Segment 2 Of 3 Previous Hearing Segment(1) Next Hearing Segment(3)
SPEAKERS CONTENTS INSERTS
Page 87 PREV PAGE TOP OF DOC Segment 2 Of 3
FIGHTING CYBER CRIME:
EFFORTS BY FEDERAL LAW ENFORCEMENT
TUESDAY, JUNE 12, 2001
House of Representatives,
Subcommittee on Crime,
Committee on the Judiciary,
Washington, DC.
The Subcommittee met, pursuant to notice, at 4 p.m., in Room 2237, Rayburn House Office Building, Hon. Lamar Smith [Chairman of the Subcommittee] presiding.
Mr. SMITH. The Subcommittee on Crime will come to order. We welcome all the witnesses today. We look forward to your testimony. As you know, this is an important subject, a subject and a hearing that is going to give us ideas for future legislation. I'm going to recognize myself for an opening statement and other Members for an opening statement, and then we will proceed with your testimony.
This is the Crime Subcommittee's second of three hearings on cyber crime. Today we will hear testimony from the Criminal Division of the Department of Justice, the Federal Bureau of Investigation and the U.S. Secret Service on the role and needs of Federal law-enforcement in this effort. In addition, we will hear from the Center for Democracy and Technology, CDT, about online privacy concerns related to law-enforcement efforts to protect the public.
Page 88 PREV PAGE TOP OF DOC Segment 2 Of 3
The growth of the Internet has improved our economy, medicine and technology. Unfortunately, it has brought new opportunities for criminal activity, as well. Often, people think cyber crime simply refers to hacking, viruses and other intrusion tactics. Cyber crime, however, threatens more than our businesses, economy or national infrastructure. Cyber crime affects us individuals, as well. Reprehensible crimes, such as child pornography and cyber stalking, terrorize our children and our families.
At the first hearing in this series, on May 24th, the Texas Deputy Attorney General for Criminal Justice testified that, quote, ''One of the biggest problems is that computer criminals are targeting the most vulnerable of our society, children.'' He pointed out that, according to the Federal Bureau of Investigation, child pornography was virtually extinct prior to the advent of the Internet. Now it is a serious plague on our society that must be stopped.
Adults also experience the dark side of the Internet revolution. Using computer technology, criminal types steal life savings and even identities of unsuspecting individuals. These pose serious threats to the lives and the livelihoods of many individuals. But in addressing these areas of crime, law-enforcement officers face several challenges. Identifying a sophisticated criminal can be difficult. Once they are identified, bringing a criminal to justice may be problematic for jurisdictional reasons.
The criminal may be in a different State or even another country, and then law enforcement officials must deal with extradition issues. Also, retrieving the information stored on a computer and using it for prosecution may be difficult if it requires highly technical skills not normally taught to investigators or prosecutors. As long as there is technology, cyber crime will exist, yet cyber crime must be curtailed as much as possible so that technology can legitimately continue to enrich our lives and strengthen our economy.
Page 89 PREV PAGE TOP OF DOC Segment 2 Of 3
Congress understands that law-enforcement officials must have the appropriate training and equipment to fight fire with fire, or computer technology with computer technology; but in doing so, law-enforcement must remain cognizant of the need to protect the law-abiding public's privacy while protecting the public. The public must understand that law-enforcement does need to use technology to deal with this new emerging threat to our children, our economy and our national security.
This hearing will focus on those efforts and challenges. We look forward to hearing how to balance the concerns of law-enforcement officials and the need to protect privacy and find common ground to fight the growing trend of cyber crime. Before I recognize Mr. Scott, the Ranking Member, for an opening statement, I would like to congratulate the FBI, the Department of Justice and the Secret Service on the successful Internet fraud investigation named Operation Cyber Law. Their efforts brought about criminal charges against approximately 90 individuals and companies that defrauded 56,000 people out of more than $117 million.
With that congratulations, I will now recognize Mr. Scott for his opening statement.
[The prepared statement of Mr. Smith follows:]
PREPARED STATEMENT OF THE HONORABLE LAMAR SMITH, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS
This is the Crime Subcommittee's second of three hearings on cyber crime. Today, we will hear testimony from the Criminal Division of the Department of Justice, the Federal Bureau of Investigation and the U.S. Secret Service on the role and needs of federal law enforcement in this effort.
Page 90 PREV PAGE TOP OF DOC Segment 2 Of 3
In addition, we will hear from the Center of Democracy and Technology (CDT) about on-line privacy concerns related to law enforcement efforts to protect the public.
The growth of the Internet has improved our economy, medicine and technology. Unfortunately, it has brought new opportunities for criminal activity, too. Often people think cyber crime simply refers to hacking, viruses and other intrusion tactics.
Cyber crime, however, threatens more than our businesses, economy or national infrastructure. Cyber crime affects us as individuals, too.
Reprehensible Crimes, such as child pornography and cyber stalking, terrorize our children and our families.
At the first hearing in this series on May 24th, the Texas Deputy Attorney General for Criminal Justice testified that ''one of the biggest problems is that computer criminals are targeting the most vulnerable of our society—children.'' He pointed out that according to the Federal Bureau of Investigation, child pornography was virtually extinct prior to the advent of the Internet. Now it is a serious plague on our society that must be stopped.
Adults also experience the dark side of the Internet revolution. Using computer technology, criminal types steal life savings and even identities of unsuspecting individuals. These pose serious threats to the lives and the livelihoods of many individuals.
But in addressing these areas of crime, law enforcement faces several challenges.
Page 91 PREV PAGE TOP OF DOC Segment 2 Of 3
Identifying a sophisticated criminal can be difficult. Once they are identified, bringing the criminal to justice may be problematic for jurisdictional reasons. The criminal may be in a different state or even another country and then law enforcement officials must deal with extradition issues.
Also, retrieving the information stored on a computer and using it for prosecution may be difficult if it requires highly technical skills not normally taught to investigators or prosecutors.
As long as there is technology, cyber crime will exist. Yet cyber crime must be curtailed as much as possible so that technology can legitimately continue to enrich our lives and strengthen our economy.
Congress understands that law enforcement officials must have the appropriate training and equipment to fight fire with fire, or computer technology with computer technology. But in doing so, law enforcement must remain cognizant of the need to protect the law-abiding public's privacy while protecting the public.
And the public must understand that law enforcement does need to use technology to deal with this new emerging threat to our children, our economy and our national security.
This hearing will focus on those efforts and challenges. We look forward to hearing how to balance the concerns of law enforcement officials and the need to protect privacy and find common ground to fight the growing trend of cyber crime.
Page 92 PREV PAGE TOP OF DOC Segment 2 Of 3
Before I recognize Bobby Scott, the ranking Member, for an opening statement, I would like to congratulate the FBI, the Department of Justice, and the Secret Service on the successful Internet fraud investigation named ''Operation Cyber Loss.'' Their efforts brought about criminal charges against approximately 90 individuals and companies that defrauded 56,000 people out of more than $117 million. With that, I recognize Mr. Scott.
Mr. SCOTT. Thank you. Mr. Chairman. I am pleased to join you in convening the second hearing on the issue of cyber crime. In the first hearing, we heard about State and local law-enforcement efforts to combat cyber crime. Today we will focus on Federal law-enforcement's efforts to combat cyber crime and we will hear from Federal agencies most involved in the issue, and one of our watchdog entities, working to ensure that we do not lose sight of our basic rights and protections as citizens in our zeal to address the menace posed by cyber crime.
Given the jurisdictional issues involved in crimes undertaken by way of electronic communications, the Federal Government will be in a better position to address such crimes in many instances and State and local law-enforcement entities. However, the nature of cyber crime remains the same despite the different medium: theft, fraud, forgery, destruction of property and so forth, violation of laws already on the books at State and local levels. So it is no surprise that we heard from State and local law-enforcement witnesses at the last hearing, that much of the role that they envision for the Federal Government in fighting cyber crime focuses on their need for resources, training, cooperation and assistance, not Federal usurpation of the enforcement effort.
Page 93 PREV PAGE TOP OF DOC Segment 2 Of 3
Of course, in any case of criminal activity, including cases of cyber crime, we are all better off with the emphasis being placed on crime prevention, as opposed to placing it on after-the-fact solutions. Thus, identifying ways to prevent cyber crime through better system security, crime prevention education programs for users and businesses, and early detection of and attention to potential problems should provide our best defense to cyber crime.
The rapid advancements we're seeing in information technology in the context of the World Wide Web not only challenges our ability to enforce traditional criminal laws, but also challenges our ability to protect and enforce basic rights of privacy and the other civil liberties our Constitution guarantees to us. Therefore, we should look at updating our law-enforcement capacities in this context, and it is just as incumbent upon us to make sure that these basic guarantees are not eviscerated or seriously compromised.
We must never lose sight of the fact that the enduring success of our system lies in the delicate balance our founding fathers struck in giving our Government strong authority to provide for the general welfare while protecting the sanctity of individual rights and the freedoms of law-abiding citizens from undue Government intrusion. It is interesting, Mr. Chairman, that we had a Supreme Court case just yesterday that addressed that issue. So, Mr. Chairman, I look forward to the testimony, to learn more about the challenges and activities of our primary law-enforcement Federal agencies in addressing the issue of cyber crime, as well as the challenges we face in preserving our civil liberties in the context of the World Wide Web.
Thank you, Mr. Chairman.
Mr. SMITH. Thank you, Mr. Scott.
Page 94 PREV PAGE TOP OF DOC Segment 2 Of 3
Do any other Members wish to be recognized for an opening statement? The gentlemen from North Carolina, Mr. Coble, is recognized.
Mr. COBLE. Mr. Chairman, I will be very brief. I have no formalized statement, and I may have to go to another meeting; but Mr. Assistant Attorney General, I put this question to the Attorney General last week, when we examined him up here, and I'm repeating this just for emphasis. I am concerned about your updating the Subcommittee on the extent to which prosecution of intellectual property crimes is becoming or has become a priority for the Department of Justice, A, and, B, if you all are using the provisions of the NET Act to pursue cyber pirates, or is it just a dead law? I'm hoping not the latter—and what could we do to help in regard to these two matters?
If I am not here at the conclusion of your testimony, if you can touch on that, I would be appreciative.
Mr. CHERTOFF. I will do that.
Mr. COBLE. Thank you, Mr. Chairman.
Mr. SMITH. Thank you, Mr. Coble, and I will incorporate those in my questions, so we will have the answers for you in that regard. If no other Members wish to be recognized, we will go to our witnesses and I will introduce them. They are Mr. Michael Chertoff, Assistant Attorney General, Criminal Division, U.S. Department of Justice; Mr. Thomas A. Kubic, Deputy Assistant Director, Criminal Investigative Division, Federal Bureau of Investigation; James A. Savage, Jr., Deputy Special Agent in Charge, Financial Crimes Division, United States Secret Service; and Mr. Allen B. Davidson, Associate Director, Center for Democracy and Technology.
Page 95 PREV PAGE TOP OF DOC Segment 2 Of 3
Again. we welcome you all, and Mr. Chertoff, if you will begin——
STATEMENT OF MICHAEL CHERTOFF, ASSISTANT ATTORNEY GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE
Mr. CHERTOFF. Thank you, Mr. Chairman. Mr. Chairman and Members of the Subcommittee, thank you for giving me this opportunity to testify about the Department of Justice's efforts to fight cyber crime or computer crime. Although I have been Assistant Attorney General for the Criminal Division for only little more than a week, it is clear to me already that this issue being considered by the Committee today is one of singular importance, and I commend the Committee for holding this hearing.
Let me give you a few real world examples of what we face with the cyber crime problem. These are drawn from real cases. A woman places a notice or appears to place a notice on the Internet that says, quote, ''It is my fantasy to be raped. Here is my name, home address and telephone number.'' In fact, this posting was not sent by the woman, but by a man who wanted to punish or harass the woman for some personal spurning of his romantic advances. Over the next few weeks, six strangers knock on her door in the middle of the night, attempting to respond to the posting. Luckily, the woman manages to convince them that the Internet notices were hoaxes.
I will give you another example. A virus is released in a foreign country. Within days, it has disrupted the communications of hundreds of thousands of computers across the Internet, causing losses estimated in the billions of dollars. The virus is designed so that after it infects a computer, it will access the user's computer passwords and relay them electronically back to the foreign country.
Page 96 PREV PAGE TOP OF DOC Segment 2 Of 3
A third example, an organized group of hackers from Russia and Eastern Europe commit a series of intrusions into more than 40 banks and e-commerce companies in the United States. The hackers steal over one million credit card numbers from the company's databases and then sell them to organized crime. The hackers then extort the companies, threatening to disclose their confidential information or damage their computer systems.
These scenarios are not alarmist speculation. They are based on actual events and cases, and these are crimes that affect the privacy, safety and security of Americans. The Justice Department is taking many steps to respond to the daunting challenges posed by computer crime. In response to this escalating problem, law-enforcement agencies have devoted significant resources to developing teams of investigators and forensic experts who have the specialized skills needed for cyber crime investigations.
The FBI and Secret Service, which are represented here today, have particularly important investigative responsibilities with respect to Internet and computer-related crimes, and they have been in the forefront of this effort, as has the Department of Defense and NASA. On the prosecution side, I am pleased that the Criminal Division has played a particular important role in combating cyber crime.
The centerpiece of our effort is the Criminal Division's Computer Crime and Intellectual Property Section. The attorneys in this section focus exclusively on issues relating to computer and intellectual property crime, allowing them to serve as a nationally-recognized source of advice and expertise on cyber crime law. In addition to responding daily for requests for information and advice from the field, CCIPS' attorneys coordinate multidistrict cases, like the denial-of-service attacks last year, and work extensively with international counterparts to improve legal and operational support for multinational cases.
Page 97 PREV PAGE TOP OF DOC Segment 2 Of 3
As well in the Criminal Division, other sections have had to develop computer expertise as traditional forms of crime have moved on to the Internet. As you have noted, Mr. Chairman, the Fraud Section has developed special programs to deal with the dramatic growth in Internet fraud, which is affecting all of us in this country, various types of fraudulent online schemes, and our Child Exploitation and Obscenity Section has strongly promoted the department's efforts against one of the most distrubing facets of cyber crime, the exploitation and abuse of children by online sexual predators and through the distribution of child pornography over the Internet.
We recognize, Mr. Chairman, that our success in this area depends on building networks of cooperation. We're working closely with State and local law-enforcement on operations and training. We're working with international law-enforcement because we realize that cyber crime recognizes no international boundaries. We're working with the private sector to promote information-sharing on our vulnerabilities. Our efforts in these regards are, not surprisingly, documented on the Web site, the CCIPS web site, www.cybercrime.gov.
