Printed with permission from Syngress, a division of Elsevier. Copyright 2008. “Scene of the Cybercrime, 2e” by Debra Littlejohn Shinder and Michael Cross. For more information about this title and other similar books, please visit www.elsevierdirect.com.
Today we live and work in a world of global connectivity. We can exchange casual conversation or conduct multimillion-dollar monetary transactions with people on the other side of the planet quickly and inexpensively. The proliferation of personal computers, easy access to the Internet, and a booming market for related new communications devices have changed the way we spend our leisure time and the way we do business.
The ways in which criminals commit crimes are also changing. Universal digital accessibility opens up new opportunities for the unscrupulous. Millions of dollars are lost by both businesses and consumers to computer-savvy criminals. Worse, computers and networks can be used to harass victims or set them up for violent attacks—even to coordinate and carry out terrorist activities that threaten us all. Unfortunately, in many cases law enforcement agencies have lagged behind these criminals, lacking the technology and the trained personnel to address this new and growing threat, which has been aptly termed cybercrime.
Even though interest in and awareness of the cybercrime phenomenon have grown in recent years, many Information Technology (IT) professionals and law enforcement officers have lacked the tools and expertise needed to tackle the problem. To make matters worse, old laws didn’t quite fit the crimes being committed, new laws hadn’t quite caught up to the reality of what was happening, and there were few court precedents to look to for guidance. Furthermore, debates over privacy issues hampered the ability of enforcement agents to gather the evidence needed to prosecute these new cases. Finally, there was a certain amount of antipathy—or at the least, distrust—between the two most important players in any effective fight against cybercrime: law enforcement agents and computer professionals. Yet close cooperation between the two is crucial if we are to control the cybercrime problem and make the Internet a safe “place” for its users.
Law enforcement personnel understand the criminal mindset and know the basics of gathering evidence and bringing offenders to justice. IT personnel understand computers and networks, how they work, and how to track down information on them. Each has half of the key to defeating the cybercriminal. This book’s goal is to bring the two elements together, to show how they both can and must work together in defending against, detecting, and prosecuting people who use modern technology to harm individuals, organizations, businesses, and society.
Cybercrime is a broad and generic term that refers to crimes committed using computers and the Internet, and can generally be defined as a subcategory of computer crime. If this sounds strange, consider that whether someone commits Internet fraud or mail fraud, both fall under a larger category of fraud. The difference between the two is the mechanism that was used to victimize people. Cybercrime refers to criminal offenses committed using the Internet or another computer network as a component of the crime. Computers and networks can be involved in crimes in several different ways:
• The computer or network can be the tool of the crime (used to commit the crime)
• The computer or network can be the target of the crime (the “victim”)
• The computer or network can be used for incidental purposes related to the crime (for example, to keep records of illegal drug sales)
While it is useful to provide a general definition to be used in discussion, criminal offenses consist of specific acts or omissions, together with a specified culpable mental state. To be enforceable, laws must also be specific. In many instances, pieces of legislation contain definitions of terms. This is necessary to avoid confusion, argument, and litigation over the applicability of a law or regulation. These definitions should be as narrow as possible, but legislators don’t always do a good job of defining terms (and sometimes don’t define them at all, leaving it up to law enforcement agencies to guess, until the courts ultimately make a decision).
To illustrate this, we can look at the Council of Europe’s Convention on Cybercrime treaty, which can be viewed at http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm. The treaty attempts to standardize European laws concerning crime on the Internet, but one of the biggest criticisms of the treaty is its use of overly broad definitions. For example, the definition of the term service provider is so vague that it could be applied to someone who sets up a two-computer home network, and the definition of computer data, because it refers to any representation of facts, information, or concepts in any form suitable for processing in a computer system, would include almost every possible form of communication, including handwritten documents and the spoken word (which can be processed by handwriting and speech recognition software). Likewise, the U.S. Department of Justice (DoJ) has been criticized for a definition of computer crime that specifies “any violation of criminal law that involved the knowledge of computer technology for its perpetration, investigation, or prosecution” (reported in the August 2002 FBI Law Enforcement Bulletin). Under such a definition, virtually any crime could be classified as a computer crime, simply because a detective might have searched a computer database as part of conducting an investigation.
