
Challenges to Internet Investigations

February 1, 2003

Insp. Mike Ryan
Organized Crime Agency of B.C.
February, 2003

The investigational requirements in respect to the Internet appear to arise from two potentially different environments.

The first is the use of the Internet to commit offences as the result of its unique capability as a very efficient communication device. This is the use of the Internet to transfer information which is, by the nature of its content or the connotation of its meaning, illegal or serving to advance an illegal act. Considering the use of the Internet from only this perspective, examples of such unlawful acts would be the distribution of child pornography, hatred, stolen information, or the conveying of criminally relevant information such as directions in furtherance of a drug transaction, or information to advance a theft.

The other environment is where the Internet is used in the broader sense to support or advance more completely most of the elements of a criminal offence. Examples of these are instances of operating illegal gaming operations, fraudulent marketing schemes where goods are pledged but not delivered, stock market frauds, and large scale money laundering.

Both of these environments entail very different resource requirements and investigational challenges. Traditional investigational methods can be more easily applied to deal with the first situation, where the Internet is used to assist in the commission of the offence, but the second environment engages a broader discussion.

In either scenario, all investigational efforts must be compliant with Canadian Charter of Rights guarantees and proper evidence gathering methods. The public aspect of just the world wide web is widely considered to be analogous with displays such as newspapers, magazines and radio or TV, and therefore unlikely to generate any serious or reasonable expectation of privacy.

However, certain web locations do establish that expectation. While it would likely be insufficient to simply post a banner stating that the content of a web site is "private" or "confidential" and thereby remove it from the public domain, investigators must be cognizant of even the simple situation where the user has to obtain a password to gain access. In instances where the user is issued a password by the administrator of a web site, access may arguably attract an expectation that the administrator intended to limit the communication to a select individual, or group of individuals. This may be for commercial, fraternal, or associational purposes, but in this respect any web site operating behind a firewall, limiting access by an authenticated login process, does likely attract an expectation of privacy.

Also, it is possible for the expectation of privacy to change - midstream - by the adoption of a limitation to access, and with unexpected consequences. Using the analogy of police surveillance, while observing the actions of a suspect in a public place, the surveillance generally ends, unless judicially authorized otherwise, when the suspect enters a private place. Here, the Internet demonstrates that unique characteristic of being simultaneously the most public and the most private of places. Current technology, and to an even greater degree the developments of future technology, will permit Internet surveillance to continue anywhere and at any time. Either by the inadvertence of the investigator, or by deliberate mischief of the accused, "privacy traps" might be encountered which could either render evidence inadmissible, or through the speed of technological development present serious challenges to law enforcement in attempting to secure the appropriate judicial authorizations.

If this analysis is correct, the challenge to the investigator is to recognize the heightened privacy interest and to expeditiously obtain an authorization before continuing. Also, it is of more than passing concern that developing legal challenges to the propriety of police surveillance in the physical world do impact Internet surveillance by police. In future, it may even surpass that physical world.

The distinction made earlier, in regard to the degree to which the investigation finds itself dependent upon evidence recoverable over the Internet, raises issues of evidence gathering, data storage, reproduction and disclosure, and presentation for court.

Evidence gathering at a basic level, where the Internet has been used only to facilitate a criminal offence, has been accomplished by converting the screen image to a digital stream transferable to a DVD, hard copy screen prints, and then augmenting those with extensive investigational reports. In the second environment, where the Internet is used to advance more completely most of the elements of the offence, the challenge is not only to capture the information being transmitted through this communication medium, but to demonstrate the configuration and control of the system by some entity, its profitability, its management and control systems, all leading ultimately to proof of criminal responsibility.

Obviously it is this second scenario which creates the greater challenges for law enforcement. Consistent with the Canadian Charter of Rights and Freedoms, and the necessity for law enforcement to gather evidence within acceptable boundaries, this discussion breaks down further than just into non-invasive and invasive investigational methods.

On the non-invasive side there are trace route analysis, name server lookup and whois queries, all of which attempt to identify location and control points of the suspected system. Something as simple as a "time query" can be useful when the suspect system is supposedly located in another geographic area, and the response to this query indicates that the server is located within your own longitudinal time zone. This may suggest that the operating system is not located where the suspect(s) would have you believe.
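As an added illustration of the "time query" check described above (example code, not from the original paper): it parses a daytime-style reply and estimates the server's UTC offset for comparison with the claimed location's zone and the investigator's own zone. It assumes the service answers with the server's local wall-clock time in ctime form (RFC 867 does not fix the format), and the sample reply, capture time and claimed zone are constructed.

```python
"""Estimate a server's UTC offset from a daytime-style "time query" reply.

Added illustration (assumption): the service answers with the server's local
wall-clock time in ctime form, e.g. "Mon Feb  3 14:07:41 2003".  RFC 867 leaves
the reply format unspecified, so a real reply must be checked against this
assumption before the parser is trusted.  The inferred offset only narrows the
longitudinal band; a clock can be set to any zone, so treat it as a lead, not proof.
"""
from datetime import datetime, timezone

# Constructed sample: reply text and the UTC instant at which it was captured.
SAMPLE_REPLY = "Mon Feb  3 14:07:41 2003\r\n"
SAMPLE_CAPTURED_UTC = datetime(2003, 2, 3, 22, 7, 55, tzinfo=timezone.utc)


def parse_daytime_reply(reply: str) -> datetime:
    """Parse a ctime-style reply into a naive datetime (the server's wall clock)."""
    text = " ".join(reply.split())  # collapse the padded day-of-month and trailing CRLF
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def infer_utc_offset_hours(reply: str, captured_utc: datetime) -> float:
    """Server wall clock minus capture time in UTC, rounded to the nearest quarter hour.

    Rounding absorbs network delay and modest clock drift while keeping the
    half- and quarter-hour zones that exist in some regions.
    """
    wall = parse_daytime_reply(reply)
    delta = wall - captured_utc.astimezone(timezone.utc).replace(tzinfo=None)
    return round(delta.total_seconds() / 3600 * 4) / 4


def assess_claim(reply, captured_utc, claimed_offsets, investigator_offset):
    """Compare the inferred offset with the claimed location's zone(s) and our own.

    claimed_offsets should list every offset the claimed jurisdiction uses over
    the year (standard time and daylight time) so a DST period is not misread.
    """
    inferred = infer_utc_offset_hours(reply, captured_utc)
    return {
        "inferred_offset_hours": inferred,
        "matches_claimed_zone": inferred in claimed_offsets,
        "matches_investigator_zone": inferred == investigator_offset,
    }


if __name__ == "__main__":
    # Constructed scenario: the site claims a jurisdiction at UTC-4, while the
    # investigator sits at UTC-8 (Pacific Standard Time in February).
    print(assess_claim(SAMPLE_REPLY, SAMPLE_CAPTURED_UTC, {-4.0}, -8.0))
```

A reply that is consistent with the investigator's own zone but not with the claimed one is the situation the paper describes; it is a lead for further enquiry, not proof of location.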

A process referred to as packet sniffing can analyze the data traffic generated between two or more computers, and can determine the number of computers in use, where they are located and the type of processes they are performing. As Canadian law enforcement requires a judicial authorization to record a private communication even if one party consents, most investigators are encouraged to obtain at the minimum a General Warrant under subsection 487.01 of the Criminal Code of Canada before engaging in this process. However, an argument exists that the packets being observed are not "communication" per se, but rather electronic representations of the routing that the communication is taking through the Internet.

Clearly, on the more invasive side there are tools which could only be used under judicial authorization. Evidence gathering in these areas is dependent upon all the foregoing techniques and other system engineering tools, so as to surreptitiously enter the suspect system and chart its components.

It should be noted, however, that these engineering tools were not designed with law enforcement in mind. Many tools operate recursively, just as water flows when filling an ice cube tray, from one compartment to the next. The problem is that police investigators will need to avoid certain compartments which their legal authorization does not give them the right to access, and in other instances to return to some compartments which are notionally contrary to the direction of the flowing water.

Now consider the problem from the perspective that some of these compartments will be located in different countries, and that it is then easy to inadvertently awaken international sovereignty issues. This creates the challenge of drafting extremely accurate and detailed applications for judicial authorizations, and for governments to secure international "data recovery" agreements (perhaps under the Mutual Legal Assistance in Criminal Matters Act) which would address the when, what, and how of remotely accessing private information held in another country and possibly by its citizens.

Still other invasive techniques may include installing hidden programming which would be triggered when certain events occur. These Internet "call home" features equally require proper crafting of the judicial authorization, but it is also necessary to ensure that residual damage is not inflicted upon innocent third parties who may be reliant upon the suspect system, or be downstream Internet users.

Having, to that point, been involved primarily in information collection, the gathering of evidence can present containment and data storage concerns. In Canada (due to the rules created by R. v. Stinchcombe), the necessity to disclose all investigational material can create the need for data silos which far exceed the capacity of even the best equipped law enforcement units.

The containment and preservation of evidence is an issue whenever a computer system can be remotely accessed. The term is "a root war" and refers to the battle which ensues when control of an operating system is in dispute. Either by direct Internet access, or by pre-programmed codes activated by a cellular phone from anywhere in the world, it is possible for suspects to interrupt or re-route systems. Law enforcement have relied upon pre-dawn lightning raids orchestrated while the suspect is asleep, in order to obtain containment when this problem is expected. In a local case where a root war did occur, it was only after advising defence counsel, who were on scene at the search site, that investigators would immediately crash the system in order to preserve the evidence (thereby causing irreparable damage) that the suspect ceased attempting to thwart the investigation.

Having achieved containment, and to return to our analogy, we have assumed to this point that the compartments in our ice cube tray are all the same size. But consider what might occur where some are comparatively as large as a kitchen sink or a bathtub, and it is necessary to gather all of the evidence which they contain. The need for pre-search planning cannot be overstated, as investigational budgets and resources could be easily expended without even having approached the objective.

The eventual development of search techniques which permit the online transfer of seized data, either with or without the suspect's knowledge, to commercial storage silos which have been contracted for that specific purpose, may not be that far off. Privatized storage of data for court exhibit purposes will become necessary, as it is unlikely that even the best equipped police lab will be able to stay abreast of new programming and the individual customization which occurs to each system. Data, once captured, must be held secure and uncontaminated, with all configuration codes and original parameters intact.

It's been suggested that in technical terms, a developmental year is actually only three or four months in real time. Government in its legislative capacity, and the investigational partnerships formed to effectively deal with Internet crime, must consider the speed with which technology is effecting change to operating systems. Long term law enforcement initiatives and strategies will be derailed, as criminal computer systems are updated at the rate dictated by commercial realities, and police investigational tools are updated at the rate of government funding. Lagging behind both is the capacity of the law to develop when only reactive legislative changes are the order of the day.

Once the evidence is gathered, costly and time consuming reconstructive work is required to ensure that the elements supporting a prosecution can be accurately presented in court. This creates a lag between the successful completion of a long term investigation, and the training and experience required in order to remain current in the field. Disclosure and presentation of evidence in electronic format is an entirely separate area of discussion.

No discussion of the challenges to Internet investigations would be complete without some consideration of what criminal activity the future may bring. In a recently released survey by KPMG Investigation and Security Inc. of the top one thousand companies for 1999 as ranked by the Globe and Mail, it was suggested that most respondents had embraced e-commerce or expected to do so in the near future, and viewed the greatest threat to be via the Internet and other external sources. Interestingly, respondents did not consider the internal threats to their e-commerce systems as significant. External access to confidential customer information and denial of service attacks were the corporate concerns, with the protection of credit card numbers and personal information being the greatest concern to their clients. Encryption technology was considered to be the best preventative security measure. The challenges to law enforcement presented by encryption technology will be immense.

Comments in the July 2000 issue of Scientific American, attributed to recently paroled computer hacker Kevin Mitnick, who stole OS source code worth $80 million, are that the heart of most of his exploits was social rather than technical. Mitnick states that in fully sixty percent of his attacks he was successful through "social engineering" methods which allowed him access by playing one division of a large company off against another, or by using jargon that only an employee would know. The epidemic of e-mail viruses which are triggered by the user's curiosity about alluring names such as "I Love You" seems to make the point. Similarly, this same kind of camouflage does cause an individual to unknowingly install a program that sends all of their data to their competitor.

Internet crime of the future may be very different when we consider that the U.S. Department of State has confirmed that there are now 191 virtual countries which make dubious claims to nationhood.1 While some may be the creation of college kids with too much time on their hands, or arise from a political-science class experiment gone wrong, others have a more questionable intent.

In at least one instance 2 a religious origin was purported, with land claims, with a written constitution, appointment of offices of president and secretary general, and the creation of a legislative branch, complete with a separation of executive powers between church, state, and a judicial branch. Interestingly, this particular virtual country claimed to have originated from a royal decree made on the 19th of July 2030 BC, but this is questionable as the month of July was not established until 44 BC, when Julius Caesar named it after himself in what is now known as the Julian Calendar.

Some virtual countries claim to have passed laws with regard to citizenship and naturalization, taxes and financial reporting, the authority to grant licenses, foreign exchange transactions, bankruptcy and trust laws, domestic and foreign banking, securities underwriting, and some claim representation by ambassadors and consuls general in other countries. Some have even gone so far as to declare war consistent with declarations made by the United Nations Security Council. Perhaps not surprisingly, several have found it opportune to also claim to have passed legislation permitting the licensing of lawyers.

Such presumptuous statements may also have other purposes. Consider one report from the Australian Federal Police Transaction Reports and Analysis Center (AUSTRAC) which raises concern in regard to the risk of money laundering through these virtual countries. The services offered by these virtual countries have been linked to scams in California, Latin America and the Pacific region. Arrests have been made where hundreds of Filipinos, Chinese and Bangladeshis paid up to $3,500 for worthless travel documents which were held out to be "internationally recognized travel documents". Still others paid to obtain "government jobs" on semi-volcanic knolls located in the Pacific Ocean. Get-rich-quick investment schemes have been associated with a series of world wide swindles, when virtual-bank assets supposedly backed by U.S. Treasury Bonds turned out to be worthless financial instruments. 3

Still others offer offshore insurance companies, also with phoney financial support, located on sandbars at the mouth of large rivers, created by the last hurricane that came through and destined to disappear with the next. Some of these suggest an Aboriginal origin, in an attempt to ensure that their claim is rooted in an historical event which is difficult to substantiate, and which cannot be easily dismissed.

By obtaining company registrations in jurisdictions which do not restrict the use of words such as "Bank" in company names, it is possible for the virtual country to at least apply for an account at a real bank in any jurisdiction. The result is potential access to the credibility of the financial sector by a corporate entity which is nothing more than a shoe-box of official looking documents in an offshore safe-haven.

The magic of the Internet then allows visual images to be attached to create the visual impression of credibility and stability. In a local example, documents seized at the Vancouver International Airport suggested that accompanying bearer bonds had been issued by a bank in a nation which is emerging from the Former Soviet Union. The associated web site presented images of tall and stately buildings, with green lawns, but in an area of the world which is war torn and troubled by political instability. Aside from the fact that the IP address registered to that web site indicated that it was being operated out of Philadelphia, an enlargement of an Ohio licence plate on a vehicle parked beside the bank suggested that there were some serious inaccuracies.

We are at risk of seeing the creation of "data havens" which will emerge in remote geographical regions, and will market Internet secrecy at a price.  Probably the only reason that these have not more fully developed to date, is that the necessary communication infrastructure has not yet reached many remote regions which would be willing to enter into this industry.  Experience to date has been that attempts by organized crime to locate large Internet systems in these remote areas is initially effective, but inevitably these operators have been driven off.  This is not due to regulation or the threat of prosecution, but because their systems have grown so successful that they cannot continue without improved infrastructure and technical support.  Relocation becomes necessary, for all or a major part of the system must be closer to the center lane of the communication highway, in order to sustain itself.  This too will change.

If we were to confine the discussion to only money laundering, it's an easy reach to see where the risks lie. Money laundering can be generally described as operating through three phases - placement - layering - and integration. These describe the act of placing ill gotten gains into the financial system (the point where the offender is most vulnerable to detection), the act of layering the proceeds of crime into a myriad of international investment vehicles, and finally integrating the now co-mingled funds into daily use.

The creation of virtual criminal entities which may be relied upon by legitimate deposit taking institutions, even if only momentarily, is sufficient to place large amounts of criminal capital into the financial system. It's not necessary even to reach into the realm of virtual countries to recognize the opportunity for laundering vast amounts of criminal proceeds. Consider Internet gambling, for example.

Internet gaming systems have for some time now been available on a franchise basis from centralized operators, who sell "virtual casinos" which appear to be licensed in some remote jurisdiction that licenses this activity. The investor simply supplies the investment capital (perhaps $100,000) and then relies upon the operator, who designs a system to a theme chosen by the investor. All operating systems, technical support, odds and betting line feeds, credit card validation, game servers, random number generators, customer service and support, accounting, and wager payments remain the responsibility of the centralized operator. That operator collects the investor's money and some portion of the winnings, as much as 10% to 40% based upon the volume of traffic through the casino.

The need for "the investor" has to be questioned under these circumstances - the centralized operator seems to be sharing its technological advantage with little return - why not operate the casino without the investor and collect all the revenues?   The hook is that the operator is attempting to insulate itself from prosecution by foisting that liability onto the investor.  The centralized operator will purport not to accept wagers from the North American gaming public, and attempt to place the investor between itself and that criminal liability.

The investor is informed that accepting wagers over the Internet from certain jurisdictions may be illegal, but the investor is also informed that he or she is the owner of a "gaming license" in a jurisdiction where such activity is legal, or at least not prosecuted. Under the assurances of the operator that the gaming system is operating in that remote jurisdiction, the investor is led to believe that he or she has found a loophole, and instructs the operator to accept wagers from North America. As the casino is "owned" by the investor, the operator claims to have dodged criminal prosecution.

Aside from the risk of cheating and shrewd accounting practices which may not be in the best interests of the naive investor, this Internet industry presents significant opportunities for organized crime. Where either the centralized operator or the investor is in fact a criminal organization seeking a portal to place proceeds of crime into the financial system, this presents the opportunity to literally shovel money into the financial system. The credit card interfaces associated with these systems are contracts with credit card validation companies, and they accept credit cards from all over the world.

In addition, it is a simple matter for the gambling public to more directly launder money through these systems. By creating more than one Internet identity and having credit cards in a number of different names, the launderer simply sits at home and places wagers of an equal amount on both sides of a gaming event. The loss (referred to as the "vig") is the acceptable cost of doing business if one can now claim to have received some quantity of money as gambling winnings.

If the centralized operator or the investor were fronts for international terrorist groups, political acts of violence could actually be funded from revenue earned from the Internet entertainment paid for by the unsuspecting citizens that the terrorist group intended to attack.

The challenge for law enforcement is to establish true partnerships within the public and private sectors, and to expand its investigational horizons into areas where it has not ventured before. The challenge for government is to recognize the need for this type of work, to fund it adequately, and to establish international agreements which will allow information exchange and evidence gathering. The challenge for legislators is to make laws broadly designed to permit enforcement to go where technology is taking us.

(Presented at the Cyber-Crime Conference, Richmond B.C. February 2003)

1 Proximal Consulting Newsletter April 2000, www.proximalconsulting.com.

2 Dominion of Melchizedek at www.melchizedek.com. (The Melchizedek king of Salem blessed Abraham, the righteous king of peace and history's first monotheistic teacher of the Most High God.) The ancient homeland of the Dominion of Melchizedek is the land south of Lebanon, west of Jordan and north of Egypt, with its capital as Jerusalem.

3 Bertil Lintner (lintner@loxinfo.co.th), Thailand based correspondent and author who has written extensively about the international drug trade and organized crime, from an article as part of a larger project supported by a grant from the John D. and Catherine T. MacArthur Foundation.