Mr. Chairman, while the department does all it can to combat cyber crime, Congress can lend substantial assistance to our efforts. In particular, I would like to highlight three areas that merit particular attention. First, Congress should examine the substantive computer crime law, the Computer Fraud and Abuse Act. Given recent virus attacks that have caused damages in the billions of dollars, Congress should assure that the act's coverage is comprehensive and that the penalties for these crimes are commensurate with the harms caused.
Second, Congress should examine the procedural laws that govern law-enforcement investigations in the electronic environment. For example, the statute that governs pen registers and trap and trace devices should be clarified to assure that the privacy protections afforded the users of telephones will equally protect e-mail communications. Similarly, antiquated rules which govern the procedure for tracing a communication when it passes out of the jurisdiction of the local court that issued the pen trap order, should be examined and revised.
Page 98 PREV PAGE TOP OF DOC Segment 2 Of 3
Under current law, law-enforcement authorities must apply for the identical order in multiple jurisdictions, causing burdens and delays that benefit no one but criminals. Congress should look at the possibility of a single order that would cover these kinds of requests comprehensively.
Third, a perceived or possible conflict between the Cable Act and the record-keeping statutes that govern telephone companies and Internet service providers has created roadblocks for important law-enforcement investigations, now that cable companies are offering telephone and Internet service. Congress should consider clarifying these laws to ensure that the rules governing law-enforcement access to the records of a service provider—a service provider's customers—do not depend on whether the service happens to be transmitted over cable lines, telephone lines or some other medium.
Finally, there is the critical issue of resources. The department can work effectively to combat cyber crime only if we have adequate resources to hire, equip and train investigators and prosecutors. We stand ready to assist you in any way we can as you consider these pressing issues.
Mr. Chairman, all of us are deeply concerned about the safety and security——
Mr. SMITH. Mr. Chertoff, this being the second week that you've been head of the Criminal Division, we have given you a little extra time. But we need to conclude if we can.
Page 99 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. CHERTOFF. I appreciate that, Mr. Chairman. I simply want to say we're all concerned about safety and security. We want to balance it with privacy. That concludes my prepared statement. I am, of course, pleased to answer any questions.
[The prepared statement of Mr. Chertoff follows:]
PREPARED STATEMENT OF MICHAEL CHERTOFF
Mr. Chairman and Members of the Subcommittee, thank you for this opportunity to testify about the Department of Justice's efforts to fight cybercrime. The issue before this Subcommittee today is one of singular importance, and I commend the Subcommittee for holding this hearing.
In my testimony today, I would like to outline briefly the nature of the cybercrime problem and the Department's current efforts to combat that problem. As this is only my second week as head of the Criminal Division, I have not yet had the opportunity to undertake a full review of the problem and how we can best confront it. However, it is clear to me that cybercrime is an extremely serious threat, and that its complexity and constant evolution present a tremendous challenge to law enforcement.
THE NATURE AND SEVERITY OF CYBERCRIME
Over the last decade, use of computers and the Internet has grown exponentially. Indeed, for many individuals it is an integral part of their daily lives. With little more than a click of a mouse, people can communicate, transfer information, engage in commerce, and expand their educational opportunities. Unfortunately, criminals exploit these same technologies to commit crimes and harm the safety, security, and privacy of us all. Indeed, as more people go online, more criminals are realizing that online crime can be lucrative, especially given the amount of valuable commercial and personal information now being stored electronically.
Page 100 PREV PAGE TOP OF DOC Segment 2 Of 3
So-called ''cybercrime'' can be divided into two categories. On the one hand, we are seeing the migration of ''traditional'' crimes from the physical to the online world. These crimes include threats, child pornography, fraud, gambling, extortion, and theft of intellectual property. Simply put, criminals are migrating online because they can reach more victims quickly, can collaborate with other criminals, can disguise their identities, and can use the global nature of the Internet to remain anonymous.
On the other hand, the Internet has spawned an entirely new set of criminal activity that targets computer networks themselves. Included in this category are such crimes as hacking, releasing viruses, and shutting down computers by flooding them with unwanted information (so-called ''denial of service'' attacks). Our vulnerability to—and the damages caused by—this type of crime are astonishingly high.
For example, in May of last year, the ''I Love You'' Virus began to infect computers on the Internet. Within a short period of time, it had disrupted the communications of hundreds of thousands of computers, causing losses estimated in the billions of dollars. Just as disturbing, this virus demonstrated a new capability: when it infected a computer, it accessed the user's computer passwords and sent them electronically to a computer in a foreign country. The implications of this virus—and the many viruses that have followed it—are staggering.
In March of this year, the FBI's National Infrastructure Protection Center issued a warning that an organized group of hackers from Russia and Eastern Europe had committed a series of intrusions into more than forty banks and e-commerce companies in the United States. The hackers stole over 1,000,000 credit card numbers from the companies' data bases. They then embarked on extortion of many of the companies, threatening to disclose confidential information or damage the victims' computer systems. Evidence suggests that the hackers then sold many of the credit card numbers to organized crime groups.
Page 101 PREV PAGE TOP OF DOC Segment 2 Of 3
This crime—the investigation into which the Treasury Department participated and which has to date resulted in two arrests—has grave implications. Not only did it cause financial losses for the companies, but it harmed the privacy and security of the ordinary citizens whose credit cards numbers and personal data were stolen. Individuals victimized by these sorts of crimes rightfully fear the ramifications of criminals' gaining access to their private financial and personal data. Moreover, this kind of crime strikes at the confidence of consumers, threatening the vital growth of e-commerce.
Network crimes not only affect the security of individuals and businesses, they can also threaten our nation's critical infrastructures. Our power and water supply systems, telecommunications networks, financial sector, and critical government services, such as emergency and national defense services, all rely on computer networks. This reliance on computer networks creates new vulnerabilities.
For example, for a real-world terrorist to blow up a dam, he would need tons of explosives, a delivery system, and a surreptitious means of evading armed security guards. For a cyberterrorist, the same devastating result could be achieved by hacking into the control network and commanding the computer to open the floodgates. This is not a purely hypothetical scenario. Several years ago, a juvenile hacker gained unauthorized access to the computers controlling the operations of the Roosevelt Dam in Arizona.
Although there are as yet no definitive statistics on the scope of the problem, there is no doubt that the number of crimes involving computers and the Internet is rising dramatically. For example, the CERT Coordination Center, which was created to warn about computer attacks and viruses, received over 21,000 network crime incident reports last year. This is more than double the number of reports it received the year before. Similarly, a survey conducted by the FBI and the Computer Security Institute recently revealed substantial increases in computer crime. Over 85 percent of the companies and government agencies surveyed reported computer security breaches within the preceding twelve months, up from 70 percent last year. Moreover, researchers at the University of California at San Diego recently reported a methodology that enabled them to count the numbers of denial of service attacks. Their research revealed that 4,000 attacks occur every week. Responding to these threats is a daunting challenge.
Page 102 PREV PAGE TOP OF DOC Segment 2 Of 3
JUSTICE DEPARTMENT RESPONSES TO CYBERCRIME
While there is little question that combating cybercrime is a tremendous challenge, it is one the Justice Department must be prepared to meet. I can assure you that the Department is committed to arresting and prosecuting those individuals who operate in cyberspace to threaten the security and privacy of our citizens, to disrupt and damage commerce, and to compromise the integrity and availability of the Internet itself. I am very encouraged by the extent to which our investigators and prosecutors have been building a good enforcement foundation. One need only look at the many success stories reflected on the website of the Computer Crime and Intellectual Property Section, www.cybercrime.gov, to see their efforts in this area.
From my perspective, as I begin my assessment of our cybercrime efforts and the direction they should take in the future, at least three themes or elements seem to emerge as particularly important to success in confronting cybercrime: developing specialized expertise, building teamwork and partnerships, and assuring we have legal authorities which are both effective and appropriate in the unique and ever-evolving setting of computers and the Internet.
DEVELOPING SPECIALIZED EXPERTISE
Combating computer crime requires a team of professionals, including investigators, forensic experts, and prosecutors, all of whom have technical expertise. In addition to traditional investigative skills, cybercrime investigators must be well versed in the intricacies of technology to insure that evidence is not lost or overlooked. Forensic experts must know how to handle electronic evidence to protect its integrity for later use at trial, as well as how to recover and analyze digital evidence from computers with hard drives that store gigabytes of data. And prosecutors must understand the jargon and complexities of high-technology crimes and be able to translate technical evidence into a form understandable to a judge and jury.
Page 103 PREV PAGE TOP OF DOC Segment 2 Of 3
In response to the escalating problem, our law enforcement agencies have devoted significant resources to developing cadres of investigators and forensic experts who have the specialized skills needed for cybercrime investigations. The FBI and Secret Service, which have particularly important investigative responsibilities with respect to Internet and computer-related crimes, have certainly been in the forefront of this effort.
On the prosecution side, I am pleased that the Criminal Division has played a particularly important role, not only as a source of specialized cybercrime expertise, but as a key player in the training of local, state and federal agents and prosecutors in the laws governing cybercrime.
At the center of this effort is the Criminal Division's Computer Crime and Intellectual Property Section (''CCIPS''). This team of attorneys focuses exclusively on issues relating to computer and intellectual property crime, allowing them to serve as the nationally recognized source of advice and expertise on cybercrime law. In addition to responding daily to requests for information and advice from the field, CCIPS coordinates multi-district cases, and works extensively with international counterparts to improve legal and operational support for multi-national cases, such as the nationwide investigation of the distributed denial of service attacks in February 2000 that eventually led to the arrest of an individual in Canada. The Section's important outreach and education mission includes publication of significant reference materials for prosecutors such as Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations and Prosecuting Intellectual Property Crimes and an extensive training program in which, last year alone, CCIPS' twenty-one attorneys gave over 200 presentations to prosecutors, agents, judges, technical experts, and government and industry groups.
Page 104 PREV PAGE TOP OF DOC Segment 2 Of 3
A particularly important aspect of developing, and then sharing expertise in the field is our nationwide network of federal prosecutors called Computer and Telecommunications Coordinators (or ''CTCs'')—at least one from each district—who serve as the district's prosecutorial expert on computer crime cases. The CTC initiative was started by CCIPS in 1995, and has been strongly supported by our U.S. Attorneys. CCIPS trains and supports these coordinators specially, so that they, in turn, can serve as a resource for their offices and the law enforcement authorities and concerned industry in their regions of the country.
In the Criminal Division, specialized expertise in combating cybercrime is not confined to CCIPS. Other sections have developed this expertise as traditional forms of criminality have moved onto the Internet.
For example, the Department has seen dramatic growth in various types of fraudulent online schemes, and the Criminal Division's Fraud Section has played a critical role in the Justice Department's response, including overseeing a Department-wide Internet Fraud Initiative begun in 1999. Its work to date has included (1) advising and supporting federal prosecutors throughout the country, including maintenance of an Internet fraud brief bank; (2) developing specialized training on Internet fraud for courses at the Department's National Advocacy Center; (3) publishing extensive materials on the Department's website, www.internetfraud.usdoj.gov, in order to promote public understanding of Internet fraud schemes and how to deal with them; and (4) supporting improvements in federal agencies' investigative and analytical resources, including the Internet Fraud Complaint Center, a joint project of the FBI and the National White Collar Crime Center. The Department has also been involved in the related problem of identity theft, in part by providing national coordination of governmental efforts through the Identity Theft Subcommittee of the Attorney General's Council on White Collar Crime.
Page 105 PREV PAGE TOP OF DOC Segment 2 Of 3
Of course, one of the most disturbing facets of cybercrime is the exploitation and abuse of children, whether through distribution of child pornography over the Internet or through the horrific conduct of sexual predators who operate online. The FBI, the U.S. Attorneys' Offices, and the Division's Child Exploitation and Obscenity Section have developed special expertise in investigating and prosecuting these crimes and currently devote significant resources to the online aspects of child pornography and luring cases. Moreover, in this area and others, the Department's Office of Legal Education, in conjunction with various components of the Criminal Division, regularly sponsors classes regarding computer crime and electronic evidence.
BUILDING PARTNERSHIPS
As I noted at the beginning of my statement, the second element which seems particularly important to our efforts against cybercrime is partnership building. Of course, from years as a prosecutor, I know that teamwork is essential to any successful crime-fighting effort. But it strikes me that in the area of cybercrime the need for effective partnerships, is not only especially important but also requires partnerships well outside the traditional law enforcement community.
Certainly the complexity of cybercrime and the breadth, or potential breadth of its impact, are part of the reason. However, another factor is the diversity of interests at play in the cyberworld, and hence in our efforts to combat cybercrime. These include, among others, law enforcement interests, national security interests, privacy interests, and commerical interests. Without partnership, or at least dialogue, we will allow those interests to conflict and collide in ways destructive of our efforts to combat cybercrime.
Page 106 PREV PAGE TOP OF DOC Segment 2 Of 3
I would like to briefly describe some of the efforts already underway in the Department to build partnerships at the national and international levels and to engage consumers, organizations and business in a cooperative effort against Internet and computer related crime.
Because of the borderless and real-time nature of the Internet, and thus of cybercrime, we at the federal level need effective partnerships with our law enforcement colleagues at the federal, state and local levels, as well as overseas. A good example of cooperation of the federal level, ''Operation Cyber Loss,'' is described in detail in the testimony of FBI Deputy Assistant Director Kubic.
Certainly, within the United States, an important part of our partnership with state and local counterparts is supporting them in developing the specialized expertise I have already described as so important to our cybercrime efforts. For example, the Department founded and funds the National Cybercrime Training Partnership, a ground-breaking consortium of federal, state, and local entities dedicated to improving the technical competence of law enforcement agents and prosecutors. In addition, we have worked with the National Association of Attorneys General to create a 50-state list of state and local computer crime specialists, posted on the web, so that agents and prosecutors from one jurisdiction can call upon their colleagues in another jurisdiction for assistance in cybercrime matters. Also, our AUSAs specializing in cybercrime—the CTCs—are working in their jurisdictions to train state and local agents and prosecutors.
The challenges on the international level are greater. When we deal with a transborder cybercrime, we need foreign law enforcement counterparts who not only have the necessary technical expertise, but who are accessible and responsive, and who have the necessary legal authority to cooperate with us and assist us in our investigations and prosecutions. The Criminal Division has played a central role in attempting to build these sorts of partnerships internationally, and I expect it to continue to do so.
Page 107 PREV PAGE TOP OF DOC Segment 2 Of 3
For example, within the larger law enforcement frame work of the G-8's Lyon Group, there is a Subgroup on High-tech Crime which, from its inception, has been chaired by a senior attorney from CCIPS. One of its important accomplishments was the development of a ''24/7 network'' which allows law enforcement contacts in each participating country to reach out—24 hours a day, seven days a week—to counterparts in other countries for rapid assistance in investigating computer crime and preserving electronic evidence. The Subgroup has also to date sponsored many meetings, including three major conferences, that have brought together government and private sector representatives of all the G-8 countries to discuss cybercrime issues.