Another factor that makes a hard-and-fast definition of cybercrime difficult is the jurisdictional dilemma. Laws in different jurisdictions define terms differently, and it is important for law enforcement officers who investigate cybercrime, as well as network administrators who want to become involved in prosecuting cybercrimes that are committed against their networks, to become familiar with the applicable laws. In the case of most crimes in the United States, that means getting acquainted with local ordinances and state statutes that pertain to the offense. Generally, criminal behavior is subject to the jurisdiction in which it occurs. For example, if someone assaults you, you would file charges with the local police in the city or town where the assault actually took place.
Because cybercrimes often occur in the virtual “place” we call cyberspace, it becomes more difficult to know what laws apply. In many cases, offender and victim are hundreds or thousands of miles apart and might never set foot in the same state or even the same country. Because laws can differ drastically in different geographic jurisdictions, an act that is outlawed in one location could be legal in another.
What can you do if someone in California, which has liberal obscenity laws, makes pornographic pictures available over the Internet to someone in Tennessee, where prevailing community standards—on which the state’s laws are based—are much more conservative? Which state has jurisdiction? Can you successfully prosecute someone under state law for commission of a crime in a state where that person has never been? As a matter of fact, that was the subject of a landmark case, U.S. v. Thomas and Thomas (see the “CyberLaw Review” sidebar in this section).
U.S. v. Thomas and Thomas
Robert and Carleen Thomas, residents of California, were charged with violation of the obscenity laws in Tennessee when a Memphis law enforcement officer downloaded sexually explicit materials from their California Bulletin Board Service (BBS) to a computer in Tennessee. This was the first time prosecutors had brought charges in an obscenity case in the location where the material was downloaded rather than where it originated. The accused were convicted, and they appealed; the appeals court upheld the conviction and sentences; the U.S. Supreme Court rejected their appeal.
Even if the act that was committed is illegal across jurisdictions, however, you might find that no one wants to prosecute because of the geographic nightmare involved in doing so (see the “On the Scene” sidebar in this section for an example of one officer’s experience).
On the Scene
Real Life Experiences
From Wes Edens, Criminal Investigator and Computer Forensics Examiner
Here’s how the typical multijurisdictional case complicates the life of a working police detective. Put yourself in this detective’s shoes: Bob Smith, who lives in your jurisdiction in Oklahoma, reports that he has had some fraudulent purchases on his credit card. In addition, he has been informed that two accounts have been opened using his information via the Internet at two banks: Netbank, based in Georgia, and Wingspan, which was recently bought by Bank One.
The suspect(s) applied for a loan to buy a car in Dallas, Texas. As a result, the suspects changed Bob’s address on his credit profile to 123 Somewhere Street, Dallas. This is a nonexistent address.
In the course of your investigation, you contact Netbank (Georgia) and they inform you that they do not keep Internet Protocol (IP) addresses of people opening accounts online. You obtain a copy of the online credit application. It contains all of Bob Smith’s credit information, but the address is now 321 Elsewhere Street, Dallas. It is also a nonexistent address.
You contact all the companies at which purchases have been made with Bob’s bogus credit cards. Half won’t speak to you unless you have paperwork, and half of those say that the paperwork has to be from a court in the state where they are located, not where you are. Now you have to find police departments in five different states that are willing to help you generate court papers to get records. Since you have filed no charges and the victim (and presumably the suspect) do not live in their jurisdiction, most of these organizations are reluctant to get involved.
You get the paperwork from half of the companies. Of 10, only one actually has an IP address. It is an America Online (AOL) account, which means it could have been accessed from anywhere in the world, further complicating the jurisdictional nightmare, but you press on. You get a subpoena for AOL, requesting the subscriber information for that IP address at that date and time. Three weeks later, AOL informs you that they keep logs for only 21 days, so you’re out of luck because the target IP date and time occurred two months ago.
You run down the 15 phone numbers used on the various suspect accounts and applications. All 15 are different. Three are in Dallas, two in Fort Worth, and the remainder are either disconnected numbers or are in a random spattering of towns across south Texas. There is no apparent connection between any of the numbers. You get the addresses used to ship the purchased items. Every address is different; three are in Dallas, two in Fort Worth. Several are either pay-by-the-week rentals or “flop houses” where people come and go as in a bus station. A couple are mail drops. You subpoena those records, only to find that all the information they contain is bogus.
You decide to visit with your boss and explain to him that you need to travel to another state for a few days to solve this $1500 caper. He listens intently until you start mentioning going to Georgia, Maryland, and Texas. You then tell him you also have three other such cases that involve nine other states, and you’ll probably have to go to all those locations, too. You can hear him laughing as he walks out the door.
