Cybercrime

08.24.13

Who’s Policing the Internet Police?

Are law enforcement officers invading our privacy and bending the rules when they take to the Internet to fight crime?

A woman, home alone at night, receives an instant message from a mysterious stranger who claims to know her. He accurately describes the room she’s sitting in, gives her some personal details that no one else could possibly be privy to, and, as her horror mounts, sends her private nude photos of herself, threatening to release them if she doesn’t engage in cyber sex with him. When she messages her boyfriend, the stranger can read her screen. When she contacts campus security, the stranger can hear their conversation. The calls, as the story goes, are coming from inside the house.

Far from campfire fiction, this real-life incident is one of the many described by Nate Anderson in his first book, The Internet Police, in which he records a thorough history of the constantly evolving chess match between those who would use the Internet for all manner of mischief, and the people who try to stop them. As a chronicler of digital crime, Anderson, writer and senior editor at tech news outfit Ars Technica, is well-versed in the ways that bad guys can use the Internet to steal from or otherwise harm their victims, but the book is hardly a call to invest the authorities with expanded powers to combat them. Using cases that range from the fall of young Russian spam-kings to the takedown of wildly fraudulent online snake-oil salesmen (remember Enzyte?), Anderson shows how the growth of Internet technology is outstripping not only the laws created to govern it, but even the understanding of how existing laws should be applied. Consensus on how big-time rights, such as that to privacy, should be applied to modes of communication like the mail and telephone was hard-fought but has served us well for many years. In this new landscape, though, we need to be equally vigilant against the ‘bad guys’ expanding their access into our bank accounts as we are against the ‘good guys’ expanding their ability to monitor and control us.

Take the incident mentioned above: The bogeyman in this case was a paraplegic misanthrope who used remote access tool (RAT) software that gave him complete control over his victim’s computer, allowing him to turn on her webcam, listen to her through the computer’s microphone, and see everything that happened on her screen. It is a scary enough proposition in the hands of an Internet misfit, but law enforcement has access to very similar capabilities, as one Ohio woman learned in 2008, when a police officer showed up on her doorstep holding printouts of her intimate chat logs and topless photos of her taken through her own webcam. She had purchased a laptop from someone who turned out to have stolen it, and when the recovery software that was installed on the machine was activated, investigators had the same access to her personal life as net-savvy sexual predators. (They, in fact, exhibited similar behavior, in using those photos and logs to traumatize and elicit a reaction. An invasion of privacy lawsuit was settled right before it would have gone to trial.) A stolen laptop was recovered, yes, but one would have to exhibit a particularly long Orwellian streak to consider it a complete victory for justice.

Or take the example of Enzyte, the “natural male enhancement pill” the commercials for which, featuring the perpetually-enhanced “Smiling Bob,” were ubiquitous in the mid-2000s. If you were a customer (and surely you, male reader, were not), you would have probably noticed two things: first, that your maleness was probably not enhanced. The herbal faux-pharmaceuticals were advertised as formulated by two different doctors who, it would be discovered on the witness stand, simply did not exist. The second thing you would notice was that your credit card had been entered into a re-enrollment program that billed you for a new shipment of Enzyte every two months, even though you were not told, and even, in some cases, if you had expressly declined. Using these and other shady business practices, Steven Warshak, the company’s owner, was able to rake in massive sales—$250 million in 2004 alone.

Warshak’s empire was eventually felled by his own private emails, which display a near farcical level of fraudulence. (In one, he explained to employees how he came up with his creative marketing strategies: “GET 3-4 BOTTLES OF WINE… THEN SIT AROUND AND MAKE SHIT UP!! THAT’S WHAT I DO.”) 27,000 emails were seized by government investigators. There was only one problem: they hadn’t had a warrant. What they had done instead of seizing Warshak’s computer or tapping his Internet connection was to simply send a letter to his Internet provider, NuVox, and instruct them to preserve and cache copies of all of his future mail. Later, with court orders but still without warrants, they simply retrieved this key, gift-wrapped evidence. As Anderson rightfully asks, “If the government had to get warrants to open a suspect’s postal mail or to search his home, why didn’t [they] need a warrant to seize e-mail stored on a third-party server? Wasn’t this an ‘unreasonable search and seizure’ under the Fourth Amendment?”

Federal appellate judges agreed, in a decision based largely on the common-sense intuition that just because an email is transferred through a third-party server does not mean that the sender expects those emails to be transmitted into the public sphere. A good decision for you and me and those who would expect that the government not have unfettered access to our private communications; less good for Warshak, who still received a long prison sentence and massive fines. The court upheld his original conviction, stating that the violation of his constitutional rights had been “mostly harmless.”

The real conflict on the cybercrime stage is the ideological debate between two camps: Internet exceptionalists and non-exceptionalists. Exceptionalists believe that due to the uniquely chaotic properties of the Internet, the laws governing it and how it is policed should necessarily be fundamentally different from the policing of crime in the physical sphere. Their non-exceptionalist counterparts simply believe that crime is crime is crime, and that to think otherwise is little more than sophistry, a surrender to clear-cut illegality such as intellectual property theft. Anderson gives a fair shake to both sides. The Internet doesn’t dilute the moral or social culpability of the crimes that it’s used to commit, but to employ traditional methods to fight them would be quixotic. You can be an exceptional non-exceptionalist about this: Internet crime is functionally, if not metaphysically, different from regular crime, but it’s so pervasive that the role of “Internet police” must fall to the plain old police. As connectivity becomes more and more essential to the everyday functioning of citizens, corporations, and nations, “Internet crime” will seem less and less like a special designation. For now, you may want to take the example of many of those who work in Internet security, and put a piece of tape over your webcam.

Concerns over lesser crimes and police indiscretion seem almost quaint, though, when one considers that the Internet is now an essential tool not only for communication and commerce but for revolution and war. On this larger scale, the action is less Law and Order and more Mission Impossible. (In the Internet security world, sensitive data is often spoken of as being “exfiltrated,” like a freed hostage being hustled toward a Blackhawk.) We have seen how valuable tools such as Twitter and Facebook have been in overthrowing unpopular regimes in just the last few years, and those leaders with an interest in keeping their citizens from organizing have taken note. During the 2011 Tunisian protests against authoritarian leader Ben Ali, the government, which required all citizens to access the Internet internationally through a central hub, was able to slip in a small bit of code as information traveled between Facebook and those who were trying to access it, without directly hacking either party. The surreptitious program gathered the protesters’ passwords, and they were locked out. This was all done using “packet-sniffing” technology—so named for its ability to monitor a large amount of flowing information while only altering specific targets—largely pioneered by the FBI. There are some restrictions against the exportation of these technologies, but that didn’t stop the Syrian government from obtaining packet-sniffers developed by a California company. Ask yourself: when a government is in the business of repressing its people, what’s more valuable? A shipment of jet fighters, or behavior-tracking software?

We often hear of the “democratizing” power of the Internet, but the diffusion of power to the people does not follow necessarily from increased technology. We need Internet police, to be sure; the commons, whether in physical or digital space, is both a tool towards and a reward of freedom, and needs to be protected. But as all long-standing democracies have learned, it is just as important that the police be policed, Internet or otherwise. Who exactly that task should fall to remains to be seen.