As part of our efforts to forge an effective framework for international partnership, the Department, and in particular the Criminal Division, has been engaged in the lengthy and still ongoing process of negotiating a cybercrime treaty in the Council of Europe. Since those negotiations have not yet concluded, I believe it would be premature to discuss the treaty in detail. Nonetheless, if a solid text emerges, it would be a significant legal instrument to assist us in combating cybercrime.
One aspect of our work on the treaty I do want to note especially, however, is the extent to which we have sought to engage the private sector, some elements of which had expressed concerns about aspects of the evolving draft and about the process at the Council of Europe, whose proceedings in this context have not been open to the public. The United States delegation pressed hard for the COE to depart from past practice and publish working drafts of the text, which it began to do more than a year ago. Thereafter, representatives of the Justice Department, along with those from the State and Commerce Departments—the agencies that form our delegation—met on numerous occasions with industry and privacy groups to hear their concerns. As a result, our delegation worked hard, and with a large measure of success, to obtain a number of changes to the treaty sought by industry and privacy groups.
Page 108 PREV PAGE TOP OF DOC Segment 2 Of 3
Of course, our dialogue with industry on the international front is part of a much broader partnership between law enforcement and industry to combat cybercrime and protect the nation's critical infrastructures.
As the builders and owners of the infrastructure that supports cyberspace, private sector companies have primary responsibility for securing and protecting the Internet. CCIPS, the National Infrastructure Protection Center (NIPC), and the CTC network have engaged in regular outreach to industry to ensure that communications channels are open between government and the private sector and to encourage cooperation on efforts to prevent and combat computer and intellectual property crimes. For example, the NIPC, in conjunction with the private sector, has developed the ''InfraGard'' initiative to expand direct contacts between government and private sector infrastructure owners and operators, and to share information about computer intrusions, vulnerabilities, and infrastructure threats.
Consumers, as the users of the infrastructure, also play an important role in securing the Internet. In the real world, most people understand their responsibilities regarding property: one should take appropriate steps to lock one's doors, but one should not enter other peoples' homes without permission even if they leave their doors unlocked. The Department has been working with the private sector and consumers to promote the same kind of safety precautions and ethics in the online world. One program we initiated with the Information Technology Association of America is the Cybercitizen Partnership, a national campaign to raise awareness about using computers responsibly and to provide educational resources to empower concerned citizens. The Partnership has developed a website, www.cybercitizenship.org, which provides information to parents, teachers, and children about online ethics.
Page 109 PREV PAGE TOP OF DOC Segment 2 Of 3
Certainly, one of the partnerships most important to our cybercrime efforts—one I believe we strengthen through hearings such as this—is the partnership between the Executive and Legislative branches. Of course, it is in the context of this partnership that we will focus on the third important element in our fight against cybercrime, and that is assuring that we have appropriate and effective legal tools.
ASSURING AN EFFECTIVE LEGAL FRAMEWORK
Given my very recent arrival as head of the Criminal Division, I am not in a position today to make specific recommendations about legislation. However, we are looking at this area closely, and are aware that members of Congress are doing so as well.
What I would like to do is to describe in general terms certain areas where our career investigators and prosecutors have raised concerns about our current legal framework for investigating and prosecuting cybercrime. For example, the adequacy of the penalties for certain computer crimes has been questioned, particularly in the aftermath of the ''Melissa'' virus case. In that case, even though the defendant caused tens of millions, if not billions of dollars of damage. the maximum penalty was five years imprisonment. Also, some prosecutors have expressed concern that the particular statutory approach for computing the minimum thresholds of damage in computer hacking cases, may in fact allow some significant criminals to go unpunished.
There have also been questions about whether procedural statutes, some enacted more than a decade ago, have withstood the changes brought about by the advance of technology. The Pen Register and Trap and Trace Statute is a good example. The ''pen/trap statute'' establishes a set of procedures by which law enforcement authorities can collect the non-content information associated with a communication. For telephones, this means the source or destination of calls placed to or from a particular phone. Congress enacted this statute in 1986 to protect privacy by requiring that the law enforcement authorities apply for a court order, allowing only government attorneys (not agents) to apply for such orders, and creating a criminal offense for any who use pen/trap devices without authority.
Page 110 PREV PAGE TOP OF DOC Segment 2 Of 3
With the advances in technology, law enforcement authorities and the courts have applied the pen/trap statute to new communications media, such as e-mail. In this context, pen/trap devices can uncover the source—but not the content—of a particular Internet communication. For example, law enforcement authorities obtained a pen/trap order on an e-mail account that was central to locating and arresting James Kopp, who had evaded arrest for three years after being indicted for killing a doctor in front of his wife and child in their home near Buffalo, New York, in 1998.
Although numerous courts across the country have applied the pen/trap statue to communications on computer networks, no federal district or appellate court has explicitly ruled on its propriety. However, certain litigants have begun to challenge the application of the pen/trap statute to such electronic communications. The pen/trap statute protects privacy and is an important investigative tool. Its application to the cyberworld is vital.
Also, this legislation was passed in an era when telecommunication networks were configured in such a way that, in most cases, the information sought could be obtained by issuing an order to a single carrier. With deregulation, however, a single communication may now be carried by multiple providers. For example, a telephone call may be carried by a competitive local exchange carrier, which passes it to a switch to a local Bell Operating Company, which passes it to a long distance carrier, which hands it to a local exchange carrier elsewhere in the U.S., which in turn may finally hand it to a cellular carrier. Under the structure of the current statute, where a court may only authorize the installation of a pen register or trap device ''within the jurisdiction of the court,'' identifying the ultimate source may require obtaining information from a host of providers located throughout the country—each requiring a separate order. Indeed, in one case the Justice Department needed four separate orders to trace a hacker's communications. You can imagine the concern of our investigators and prosecutors about complying with this procedure when confronted with an urgent need for information to prevent a serious crime or trace one in progress.
Page 111 PREV PAGE TOP OF DOC Segment 2 Of 3
Another procedural statute that Congress should consider examining is the Cable Communications Policy Act (the ''Cable Act'') (47 U.S.C. §551). Technological advances—and uncertainty about the Cable Act's application to them—have created roadblocks for important law enforcement investigations.
In 1984, Congress passed the Cable Act to regulate government access to records pertaining to cable television service. Of course, at that time, cable companies did not offer Internet access or telephone service. Today, they do. Yet a totally separate legal regime governs government access to records pertaining to telephones and the Internet. These laws include the wiretap statute (18 U.S.C. §2510 et seq.), the Electronic Communications Privacy Act (''ECPA'') (18 U.S.C. §2701 et seq.), and the pen/trap statute (18 U.S.C. §3121 et seq.). Cable companies have expressed concern that they may expose themselves to liability for violating the Cable Act if they comply with subpoenas and court orders for telephone or Internet records. This complication has at times delayed or frustrated time-sensitive investigations. It makes little sense for the rules governing law enforcement access to the records of communications customers to depend on the method by which the customer connects to the Internet.
These are only a few of the legislative issues we are now reviewing. I know there are other areas of concern, for example, with respect to further protections for children and safeguarding personal information from unauthorized and even criminal use. Moreover, part of our agenda will inevitably concern resources. Future budget requests for the Division will make adequate resources for our efforts against cybercrime a priority.
Page 112 PREV PAGE TOP OF DOC Segment 2 Of 3
Conclusion
Mr. Chairman, I want to thank you again for this opportunity to testify about our efforts to fight crime on the Internet. Citizens are deeply concerned about their safety and security when using the Internet, and we unfortunately have already encountered many examples of serious crimes against individuals and businesses and serious invasions of their privacy by criminals. Enhancing the ability of law enforcement to fight cybercrime both promotes Internet users' safety and security and enhances their privacy by deterring and punishing criminals. The Department of Justice stands ready to work with the Members of this Subcommittee to achieve these important goals.
Mr. Chairman, that concludes my prepared statement. I would be pleased to answer any questions that you may have at this time.
Mr. SMITH. Thank you, Mr. Chertoff.
Mr. Kubic?
STATEMENT OF THOMAS T. KUBIC, PRINCIPAL DEPUTY ASSISTANT DIRECTOR, CRIMINAL INVESTIGATIVE DIVISION, FEDERAL BUREAU OF INVESTIGATION
Mr. KUBIC. Good afternoon, Mr. Chairman and Members of the Subcommittee. I, too, am pleased to be with you today and to discuss some of the work of the FBI, as well as do what I can to enlighten the Committee on the issue of cyber crime today. Rather than repeat some things which already have been covered, I would submit for the record my full statement at this time.
Page 113 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. SMITH. Without objection, any witness will have their full statement made a part of the record.
Mr. KUBIC. Thank you. I would like to make just a few points. The first is that, cyber crimes are, in fact, unique. The cyber criminal operating in that environment stands much less of a chance of being apprehended and located than many other criminals that we are constantly faced with. The crime is committed oftentimes without the knowledge of the individual who is being victimized, as is the case when computer time is stolen.
Additionally, during the initial stages of a computer crime investigation, it is often difficult to ascertain the objective of the crime or the motive of the crime. So we don't know, at the start these intrusions, for example, if the effort is to steal intellectual property or if the effort is to launch a virus or, in fact, it is just a mere theft to steal credit cards. These problems are not quite as vexing in the real world. Considering the example of a bank robbery, it is very clear when a man enters the bank with a gun, to steal, that he is there to rob the bank, and he leaves behind an awful lot of physical evidence, which is not always the case in the cyber world of investigations.
What little evidence is left in a cyber crime is very perishable and often is gone before the investigators arrive on the scene. Thus, it is the nature of cyber crime which leads to the need for extra or special expertise on the part of the investigators, as well as continuing training throughout the course of the cycle of the investigator's career.
The second point I would like to make is that cyber crimes are evolving, as Assistant Attorney General Chertoff has pointed out. This is an area where there are new crimes that are being conceived of and committed by cyber criminals on a regular basis. Additionally, the rapidly developing technology leaves us in a situation where law-enforcement does play a good bit of catchup in order to stay current and to develop techniques to save and preserve the evidence it has found.
Page 114 PREV PAGE TOP OF DOC Segment 2 Of 3
With regard to the FBI's response, there have been two major initiatives. The first was the National Infrastructure Protection Center, which I believe you may be very familiar with. That mission, of NIPC, established 3 years ago, was to identify intrusions, to get word out as to the nature of those, so that security people in the private sector can understand what the issue is, what the vulnerabilities are, and fix those.
There are, in fact, NIPC-trained agent in all 56 FBI field offices; 16 of those offices have full squads devoted to the investigation of intrusions. During the course of the investigation, if it is determined that it is a white-collar crime case, that is, the motive of the intrusion is to steal money, additional resources are brought into the mix, particularly white-collar crime investigators.
The second is the Internet Fraud Complaint Center, and I think that the Chairman has noted some of the results of that investigation or that effort. Established a little more than a year ago, the Internet Fraud Complaint Center serves as a clearinghouse where, in fact, complaints can be received, analyzed and investigative reports submitted to not only Federal investigators, but also State and local investigators.
There is no question that to effectively combat computer crime or cyber crime, it needs a marriage, a task force approach, with not only prosecutors who are skilled and knowledgeable of the law, but also investigators, State, local and Federal. The FBI is, in fact, committed to the safety and security of the cyber world and those who either shop or conduct business in the cyber world, as well as those who visit just to obtain information.
Page 115 PREV PAGE TOP OF DOC Segment 2 Of 3
Thank you, Mr. Chairman.
[The prepared statement of Mr. Kubic follows:]
PREPARED STATEMENT OF THOMAS T. KUBIC
GOOD MORNING MR. CHAIRMAN AND MEMBERS OF THE SUBCOMMITTEE ON CRIME. I AM PLEASED TO APPEAR TODAY ON BEHALF OF THE FEDERAL BUREAU OF INVESTIGATION AND SHARE WITH YOUR SUBCOMMITTEE THE FBI'S EFFORTS TO ADDRESS CYBER CRIME.
LET ME BEGIN BY EMPHASIZING THAT THE FBI PLACES A HIGH PRIORITY ON INVESTIGATING CYBER CRIME MATTERS AND IS COMMITTED TO WORKING WITH THIS SUBCOMMITTEE AND ALL OF CONGRESS TO ENSURE THAT LAW ENFORCEMENT AND THE PRIVATE SECTOR HAVE THE NECESSARY TOOLS AND PROTECTIONS TO COMBAT THESE CRIMES. IT IS ONLY WITH THE EFFECTIVE COORDINATION AND COOPERATION BETWEEN ALL LEVELS OF GOVERNMENT AND PRIVATE SECTOR COMPANIES THAT EFFORTS TO COMBAT CYBER CRIME WILL SUCCEED. THE FBI RECOGNIZES AND APPRECIATES THE INTEREST AND EFFORTS OF PRIVATE SECTOR COMPANIES IN PREVENTING CYBER CRIME AS WELL AS THEIR WILLINGNESS TO WORK WITH LAW ENFORCEMENT TO ADDRESS THE PROBLEM.
I WOULD LIKE TO FIRST PROVIDE AN FBI PERSPECTIVE AS TO THE EXTENT OF THE CYBER CRIME PROBLEM ALONG WITH THE UNIQUE CHALLENGES FACED BY LAW ENFORCEMENT IN ADDRESSING IT, AND THEN GIVE YOU AN OVERVIEW OF WHAT THE FBI IS DOING TO ADDRESS THE PROBLEM INCLUDING DETAILS CONCERNING THE INTERNET FRAUD COMPLAINT CENTER AND A RECENT NATIONWIDE INTERNET FRAUD OPERATION.
