Cybercrime
The word cybercrime was coined in the late 90s, as the Internet spread across North America. A sub group of the G8 group of nations was formed following a meeting in Lyon, France, in order to study emerging problems of criminality that were being fostered by or migrating to the Internet. This “Lyon’s group” was using the term to describe, in a very loose way, all kinds of crime being perpetrated on the net or on new telecommunications networks which were rapidly falling in cost.
Simultaneously, and led by players in the Lyons group, the Council of Europe started drafting a Convention on Cybercrime [1]. This convention, which was first presented for public view in 2000, incorporated a new array of surveillance techniques which law enforcement agencies considered were necessary to fight “cybercrime”. How was cybercrime defined? The final version of this Convention, passed in November 2001 after the events of 911, does not define the term. It is used as a catch-all term for the problems which increased computing power, cheap communications, and the phenomenon of the Internet have raised for police and intelligence agencies. The convention describes the various provisions and subject areas where new law is required as follows:
Title 1 - Offences against the confidentiality, integrity and availability of computer data and systems.
Title 2 - Computer-related offences [forgery and fraud].
Title 3 - Content-related offences [pornography].
Title 4 - Offences related to infringements of copyrigh and related rights.
Title 5 - Ancillary liability and sanctions [aiding and abetting, corporate liability].
Cybercrime : the Pandora’s box
The provisions respecting the crimes are actually quite brief; the bulk of the Convention is taken up with procedural law and international cooperation. Successful prosecution demanded new techniques for gathering evidence, ensuring its integrity, and sharing across borders. Expedited data preservation orders, electronic warrants, real time data capture, retention of traffic data all spelled intrusion to civil liberties. Increased reliance on mutual legal assistance treaties, even where there was no dual criminality, opened up a Pandora’s Box of potential criminal charges being laid from regimes around the world. While the Cybercrime Convention has now clearly enunciated the problems inherent in global criminal investigation, the methods of maintaining privacy and human rights have not been addressed.
In the beginning, there was great confusion. Cybercrime was applied to new types of criminality, such as cyber porn, or the distribution of photographic images which violate certain (but not all) countries’ laws with respect to unacceptable pornography or exploitive material. Because the Internet knows no boundaries, it was becoming much easier for individuals to distribute material across borders, sometimes without leaving traces as to the originator. Breaking into computer systems, or “hacking” was also a new crime, and one that many countries had not yet made a criminal offense. One of the purposes of the Cybercrime Treaty was to establish and agree the provisions that ought to be in the legislation of signatories, in order to fight new criminal activity in a well coordinated way. Online gambling was another issue; virtual racetracks were popping up on the Internet, and although countries varied enormously in their approach to gambling, enough developed countries were counting on gambling revenue in government budgets or tourism economies, that the emergence of virtual competitors operating from tax havens was a real concern.
Data retention, cryptography: two main security issues at stake
Prior to the cybercrime treaty’s emergence to public view, civil libertarians around the world had been busy fighting various domestic moves to introduce mandatory data retention, or the storage of telecommunications and Internet traffic logs, for the purposes of investigating crime. Data retention was seen as part of a package of controls, which the FBI had first advanced in about 1992 as being necessary to fight crime on the new “information highway” as we called it back in the early days of the Internet.
Throughout the nineties, Internet activists, technical experts, and private companies had rallied to fight the imposition of controls on cryptography, including key escrow schemes, where the government would hold a copy of all cryptographic keys in order that they might more easily investigate criminal activity and evidence. The most famous of these was the US “Clipper chip”, a scheme which not only proposed that the government holds the keys to encryption, but which advanced a closed or proprietary algorithm that no experts were allowed to take apart and test.
Security is an arms race, with algorithms and the security controls necessary for their successful implementation being attacked as fast as they are brought forward, so the only security measures experts trust are systems that have been exposed to attack and survived the test. Originally, cryptography was the domain of the military and national security experts, but increasingly civilians were studying it and it was coming into public use.
In 1991 peace activist and cryptography expert Phil Zimmerman released on Usenet a cryptography program called Pretty Good Privacy, or PGP, thus making it potentially available in countries where the US refused to export strong cryptography. The US government launched a Grand Jury investigation which lasted three years, until it was dropped without criminal charges being laid in January 1996. Phil became a hero in the “Net” community, as he had worked to help political dissidents in countries like Latvia encrypt their communications and avoid surveillance by the state, but for a period of three years he faced a possible prison term for the export of cryptography.