You decide to go visit with the DA just for the heck of it. You explain the case thus far, and she asks: What crime was committed here? (Your answer: “Well, none that I know of for sure.”) Does the suspect live here? (Probably not.) Can we show that any exchange of money or physical contact between suspect and victim took place here? (No, not really.) Do you have any idea where the suspect is? (Probably in Texas.) Were any of the purchases made in Oklahoma? (No.) Why are you conducting this investigation? (Because the victim is standing in my office.)
The DA tells you that the victim needs to report this crime to the Texas authorities. You give the victim a list of seven different agencies in Texas, one in Georgia, and one in Maryland. You tell him that he needs to contact them. He calls you back three days later and says that they want him to go to each place to fill out a crime report and he can’t afford to take off two weeks and travel 2000 miles to report that he is a victim. You suggest he call the FBI, even though deep down you know that they are not going to touch a $1500 fraud case.
You give up on that case and pick up the other three identity-theft cases that landed on your desk while you were spinning your wheels on this one. You note that all three were done entirely through the Internet and, like the first one, they all involve a multitude of states.
While we’ll discuss jurisdictional issues in greater depth in Chapter 16, “Building the Cybercrime Case,” it is important that we also take notice of the other edge of this double-edged sword. Legislation in different states or countries may be in direct conflict or diverge from the intent of different laws or constitutional rights. For example, in 2001, a number of non-member States of the Council of Europe signed the Convention on Cybercrime treaty that we discussed earlier. These included Canada, Japan and the United States. The treaty was ratified by the U.S. Senate in 2006 and put into force on January 1, 2007, improving international cooperation in cybercrime investigations. However, this has created some controversy, as the treaty doesn’t require dual criminality, where an act must be criminal under the laws of both countries. This would enable one country to spy on the Internet activities of citizens of another country, where no laws have been broken. Under the terms of the treaty, a service provider would need to cooperate with search and seizures (without reimbursement), and may be prevented from deleting logs or other data related to a person who is law abiding in that country.
While the potential infringement on a person’s rights may seem like something out of George Orwell’s 1984, we would do well to remember that sacrificing privacy and certain freedoms has become a norm in the 21st century. For better or worse, the Internet has largely grown beyond the anonymous free-for-all that was seen in its early years. Fears of terrorism, identity theft, predators on the Internet, and other criminal activity have brought about new laws, and it will take years to iron out the inconsistencies in courts, political debates, and public forums like the Internet. While cybercrime once sounded like the stuff of futuristic science fiction novels, law enforcement, computer professionals, and the general public have grown to recognize it as a contemporary problem.
• The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center, and provides a way to report Internet crimes online. It began as the Internet Fraud Complaint Center (IFCC), and during its first year of operation (between May 2000 and May 2001), its Web site received 30,503 complaints of Internet fraud. Its name was changed to reflect the broadened scope of Internet crimes, and in June 2007 it received its one millionth complaint, with 461,096 of the cases reported to it being referred to federal, state and local law enforcement. These cases reflected an estimated loss of $647.1 million, or a median loss of $270 per complainant. Annual reports containing these figures can be found on the IC3 Web site (www.ic3.gov/media/annualreports.aspx).
• In their 2007 Annual Report, the IC3 reported that the majority of cybercrime complaints (44.9%) involved cases of Internet auction fraud, where people would bid online for various items. Of these complaints 19% involved situations where people had paid for items but never received the merchandise, or where the merchandise had been sent to a bidder and payment was never received. (www.fbi.gov/majcases/fraud/internetschemes.htm)
• According to the Computer Security Institute’s Computer Crime and Security Survey for 2007, 494 computer security professionals in U.S. corporations, government agencies, universities, financial and medical institutions reported that fraud was the greatest source of financial losses, with losses resulting from virus attacks falling into second place for the first time in seven years. In addition to this, 29% of the organizations suffered a computer intrusion that they reported to law enforcement. (www.gocsi.com)
• According to the Cybersnitch Voluntary Online Crime Reporting System, the most reported Internet-related crime is child pornography, with other crimes ranging from desktop forgery to such potentially violent crimes as electronic stalking and terrorist threats. (A full list of reported cybercrimes is available at www.cybersnitch.net/csinfo/csdatabase.asp.)