THE INTERNET IS CHANGING THE WORLD AS WE KNOW IT, AND PROMISES TO CHANGE HOW WE BUY THINGS, HOW WE COMMUNICATE, WHERE WE GET ENTERTAINMENT, NEWS, AND WEATHER, WHERE WE WORK, AND MUCH, MUCH MORE WHILE BRINGING ENORMOUS BENEFITS TO SOCIETY. THE GROWTH AND UTILIZATION OF THE INTERNET AS A COMMUNICATIONS AND COMMERCE TOOL IS UNSURPASSED IN MODERN HISTORY. CURRENT TRENDS REFLECT THIS REMARKABLE GROWTH:
Page 116 PREV PAGE TOP OF DOC Segment 2 Of 3
INTERNET USERS IN THE U.S. REACHED 65 MILLION IN 1998, OVER 100 MILLION IN 1999, AND ARE EXPECTED TO EXCEED 200 MILLION THIS YEAR.(see footnote 2)
BUSINESS-TO-BUSINESS E-COMMERCE TOTALED OVER $100 BILLION IN 1999 (MORE THAN DOUBLING FROM 1998) AND IS EXPECTED TO GROW TO OVER ONE TRILLION DOLLARS BY 2003. WORLDWIDE NET COMMERCE, BOTH BUSINESS-TO-BUSINESS AND BUSINESS-TO-CONSUMER, WILL HIT AN ESTIMATED $6.8 TRILLION IN 2004.(see footnote 3)
THE VAST MAJORITY OF COMMUNICATION AND COMMERCE CONDUCTED VIA THE INTERNET IS FOR LAWFUL PURPOSES. HOWEVER, THE INTERNET IS INCREASINGLY UTILIZED TO FOSTER FRAUDULENT SCHEMES. JUST AS PRIOR TECHNOLOGICAL ADVANCES HAVE BROUGHT DRAMATIC IMPROVEMENTS FOR SOCIETY, THEY HAVE ALSO CREATED NEW OPPORTUNITIES FOR WRONGDOING. THE UNIQUE CHALLENGES FACING LAW ENFORCEMENT IN ADDRESSING CYBER CRIME REVOLVE AROUND THE NEBULOUS NATURE OF CYBER CRIME. THE INITIAL STAGES OF A CYBER CRIME INVESTIGATION INVOLVE A HIGH DEGREE OF UNCERTAINTY. IT IS OFTEN DIFFICULT TO QUICKLY IDENTIFY AND ASSESS WHAT TYPE OF CRIME, IF ANY, HAS BEEN COMMITTED. FOR EXAMPLE, WHEN THE FBI RECEIVES A COMPLAINT INDICATING THAT A BUSINESS HAS EXPERIENCED SOME TYPE OF INTRUSION INVOLVING ITS COMPUTER NETWORK, THE POSSIBLE CRIMES COMMITTED ARE INDETERMINATE. IT COULD BE A MALICIOUS HACKING INCIDENT AIMED AT DAMAGING OR SABOTAGING THE NETWORK, A POSSIBLE TERRORIST ATTACK, SOME FORM OF ESPIONAGE, A DENIAL OF SERVICE ATTACK, AS WELL AS ANY MYRIAD FORM OR COMBINATION OF TRADITIONAL CRIMES SUCH AS FRAUDS OR EXTORTIONS. CONTRAST THIS WITH A MORE TRADITIONAL CRIME IN THE PHYSICAL WORLD SUCH AS A BANK ROBBERY. WHEN A SUBJECT WALKS INTO A BANK WITH A GUN DEMANDS MONEY, THE TYPE OF CRIME BEING COMMITTED IS ABUNDANTLY CLEAR TO EVERYONE. MOREOVER, IN A BANK ROBBERY, THERE IS TYPICALLY A NUMBER OF PHYSICAL TYPES OF EVIDENTIARY VALUE SUCH AS FINGERPRINTS, SHOE IMPRESSIONS, SURVEILLANCE VIDEO AND/OR PHOTOGRAPHS, MONEY TAKEN, AND SEVERAL WITNESSES. NONE OF THIS IS AVAILABLE IN THE COMMISSION OF AN ON-LINE CRIME. WHAT LITTLE EVIDENCE IS AVAILABLE IN AN ON-LINE CRIME WILL USUALLY NOT EXIST FOR LONG. WITHOUT AN IMMEDIATE RESPONSE BY SKILLED CYBER INVESTIGATORS, IT WILL OFTEN BE FOREVER LOST.
Page 117 PREV PAGE TOP OF DOC Segment 2 Of 3
THIS ELUSIVE NATURE OF CYBER CRIME TRANSLATES INTO A CRITICAL NEED FOR HIGH LEVELS OF EXPERTISE IN INVESTIGATING CYBER CRIME MATTERS. IT IS RARELY CLEAR AT THE OUTSET OF AN INVESTIGATION AS TO THE ULTIMATE PURPOSE BEHIND A COMPUTER INTRUSION. HOWEVER, OUR INVESTIGATIONS HAVE DEVELOPED EVIDENCE THAT IN A MAJORITY OF CASES, THE PURPOSE OF INTRUSIONS IS TO FACILITATE ONGOING CRIMINAL ACTIVITY AND SEEK FINANCIAL GAIN.
BY WAY OF EXAMPLE, ON MARCH 1, 2000, A COMPUTER HACKER ALLEGEDLY COMPROMISED MULTIPLE E-COMMERCE WEB SITES IN THE U.S., CANADA, THAILAND, JAPAN AND THE UNITED KINGDOM, AND APPARENTLY STOLE AS MANY AS 28,000 CREDIT CARD NUMBERS WITH LOSSES ESTIMATED TO BE AT LEAST $3.5 MILLION. THOUSANDS OF CREDIT CARD NUMBERS AND EXPIRATION DATES WERE POSTED TO VARIOUS INTERNET WEB SITES. AFTER AN EXTENSIVE INVESTIGATION, ON MARCH 23, 2000, THE FBI ASSISTED THE DYFED POWYS (WALES, UK) POLICE SERVICE IN A SEARCH AT THE RESIDENCE OF THE SUBJECT WHO WAS THEN ARRESTED IN THE UK ALONG WITH A CO-CONSPIRATOR UNDER THE UK'S COMPUTER MISUSE ACT OF 1990.
THIS CASE WAS PREDICATED ON THE INVESTIGATIVE WORK BY THE FBI, THE DYFED POWYS POLICE SERVICE IN THE UNITED KINGDOM, INTERNET SECURITY CONSULTANTS, THE ROYAL CANADIAN MOUNTED POLICE (RCMP), AND THE INTERNATIONAL BANKING AND CREDIT CARD INDUSTRY. THIS CASE ILLUSTRATES THE BENEFITS OF LAW ENFORCEMENT AND PRIVATE INDUSTRY, AROUND THE WORLD, WORKING TOGETHER IN PARTNERSHIP ON COMPUTER CRIME INVESTIGATIONS. LOSS ESTIMATES ARE STILL BEING DETERMINED.
AS WORLDWIDE DEPENDENCE ON TECHNOLOGY INCREASES, HIGH-TECH CRIME IS BECOMING AN INCREASINGLY ATTRACTIVE SOURCE OF REVENUE FOR ORGANIZED CRIME GROUPS, AS WELL AS AN ATTRACTIVE OPTION FOR THEM TO MAKE COMMERCIAL AND FINANCIAL TRANSACTIONS THAT SUPPORT CRIMINAL ACTIVITY. CRIMINAL ACTIVITY IN THE CYBER WORLD PRESENTS A DAUNTING CHALLENGE AT ALL LEVELS OF LAW ENFORCEMENT. IN THE PAST, A NATION'S BORDER ACTED AS A BARRIER TO THE DEVELOPMENT OF MANY CRIMINAL ENTERPRISES, ORGANIZATIONS AND CONSPIRACIES. OVER THE PAST FIVE YEARS, THE ADVENT OF THE INTERNET AS A BUSINESS AND COMMUNICATION TOOL HAS ERASED THESE BORDERS. CYBER CRIMINALS AND ORGANIZATIONS POSE SIGNIFICANT THREATS TO GLOBAL COMMERCE AND SOCIETY.
Page 118 PREV PAGE TOP OF DOC Segment 2 Of 3
THE USE OF THE INTERNET FOR CRIMINAL PURPOSES IS ONE OF THE MOST CRITICAL CHALLENGES FACING THE FBI AND LAW ENFORCEMENT IN GENERAL. UNDERSTANDING AND USING THE INTERNET TO COMBAT INTERNET FRAUD IS ESSENTIAL FOR LAW ENFORCEMENT. THE FRAUD BEING COMMITTED OVER THE INTERNET IS THE SAME TYPE OF WHITE COLLAR FRAUD THE FBI HAS TRADITIONALLY INVESTIGATED BUT POSES ADDITIONAL CONCERNS AND CHALLENGES BECAUSE OF THE NEW ENVIRONMENT IN WHICH IT IS LOCATED. THE ACCESSABILITY OF SUCH AN IMMENSE AUDIENCE COUPLED WITH THE ANONYMITY OF THE SUBJECT, REQUIRE A DIFFERENT APPROACH. THE INTERNET IS A PERFECT VEHICLE TO LOCATE VICTIMS AND PROVIDE THE ENVIRONMENT WHERE THE VICTIMS DON'T SEE OR SPEAK TO THE FRAUDSTERS. THE INTERNET ENVIRONMENT OFTEN CREATES A FALSE SENSE OF SECURITY AMONG USERS LEADING THEM TO CHECK OUT OPPORTUNITIES FOUND ON THE INTERNET LESS THOROUGHLY THAN THEY MIGHT OTHERWISE. ANYONE IN THE PRIVACY OF THEIR OWN HOME CAN CREATE A VERY PERSUASIVE VEHICLE FOR FRAUD OVER THE INTERNET. THE EXPENSES ASSOCIATED WITH THE OPERATION OF A ''HOME PAGE'' AND THE USE OF ELECTRONIC MAIL (E-MAIL) ARE MINIMAL. CON ARTISTS DO NOT REQUIRE THE CAPITAL TO SEND OUT MAILERS, HIRE PEOPLE TO RESPOND TO THE MAILERS, FINANCE AND OPERATE TOLL FREE NUMBERS. THIS TECHNOLOGY HAS EVOLVED EXPONENTIALLY OVER THE PAST FEW YEARS AND WILL CONTINUE TO EVOLVE AT A TREMENDOUS RATE.
INTERNET FRAUD DOES NOT HAVE TRADITIONAL BOUNDARIES AS SEEN IN THE TRADITIONAL SCHEMES. NO ONE KNOWS THE FULL EXTENT OF THE FRAUD BEING COMMITTED ON THE INTERNET. NOT ALL VICTIMS REPORT FRAUD, AND THOSE WHO DO, DO NOT REPORT IT TO ONE CENTRAL REPOSITORY. FOR TRADITIONAL FRAUD SCHEMES THE FBI HAS SYSTEMS IN PLACE TO IDENTIFY AND TRACK FRAUD THROUGHOUT THE COUNTRY. FOR EXAMPLE, A CON MAN OPENS UP SHOP IN CHICAGO, FINDS A LOCATION, OBTAINS PHONES, HIRES PERSONNEL, AND BEGINS TO DEFRAUD PEOPLE. WHEN VICTIMS DON'T RECEIVE WHAT THEY WERE PROMISED AND REALIZE THAT THEY HAVE BEEN DEFRAUDED, THEY WILL CONTACT THEIR LOCAL FIELD OFFICE OF THE FBI, AND PROVIDE THE COMPLAINT INFORMATION, WHICH WILL BE FORWARDED TO THE CHICAGO OFFICE (WHERE THE FRAUD IS OCCURRING). THE FBI IN CHICAGO RECEIVES A NUMBER OF THESE COMPLAINTS AND INITIATES AN INVESTIGATION. FRAUD OVER THE INTERNET DOES NOT NEED A PHYSICAL LOCATION, NOR PERSONNEL, NOR TELEPHONES. INTERNET FRAUD IS DISJOINTED, AND SPREAD THROUGHOUT THE COUNTRY AND OTHER COUNTRIES. THE TRADITIONAL METHODS OF DETECTING, REPORTING, AND INVESTIGATING FRAUD FAIL IN THIS VIRTUAL ENVIRONMENT. VICTIMS OF FRAUD HAVE BEEN UNSURE OF HOW OR WHERE TO REPORT WHAT THEY SEE OR WHAT THEY HAVE EXPERIENCED ON THE INTERNET. LAW ENFORCEMENT AGENCIES HAVE RECEIVED COMPLAINTS IN A PIECEMEAL FASHION, MOST NOT REACHING A LEVEL TO ADVANCE THE COMPLAINT TO AN INVESTIGATION. ANOTHER PROBLEM IS VENUE. WITHOUT SOME TECHNICAL INVESTIGATORY STEPS IT IS DIFFICULT TO IDENTIFY THE LOCATION OF A WEBSITE OR THE ORIGIN OF AN E-MAIL.
Page 119 PREV PAGE TOP OF DOC Segment 2 Of 3
THE INTERNET PROVIDES CRIMINALS WITH A TREMENDOUS WAY TO LOCATE NUMEROUS VICTIMS AT MINIMAL COSTS. THE VICTIMS OF INTERNET FRAUD NEVER SEE OR SPEAK TO THE SUBJECTS, AND OFTEN DON'T KNOW WHERE THE SUBJECTS ARE ACTUALLY LOCATED. CRIMES COMMITTED USING COMPUTERS AS A COMMUNICATION OR STORAGE DEVICE HAVE DIFFERENT PERSONNEL AND RESOURCE IMPLICATIONS THAN SIMILAR OFFENSES COMMITTED WITHOUT THESE TOOLS. ELECTRONIC DATA IS PERISHABLE—EASILY DELETED, MANIPULATED AND MODIFIED WITH LITTLE EFFORT. THE VERY NATURE OF THE INTERNET AND THE RAPID PACE OF TECHNOLOGICAL CHANGE IN OUR SOCIETY RESULT IN OTHERWISE TRADITIONAL FRAUD SCHEMES BECOMING MAGNIFIED WHEN THESE TOOLS ARE UTILIZED AS PART OF THE SCHEME. THE INTERNET PRESENTS NEW AND SIGNIFICANT INVESTIGATORY CHALLENGES FOR LAW ENFORCEMENT AT ALL LEVELS. THESE CHALLENGES INCLUDE: THE NEED TO TRACK DOWN SOPHISTICATED USERS WHO COMMIT UNLAWFUL ACTS ON THE INTERNET WHILE HIDING THEIR IDENTITIES; THE NEED FOR CLOSE COORDINATION AMONG LAW ENFORCEMENT AGENCIES; AND THE NEED FOR TRAINED AND WELL-EQUIPPED PERSONNEL TO GATHER EVIDENCE, INVESTIGATE, AND PROSECUTE THESE CASES. VICTIMS ARE OFTEN SCATTERED AROUND THE COUNTRY IN DIFFERENT JURISDICTIONS OR COUNTRIES THAN THE SUBJECT(S). SUBJECTS LOCATED IN OTHER COUNTRIES ARE INCREASINGLY TARGETING VICTIMS IN THE U.S. UTILIZING THE INTERNET. EVIDENCE CAN BE STORED REMOTELY IN LOCATIONS NOT IN PHYSICAL PROXIMITY TO EITHER THEIR OWNER OR THE LOCATION OF CRIMINAL ACTIVITY. IN ADDITION, LOSSES SUFFERED BY VICTIMS IN INDIVIDUAL JURISDICTIONS MAY NOT MEET PROSECUTIVE THRESHOLDS EVEN THOUGH TOTAL LOSSES THROUGH THE SAME SCHEME MAY BE SUBSTANTIAL. IN ORDER TO SUBPOENA RECORDS, UTILIZE ELECTRONIC SURVEILLANCE, EXECUTE SEARCH WARRANTS, SEIZE EVIDENCE AND EXAMINE IT IN FOREIGN COUNTRIES, THE FBI MUST RELY UPON LOCAL AUTHORITIES FOR ASSISTANCE. IN SOME CASES, LOCAL POLICE FORCES DO NOT UNDERSTAND OR CANNOT COPE WITH TECHNOLOGY. IN OTHER CASES, THESE NATIONS SIMPLY DO NOT HAVE ADEQUATE LAWS REGARDING CYBER CRIME AND ARE THEREFORE LIMITED IN THEIR ABILITY TO PROVIDE ASSISTANCE. OUR LEGAL ATTACHE PROGRAM PROVIDES CRITICAL CONTRIBUTIONS IN THESE MATTERS.
