Cover Story US
News & World Report
Policing Cyberspace
By Vic Sussman 1-23-95
Cops want more power to fight cybercriminals. As their
techno-battle escalates, what will happen to American traditions of privacy
and property?
If ever a buzzword buzzed too much for traditionbound law enforcement,
it's cybercop. It kicks up images of the clanking earnestness of a laser-guided
RoboCop. Agents snickered when senior instructor Kevin
Manson first used the word a couple of years ago at the Federal
Law Enforcement Training Center near Brunswick, Ga. Nobody at FLETC laughs
much anymore. They are too busy training cybercops. "The day is coming
very fast," says FLETC's director, Charles Rinkevich, "when every cop will
be issued a badge, a gun and a laptop."
Adding a high-speed modem, cellular phone, cryptography textbooks
and a bulletproof vest to that arsenal might also be prudent because "crime
involving high technology is going to go off the boards," predicts FBI
Special Agent William Tafoya, the man who created the bureau's home page
on the Internet, the worldwide computer network. "It won't be long before
the bad guys outstrip our ability to keep up with them." These crimes are
worrisome precisely because they use the advantages of cyberspace that
have made it a revolutionary, liberating form of communication: its ability
to link millions of computer and modem owners around the world; its technological
breakthroughs, such as digital encoding, that allow average citizens to
use sophisticated encryption to protect their data, and its wide-open culture,
where cops and other agents of government are more often than not thought
to be the enemy.
No one knows exactly how much computer crime there really is,
though FLETC's experts agree that the damage starts in the billions of
dollars and will surely surge upward. The size and scope of cybercrimes
are limited only by the bad guys' imagination, technical skill and gall.
But here are the crimes that worry authorities the most:
White-collar crime. Virtually every white-collar crime has a computer
or telecommunications link, says Carlton Fitzpatrick, branch chief of FLETC's
Financial Fraud Institute. Sometimes the crimes are simple, such as the
case ofthe bookkeeper at a bicycle store who frequently entered incoming
checks as returned merchandise, then cashed the checks. Even more damaging
are cases involving skilled computerists. The FBI says that Kevin Mitnick,
currently America's most wanted computer criminal, has stolen software
from cellular-phone companies, caused millions of dollars in damage to
computer operations and boldly tapped FBI agents' calls.
Theft. Given the expanse of computer networks, even seemingly
small crimes can have big payoffs. "Salami slicing," for example, involves
a thief who regularly makes electronic transfers of small change from thousands
of accounts to his own. Most people don't balance their ledgers to the
penny, so the thief makes out, well, like a bandit. A more targeted approach
involves pilfering industrial secrets. Last November, someone infiltrated
Internet-linked computers owned by General Electric and stole research
materials and passwords.
Stolen services. Swiping and reselling long-distance calling codes
is a big business, says Bob Gibbs, a Financial Fraud Institute senior instructor,
as is breaking into private phone networks and selling long-distance access.
One university discovered this the hard way when its monthly phone bill,
a staggering $200,000, arrived in a box instead of an envelope. Smuggling.
Drug dealers launder their proceeds through cyberspace and use the Internet
to relay messages. Moreover, they cover up secret communications by cracking
into corporate voice-mail systems and by operating their own cellular-telephone
networks. Terrorism. Since computers are the nerve centers of the world's
financial transactions and communications systems, there are any number
of nightmarish possibilities. Authorities especially worry that a cracker
-- cyberspeak for a malevolent hacker -- might penetrate FedWire, the Federal
Reserve's electronic funds-transfer system, or vital telephone switching
stations. Key New York phone systems did go down temporarily in 1992, and
though it has been chalked up to a software problem, some FLETC cybercops
still wonder if it didn't involve a cracker testing his muscles.
Child pornography. There is a lot of it out there. Jefferson County,
Ky., police Lt. Bill Baker broke a major kiddie-porn ring in England even
though he never left Kentucky. An E-mailed tip from a source in Switzerland
led Baker to an Internet site in Birmingham, England. After about three
months of investigation that involved downloading 60 pages of file names
related to child porn and 400 images, Baker called on Interpol, New Scotland
Yard and police in Birmingham, who arrested the distributor. To combat
once and future cybercrimes, FLETC's Financial Fraud Institute conducts
some 14 programs, regularly updated to keep pace with wrinkles in crime.
Agents learn how to analyze evidence, track credit card fraud and apply
constitutional search-and-seizure techniques when they find evidence of
crimes on computer bulletin board systems, or BBSs. This is a new world
for law enforcement, says Dan Duncan, a FLETC Legal Division senior instructor,
because "cops have always followed a paper trail, and now there may not
be one."