Charting the Online Population
While it is difficult to have an accurate total for the number of people using the Internet, the Web site www.internetworldstats.com estimates that by the end of 2007, there were 1,319,872,109 people online. The CIA World Factbook (https://www.cia.gov/library/publications/the-world-factbook/fields/2153.html) reveals the increase in Internet users, showing that two years earlier, there were only 1,018,057,389 people online. The CIA also provides a breakdown of users by country, showing that the European Union, United States and China have the largest number of Internet users in the world. As the global population becomes more and more “connected,” the opportunities for criminals to use the Net to violate the law will expand, and cybercrime will touch more and more lives.
Although almost anyone has the potential to be affected by cybercrime, two groups of people must deal with this phenomenon on an ongoing basis:
• Information technology professionals, who are most often responsible for providing the first line of defense and for discovering cybercrime when it does occur
• Law enforcement professionals, who are responsible for sorting through a bewildering array of legal, jurisdictional, and practical issues in their attempts to bring cybercriminals to justice
Although it is imperative to the success of any war against cybercrime that these two groups work together, often they are at odds, as neither has a real understanding of what the other does or of the scope of their own roles in the cybercrime-fighting process. Police may have misgivings about civilians being involved in an investigation, while private sector businesses may want to avoid bad publicity or the headache of being ensnared in legal processes. These and other issues hinder the efforts to catch and prosecute cybercriminals, and create an atmosphere where cybercrime can thrive.
Differentiating Crimes That Use the Net from Crimes That Depend on the Net
In many cases, crimes that we would call cybercrimes under our general definition are really just the “same old stuff,” except that a computer network is somehow involved. That is, a person could use the Internet to run a pyramid scheme or chain letters, set up clients for prostitution services, take bets for illegal gambling, or acquire pornographic pictures of minors. All these acts are already criminal in certain jurisdictions and could be committed without the use of the computer network. The “cyber” aspect is not a necessary element of the offense; it merely provides the means to commit the crime. The computer network gives criminals a new way to commit the same old crimes. Existing statutes that prohibit these acts can be applied to people who use a computer to commit them as well as to those who commit them without the use of a computer or network.
In other cases, the crime is unique and came into existence with the advent of the Internet. Unauthorized access is an example; while it might be likened to breaking and entering a home or business building, the elements that comprise unauthorized computer access and physical breaking and entering are different. By statutory definition, breaking and entering generally requires physical entry onto the premises, an element that is not present in the cyberspace version of the crime. Thus, new statutes had to be written prohibiting this specific behavior.
Theft of Intangible Property
Theft of intangible property, such as computer data, poses a problem under the traditional theft statutes of many U.S. jurisdictions. A common statutory definition of theft is “unlawful appropriation of the property of another without the effective consent of the owner, with the intent to deprive the owner of the property.” (This definition is taken from the Texas Penal Code, Section 31.03.)
This definition works well with tangible property; if I steal your diamond necklace or your new Dell laptop, my intent to deprive you of the use of the property is clear. However, I can “steal” your company’s financial records or the first four chapters of the great American novel you’re writing without depriving you of the property or its use at all. If I were prosecuted under the theft statute, my defense attorney could argue that the last element of the offense wasn’t met. This is the reason new statutes had to be written to cover theft of intangible or intellectual properties, which are not objects that can be in the possession of only one person at a time.
“Traditional” intellectual property laws (copyright, trademark, and the like) are civil laws, not prosecuted in criminal court other than under special newer laws pertaining to only narrowly defined types of intellectual property such as software and music. Some federal laws prohibit theft of data, but the FBI and federal agencies have jurisdiction only in certain circumstances, such as when the data is stolen from federal government computers or when it constitutes a trade secret. In most cases, it’s up to the state to prosecute. States can’t bring charges under federal law, only under their state statutes. Until recently, many states didn’t have statutes that covered data theft because it didn’t fit under traditional theft statutes and they didn’t have “theft of intellectual property” statutes.
Working Toward a Standard Definition of Cybercrime
Why is it so important for us to develop a standard definition of cybercrime? Unless we all use the same—or at least substantially similar—definitions, it is impossible for IT personnel, users and victims, police officers, detectives, prosecutors, and judges to discuss the offense intelligently. As we saw when discussing the European Convention on Cybercrime treaty, poor or omitted definitions of technology can create issues that can impact the rights and business practices of law-abiding citizens. In addition to this, as we’ll discuss later in this chapter, it is impossible to collect meaningful statistics that can be used to analyze crime patterns and trends. If we can’t agree on what something is, then we can’t compile statistics on it.