This standoff over the export of cryptography continued for several years, because it was a classic no-win situation: It was certainly true that if a white collar crime, for instance, could be completely hidden by an individual using strong unbreakable cryptography, it was equally true that a company needed to protect itself from industrial espionage and criminal tampering with its own records by using the same strong crypto. Eventually the Clipper chip died, and the United States and the other G8 countries softened their cryptography controls, at about the same time as the Cybercrime Treaty emerged. The climate between Internet activists and experts, however, by this time had been somewhat poisoned with distrust, by the actions of governments in attempting to shut down privacy and encryption on the net. A fundamental power struggle had been set up, between the state, who wanted to be able to read everything that went over telecommunications networks, especially the Internet, and the individual (as represented by civil liberties groups), who did not perceive that the government was actually trying to protect him, but was instead making a power grab at the start of the new information age, and setting up surveillance systems that would proliferate and threaten our liberties.
Cybercrime is not virtual
So what is cybercrime? First, what is cyberspace? The term was coined by sience fiction writer William Gibson by 1982, and applied to the Internet by Howard Rheingold, so it took off as a label for this new communications infrastructure.
But sometimes we forget that it does not really exist. What exists is a network, and a lot of servers and equipment. Communications over the Internet appear to be ephemeral and evaporate, and in the minds of the public that is the gestalt that operates. Perhaps this is because of the frailty of the average individual’s own relationship with their computers and email programs. Who has not lost a document when they forgot to save it, or had their calendar and email disappear? In fact, a good investigator with forensic tools can find and resurrect just about everything, because unlike the analog world, the digital world leaves transactional information behind for every bit and byte that is sent. These tools and skills are not available to the average consumer, so the concept of cyberspace, a kind of magical hyperspace from which data comes and goes, seems to fit.
When the first efforts to draft the Cybercrime Treaty started, most law enforcement agencies were also behind the technological curve. They did not know how to investigate, how to seize evidence on computers without contaminating it, how to preserve data in case the owner had sent out a kill program to destroy it, how to track down the originators of a message, particularly when encrypted or using anonymizers. These are non-trivial problems, and part of the early work of law enforcement agencies was an effort to slow down the train and draw attention to their own needs for resources to attack a new problem. Since it is usually easier to get new resources to fight a new problem rather than the escalation of the old one, it is not surprising that new terms were coined. However, it is not clear that “Cybercrime” is a useful term, and it may be totally misleading. Crime takes place in the real world, usually involving real people and real money. Focusing on that aspect of the problem, rather than on the more ephemeral aspects of how the communications are sent, is important.
There are three aspects to “Cybercrime”
There is the new crime of cracking, invading, or snooping into other people or organizations’ computer systems. Opinions differed as to whether merely looking was a crime, especially since earlier hackers [2] often detected security flaws and felt they were being upstanding public citizens in reporting them. Clearly entering a system with criminal intent is another matter.
Then there are situations where the crime is old but the system is new, such as Internet fraud scams. Marketing fraud has been around for millennia, telephone scams have been around for decades, and now we have Internet scams. The same is true for pornography and copyright fraud.
The third element is about investigation, where the computer serves as a repository of evidence, necessary for successful prosecution of whatever crime is being transacted. What used to be recorded in paper records is unlikely to be recorded except digitally now, and can be destroyed or encrypted remotely.
A hunting dog with a good nose appears to inhabit a parallel universe... she may live with us and walk down the same street, but experiences something totally different from what a human does, a world rich with information at the chemical level. Man has now constructed a world where silicon chips generate new information, sending it around the world in electronic digital streams, and we are unable to detect it without the aid of computers. Nevertheless this parallel digital world exists, and the digital bits form a new kind of evidence. Digital bits also form a new kind of risk to the individual, because a person who knows how to tamper with the digital evidence can create a new digital persona. This is a fourth type of crime, it is more subtle than the others, and is best known when it presents itself as identity theft. If this trend persists, Cybercrime may well become a useful term to describe offences against the digital persona.
The digital persona
What is the digital persona, and is it a useful term? The expression has been used over the last decade at least, to describe the impression that a person leaves on the Internet. Dr. Roger Clarke has described it well in the abstract to an early paper on the subject. [3]
The digital persona is a model of the individual established through the collection, storage, and analysis of data about that person. It is a very useful and even necessary concept for developing an understanding of the behaviour of the new, networked world. This paper introduces the notion, traces its origins and provides examples of its application. It is suggested that an understanding of many aspects of network behaviour will be enabled or enhanced by using the notion.