When they start rooting around for crime, new cybercops are entering
a pretty unfriendly environment. Cyberspace, especially the Internet, is
full of those who embrace a frontier culture that is hostile to authority
and fearful that any intrusions of police or government will destroy their
self-regulating world. The clash between the subculture of computerists
and cops often stems from law enforcement's inexperience. The Internet
buzzes with stories of cops who "arrest the equipment" by barging into
BBS operations to haul off all the electronic gear, as ifthe machines possessed
criminal minds.
Still, keeping up with wise guys in cyberspace will tax the imaginations
and budgets of law enforcement agencies and put revolutionary pressures
on America's notions of privacy, property and the limits of free speech.
The rights of everyone are at stake. What follows is a look at perhaps
the most crucial issues that will emerge as a profoundly new chapter in
human communication unravels.
INVASIONS OF PRIVACY
Once upon a time, only Santa Claus knew whether you had been good or
bad. But jolly supernaturalism has been supplanted by aggressive data processing:
Your chances of finding work, getting a mortgage or qualifying for health
insurance may be up for grabs, because almost anybody with a computer,
modem and telephone can surf through cyberspace into the deepest recesses
of your private life. A fairly accurate profile of your financial status,
tastes and credit history can be gleaned from such disparate things as
your ZIP code, Social Security number and records of credit-card usage.
Even more personal information will be available as commercial
transactions increase through online services. And that raises the most
pressing cyberspace issues for everyday Americans, says Phil Agre, a communications
professor at the University of California at San Diego. Such transactions
will increase as the Internet grows more popular. Those records, enriched
with demographic information and perhaps Social Security numbers, will
be routinely sold to marketers, says Agre. He asks: "Who will have access
to the complete transaction data?"
Suppose you have a history of buying junk food or large amounts
of over-the-counter drugs. Could an insurance company obtain that information
and decide you are a poor health risk? If records showing purchases of
cigarettes, liquor and red meat were collated with your medical records,
would the picture look even worse? Computer networking and sophisticated
data processing are making it easier and cheaper for businesses and the
government to collect such personal data, says Esther Dyson, of EDventure
Holdings, which observes the computer industry. "It's really simple to
call up amazing stuff about anybody," she says. But legal access to data
is only part of the problem. Another difficulty is unauthorized peeking
into personal records, which Dyson says occurs with alarming regularity
because company safeguards are often laughable. Knowing a person's Social
Security number is usually enough to get into medical and financial records.
A second problem is that wrong and harmful "facts" can creep into the databases.
Malicious tipsters can poison a person's record with innuendo, and it takes
much effort to correct the mistake.
In this environment, it is virtually inevitable that Americans
will demand stronger privacy protections. The United States has a law barring
release of video rental records but no strong laws against scanning personal
medical data. "Many European countries have privacy commissions, and they
find it strange that we don't," notes Anne Branscomb, author of Who Owns
Information? and a law professor at the University of Pennsylvania. She
urges laws that give citizens the right to control data about themselves.
The new Congress will soon begin deliberations over proposals that would
offer privacy protections for Americans' medical, credit and telecommunications
data. Similar proposals have not gotten off the ground in previous Congresses,
but handicappers say passage of a bill limiting the release of confidential
medical records is much more likely in this Congress as is a measure to
limit online service providers' ability to sell membership data. The potent
telemarketing industry probably has the power, though, to soften a proposal
barring the sale of personal data to commercial vendors without a person's
consent, according to Evan Hendricks, publisher of the newsletter Privacy
Times.
ENCRYPTING DATA
Cybercops especially worry that outlaws are now able to use powerful
cryptography to send and receive uncrackable secret communications. That
could make some investigations impossible and create a breed of "cryptocriminals,"
says FLETC's Manson. But there is widespread agreement across the Internet
and among entrepreneurs hoping to do business in cyberspace that cryptography
is necessary for privacy in a networked universe. Besides businesses, which
will need cryptography for transmitting sensitive information, the other
market for cryptography is the millions who use electronic mail. "Without
encryption, E-mail is no more secure than a postcard," says cryptographer
Bruce Schneier, author of E-mail Security: How to Keep Your Electronic
Messages Private. E-mail passes from machine to machine, and many people
in the middle can read it. Systems are also vulnerable to break-ins, and
passwords are commonly stolen. Some may decide they don't need the high
level of privacy cryptography affords, especially given the additional
effort encrypting data requires. But as Internet communication becomes
common, people will want private contact with business associates, physicians,
attorneys, accountants and lovers.