Page 120 PREV PAGE TOP OF DOC Segment 2 Of 3
CYBER CRIME EXISTS ACROSS FBI PROGRAM BOUNDARIES AND WITHOUT REGARD TO INTERNATIONAL BORDERS. AMONG THE FBI PROGRAM AREAS IMPACTED BY CYBER CRIME ARE: SECURITIES AND COMMODITIES TRANSACTIONS, PRIME BANK SCHEMES, TELEMARKETING SCHEMES, ONLINE BANKING FRAUDS, GOVERNMENT PROGRAM AND PRIVATE HEALTH CARE FRAUD SCHEMES, ONLINE PHARMACY SCHEMES, ONLINE AUCTION FRAUDS, IDENTITY THEFT, INTELLECTUAL PROPERTY THEFT, BUSINESS-TO-BUSINESS FRAUDS, NON-DELIVERY OF SERVICES, SO-CALLED NIGERIAN LETTER SOLICITATIONS, CREDIT CARD FRAUD, E-COMMERCE AND TRADING, E-COMMERCE AND GOVERNMENT PROCUREMENT, ONLINE GAMBLING, ORGANIZED CRIME/DRUGS, TERRORISM, FUGITIVES, PURCHASE AND SALE OF STOLEN/COUNTERFEIT MERCHANDISE, CHILD PORNOGRAPHY, DENIAL OF SERVICE ATTACKS, INTRUSIONS, MONEY LAUNDERING, AND AS A BUSINESS TOOL TO TRANSACT CRIMINAL ACTIVITY.
CRIMINALS COMMONLY USE COMPUTERS TO COMMUNICATE, STORE INFORMATION, AND PERFORM FINANCIAL AND OTHER TRANSACTIONS. INFORMATION WHICH AT ONE TIME WAS MAINTAINED IN PAPER FILES NOW RESIDES IN DIGITAL FORMAT ON HARD DRIVES AND NETWORKS, AND INFORMATION THAT ONCE WAS TRANSMITTED AS ANALOG VOICE OVER TELEPHONE CONNECTIONS IS NOW TRANSMITTED IN DIGITAL FORMAT OVER THE INTERNET. THE RESULT IS THAT THESE DEVICES OFTEN CONTAIN CRITICAL EVIDENCE OF CRIMINAL ACTIVITY NOT ONLY WITH RESPECT TO COMPUTER CRIMES, BUT ALSO WITH RESPECT TO CONVENTIONAL CRIMES WHERE USE OF A COMPUTER IS MERELY INCIDENTAL TO THE CRIME.
IN ADDITION TO THE BASIC INVESTIGATIVE STEPS REQUIRED IN ANY INVESTIGATION, CYBER CRIME INVESTIGATIONS REQUIRE THAT NEW TYPES OF QUESTIONS BE ASKED, NEW CLUES LOOKED FOR, AND NEW RULES BE FOLLOWED CONCERNING THE COLLECTION AND PRESERVATION OF EVIDENCE. IN ORDER TO SUCCESSFULLY CONDUCT THESE INVESTIGATIONS, INVESTIGATORS REQUIRE SIGNIFICANTLY ADVANCED SKILLS. REGARDLESS OF WHETHER THE COMPUTER SYSTEM ITSELF IS THE TARGET OF CRIMINAL ACTIVITY OR THE COMPUTER SYSTEM (OR INTERNET) IS USED IN FURTHERANCE OF A CRIME, THE FACT THAT A COMPUTER IS INVOLVED BRINGS INTO PLAY AND CREATES A NECESSITY AND REQUIREMENT FOR A QUALIFIED PERSON TO COMPETENTLY HANDLE THE COMPUTER-RELATED AND INTERNET ISSUES. COMPUTER ANALYSIS AND RESPONSE TEAM (CART) RESOURCES ARE HEAVILY RELIED UPON BY FIELD OFFICES TO RESPOND TO THE WIDE VARIETY OF COMPUTER FACILITATED CRIMES. THE FBI HAS SUPPORTED LOCAL REGIONAL COMPUTER FORENSIC LABS (RCFL) INITIATIVES IN SAN DIEGO AND DALLAS. THESE COOPERATIVE VENTURES BETWEEN THE FBI, DEA AND OTHER FEDERAL AGENCIES, AND STATE AND LOCAL LAW ENFORCEMENT PROVIDE COMPUTER FORENSIC SUPPORT TO ALL LAW ENFORCEMENT AGENCIES WITHIN THEIR RESPECTIVE TERRITORIES. THE DEVELOPMENT OF SUCH REGIONAL LABS IS, IN OUR VIEW, VERY IMPORTANT, BOTH IN ORDER TO LEVERAGE LAW ENFORCEMENT RESOURCES AND TO ENSURE THE DEVELOPMENT AND IMPLEMENTATION OF SOUND NATIONAL STANDARDS FOR COMPUTER FORENSICS.
Page 121 PREV PAGE TOP OF DOC Segment 2 Of 3
TO THIS POINT, WE HAVE DISCUSSED IN GENERAL THE POTENTIAL THREAT POSED BY CYBER CRIME, WHY IT HAS BECOME AND WILL CONTINUE TO BE ONE OF THE MOST SIGNIFICANT CRIME PROBLEMS , AND BRIEFLY DESCRIBED SOME OF THE MYRIAD FACETS OF CYBER CRIME. I WOULD LIKE TO NOW FOCUS THE DISCUSSION ON WHAT THE FBI IS DOING TO ADDRESS THE AREA OF CYBER CRIME.
INTERNET FRAUD COMPLAINT CENTER (IFCC)
THE DEVELOPMENT OF A PROACTIVE STRATEGY TO INVESTIGATE INTERNET FRAUD THROUGH THE ESTABLISHMENT OF AN INTERNET FRAUD COMPLAINT CENTER (IFCC) AS A CENTRAL REPOSITORY FOR CRIMINAL COMPLAINTS WAS ESSENTIAL. THE IFCC IS A JOINT OPERATION WITH THE FBI AND THE NATIONAL WHITE COLLAR CRIME CENTER (NW3C). THE NW3C IS A NON-PROFIT ORGANIZATION WHICH IS PARTIALLY FUNDED BY THE DEPARTMENT OF JUSTICE. THE MISSION OF NW3C IS TO PROVIDE A NATIONWIDE SUPPORT SYSTEM FOR THE PREVENTION, INVESTIGATION AND PROSECUTION OF ECONOMIC CRIMES. A LITTLE OVER A YEAR AGO, ON MAY 8, 2000, THE IFCC OPENED ITS DOORS TO COMBAT THE GROWING PROBLEM OF CRIMINAL FRAUD OVER THE INTERNET. THE IFCC WAS NECESSARY TO ADEQUATELY IDENTIFY, TRACK, AND PROSECUTE NEW FRAUDULENT SCHEMES ON THE INTERNET ON A NATIONAL AND INTERNATIONAL LEVEL. IT SERVES AS A CLEARINGHOUSE FOR THE RECEIPT, ANALYSIS, AND DISSEMINATION OF CRIMINAL COMPLAINTS CONCERNING FRAUDS PERPETRATED OVER THE INTERNET. IFCC PERSONNEL COLLECT, ANALYZE, EVALUATE, AND DISSEMINATE INTERNET FRAUD COMPLAINTS TO THE APPROPRIATE LAW ENFORCEMENT AGENCY. THE IFCC PROVIDES A MECHANISM BY WHICH THE MOST EGREGIOUS SCHEMES ARE IDENTIFIED AND ADDRESSED THROUGH A CRIMINAL INVESTIGATIVE EFFORT.
THE IFCC PROVIDES A CENTRAL ANALYTICAL REPOSITORY FOR CRIMINAL COMPLAINTS REGARDING INTERNET FRAUD, AND IT ACTS AS A RESOURCE FOR ENFORCEMENT AGENCIES AT ALL LEVELS OF GOVERNMENT TO INCLUDE REGULATORY AGENCIES. IT PROVIDES ANALYTICAL SUPPORT, AND AIDS IN DEVELOPING AND PROVIDING TRAINING MODULES TO ADDRESS INTERNET FRAUD. THE FBI AND THE NATIONAL WHITE COLLAR CRIME CENTER (NW3C) COSPONSOR THE IFCC. THIS PARTNERSHIP IS MUTUALLY BENEFICIAL FOR BOTH ENTITIES IN THAT IT ALLOWS BOTH AGENCIES TO SHARE STAFFING RESPONSIBILITIES AND, BY FORWARDING COMPLAINTS TO FBI FIELD DIVISIONS, UTILIZE THE FBI'S INVESTIGATIVE RESOURCES TO ADDRESS THIS NEW TECHNO CRIME.
Page 122 PREV PAGE TOP OF DOC Segment 2 Of 3
THE IFCC IDENTIFIES CURRENT CRIME PROBLEMS, AND DEVELOPS INVESTIGATIVE TECHNIQUES TO ADDRESS NEWLY IDENTIFIED CRIME TRENDS. THE INFORMATION OBTAINED FROM THE DATA COLLECTED IS PROVIDING THE FOUNDATION FOR THE DEVELOPMENT OF A NATIONAL STRATEGIC PLAN TO ADDRESS INTERNET FRAUD.
IFCC'S MISSION IS TO DEVELOP A NATIONAL STRATEGIC PLAN TO ADDRESS FRAUD OVER THE INTERNET, AND TO PROVIDE SUPPORT TO LAW ENFORCEMENT AND REGULATORY AGENCIES AT ALL LEVELS OF GOVERNMENT FOR FRAUD THAT OCCURS OVER THE INTERNET.
IFCC'S PURPOSE IS THE FOLLOWING:
TO DEVELOP A NATIONAL STRATEGY TO ADDRESS INTERNET FRAUD;
TO DEVELOP CRIMINAL INTERNET FRAUD CASES AND REFER FOR CRIMINAL PROSECUTIONS COMPANIES AND INDIVIDUALS RESPONSIBLE;
TO REDUCE THE AMOUNT OF ECONOMIC LOSS BY INTERNET FRAUD THROUGHOUT THE UNITED STATES;
TO PROVIDE AN ANALYTICAL REPOSITORY FOR INTERNET FRAUD COMPLAINTS;
TO RECEIVE, ANALYZE AND REFER ALL FRAUDULENT ACTIVITY IDENTIFIED ON THE INTERNET;
TO IDENTIFY CURRENT CRIME TRENDS OVER THE INTERNET;
Page 123 PREV PAGE TOP OF DOC Segment 2 Of 3
TO DEVELOP INVESTIGATIVE TECHNIQUES TO ADDRESS THOSE IDENTIFIED CRIME PROBLEMS;
TO TRACK FRAUD FACILITATED BY THE INTERNET AND PROVIDE ANALYTICAL SUPPORT OF INTERNET CRIME TRENDS;
TO ACT AS AN INVESTIGATIVE RESOURCE FOR INTERNET FRAUD;
TO DEVELOP TRAINING MODULES TO INVESTIGATE INTERNET FRAUD;
TO DEVELOP INFORMATION PACKETS FROM COMPLAINTS GENERATED AND FORWARD THAT INFORMATION TO THE APPROPRIATE LAW ENFORCEMENT AGENCIES.
PUBLIC AWARENESS OF THE EXISTENCE AND PURPOSE OF THE IFCC IS PARAMOUNT TO THE SUCCESS OF THIS EFFORT. THE IFCC PROVIDES A CONVENIENT AND EASY WAY FOR THE PUBLIC TO ALERT AUTHORITIES OF A SUSPECTED CRIMINAL ACTIVITY OR CIVIL VIOLATION. VICTIMS OF INTERNET CRIME ARE ABLE TO GO DIRECTLY TO THE IFCC WEB SITE (WWW.IFCCFBI.GOV) TO SUBMIT THEIR COMPLAINT INFORMATION, RELIEVING CONSIDERABLE FRUSTRATION FOR THE VICTIM IN TRYING TO DECIDE WHICH LAW ENFORCEMENT AGENCY SHOULD RECEIVE THE COMPLAINT. THE FBI WEB PAGE ALSO AIDS IN THIS EFFORT. A DETAILED EXPLANATION OF THE COMPLAINT CENTER, ITS PURPOSE AND CONTACT NUMBERS, IS PROVIDED SO THAT CONSUMERS CAN REPORT INTERNET FRAUD. THE FBI WEB PAGE PROVIDES VICTIMS WITH A HYPERLINK TO THE IFCC WEB PAGE. MANY OTHER WEB SITES WHICH PROVIDE INFORMATION ON FRAUD MATTERS CONTAIN LINKS TO THE IFCC WEB SITE (E.G., THE DEPARTMENT OF JUSTICE SITE, WWW.INTERNETFRAUD.USDOJ.GOV).
THE FBI HAS ALSO ESTABLISHED AN INTERNET FRAUD COUNCIL WORKING GROUP CONSISTING OF FEDERAL AND STATE LAW ENFORCEMENT AGENCIES, INTERNATIONAL LAW ENFORCEMENT AGENCIES, FEDERAL AND STATE ENFORCEMENT AGENCIES, AND REPRESENTATIVES OF THE PRIVATE BUSINESS SECTOR. THE GROUP'S PURPOSE IS TO CREATE A NETWORK TO SHARE INFORMATION, DISCUSS PERTINENT ISSUES, RECOMMEND LEGISLATIVE SOLUTIONS, AND OBTAIN THE MAXIMUM BENEFIT FOR ALL PARTICIPATING MEMBERS.