The digital persona is also a potentially threatening, demeaning, and perhaps socially dangerous phenomenon. One area in which its more threatening aspects require consideration is in data surveillance, the monitoring of people through their data. Data surveillance provides an economically efficient means of exercising control over the behaviour of individuals and societies. The manner in which the digital persona contributes to an understanding of particular dataveillance techniques such as computer matching and profiling is discussed, and risks inherent in monitoring of digital personae are outlined.
We have actually come a disturbing distance down the road he points to in the paper by this time, eleven years later. Clarke identifies the digital persona as a construct, useful for understanding the shadow we cast in the digital world of cyberspace, and distinguishes between passive, active, and autonomous personae. He defines it as: the digital persona is a model of an individual’s public personality based on data and maintained by transactions, and intended for use as a proxy for the individual.
Useful as a construct to identify individuals for the purpose of addressing them (email addresses for instance) or identifying them as persons with permissions to perform a function (pay bills online, plan travel), the bits soon develop a set of habits and personality that are as real as the human behind them. Governments and business now rely on them as a way of “knowing their customer” and electronic evidence or personae soon become more trusted than the individuals themselves. However, frailties in security are now demonstrating how ill placed that trust may be. “Phishing” [4] and “Pharming attacks”, or the spoofing of email and websites, are luring people to give personal information over the Internet, and the fraudulent actors then use that data to persuade a merchant, government, or bank to believe they are the real person. Even more complex in today’s environment, thieves are putting together amalgams of data to create fictitious but likely people.
Out there in Cyberspace, there could be any number of these constructs operating, usually for criminal purposes, but not always. Law enforcement officers posing as children in chat rooms are luring would-be child abusers into arrest. Mystery shoppers are testing customer service. Adults around the world are creating persona on Internet dating sites, to hide their true identity until they have achieved a level of trust with the strangers they are talking to.
As we move into a world where digital surveillance of human beings is growing exponentially, we need to wonder where we are heading. Soon RFID chips on the clothes we wear and the identity cards we hold, will communicate with the environment we inhabit, and built in transmitters will track our movements. If someone successfully spoofs these trails, a real human will be fighting in court with a digital persona, carefully constructed outside the control of the individual concerned. Attempts to link these trails to the individual through the use of biometrics, may solve the problem, or it may actually worsen it. Civil liberties experts worry about the encroachment of biometric readers into our everyday lives, claiming they are unreliable and produce far too many false positives and false negatives. A recent successful experiment to spoof finger readers by lifting fingerprints and applying them to fake fingers molded out of jelly like gummi bears has confirmed these suspicions, but done little to slow down the rollout of systems [5].
Roger Clarke, in his paper on the digital persona, has pointed out the Jungian construct of the self, with the anima turned inside to face the unconscious, and the persona facing the world. As the digital persona grows in social and economic importance, it attracts the attention of criminals. Faced with a digital arms race to control one’s own individual persona, rather than leave it in the hands of the market or the criminals, what is happening to the anima? If in fact the individual is forced to disassociate with his or her persona, just to cope with the prospects of constant surveillance and threat which we are now enduring, it does not augur well for our collective sanity.
References
[1] http://conventions.coe.int/Treaty/e...
[2] “Crackers” or “black hat hackers” should not be confused with hackers. A correct definition of hacker is given by Wikipedia:
“Hacker is a term used to describe people proficient in computers, who employ a tactical, rather than strategic, approach
to computer programming, administration, or security, as well as their culture (hacker culture). Popular media and the general population use hacker to mean a black hat hacker, that is, a network security hacker who partakes in illegal activity or lacks in ethics. In computer programming, hacker means a programmer who hacks or reaches a goal by employing a series of modifications to exploit or extend existing code or resources. In computer security, hacker translates to a person able to exploit a system or gain unauthorized access through skill and tactics. This usually refers to a black hat hacker.”
http://en.wikipedia.org/wiki/Hacker
[3] The Digital Persona and its Application to Data Surveillance,
http://www.anu.edu.au/people/Roger.... html
[4] Definition of Phishing: “In computing, phishing (also known as carding and spoofing) is the act of attempting to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business with a real need for such information in a seemingly official electronic notification or message (most often an email, or an instant message). It is a form of social engineering attack. The term phishing comes from the fact that Internet scammers are using increasingly sophisticated lures as they «fish» for users’ financial information and password data.” http://en.wikipedia.org/wiki/Phishing
[5] (Matsumoto et al., 2002) Matsumoto T., Matsumoto H., Yamada K., Hoshino S.; Impact of artificial “gummy” Fingers on Fingerprint Systems; Proc. of SPIE, vol. 4677, pp. 275-289, Feb. 2002.