The increasing use of encryption leaves cops in the lurch unless
they have a way to break the code. "We are totally, enthusiastically supportive
of encryption technology for the public," says Jim Kallstrom, the FBI special
agent in charge of the Special Operations Division in the New York office.
"We merely think that criminals, terrorists, child abductors, perverts
and bombers should not have an environment free from law enforcement or
a search warrant. I think most victims of crime agree." Kallstrom sees
the Clipper chip -- which is supposed to offer phone privacy to consumers
while providing police access -- as a good way to give the public powerful
encryption while still preserving law enforcement's ability to conduct
electronic surveillance. The FBI won a round last year when Congress passed
the Digital Telephony Act, which requires future telecommunications systems
to be accessible to wiretaps. But officials have not persuaded Congress
or industry to back Clipper. Many opponents agree with the Electronic Privacy
Information Center's Marc Rotenberg, who calls Clipper part of the "Information
Snooperhighway."
Law enforcers are also deeply worried about another aspect of cyberspace
that offers absolute anonymity to anyone who wants it. Anonymous re-mailers
-- free E-mail forwarding sites in Europe and elsewhere -- can convert
return addresses to pseudonyms and render E-mail untraceable. Anonymity
is crucial for whistleblowers and people expressing unpopular views against
repressive governments, but it raises other problems, says the FBI's Tafoya.
Anonymous re-mailers outside the reach of American authorities are being
used by electronic vandals to bedevil their victims with threatening messages
or "mail bombs" composed of thousands of gibberish messages. They either
clog a victim's mailbox or jam his computer system. Child pornographers
also use anonymous re-mailers.
The simple truth, though, is that no legislative act can stop
the spread of cryptography, according to Lance Hoffman, a computer-security
expert and professor at George Washington University. "There are 394 foreign
encryption products; over 150 use DES -- strong encryption," says Hoffman.
"And all are legal to import."
Cryptography will become even more popular once cybersurfers discover
digital cash, which is the electronic equivalent of real money that resides
in a computer. David Chaum, the developer of DigiCash, a Dutch-owned company,
says his creation combines the benefits of anonymous legal tender with
the speed and convenience of online commerce. There is no risky exchange
of credit-card information. DigiCash is electronically transferred like
actual cash, while powerful cryptography makes it theft- and counterfeit-proof,
says Chaum. DigiCash can prevent consumers' names and personal habits from
funneling into databases. Schneier thinks the enhanced confidentiality
of electronic lucre will be good for society, but suggests that "criminals
will love digital cash. Anybody can use it to transfer money for legal
or illegal purposes." Many people believe the widespread use of E-cash
will be one more aspect of the Internet that erodes the power of central
government control.
FREEDOM OF SPEECH
The advent of space-age telecommunications raises enormous questions
about the future of government regulation of media. Though the First Amendment
asserts there should be no law abridging freedom of speech or the press,
there have been laws aplenty in the last three generations that regulate
speech on new kinds of technology. Different restrictions apply to telephones,
radio and TV stations and cable TV. But cyberspace is a convergence of
media and the blurring of distinctions between transmission modes. "With
the advent of fiber-optic [cables], it is conceivable that a single transmission
medium could become the conduit for newspapers, electronic mail, local
and network broadcasting, video rentals, cable television and a host of
other information services," says Robert Corn-Revere, a former Federal
Communications Commission official who now practices First Amendment law.
He argues that the day is passing when government can justify licensing
and regulating media.
Modern telecommunications knows no borders and has few limits.
For the first time in history, almost every recipient of information has
the potential to become a publisher of information, says Jonathan Emord,
an attorney and author of Freedom, Technology and the First Amendment.
The liberating potential of that technology is exhilarating as it unleashes
information and breaks down communications hierarchies. But it also creates
a situation where Americans can be offended or otherwise victimized by
information from people sitting at computers in foreign lands beyond the
reach of U.S. authorities. "Right now, cyberspace is like a neighborhood
without a police department," says FLETC's Fitzpatrick.
One of the most pressing dangers, says Fitzpatrick, is that people
bound by hate and racism are no longer separated by time and distance.
They can share their frustrations at nightly, computerized meetings. "What
some people call hate crimes are going to increase, and the networks are
going to feed them," predicts Fitzpatrick. "I believe in the First Amendment.
