government’s IT hardware, software, and support staff.

The challenge of leaked/inadmissible intelligence

A procedure based on the GLAD access control tool has been described for how a confederation would maintain the confidentiality of its intelligence. Even so, there would be nonzero risks associated with (a) leaked intelligence causing a violation of a targeted suspect’s right to privacy, and (b) intelligence being declared inadmissible in court due to inappropriate collection methods and/or leaks.

One way a confederation could protect itself against legal attacks by players aimed at suppressing investigations into possible wildlife crimes, is to maintain a fund to fight lawsuits brought by players against members for alleged breach of privacy, inadmissible evidence, or libel stemming from confederation investigations. This fund would support the services of law firms specializing in environmental law. Such firms include the Southern Environmental Law Center (SELC) [87].

The challenge of uneven wildlife crime legislation

Transnational wildlife crime investigations may also encounter difficulties in supporting successful prosecutions because of differing wildlife crime legislation across countries. A recent United Nations report explains that

Wildlife crime related to CITES trade violation is clearly defined by CITES requirements, but outside trade violations, wildlife crime varies from country to country and some actions involving wildlife may be a criminal offence in one country but not in another {[8], Page 89}.

A prominent example of this difficulty is the potential reversal of the ban on rhino horn trading in China. At the moment, this ban is in-place but could be lifted at any time [43]. If this ban is lifted, how will it be possible for instance, to prosecute a Chinese rhino horn retailer?

At its heart, this is an international politics issue in that what is needed is a harmonization of wildlife crime laws across countries.

Differences from Interpol

The proposed confederation is qualitatively different than Interpol. These differences include the following.

1. The proposed confederation would focus on the collection and analysis of wildlife trafficking intelligence.

2. The proposed confederation would issue only specific recommendations to law enforcement: arrest, surveil, or interdict.

3. The proposed confederation’s database would be federated rather than controlled by a single entity {[52], Page 61}. Interpol’s General Secretariat makes closed-door decisions on what data may or may not be included in its databases [88].

4. Any confederation member could unilaterally block any other member’s access to the confederation’s database.

5. The proposed confederation would be nonhierarchical, i.e. it would have no president and no governing board.

6. The proposed confederation would only issue notices in the form of actionable intelligence reports that are created out of its own analysis of its own intelligence. Interpol’s practice of issuing red notices that are not required to carry evidential support from Interpol data can lead to accusations of corruption. Specifically, that such notices are being issued to intimidate critics of authoritarian regimes [89,90].

7. A member can be voted out of the confederation as a result of loss of trust or the perception by a majority of the confederation’s members that he/she is using the confederation for political gain. On the contrary, Toby Cadman, a British barrister working on Syria-related war crimes prosecutions, notes that “Interpol’s systems are opaque, with no real oversight or accountability, and routinely abused by states like Syria.” [91].

Future work

The detection of overlapping communities in a WTS network would increase the realism of the network’s predicted community structure because criminal communities, being social systems, have players who act as liaisons between communities and hence, belong to more than one community. This could be accomplished with the algorithm of Lu et al. [92].

Currently, the simulator’s submodels do not include spatial location. As intelligence on player locations is gathered, the simulator could be fitted to intelligence on player actions that are spatio-temporally indexed. Doing so would allow the fitted simulator to produce spatio-temporal predictions of actions by particular players. Such predictions would result in more interdiction operations that successfully intercept the predicted wire transfer or wildlife product shipment.

A necessary step toward implementing a confederation in the real world is to survey law enforcement professionals to find out what they think of this proposed confederation.

Acknowledgement

The author thanks two anonymous reviewers for comments that improved the manuscript.

Author contributions

Timothy C. Haas (Conceptualization, Data curation, Formal analysis, Investigation, Methodology, Resources, Software, Validation, Visualization, Writing – original draft, and Writing – review & editing).

Conflict of interest statement. The author declares that there is no conflict of interest.

Funding

No external funding sources to declare.

References

Appendix: optimal removal algorithm

Using the Simulated Annealing (SA) optimization algorithm [93], select at random, sets of players to remove from the simulator’s WTS network—each time computing the per-year poaching rate. Stop performing these random draws when a set is found that causes the largest predicted drop in this rate. A candidate set of m players to remove is formed by randomly selecting r < m “swap-in” players from the current set of m “swapped-out” players, and an equal number of “swap-out” players from the current WTS network—and then removing from the network, these r “swap-out” players, and putting back into the network these r “swap-in” players.