Crime analysis allows agencies to allocate resources more effectively and to plan their own strategies for responding to problems. It is difficult for agency heads to justify the need for additional budget items (specialized personnel, training, equipment, and the like) to appropriations committees and governing bodies without hard data to back up the requests. Standard definitions and meaningful statistical data are also needed to educate the public about the threat of cybercrime and involve communities in combating it. Crime analysis is the foundation of crime prevention; understanding the types of crime that are occurring, where and when they are happening, and who is involved is necessary in order to develop proactive prevention plans.
Even though we have no standard definitions to invoke, let’s look at how cybercrime is defined by some of the most prominent authorities.
U.S. Federal and State Statutes
We have already mentioned the somewhat broad definition of computer crime adopted by the U.S. Department of Justice. Individual federal agencies (and task forces within those agencies) have their own definitions. For example, the FBI investigates violations of the federal Computer Fraud and Abuse Act, which lists specific categories of computer and network-related crimes:
• Public switched telephone network (PSTN) intrusions
• Major computer network intrusions
• Network integrity violations
• Privacy violations
• Industrial/corporate espionage
• Software piracy
• Other crimes in which computers play a major role in committing the offense
USA PATRIOT Act and Protect America Act
Many aspects of the Computer Fraud and Abuse Act were amended by the USA PATRIOT Act, which increased penalties and allowed the prosecution of individuals who intended to cause damage, as opposed to those actually causing damage. USA PATRIOT is an acronym for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism. As its clumsy and cumbersome title indicates, it was created after the September 11, 2001 terrorist attacks on the United States, and pushed through the U.S. Senate to give law enforcement enhanced authority over monitoring private communications and accessing personal information.
Another Act that was signed into law by President Bush in August of 2007 is the Protect America Act (nicknamed by many as PATRIOT II). It also provides greater authority to law enforcement, and allows the government to perform such actions as:
• Access the credit reports of a citizen without a subpoena
• Conduct domestic wiretaps without a court order for 15 days after an attack on the United States or congressional authorization of use of force
• Criminalize the use of encryption software used in the commission or planning of a felony
• Extend authorization periods used for wiretaps or Internet surveillance
The focus of the Protect America Act was to update the Foreign Surveillance Act and deal with shortcomings in the law that don’t address modern technology. However, these Acts were controversial enough to require the U.S. Department of Justice to create www.lifeandliberty.gov, a Web site designed to provide information and disclaim arguments against these two Acts.
Title 18 of the U.S. Code, in Chapter 47, Section 1030, defines a number of fraudulent and related activities that can be prosecuted under federal law in connection with computers. Most pertain to crimes involving data that is protected under federal law (such as national security information), involving government agencies, involving the banking/financial system, or involving intrastate or international commerce or “protected” computers. Defining and prosecuting crimes that don’t fall into these categories usually is the province of each state.
Most U.S. states have laws pertaining to computer crime. These statutes are generally enforced by state and local police and might contain their own definitions of terms. For example, the Texas Penal Code’s Computer Crimes section (which is available to view at http://tlo2.tlc.state.tx.us/statutes/pe.toc.htm) defines only two offenses:
• Online Solicitation of a Minor (Texas Penal Code Section 33.021)
• Breach of Computer Security (Texas Penal Code Section 33.02), which is defined as “knowingly accessing a computer, computer network, or computer system without the effective consent of the owner.” The classification and penalty grade of the offense is increased according to the dollar amount of loss to the system owner or benefit to the offender.
Section 502 of the California Penal Code, on the other hand, defines a list of eight acts that constitute computer crime, including altering, damaging, deleting, or otherwise using computer data to execute a scheme to defraud; deceiving, extorting, or wrongfully controlling or obtaining money, property, or data; using computer services without permission; disrupting computer services; assisting another in unlawfully accessing a computer; or introducing contaminants (such as viruses) into a system or network. Additional sections of the penal code also address other computer and Internet-related crimes, such as those dealing with child pornography and other crimes that may incorporate the use of a computer. However, as stated earlier, these are not necessarily dependent on the use of computers or other technologies.
Depending on the state, the definition of computer crime under state law differs. Once again, the jurisdictional question rears its ugly head. If the multijurisdictional nature of cybercrime prevents us from even defining it, how can we expect to effectively prosecute it?