But sometimes it can be a noose society hangs itself with." Of course,
the antidote to offensive speech, noted Supreme Court Justice Louis Brandeis,
is more speech, and the Internet is still an equal-opportunity soapbox.
Messages on public bulletin boards can be challenged and rebutted, which
widens debate. Moreover, users can go where they choose on the Internet.
So, those offended by discussions are always free to start their own groups.
Of all the material floating between computers, pornography best
illustrates the difficulties of trying to apply old rules and laws to cyberspace.
Late last year, a jury in Memphis, Tenn., convicted a Milpitas, Calif.,
couple of violating obscenity laws. Using a computer and modem in Memphis,
a postal inspector downloaded pictures from the couple's California-based
BBS. The couple were tried in Memphis, and a jury found that the pictures
violated local community standards. But the pictures, which existed only
as data stored on a hard drive, were voluntarily extracted from a computer
sitting in a community where the images were not illegal. People create
their own communities in cyberspace, based on affinity rather than geography.
This means the courts will have to unravel when, where and how potential
crimes should be investigated.
Ultimately, there are no easy solutions to such problems because
the First Amendment, designed to protect offensive speech, has always cut
both ways: It encourages robust and healthy discussion, but it also allows
everyone a platform. Mike Godwin, legal counsel for the Electronic Frontier
Foundation, which promotes civil liberties in cyberspace, says: "I think
we're still in the turmoil that comes when a new medium is presented to
the public and to the government. There's a tendency to first embrace it
and then to fear it. And the question is, how will we respond to the fear?"
INTELLECTUAL PROPERTY
John Perry Barlow, an Internet visionary, kicked up controversy last
year when he suggested in a widely read Wired magazine article that traditional
notions of copyright were dead in cyberspace. "Digital technology is detaching
information from the physical plane," he wrote, "where property law of
all sorts has always found definition." The government's top copyright
officer, Marybeth Peters, partially concedes the point, saying, "The Internet
is the world's biggest copying machine." But she says that doesn't mean
copyright is useless, just that it needs to work differently in a world
where "property" is as evanescent as dots of light dancing on a computer
screen.
One way, suggests Peters, will be to provide access to data only
to those who pay. An example is WestLaw, an online law database. Students
use an electronic card that gives them access to the system, and their
law school pays the fee. Other information systems now being developed
use encryption, selling the access key to users. But once someone gets
a first look at data, sound or graphics files, it is easy to make copies
-- an economic nightmare for software developers.
Trade war. Ken Wasch, executive director of the Software Publishers
Association, says pirated software costs the industry $9 billion a year.
The issue is hot enough to spark a U.S.-China trade war. The Clinton administration
recently threatened to raise tariffs on some Chinese products unless China
stops its global trade in illegally copied CDs, books, movies and computer
software.
Wasch believes copyright law is elastic enough to protect material
regardless of media, and that software should be protected as a "literary
work." But he agrees that some updating is in order: "We don't want to
criminalize someone giving a copy to another person." But a recent court
case shows how complicated the issues are: Late last month, a U.S. District
Court judge in Boston dismissed charges of wire fraud against an MIT student
who ran a bulletin board allowing users to extract copies of more than
$1 million in software at no charge. While calling the student's actions
"heedlessly irresponsible," the judge said the government's charges would
make even legitimate copying, such as that done for backup purposes, illegal.
Intellectual-property expert Branscomb agrees. "You cannot take an old
law intended for telegraphy and telephony and turn it into a mechanism
for criminalizing behavior that Congress has not addressed directly," she
said.
The only solid protection for ideas flying through cyberspace
is their originality and style, which was the point of copyright in the
first place, maintains Internet guru Barlow. If you are creative and have
something worthwhile to say, the public "will to pay to hear your latest
thoughts or your latest research. Value comes back to you by increasing
your celebrity and people's awareness of your work," he says. Bringing
copyright laws crafted in 1787 up to warp speed in cyberspace will be difficult
at best, especially on the Net, where information is routinely traded for
more information and no money changes hands. Besides, says Barlow, collecting
tolls on an information highway is the wrong concept. "The Internet is
nothing like a superhighway. It's an organism."
Selling secrets. Almost anybody with a computer and modem can peek into
your private life. New, sophisticated protections seem likely.
Hiding data. Police say they need the capacity to unlock information
guarded by crytography, a technology whose use is rapidly spreading.
Speaking freely. New rules will have to be crafted to safeguard free
speech and to determine what kinds of cyberspeech should be made illegal.
Making money. When ideas are easy to copy and distribute globally, the
old ways of protecting things like books and software won't curb theft.