Page 124 PREV PAGE TOP OF DOC Segment 2 Of 3
DURING THE START-UP PHASE OF IFCC, THE ENTIRE STAFF PROCESSED INCOMING COMPLAINTS AND FORWARDED THEM TO LAW ENFORCEMENT AGENCIES. IN ITS FIRST YEAR OF OPERATION, THE IFCC RECEIVED 36,410 COMPLAINTS, OF THOSE COMPLAINTS, 5,907 WERE INVALID, INCOMPLETE OR DUPLICATIVE, RESULTING IN 30,503 VALID CRIMINAL COMPLAINTS. THOSE COMPLAINTS WERE REFERRED TO AN AVERAGE OF TWO TO THREE LAW ENFORCEMENT AGENCIES. THIS REFERRAL PROCESS HAS SPAWNED HUNDREDS OF CRIMINAL INVESTIGATIONS THROUGHOUT THE COUNTRY. THE FBI STAFF AT THE IFCC HAVE BEGUN TO USE THE DATA TO IDENTIFY
MULTIPLE VICTIMS, VARIOUS CRIME TRENDS AND SAME SUBJECT CASES THUS INITIATING THE INVESTIGATIVE PHASE OF THE CENTER'S OPERATIONS. THIS PROCESS WASN'T FULLY FUNCTIONAL UNTIL JANUARY 1, 2001. UTILIZING THIS PROCESS IN WHICH THE IFCC STAFF DRAFT INTERNET INVESTIGATIVE REPORTS AND FORWARDS THOSE REPORTS TO MULTIPLE LAW ENFORCEMENT AGENCIES, THE IFCC HAS INVESTIGATED AND REFERRED 545 INVESTIGATIVE REPORTS ENCOMPASSING OVER 3,000 COMPLAINTS TO 51 0F 56 FBI FIELD DIVISIONS AND 1,507 LOCAL AND STATE LAW ENFORCEMENT AGENCIES. IFCC HAS ALSO REFERRED 41 CASES ENCOMPASSING OVER 200 COMPLAINTS TO INTERNATIONAL LAW ENFORCEMENT AGENCIES. THE IFCC HAS RECEIVED COMPLAINTS OF VICTIMS FROM 89 DIFFERENT COUNTRIES.
AUCTION FRAUD IS BY FAR THE MOST REPORTED INTERNET FRAUD, COMPRISING NEARLY TWO-THIRDS OF ALL COMPLAINTS. PAYMENT FOR MERCHANDISE THAT WAS NEVER DELIVERED ACCOUNTS FOR 22% OF COMPLAINTS, AND CREDIT AND DEBIT CARD FRAUD MAKEUP ALMOST 5% OF COMPLAINTS. ANOTHER 5% OF COMPLAINTS STEM FROM VARIOUS TYPES OF INVESTMENT FRAUDS AND CONFIDENCE FRAUD SCHEMES SUCH AS HOME IMPROVEMENT SCAMS AND MULTI-LEVEL MARKETING SCHEMES. IT HAS BEEN THE EXPERIENCE OF THE FBI THAT FURTHER INVESTIGATION INTO THESE COMPLAINTS OFTEN REVEALS A VARIETY OF FRAUDS BEING PERPETRATED BY SUBJECTS. SUBJECTS ENGAGED IN ONE TYPE OF FRAUD SCHEME SUCH AS ON-LINE AUCTION FRAUD ARE FREQUENTLY INVOLVED IN OTHER TYPES OF FRAUD SCHEMES SUCH AS BANK FRAUD, INVESTMENT FRAUDS AND/OR PONZI/PYRAMID SCHEMES.
Page 125 PREV PAGE TOP OF DOC Segment 2 Of 3
BUSINESSES THAT CONDUCT A SIGNIFICANT AMOUNT OF COMMERCE OVER THE INTERNET ARE EXPOSED TO LOSSES IN THE MILLIONS OF DOLLARS DUE TO VARIOUS FRAUD SCHEMES. WITH ASSISTANCE FROM THE PRIVATE SECTOR, THE IFCC IS DEVELOPING A BUSINESS-FRIENDLY SYSTEM FOR RAPID DATA TRANSFER OF MULTIPLE COMPLAINTS IN AN EFFORT TO BETTER SERVE THESE CRIME VICTIM-COMPANIES' NEEDS. THIS PROCESS WILL PERMIT THE INTERNET COMPANIES THAT ARE EXPERIENCING THESE LOSSES TO FILE BULK COMPLAINTS AND THOSE COMPLAINTS WILL THEN BE DISTRIBUTED BY IFCC TO THE APPROPRIATE LAW ENFORCEMENT AGENCIES.
IN EFFECT, THE IFCC OPERATES AS PART OF A CYBER COMMUNITY WATCH IN WHICH THE SELF POLICING EFFORTS OF HONEST AND VIGILANT INTERNET USERS AND INTERNET SERVICE PROVIDERS RESULT IN POTENTIAL FRAUDULENT ACTIVITY OVER THE INTERNET BEING BROUGHT TO THE ATTENTION OF LAW ENFORCEMENT THROUGH THE IFCC. THE IFCC DOES MUCH MORE THAN JUST COLLECT COMPLAINT INFORMATION. IT ENSURES THAT THE INFORMATION, ALONG WITH ADDITIONAL INVESTIGATIVE INFORMATION DEVELOPED BY IFCC PERSONNEL, IS DISSEMINATED TO THE APPROPRIATE AGENCIES, AND THAT IDENTIFIED FRAUD SCHEMES CAN BE PREVENTED OR MITIGATED. WHILE OTHER AGENCIES HAVE FRAUD DATABASES THAT COMPLEMENT THAT OF THE IFCC, ONLY THE IFCC PROACTIVELY PROVIDES SUCH INFORMATION TO APPROPRIATE LAW ENFORCEMENT AGENCIES. THE IFCC PROCESSES ALL COMPLAINTS IT RECEIVES REGARDLESS OF THE ALLEGED DOLLAR LOSS. MANY OF THE COMPLAINTS RECEIVED DO NOT ALLEGE LOSSES WHICH MEET MINIMUM DOLLAR THRESHOLDS FOR FEDERAL PROSECUTION, BUT THEY CAN OFTEN BE SUCCESSFULLY WORKED BY LOCAL LAW ENFORCEMENT AGENCIES. AT A MINIMUM, THEY FORM PART OF A DATABASE WHICH ENABLES IFCC TO POTENTIALLY CONNECT THEM WITH A WIDESPREAD FRAUD SCHEME AND/OR ORGANIZED CRIMINAL GROUP. IN THIS LIGHT, ALL COMPLAINTS ALLEGING FRAUD OVER THE INTERNET ARE IMPORTANT. NO VICTIM SHOULD FEEL LIKE ANY LOSS THEY SUFFERED IS TOO INSIGNIFICANT TO REPORT. IT IS ONLY BY VICTIMS AND BUSINESSES REPORTING POTENTIALLY FRAUDULENT ACTIVITY THAT LAW ENFORCEMENT BECOMES AWARE OF IT AND CAN TAKE ACTION. THIS POINT IS MADE CLEAR BY ACTION TAKEN RECENTLY BY THE FBI AND OTHER LAW ENFORCEMENT AGENCIES IN OPERATION CYBER LOSS.
Page 126 PREV PAGE TOP OF DOC Segment 2 Of 3
OPERATION CYBER LOSS
THE SUCCESS OF THE IFCC WAS DEMONSTRATED THROUGH IFCC'S KEY ROLE IN OPERATION CYBER LOSS. THE FBI AND THE DEPARTMENT OF JUSTICE ANNOUNCED ON MAY 23, 2001 A NATIONWIDE INVESTIGATION INTO INTERNET FRAUD, CODE NAMED ''OPERATION CYBER LOSS,'' INITIATED BY THE FBI'S INTERNET FRAUD COMPLAINT CENTER (IFCC) AND COORDINATED BY FBI OFFICES, U.S. POSTAL INSPECTION SERVICE (USPIS), INTERNAL REVENUE SERVICE—CRIMINAL INVESTIGATIVE DIVISION, U.S. CUSTOMS SERVICE, UNITED STATES SECRET SERVICE, AND NUMEROUS STATE AND LOCAL LAW ENFORCEMENT ENTITIES. THE INTERNET FRAUD SCHEMES EXPOSED AS PART OF THIS INVESTIGATION REPRESENT OVER 56,000 VICTIMS NATIONWIDE WHO SUFFERED CUMULATIVE LOSSES IN EXCESS OF $117 MILLION. AMONG THE INTERNET FRAUD SCHEMES HIGHLIGHTED BY OPERATION CYBER LOSS WERE THOSE INVOLVING ON-LINE AUCTION FRAUD, SYSTEMIC NON-DELIVERY OF MERCHANDISE PURCHASED OVER THE INTERNET, CREDIT/DEBIT CARD FRAUD, IDENTITY THEFT, VARIOUS INVESTMENT AND SECURITIES FRAUDS, MULTI-LEVEL MARKETING AND PONZI/PYRAMID SCHEMES. APPROXIMATELY 90 SUBJECTS HAVE BEEN CHARGED AS A RESULT OF OPERATION CYBER LOSS FOR WIRE FRAUD, MAIL FRAUD, CONSPIRACY TO COMMIT FRAUD, MONEY LAUNDERING, BANK FRAUD, AND INTELLECTUAL PROPERTY RIGHTS (SOFTWARE PIRACY). TWENTY-SIX DIFFERENT FBI FIELD OFFICES THROUGHOUT THE COUNTRY HAVE BEEN INVOLVED IN THE CYBER LOSS INVESTIGATION. AS IS TRUE OF INTERNET FRAUD IN GENERAL, SUBJECTS AND VICTIMS INVOLVED IN THIS OPERATION WERE SCATTERED THROUGHOUT THE WORLD. ACTION TAKEN IN CONNECTION WITH THIS OPERATION REPRESENTS ONLY A SMALL FRACTION OF CASES REFERRED BY THE IFCC AND ONLY REPRESENT CASES CULMINATING IN SIGNIFICANT PROSECUTIVE ACTION.
THE SCHEMES IDENTIFIED AS PART OF OPERATION CYBER-LOSS VARY WIDELY IN TYPE AND COMPLEXITY. THEY TEND TO BE MULTI-JURISDICTIONAL WITH SUBJECTS AND VICTIMS SCATTERED ACROSS THE UNITED STATES AND THE WORLD. WHILE MANY OF THE SCHEMES INVOLVED AN ELEMENT OF ON-LINE AUCTION FRAUD, THIS WAS OFTEN ONLY ONE ASPECT OF A SUBJECT'S FRAUDULENT ACTIVITIES. THE CASES REFLECT THE NATURE OF FRAUDSTERS TO MIGRATE FROM ONE FRAUDULENT SCHEME TO ANOTHER, AND IS INDICATIVE OF CRIMINAL BEHAVIOR THAT WOULD ONLY CONTINUE TO EXPAND IF LEFT UNADDRESSED.
Page 127 PREV PAGE TOP OF DOC Segment 2 Of 3
THE FBI RECOGNIZES THAT THE IFCC AND INITIATIVES SUCH AS OPERATION CYBER LOSS, WHILE IMPORTANT FIRST STEPS IN ADDRESSING INTERNET FRAUD, REPRESENT MERELY THE TIP OF THE ICEBERG WHEN IT COMES TO THE THREAT POSED BY CYBER CRIME. THEY ARE A PIECE OF A DEVELOPING COMPREHENSIVE FBI STRATEGIC PLAN ADDRESSING ALL ASPECTS OF CYBER CRIME WHICH WILL ALLOW THE FBI AND LAW ENFORCEMENT TO EFFECTIVELY AND EFFICIENTLY MAINTAIN A HIGH LEVEL RESPONSE CAPABILITY AND PROSECUTORIAL SUCCESS IN AREAS WHERE EITHER: (1) A COMPUTER SYSTEM AND/OR THE INTERNET ARE USED IN FURTHERANCE OF A CRIME; OR (2) A COMPUTER SYSTEM IS THE VICTIM OF A CRIME. THE USE OF A COMPUTER SYSTEM OR THE INTERNET IN FURTHERANCE OF CRIME IS NOT LIMITED TO ONE FBI PROGRAM AREA BUT IS INCREASINGLY FOUND IN CRIMINAL INVESTIGATIVE DIVISION AND NATIONAL INFRASTRUCTURE PROTECTION CENTER CASES. IN MANY INSTANCES WHERE A COMPUTER SYSTEM IS SERIOUSLY TARGETED, THE PURPOSE OF THE ATTACK IS TO FACILITATE ONGOING CRIMINAL ACTIVITY.
THE FBI HAS TAKEN A NUMBER OF OTHER STEPS TO ADDRESS CYBER CRIME. THE NATIONAL INFRASTRUCTURE PROTECTION CENTER (NIPC) WAS CREATED IN FEBRUARY, 1998, AND WAS GIVEN A NATIONAL CRITICAL INFRASTRUCTURE PROTECTION MISSION PER PRESIDENTIAL DECISION DIRECTIVE (PDD) 63. THE NIPC MISSION INCLUDES: DETECTING, ASSESSING, WARNING OF AND INVESTIGATING SIGNIFICANT THREATS AND INCIDENTS CONCERNING OUR CRITICAL INFRASTRUCTURES. IT IS AN INTERAGENCY CENTER PHYSICALLY LOCATED WITHIN THE COUNTERTERRORISM DIVISION AT FBI HEADQUARTERS. IN CONJUNCTION WITH THE CENTER, THE FBI CREATED THE NATIONAL INFRASTRUCTURE PROTECTION AND COMPUTER INTRUSION PROGRAM (NIPCIP) AS AN INVESTIGATIVE PROGRAM WITHIN THE COUNTERTERRORISM DIVISION. THE FBI HAS 56 FIELD OFFICES WITH NIPCIP SQUADS WITH 16 REGIONAL NIPCIP SQUADS, WHICH ARE COMPRISED OF SPECIALLY TRAINED INVESTIGATORS AND ANALYSTS. INITIAL INVESTIGATIONS INTO COMPUTER INTRUSION MATTERS HAVE BEEN PRIMARILY CONDUCTED BY NIPCIP SQUADS. DURING THE COURSE OF SUCH INVESTIGATIONS, IT IS INCREASINGLY FOUND THAT THE INTRUSION WAS MERELY THE FIRST STEP IN A MORE TRADITIONAL CRIMINAL SCHEME INVOLVING FRAUD OR OTHER FINANCIAL GAIN. AT THIS POINT IN AN INVESTIGATION, THE CASE WOULD NORMALLY BE TURNED OVER TO THE SUBSTANTIVE SQUAD HANDLING THOSE TYPES OF CRIMINAL SCHEMES. THIS HAS BEEN THE CASE IN NUMEROUS INCIDENTS INVOLVING COMPUTER INTRUSIONS INTO THE DATABASES OF CREDIT CARD COMPANIES, FINANCIAL INSTITUTIONS, ON-LINE BUSINESSES, ETC. TO OBTAIN CREDIT CARD OR OTHER IDENTIFICATION INFORMATION FOR INDIVIDUALS. THIS INFORMATION IS THEN USED IN SCHEMES TO DEFRAUD INDIVIDUALS AND/OR BUSINESSES. DUE TO THE NATURE OF CYBER CRIME AND THE MANNER IN WHICH IT CROSSES TRADITIONAL PROGRAM BOUNDARIES, A NUMBER OF FBI FIELD OFFICES HAVE FORMED ''HYBRID'' SQUADS WHICH COMBINE NIPCIP, CART, WHITE COLLAR CRIME, VIOLENT CRIME, AND ORGANIZED CRIME/DRUG TRAFFICKING RESOURCES AND INVESTIGATORS ON ONE SQUAD TO ADDRESS CYBER CRIME MATTERS. IN ADDITION, THE FBI CONTINUES TO DEVELOP AND OPERATE CYBER CRIME TASK FORCES CONSISTING OF INVESTIGATORS AND RESOURCES FROM OTHER FEDERAL AGENCIES AS WELL AS STATE AND LOCAL AGENCIES. THE FBI CONSIDERS SUCH TASK FORCES AN EFFICIENT AND EFFECTIVE MEANS TO LEVERAGE RESOURCES AND EXPERTISE IN COORDINATING INVESTIGATIONS INTO CYBER CRIME. THE COMPLEX NATURE OF CYBER CRIME INVESTIGATIONS MAKE COOPERATION AND COORDINATION AMONG LAW ENFORCEMENT AGENCIES VITAL IN THIS AREA. CYBER CRIME TASK FORCES PROVIDE AN INVALUABLE MECHANISM TO COVER INVESTIGATIVE AREAS THAT CROSS JURISDICTIONAL AND PROGRAM LINES. THE FBI PLANS TO AGGRESSIVELY PURSUE DEVELOPMENT OF SUCH TASK FORCES IN ALL FBI FIELD DIVISIONS.
