The Online World And Law Enforcement
United States Attorney's Office, WDNY
USDOJ Computer Crimes and Intellectual Property Section
 
Internet Resources and Services
The Physical Layer
What the Internet Offers
     Electronic Mail (E-mail)
     The World Wide Web
     Usenet Newsgroups and Similar Facilities
     Internet Relay Chat (IRC) and Similar Communications Facilities
     File Transfer Protocol (FTP)
     Emerging Resources
Illegal Online Activity
Computer as Weapon
     Theft of Information
     Theft of Services
     Damage to Systems
Computer as Instrumentality of Traditional Offense
Computers as Storage Devices

Internet Resources and Services

"The Internet" is a phrase with multiple meanings. It refers to a physical infrastructure (computers, data transmission cables, and related network hardware); to the data available on the physical network (including not only text but also graphics, audio, and video files as well as applications programs) and the means of locating and retrieving that data; or even to the people who use the physical network. This section offers a brief overview of the different aspects of the Internet (and other online facilities) relevant to law enforcement investigations, along with an explanation of the relationships among these component parts.

           The Physical Layer

At its most basic level, the Internet is a worldwide network of hundreds of thousands of computers. It includes computers owned by universities, nonprofit organizations, governments, corporations and individuals. The types of computers (ranging from PC's to large mainframes) and communications links (from standard phone lines to satellite hookups) vary widely, as do the types of software used. These computers share only one common characteristic: they communicate with each other using a single standard protocol.

There is no central authority that controls the Internet or access to it. Instead, the network is administered in a largely decentralized fashion, with each site collaborating primarily with its closest neighbors. This arrangement reflects a deliberate decision in designing the Internet's domestic predecessor, the Defense Department's Advanced Research Projects Agency network (ARPANET), to create a decentralized network able to remain in operation even when an individual site is disabled (by hostile foreign action, for example).

Each Internet site has a unique two-part name that normally reflects the site owner's identity. For example, the International Business Machines site is IBM.COM, where the .COM suffix indicates a commercial organization. Other common suffixes are .EDU (for universities), .GOV (U.S. government), .MIL (U.S. military), .NET (for network access providers), and .ORG (nonprofit and other miscellaneous entities). In addition, many sites outside the U.S. have name suffixes indicating the location of the machine and/or its owner-organization, such as .UK (United Kingdom) and .DE (Germany). However, many foreign sites do not have geographical identifiers in their names; thus, one cannot assume that a .COM site belongs to a company in the U.S. Further, even where a site does have a geography-based suffix (such as .US), there is no guarantee that the computers associated with that site are in fact located in the specified country.

Within the U.S., public access to the Internet is provided primarily by "Internet service providers" (ISPs) such as the Microsoft Network (MSN), America Online, and MCI, as well as scores of smaller providers serving various regional or metropolitan areas. In addition, many municipalities have established so-called "freenets" offering free or low-cost Internet access to local residents. Many users also have access through their employers or educational institutions.

It is worth emphasizing what the Internet is not. First, it is not a commercial service per se, although many commercial information services can be reached on the Internet. For example, the LEXIS/NEXIS information databases can be accessed via an Internet connection (assuming the user has previously established an account and obtained a password).

Second, the Internet is largely distinct from bulletin-board systems (BBS's). Historically, a BBS is a single freestanding computer reachable only by a direct telephone dial-up (i.e., using a modem to call the BBS over a regular telephone line). BBS's commonly offer electronic mail, public discussion forums, and file archives. These last two are often devoted to one or more specialized areas of interest, sometimes including illegal activities. Because BBS's are often operated by hobbyists, user fees and access policies vary widely.

        What the Internet Offers

The Internet offers a wide variety of resources for investigating (and, conversely, committing) criminal activity. The main facilities for locating, retrieving, or exchanging information are electronic mail, the World Wide Web, Usenet newsgroups, Internet Relay Chat (IRC) and similar chat room facilities, and FTP (file transfer protocol).

                              Electronic Mail (E-mail)

The most widely used Internet application, electronic mail allows a user to send information to any other person who has an Internet address. Addresses are conventionally written in the form username@site, where site is the name of the recipient's host computer (e.g., ibm.com) and username is a series of letters and/or numbers uniquely identifying the recipient.

Although most e-mail consists entirely of text, it is possible to send messages that contain one or more other types of documents such as graphic image files, digital audio, or executable programs.

Various electronic "mailing lists" (sometimes referred to as "listservs") exist for discussion of a wide variety of topics. Each member of the list (which may have as many as a thousand or more subscribers) has the ability to send e-mail to all the other members at the same time. Some mailing lists are moderated, meaning that the manager(s) of the list screens submissions for suitability before they are distributed to the members. The degree of public access also varies from list to list: some lists are invitation-only, others are open to all comers, and the traffic on some lists can even be read by nonsubscribers via archives kept on the World Wide Web (see below) or stored elsewhere.

                           The World Wide Web

The World Wide Web is a vast collection of electronic files residing on computers throughout the Internet. A Web page may contain text, graphics, video, or audio in any combination. It may also include hypertext links (also called "hot links" or "clickable links") to other Web pages anywhere on the Internet. Users visit Web pages by means of a "browser" program (such as Netscape Navigator or Microsoft Internet Explorer) that allows them to move freely among Web pages by clicking the computer mouse on the available links. Although most pages on the Web are freely viewable to anyone with access to a browser, some sites require a password.

As the collective creation of thousands of Web page contributors, the Web has no central index. However, a number of extensive commercial indexes (all updated regularly) enable users to perform keyword searches to locate sites concerning a given subject. Among the more popular search engines are Yahoo, Hotbot, Alta Vista, Infoseek, and Open Text, all of which are available on the Web itself.

                            Usenet Newsgroups and Similar Facilities

The Internet is also home to several thousand discussion groups known collectively as "Usenet". These discussion groups, also called "newsgroups," allow users to post public messages (including replies to earlier messages) on a variety of topics. Interaction does not take place in real time: it more closely resembles a sequence of open letters than a multiparty telephone conversation.

Each newsgroup has a period-punctuated name that indicates its subject. For instance, talk.politics.misc is for miscellaneous political discussion. As with mailing lists, a newsgroup may be moderated, in which case postings are screened by one or more moderators for suitability. Even for moderated newsgroups, however, there is no way to restrict the group's readership, meaning that there are no private newsgroups. In theory, each newsgroup article is circulated to thousands of computers worldwide, and is therefore accessible to almost anyone on the Internet. Moreover, online archives (indexed on the World Wide Web) now exist for nearly all Usenet groups.

BBS's generally offer a comparable public discussion mechanism (which is the historical reason for calling such systems "bulletin boards"). Unlike Usenet articles, however, messages posted on a BBS are not typically distributed to other sites, and thus normally are accessible only to users of that system.

                           Internet Relay Chat (IRC) and Similar Communications Facilities

Internet Relay Chat (IRC) is a method for real-time discussion among multiple users. In each "channel" (discussion forum), participants are able to engage in the online equivalent of a party-line conversation, with response time limited only by one's typing speed. Discussion transcripts are not automatically created or stored unless an individual participant takes steps to do so. IRC channels, like mailing lists, may be either open to the public or invitation-only.

Note that IRC channels are used for discussions spanning multiple Internet sites. Many commercial services provide a similar facility for internal discussions among their members. On America Online, for example, these forums are called "chat rooms." As with IRC, these provider-specific discussion forums may generally be either open to the public or invitation-only.

In addition, services such as "ICQ" (I seek you) and "DCC" (direct channel chat) allow for private, one-to-one real-time chat activity.

                            File Transfer Protocol (FTP)

FTP is an older program used to transfer files (such as executable programs) directly from one computer system to another over the Internet. Its primary application is in retrieving files from publicly accessible archives; as a result, much of its usefulness has been taken over by the emergence of the World Wide Web. In fact, most Web browser programs are designed to be able to fetch documents from FTP archives.

                            Emerging Resources

As the Internet, especially the World Wide Web, continues to grow and evolve, new tools and resources for locating and retrieving information on the Internet are likely to emerge. For example, a number of software developers are working to create "intelligent agents," programs that can be customized by individual users to actively seek out information on one or more specified topics.

Several new "information push" services mark a step on the road toward full-fledged intelligent agents. At fixed intervals specified by the user, these services automatically access one or more remote host computers on the Internet and fetch information for viewing on the user's computer (sometimes as a screen saver display or as a "ticker" occupying part of the screen). The type of information retrieved is highly configurable: for example, a user may request regular updates on certain stock prices and market indexes, updates of a certain frequently changing Web page, or current wire service stories on a wide variety of topics.

Similarly, as bandwidth availability increases, the Internet will be used with increasing frequency to transmit real-time voice and video communications. Investigators are encouraged to consult with CCIPS in investigations involving emerging communications technologies, as some are likely to raise novel legal issues.

Illegal Online Activity

The vast majority of online users are law-abiding and responsible, and their activities, many of which involve the exercise of First Amendment rights of free speech and association, should not ordinarily be of concern to law enforcement agencies. At the same time, the Internet and other online environments are no more immune to criminal conduct than is the physical world. These media provide new opportunities for the coordination and commission of a variety of illegal acts. The following is an overview of the types of criminal methods and conduct investigators have encountered and are likely to encounter online.

Computers can play three different roles in criminal activity. First, a computer may be used as a weapon, where the criminal's objective is to steal information or services from, or cause damage to, the target system. Second, computers can be used as tools to facilitate an offense, such as electronic fraud. Finally, a computer may be used as a storage device for evidence or contraband. A single case may involve all three types of computer use.

                  Computer As Weapon

True "computer crime" involves using a computer to attack a victim computer, generally to acquire information stored on that target, to use the target system without payment (theft of service), or to damage the system. Most (but not all) such violations involve gaining unauthorized access to the target system (i.e., "hacking" into it).

                           Theft of Information

Offenses involving theft of information may take a variety of forms, depending on the nature of the system attacked. Sensitive information stored on law enforcement and military computers offers a tempting target to many parties, including subjects of criminal investigations, terrorist organizations, and foreign intelligence operatives.

Hackers also target non-governmental systems to obtain proprietary information or other valuable information. For example, in one case a hacker gained access to a hotel reservation system to steal credit card numbers. Other cases may fall into the broad category of intellectual property theft. This includes not only the theft of trade secrets, but also much more common offenses involving the unauthorized duplication of copyrighted materials, especially software programs.

Sometimes an attacker's motivation is to learn private information about another individual, whether as a means to an end (e.g. to extort money or to embarrass the victim through public disclosure) or simply to satisfy personal curiosity. Targets in this category include systems containing medical records, telephone customer records (such as call records or unlisted directory information), or consumer credit report information.

                            Theft of Services

A second class of violations involves gaining unauthorized access to a system for the purpose of obtaining unpaid-for services. For instance, an offender may use his computer to break into a telephone switching system (including a private system, such as a PBX) in order to steal long-distance calling services. (This type of telephone equipment manipulation is often referred to as "phone phreaking" or simply "phreaking"). In some cases, hackers have used the resources of compromised systems to perform intensive computational tasks such as cracking encrypted passwords stolen from other sites.

The most common theft-of-service offense is associated with the practice of "weaving," in which a hacker traverses multiple systems (and possibly multiple telecommunications networks, such as the Internet or cellular and land line telephone networks) to conceal his true identity and location. In this scenario, the sole reason for breaking into a given computer may be to use it as a stepping-stone for attacks on other systems.
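For the investigator, "weaving" means that the address seen at the victim system is only the last hop, and each earlier hop has to be recovered from the login records of the system before it. The following Python sketch is an added example, not part of the original document: it walks backwards by finding, on each source host, the one login session that was open for the whole duration of the onward session. The host names, accounts, record layout and 30-second clock-skew allowance are all constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import NamedTuple


class Session(NamedTuple):
    host: str        # system that recorded the login
    source: str      # system the login came from
    account: str
    start: datetime
    end: datetime


# Constructed login records, as if gathered from the accounting logs of
# several sites and normalised to one time zone. All names are invented.
RAW = [
    ("victim.example", "relay2.example", "guest",
     "1997-03-01 02:14:10", "1997-03-01 02:41:55"),
    ("relay2.example", "relay1.example", "jsmith",
     "1997-03-01 02:12:40", "1997-03-01 02:43:02"),
    ("relay2.example", "lab7.example", "ops",
     "1997-03-01 01:00:00", "1997-03-01 01:30:00"),
    ("relay1.example", "dialup-17.isp.example", "student4",
     "1997-03-01 02:09:05", "1997-03-01 02:44:30"),
    ("relay1.example", "lib3.example", "kim",
     "1997-03-01 02:20:00", "1997-03-01 02:25:00"),
]


def load(rows):
    fmt = "%Y-%m-%d %H:%M:%S"
    return [Session(h, s, a, datetime.strptime(b, fmt), datetime.strptime(e, fmt))
            for h, s, a, b, e in rows]


def enclosing(sessions, inner, skew):
    """Sessions on inner.source that were open for the whole of `inner`."""
    return [s for s in sessions
            if s.host == inner.source
            and s.start <= inner.start + skew
            and s.end >= inner.end - skew]


def trace_back(sessions, first, skew=timedelta(seconds=30), max_hops=20):
    """Follow the chain of stepping-stones backwards from `first`."""
    chain, current = [first], first
    while len(chain) < max_hops:
        found = enclosing(sessions, current, skew)
        if not found:
            return chain, "no-earlier-session"   # origin, or logs missing
        if len(found) > 1:
            return chain, "ambiguous"            # needs manual review
        current = found[0]
        if current in chain:
            return chain, "loop"
        chain.append(current)
    return chain, "max-hops"


def path(chain):
    """Host names from the victim back to the earliest known source."""
    return [s.host for s in chain] + [chain[-1].source]


if __name__ == "__main__":
    sessions = load(RAW)
    chain, status = trace_back(sessions, sessions[0])
    print(" <- ".join(path(chain)), f"({status})")
```

The earliest address reached this way is only the earliest one for which records were available; it may itself be another compromised system.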

                            Damage to Systems

Even where an attacker's objective is not to obtain information from the target computer or to use it, he may have any of several other goals in mind. Perhaps most obvious is the case where the attacker intends to destroy or modify data important to the owner or user(s) of the victim system. Malicious attacks of this type are often carried out by disgruntled ex-employees seeking to retaliate for perceived unfair treatment. See, e.g., Sablan v. United States, 02 F.3d 865 (9th Cir. 1996) (shortly after dismissal, ex-employee of bank modified or deleted files on computer system).

A more insidious type of damage takes place in cases where the attacker compromises a system in furtherance of a larger scheme. The most well-known examples of this type of attack have involved telephone network computers. In one case, a hacker manipulated telephone switching equipment to guarantee that he would be the winning caller in several call-in contests held by local radio stations. The fruits of his scheme included two Porsches and $30,000 in cash.

Internet-connected computers are subject to similar types of attacks. Routers (computers that direct data packets traveling on the Internet) are analogous to telephone switches, and are thus tempting targets for skilled hackers interested in disrupting, or even rerouting, communications traffic on the network.

On many occasions, hackers have installed "sniffer" programs that illegally intercept user passwords during the login process. Because users often employ the same password on more than one computer system (contrary to prudent security practice), intercepting a user's password often provides a hacker easy access to other computer systems where that user has accounts. That access, in turn, greatly simplifies the hacker's task of compromising those other systems.

In the category of attacks known collectively as "denial of service", the objective is to disable the target system without necessarily gaining access to it. One technically straightforward method of accomplishing this objective is "mailbombing," the practice of sending large volumes of e-mail to a single site (or user account) in order to clog the mail server or even cause the target host to crash. Other methods, ranging from simply tying up incoming phone lines all the way to more sophisticated attacks using low-level data transmission protocols, may also be used to achieve the same end: rendering the target system unavailable for normal use.
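Because a mailbomb is defined by volume aimed at a single account or site, it shows up in mail server logs as a sudden spike in deliveries to one recipient. The following Python sketch is an added example, not part of the original document: it counts deliveries per account and per site in a sliding 60-second window and records when each limit is first exceeded. The log line format, the thresholds and all addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical one-line-per-delivery log format, invented for this example:
#   <ISO timestamp> from=<sender> to=<recipient> size=<bytes>
LINE = re.compile(r"^(\S+) from=<([^>]*)> to=<([^>@]+)@([^>]+)> size=(\d+)$")

# Assumed thresholds (messages per window); tune to a site's normal load.
LIMITS = {"account": 20, "site": 40}


def build_sample():
    """Constructed traffic: light background mail plus a 50-message burst."""
    t0 = datetime(1997, 3, 1, 2, 0, 0)
    lines = []
    for i in range(10):   # one ordinary message per minute
        ts = (t0 + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} from=<peer{i}@partner.example> "
                     f"to=<staff{i % 3}@target.example> size=2048")
    for i in range(50):   # burst: one message per second to one account
        ts = (t0 + timedelta(minutes=5, seconds=i)).isoformat()
        lines.append(f"{ts} from=<x{i}@relay{i % 4}.example> "
                     f"to=<victim@target.example> size=900000")
    return sorted(lines)  # ISO timestamps sort chronologically


def detect_floods(lines, window=timedelta(seconds=60), limits=LIMITS):
    """Return {(kind, name): time the limit was first exceeded}."""
    recent = defaultdict(deque)   # (kind, name) -> timestamps inside window
    alerts = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # ignore lines in other formats
        ts = datetime.fromisoformat(m.group(1))
        user, site = m.group(3).lower(), m.group(4).lower()
        for key in (("account", f"{user}@{site}"), ("site", site)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:   # drop entries older than the window
                q.popleft()
            if len(q) > limits[key[0]] and key not in alerts:
                alerts[key] = ts
    return alerts


if __name__ == "__main__":
    for (kind, name), when in sorted(detect_floods(build_sample()).items()):
        print(f"{when.isoformat()} {kind} limit exceeded: {name}")
```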

              Computer as Instrumentality of Traditional Offense

Computers may be an instrument in the perpetration of a traditional offense, such as a fraudulent marketing scheme. Frauds commonly attempted online include:

Vehicles used to promote these frauds include the World Wide Web, Usenet (where solicitations are often posted indiscriminately to hundreds of newsgroups), Internet Relay Chat, and direct e-mail.

Online gambling operations, some of which may be illegal under 18 U.S.C. 1084, have also become increasingly common. Made available most frequently on the Web, often from offshore, these operations range from simple lottery sites to sports betting operations or even full-blown "virtual casinos" offering a range of gaming activities. Aside from the potential illegality of the gambling transmissions themselves, there is also tremendous potential for fraud by the "house," as by rigging probabilities (in craps, for example), inspecting players' cards, or even refusing to pay stakes to winners. While most current operations obtain players' credit card numbers as a means of payment, the anticipated increase in the use of "digital cash" is likely to simplify online transactions and fuel growth in the gambling arena.

Online resources are also an inviting medium for would-be traffickers in obscene materials and child pornography. Cyberspace offers these individuals a number of advantages over the physical world, including (a) the ability to be anonymous or to use a pseudonym instead of a real name, (b) the ease of locating and communicating with like-minded persons, and (c) the speed and ease of exchanging digitally stored images over long distances at minimal cost. Internet Relay Chat and/or chat rooms are common meeting grounds, with images distributed variously over Usenet, the Web, or via electronic mail. Individuals may also exploit the identity-concealing aspects of cyberspace to converse (and even arrange for in-person encounters) with intended victims.

Additionally, criminals illegally use electronic distribution methods to reproduce materials protected by copyright. Online copyright piracy is an ever-increasing threat to creators of software, music, books, and movies.

While these crimes are those most commonly encountered in the online realm, it is worth emphasizing that online facilities may be used in the furtherance of a broad range of traditional criminal activity. Electronic mail and chat sessions can be used to plan or coordinate almost any type of unlawful act, or even to communicate threats or extortionate demands to victims. As robust encryption methods become more widespread, criminals can be expected to use this technology to evade detection in the planning and execution of their illegal activities.

              Computers as Storage Devices

The third role a computer can play in criminal activity is that of passive storage medium. In many cases, this use will be ancillary to the system's other role as the victim of an intrusion.

For example, after compromising a system a hacker will often create a special directory for storing files. These files may include hacking software tools, password files (or password lists) for other sites, or lists of stolen credit card numbers. By hiding these types of information on a remote system, a hacker makes it more difficult to tie these articles to him in the event he comes under law enforcement scrutiny.

Hackers may also use these storage locations as "dead drops" or even clearinghouses for distribution of password lists, credit card and calling card numbers, proprietary corporate information, pornographic image files, or "warez" (pirated commercial software).