Page 128 PREV PAGE TOP OF DOC Segment 2 Of 3
NO LESS IMPORTANT THAN COOPERATION AMONG OTHER LAW ENFORCEMENT AGENCIES IN COMBATING CYBER CRIME IS THE NEED FOR COOPERATION AND COORDINATION BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR. THE FBI CONTINUES TO PLACE A HIGH PRIORITY ON IMPROVING AND DEVELOPING PRIVATE SECTOR OUTREACH PROGRAMS TO FACILITATE REPORTING AND INVESTIGATION OF CYBER CRIME. FOCUS GROUPS HAVE BEEN AND WILL CONTINUE TO BE ESTABLISHED WITH THE PRIVATE SECTOR TO DEVELOP LONG TERM WORKING RELATIONSHIPS WHICH WILL AID IN IDENTIFYING CYBER CRIME PROBLEMS AND THE IMPACT THEY HAVE ON THEIR BUSINESSES AS WELL AS THE FORMATION OF PROACTIVE STRATEGIES TO ADDRESS THE THREATS. THESE RELATIONSHIPS PROMOTE PRIVATE SECTOR REPORTING OF CRIMINAL ACTIVITY, THREAT ASSESSMENT/WARNING TO THE PRIVATE SECTOR AND PRIVATE SECTOR ASSISTANCE TO LAW ENFORCEMENT (SUBJECT MATTER EXPERTISE, TECHNICAL EXPERTISE, ETC.).
FUNDAMENTAL TO THE EFFECTIVENESS OF EFFORTS TO ADDRESS CYBER CRIME ARE IDENTIFICATION AND IMPLEMENTATION OF RECRUITMENT AND TRAINING NEEDS. INTENSIVE TRAINING PROGRAMS ARE NECESSARY TO SUPPORT INVESTIGATIVE EFFORTS AT THE FEDERAL, STATE AND LOCAL LEVELS. CYBER INVESTIGATORS REQUIRE CYBER SKILLS IN THE BASIC PERFORMANCE OF THEIR JOB. THE FBI CURRENTLY PROVIDES SIGNIFICANT BLOCKS OF COMPUTER AND INTERNET TRAINING TO ALL ITS NEW AGENT CLASSES. IN ADDITION, SIMILAR AND MORE ADVANCED TRAINING IS INCREASINGLY PROVIDED TO AGENTS AS PART OF STANDARD ON-GOING TRAINING PROGRAMS.
THE FBI IS COGNIZANT OF ALL THE DIFFICULTIES FACED BY CONGRESS IN CONTEMPLATING ANY PROPOSED LEGISLATION WHICH WOULD AFFECT THE INTERNET. IT REQUIRES A DELICATE BALANCING OF INDIVIDUAL RIGHTS AND POTENTIAL HARM TO SOCIETY; OF FREE COMMERCE AND THREATS TO NATIONAL AND GLOBAL COMMERCE. ON-LINE CHILD PORNOGRAPHY AND THE SEXUAL EXPLOITATION OF CHILDREN PRESENT SUCH ISSUES. WHILE THERE ARE SOME WHO BELIEVE THE FBI'S INNOCENT IMAGES INITIATIVE WHICH UTILIZES UNDERCOVER AGENTS POSING AS CHILDREN ON-LINE TO IDENTIFY AND INVESTIGATE POTENTIAL SEXUAL PREDATORS TO INFRINGE UPON INDIVIDUAL RIGHTS, MOST WOULD AGREE THAT THIS IS OUTWEIGHED BY THE POTENTIAL HARM TO CHILDREN AND SOCIETY IN GENERAL IF THESE SEXUAL PREDATORS ARE NOT STOPPED. THE FBI FULLY SUPPORTS THE DEPARTMENT OF JUSTICE'S VIEW THAT ANY LEGISLATION AFFECTING THE INTERNET SHOULD: 1) TREAT PHYSICAL ACTIVITY AND ''CYBER'' ACTIVITY IN THE SAME WAY; 2) BE TECHNOLOGY NEUTRAL; AND 3) BE CAREFULLY CRAFTED TO ACCOMPLISH THE LEGISLATION'S OBJECTIVES WITHOUT STIFLING THE GROWTH OF THE INTERNET OR CHILLING ITS USE AS A COMMUNICATIONS MEDIUM.
Page 129 PREV PAGE TOP OF DOC Segment 2 Of 3
THE FBI IS COMMITTED TO ENSURING THE SAFETY AND SECURITY OF THOSE WHO USE THE INTERNET WHILE MAINTAINING AN APPRECIATION OF THE INTERNET AS AN IMPORTANT MEDIUM FOR COMMERCE AND COMMUNICATION. FOCUSED LAW ENFORCEMENT EFFORTS WILL PROMOTE GREATER CONSUMER CONFIDENCE AND TRUST IN THE INTERNET AS A SAFE AND SECURE MEDIUM OF COMMERCE AND COMMUNICATION. THE IFCC SERVES AS AN EXAMPLE OF AN INNOVATIVE APPROACH TO AN EMERGING CRIME PROBLEM. IT PROVIDES THE BENEFITS OF COMMUNITY POLICING, FORGING AN EFFECTIVE PARTNERSHIP BETWEEN LAW ENFORCEMENT AT ALL LEVELS, ORDINARY CITIZENS, CONSUMER PROTECTION ORGANIZATIONS SUCH AS THE NW3C, AND THE BUSINESS COMMUNITY. ADDRESSING THE EMERGING AND DYNAMIC THREAT OF CYBER CRIME REQUIRES CONTRIBUTIONS FROM ALL SEGMENTS OF OUR SOCIETY. THE FBI'S IFCC SERVES TO FACILITATE AND COORDINATE THIS COLLABORATIVE EFFORT. THANK YOU.
Mr. SMITH. Thank you, Mr. Kubic.
Mr. Savage?
STATEMENT OF JAMES A. SAVAGE, JR., DEPUTY SPECIAL AGENT IN CHARGE, FINANCIAL CRIMES DIVISION, UNITED STATES SECRET SERVICE
Mr. SAVAGE. Mr. Chairman, Members of the Subcommittee, thank you for the opportunity to address the Subcommittee regarding Federal law-enforcement efforts in combating cyber crime, particularly the efforts of the Secret Service in this regard. I, too, have submitted a comprehensive statement for the record. I would like to summarize; however, before I begin, I would like to acknowledge our partners from the FBI and Department of Justice who assist us in our efforts to combat cyber crime and are critical components in the overall effort.
Page 130 PREV PAGE TOP OF DOC Segment 2 Of 3
I will also acknowledge the representative from the Center for Democracy and Technology, which keeps us ever-mindful in respect to keeping the balance between law-enforcement and privacy. The Secret Service fights cyber crime as part of our core mission to protect the integrity of this Nation's financial payment systems. Since our inception in 1865 and an initial mandate to suppress the counterfeiting of currency, modes and methods of payment have evolved and so has our mission. Computers and other chip devices are now the facilitators of criminal activity or the target of such.
In this era of change, one constant that remains is our close working relationship with banking and finance sector. We believe that protection of the banking and financial infrastructure is our core competency area. Mr. Chairman, there's no shortage of information, testimony or anecdotal evidence regarding the nature and variety of cyber-based threats to our banking and financial infrastructures. There is, however, a scarcity of information regarding successful models to combat such crime in today's high-tech environment. That is where the Secret Service can make a significant contribution to today's and future discussions of successful law-enforcement efforts to combat cyber crime.
The Secret Service has developed a highly-effective formula for combating high-tech crime, as demonstrated by our New York Electronic Crimes Task Force. This task force, hosted by the Secret Service, includes 50 different law-enforcement agencies, over 100 different private sector corporations and six different universities. Mr. Chairman, the private sector members of this task force read like a who's-who of the American banking, finance and telecommunications sectors. Companies that have competed tooth and nail with each other in the marketplace come to our task force with a cooperative spirit and a shared goal of preventing computer-based crime and reducing consumer fraud.
Page 131 PREV PAGE TOP OF DOC Segment 2 Of 3
The notion of these companies, these competitors and 100 others, sitting down at the same table to share information, knowledge and resources with both each other and with law-enforcement is why we believe we have found a truly unique, innovative and effective formula for combating cyber crime. The task force provides a collaborative crime-fighting environment which reflects our recognition that in today's high-tech electronic crime environment, out-of-the-box problems demand out-of-the-box solutions.
How effective has this task force been? Since 1995, the New York task force has charged over 800 individuals with electronic crimes valued at more than $425 million. It has trained over 10,000 law-enforcement personnel, prosecutors and private industry representatives in the criminal abuses of technology and how to prevent them. Based on this enormous success of the task force, the Secret Service hopes to replicate the model developed by our New York field office in additional venues around the country in the very near future.
An important component of our investigative response to cyber crime is the Electronic Crimes Special Agent Program. This program is comprised of approximately 175 special agents who have received extensive training in the forensic identification, preservation and retrieval of electronically-stored evidence. We have placed at least one of these highly-trained specialists in every one of our field offices across the country.
Because of the success of the ECSAT program and the boundless nature of electronic crimes, domestic and foreign law-enforcement agencies regularly request training, assistance or seek to exchange information with the Secret Service. As an example, the Secret Service is coordinating with the FBI and NIPC in several areas, to include current investigations involving hackers who have targeted e-commerce sites in the United States. The Secret Service believes there is value in sharing information from our investigations with both those in the private sector and academia, who are devoting substantial resources to protecting their networks and researching new solutions.
Page 132 PREV PAGE TOP OF DOC Segment 2 Of 3
Law-enforcement must move from a reactive posture to a proactive or preventative posture by helping its customers to help themselves. The Secret Service learned long ago that our agency needed the full support of others outside our agency to create and maintain a successful and comprehensive security plan during the execution of our protective duties. This predisposition toward discretion and trust naturally permeates our investigative mission where we enjoy quiet successes with our private sector partners.
We have jointly resolved many significant cases with the help of our private sector counterparts, such as network intrusions and compromises of critical information systems. I must point out, however, that such cases are usually not publicized without the express consent of the U.S. Attorney and the victim, because it would breach our confidential relationship and discourage the victims of electronic crimes from reporting such incidents.
Let me relate the Secret Service's mission in fighting cyber crime to the bigger picture of critical infrastructure protection. In this context, our efforts to combat cyber assaults which target information and communication systems which support the financial sector, are part of the larger and more comprehensive critical infrastructure protection scheme. The whole notion of infrastructure protection embodies an assurance and confidence in the delivery of critical functions and services that in today's world are increasingly interdependent and interconnected.
To put this all into perspective, the public's confidence is lost if such delivery systems and services are unreliable or unpredictable, regardless of because the cause of the problem. The Secret Service recognizes that its role in investigating computer-based attacks against the financial sector can be significant in the larger plan for the protection of our Nation's critical infrastructures. When we arrest a criminal who has disrupted a sensitive communications network and are able to restore the normal operation of the host, but it a bank, telecom carrier or medical service provider, we believe we have made a significant contribution toward ensuring the reliability of the critical systems that the public relies upon on a daily basis.
Page 133 PREV PAGE TOP OF DOC Segment 2 Of 3
The Secret Service is convinced that building trusted partnerships with the private sector, local law-enforcement and academia is the model for combating electronic crimes in the information age.
If there are any questions, I would be happy to entertain them, and thank you for your time.
[The prepared statement of Mr. Savage follows:]
PREPARED STATEMENT OF JAMES A. SAVAGE, JR.
Mr. Chairman, members of the subcommittee, thank you for the opportunity to address the subcommittee regarding federal law enforcement efforts in combating cyber crime, and particularly the efforts of the Secret Service in this regard.
The Secret Service fights cyber crime as part of our core mission to protect the integrity of this nation's financial payment systems. This role has evolved from our initial mandate to suppress the counterfeiting of currency upon our creation in 1865. Since this time, modes and methods of payment have evolved and so has our mission. Computers and other ''chip'' devices are now the facilitators of criminal activity or the target of such. The perpetrators involved in the exploitation of such technology range from traditional fraud artists to violent criminals—all of whom recognize new opportunities and anonymous methods to expand and diversify their criminal portfolio.
Page 134 PREV PAGE TOP OF DOC Segment 2 Of 3
In this era of change, one constant that remains is our close working relationship with the banking and finance sector. Our history of cooperation with the industry is a result of our unique responsibilities and status as an agency of the Department of the Treasury. We believe that protection of the banking and financial infrastructure is our ''core competency'' area. As an agency, we seek to manage and apply our investigative resources in the most efficient manner possible for the benefit of our banking and finance customers.
Mr. Chairman, there is no shortage of information, testimony, or anecdotal evidence regarding the nature and variety of cyber-based threats to our banking and financial infrastructures and the need to create effective solutions. There is, however, a scarcity of information regarding successful models to combat such crime in today's high tech environment. That is where the Secret Service can make a significant contribution to today's and future discussions of successful law enforcement efforts to combat cyber crime.
The Secret Service has found a highly-effective formula for combating high tech crime—a formula that has been successfully developed by our New York Electronic Crimes Task Force. While the Secret Service leads this innovative effort, we do not control or dominate the participants and the investigative agenda of the task force. Rather, the task force provides a productive framework and collaborative crime-fighting environment in which the resources of its participants can be combined to effectively and efficiently make a significant impact on electronic crimes. Other law enforcement agencies bring additional criminal enforcement jurisdiction and resources to the task force while representatives from private industry, such as telecommunications providers, for instance, bring a wealth of technical expertise.
Within this New York model, established in 1995, there are 50 different federal, state and local law enforcement agencies represented as well as prosecutors, academic leaders and over 100 different private sector corporations. The wealth of expertise and resources that reside in this task force coupled with unprecedented information sharing yields a highly mobile and responsive machine. In task force investigations, local law enforcement officers hold supervisory positions and representatives from other agencies regularly assume the lead investigator status. These investigations encompass a wide range of computer-based criminal activity, involving e-commerce frauds, intellectual property violations, telecommunications fraud, and a wide variety of computer intrusion crimes.
Page 135 PREV PAGE TOP OF DOC Segment 2 Of 3
Since 1995, the task force has charged over 800 individuals with electronic crimes valued at more than $425 million. It has trained over 10,000 law enforcement personnel, prosecutors, and private industry representatives in the criminal abuses of technology and how to prevent them. We view the New York Electronic Crimes Task Force as the model for the partnership approach that we hope to employ in additional venues around the country in the very near future.
An important component in our investigative response to cyber crime is the Electronic Crimes Special Agent Program (ECSAP). This program is comprised of approximately 175 special agents who have received extensive training in the forensic identification, preservation, and retrieval of electronically stored evidence. Special Agents entering the program receive specialized training in all areas of electronic crimes, with particular emphasis on computer intrusions and forensics. ECSAP agents are computer investigative specialists, qualified to conduct examinations on all types of electronic evidence, including computers, personal data assistants, telecommunications devices, electronic organizers, scanners and other electronic paraphernalia.
The Secret Service ECSAP program relies on the 4-year-old, Treasury-wide Computer Investigative Specialist (CIS) initiative. All four Treasury law enforcement bureaus—the Internal Revenue Service, Bureau of Alcohol, Tobacco and Firearms, U.S. Customs Service and the U.S. Secret Service—participate and receive training and equipment under this program.
All four Treasury bureaus also jointly participate in curriculum development and review, equipment design and distribution of training assets. As a result, financial savings by all Treasury bureaus are realized due to economies of scale. Additionally, agents from different bureaus can work together in the field in an operational capacity due to the compatibility of the equipment and training. In the end, the criminal element suffers and the taxpayer benefits.
Page 136 PREV PAGE TOP OF DOC Segment 2 Of 3
Because of the recognized expertise of those in ECSAP, other law enforcement agencies regularly request training from the Secret Service or advice concerning their own computer forensics programs. These requests have come from agencies all across the country, as well as foreign countries such as Italy and Thailand. The Secret Service recognizes the need to promote international cooperation and remains proactive in the dissemination of information to law enforcement agencies, both domestically and internationally, regarding program initiatives and current financial and electronic crimes trends.
Mr. Chairman, we are committed to working closely with our law enforcement counterparts worldwide in response to cyber crime threats to commerce and financial payment systems. This commitment is demonstrated by the Secret Service's effort to expand our overseas presence. We currently have 18 offices in foreign countries and a permanent assignment at Interpol, as well as several overseas initiatives. Recently, new offices have been opened in Frankfurt, Lagos, and Mexico City. The Secret Service is also considering opening new offices in Bucharest and New Dehli. Our expanded foreign presence increases our ability to become involved in foreign investigations that are of significant strategic interest.
In addition to providing law enforcement with the necessary technical training and resources, a great deal more can be accomplished in fighting cyber crime if we are able to harness additional resources that exist outside government in the private sector and academia. The Secret Service believes there is value in sharing information during the course of our investigations with both those in the private sector and academia who are devoting substantial resources to protecting their networks and researching new solutions. On occasion the Secret Service has shared case-specific information derived from our criminal investigations after taking appropriate steps to protect privacy concerns and ensure that there are no conflicts with prosecutorial issues. I would further add that there are many opportunities for the law enforcement community to share information with our private sector counterparts without fear of compromise. The Secret Service recognizes the need for a ''paradigm shift'' with respect to this type of information sharing between law enforcement and our private sector and academic counterparts.
Page 137 PREV PAGE TOP OF DOC Segment 2 Of 3
Finally, law enforcement in general is not sufficiently equipped to train the masses nor can it compete with academic institutions of higher learning in the area of research and development. However, our partnerships with industry and academia have demonstrated that this should be an integral part of the solution.
Partnerships are a very popular term in both government and the private industry these days and everyone agrees that there is great benefit in such an approach. Unfortunately, however, partnerships cannot be legislated, regulated, or stipulated. Nor can partnerships be purchased, traded or incorporated. Partnerships are built between people and organizations who recognize the value in joint collaboration toward a common end. They are fragile entities which need to be established and maintained by all participants and built upon a foundation of trust.
The Secret Service, by virtue of the protective mission for which we are so well known, has always emphasized discretion and trust in executing our protective duties. We learned long ago that our agency needed the full support and confidence of local law enforcement and certain key elements of the private sector to create and maintain a successful and comprehensive security plan. Furthermore, we are also keenly aware that we need to maintain a trusted relationship with our protectees so that we can work with them and their staffs to maintain the delicate balance between security and personal privacy.
This predisposition towards discretion and trust naturally permeates our investigative mission where we enjoy quiet successes with our private sector partners. We have successfully investigated many significant cases with the help of our private sector partners such as network intrusions and compromises of critical information or operating systems. In such cases, even though we have technical expertise that is second to none, we still rely on our private sector counterparts to collaborate with us in identifying and preserving critical evidence to solve the case and bring the perpetrator to justice. Equally important in such cases is conducting the investigation in a manner that avoids unnecessary disruption or adverse consequences to the victim or business. With the variety of operating platforms and proprietary operating systems in the private sector, we could not accomplish these objectives without the direct support of our private sector counterparts.
Page 138 PREV PAGE TOP OF DOC Segment 2 Of 3
In fact, in one recently completed complex investigation involving the compromise of a wireless communications carrier's network, our case agent actually specified in the affidavit of the federal search warrant that representatives of the victim business be allowed to accompany federal agents in the search of the target residence to provide technical assistance. This is unprecedented in the law enforcement arena and underscores the level of trust we enjoy with those we have built relationships with in the private sector. It is also indicative of the complexity of many of these investigations and serves to highlight the fact that we in law enforcement must work with private industry to be an effective crime fighting force. In approving this search warrant, the court recognized that in certain cases involving extraordinarily complex systems and networks, such additional technical expertise can be a critical, and sometimes imperative, component of our investigative efforts.
I must point out, however, that such cases are usually not publicized without the express consent of the U.S. Attorney and the corporate victim because it would breach our confidential relationship and discourage the victims of electronic crimes from reporting such incidents.
Four recently-concluded investigations demonstrate the breadth of cases the Secret Service is working, and provide concrete evidence of the continuing success of ECSAP. The cases include the malicious shutdown of a medical service provider's communications system, an intrusion into a telecommunication provider's network, an attack on a private investment company's trading network, and the disruption of a financial institution's complete operating system and communications network.
Page 139 PREV PAGE TOP OF DOC Segment 2 Of 3
The first case was initiated on March 5, 2001, when a local Secret Service field office received information that a medical diagnostic service provider had suffered a catastrophic shutdown of its computer network and communications system. The company reported that they were unable to access doctor schedules, diagnostic images, patient information, and essential hospital records, which adversely affected their ability to provide care to patients and assist dependent medical facilities.
Within a matter of hours, a Secret Service ECSAP agent was able to regain control of the network by coordinating with the facility's system administrator to temporarily shutdown and reconfigure the computer system. The ECSAP agent also essentially ''hacked'' into the compromised system, and modified compromised password files to ''lock out'' the attacker. This was accomplished while maintaining control of the computer system log files containing evidence of how the intrusion had occurred.
Using this evidence, a federal search warrant was obtained for the residence of a former employee of the hospital, who had recently been terminated from his position as system administrator. Computer equipment was seized pursuant to the warrant, the suspect admitted to his involvement, and federal computer fraud charges are pending.
A case with obvious critical infrastructure implications was initiated on February 20, 2001, when two major wireless telecommunications service providers notified the New York Electronic Crimes Task Force that they had identified two hackers in different remote sites who were attacking their systems. These hackers were manipulating the systems to obtain free long distance service, re-route numbers, add calling features, forward telephone numbers, and install software that would ensure their continued unauthorized access.
Page 140 PREV PAGE TOP OF DOC Segment 2 Of 3
The level of access obtained by the hackers was virtually unlimited, and had they chosen to do so, they could have shut down telephone service over a large geographic area, including ''911'' systems, as well as service to government installations and other critical infrastructure components.
On March 20, 2001, the Secret Service simultaneously executed search warrants in New York City and Phoenix and computer equipment was seized at both locations. One suspect was arrested on federal computer fraud charges, while the other suspect was questioned and released pending a decision by the Department of Justice as to whether or not to pursue federal charges.
The third case occurred from March 9, 2000, through March 14, 2000, when a company located in New York, NY, received several Internet-based ''denial of service'' attacks on its servers. A ''denial of service'' attack occurs when a perpetrator launches malicious programs, information, codes, or commands to a target or victim computer which causes a degradation of service or shutdown, thereby denying access by legitimate customers to those computers. In this instance, the company was a prominent provider of electronic trading services on Wall Street.
While the attacks were still occurring, the company's CEO contacted the Secret Service's New York Electronic Crimes Task Force. The CEO identified a former employee as a suspect, based upon the fact that the attacks preyed on vulnerabilities which would only be known to the former employee. These attacks continued through March 13, 2000, when ECSAP agents and task force members identified the attacking computer and arrested the former employee for violating Title 18, USC, Section 1030 (Computer Fraud). In a post-arrest statement, the suspect admitted that he was responsible for the denial of service attacks. As a result of the attacks, the company and its customers lost access to trading systems. Approximately $3.5 million was identified in lost trading fees, commissions, and liability as a result of the customers' inability to conduct any trading.
Page 141 PREV PAGE TOP OF DOC Segment 2 Of 3
The last case began just two weeks ago when a financial institution notified local police who in turn notified the local office of the Secret Service, that its entire banking and communications network had been shut down. The institution reported that it was severely crippled, as it had no access to electronic data used in support of its ATMs, banking transactions, employee payroll and all other critical functions. Working with the local police and the bank's technical staff, a former employee emerged as a suspect and electronic evidence was developed that strongly indicated his involvement. The suspect was promptly interviewed by agents and police in which he admitted to disabling the bank's system and ''hacking'' an unrelated database in his attempts to exact revenge upon the bank CEO. Federal charges are pending.
Let me relate the Secret Service's mission in fighting cyber crime to the bigger picture of critical infrastructure protection. As previously stated, we target cyber crime as it may affect the integrity of our nation's financial payment and banking systems. As we all know, the banking and finance sector comprises a very critical infrastructure sector and one which we have historically protected and will continue to protect. In this context, our efforts to combat cyber assaults which target information and communication systems which support the financial sector are part of the larger and more comprehensive critical infrastructure protection scheme. The whole notion of infrastructure protection embodies an assurance and confidence in the delivery of critical functions and services that in today's world are increasingly interdependent and interconnected. To put this all in perspective, the public's confidence is lost if such delivery systems and services are unreliable or unpredictable regardless of the cause of the problem.
We also recognize that our unique protective responsibilities, including our duties as the lead federal agency for coordinating security at National Special Security Events, demand heightened electronic security awareness and preparation. A well-placed cyber attack against a weak technology or support infrastructure system can render an otherwise sound physical security plan vulnerable and inadequate.
Page 142 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. Chairman, it should also be noted that all deliberate infrastructure attacks, before they rise to such a threshold, are also cyber crimes and are likely to be dealt with initially by law enforcement personnel, both federal and local, in the course of routine business. In fact, I don't believe there is universal agreement as to when a ''hack'' or network intrusion rises to the threshold of an infrastructure attack and corresponding national security event but we would all probably recognize one when it reached catastrophic proportions.
Given this continuum and interplay between computer-based crimes and national security issues, the Secret Service recognizes that its role in investigating computer-based attacks against the financial sector can be significant in the larger plan for the protection of our nation's critical infrastructures. When we arrest a criminal who has breached and disrupted a sensitive communications network and are able to restore the normal operation of the host—be it a bank, telecommunications carrier, or medical service provider—we believe we have made a significant contribution towards assuring the reliability of the critical systems that the public relies upon on a daily basis.
As a footnote, the Secret Service met recently with representatives of the Financial Services Information Sharing and Analysis Center (FS/ISAC) that was created pursuant to Presidential Decision Directive (PDD) 63. The directive mandated the Department of the Treasury to work with members of the banking and finance sector to enhance the security of the sector's information systems and other infrastructures, a responsibility managed by Treasury's Assistant Secretary of Financial Institutions. The role of the FS/ISAC is to devise a way to share information within the financial services industry relating to cyber threats and vulnerabilities. The Secret Service feels that it can make a significant contribution to the work of the FS/ISAC and is exploring common areas of interest with the FS/ISAC, to include information sharing.
Page 143 PREV PAGE TOP OF DOC Segment 2 Of 3
The Secret Service is also continuing to receive requests from local law enforcement agencies and others for assistance, and we welcome those requests. On an alarmingly increasing basis, our local field offices and the Financial Crimes Division of the Secret Service receive desperate pleas from local police departments for physical assistance, training and equipment in the area of computer forensics and electronic crimes so that they can continue to provide a professional level of service and protection for their citizens. In short, the Secret Service has become another option for local law enforcement, the private sector and others to turn to when confronted with network intrusions and other sophisticated electronic crimes.
Over the past 3 years, Secret Service ECSAP agents completed 2,122 examinations on computer and telecommunications equipment. Although the Secret Service did not track the number of exams done for other law enforcement agencies during this period, it is estimated that some 10 to 15 percent of these examinations fell in this category. Many of the examinations were conducted in support of other agencies' investigations such as those involving child pornography or homicide cases simply because the requesting agency did not have the resources to complete the examination itself.
In spite of our limited resources, we do provide physical assistance on a regular basis to other departments, often sending ECSAP agents overnight to the requesting venue to perform computer related analyses or technical consultation. In fact, so critical was the need for even basic training in this regard that the Secret Service joined forces with the International Association of Chiefs of Police and the National Institute for Justice to create the ''Best Practices Guide to Searching and Seizing Electronic Evidence'' which is designed for the line officer and detective alike. Mr. Chairman, with your permission, I would like to submit a copy of this guide for the record.
Page 144 PREV PAGE TOP OF DOC Segment 2 Of 3
We have also worked with this group to produce the interactive, computer-based training program known as ''Forward Edge'' which takes the next step in training officers to conduct electronic crime investigations. Forward Edge incorporates virtual reality features as it presents three different investigative scenarios to the trainee. It also provides investigative options and technical support to develop the case. Copies of state computer crime laws for each of the fifty states as well as corresponding sample affidavits are also part of the two-CD training program and are immediately accessible for instant implementation.
Thus far we have dispensed over 220,000 ''Best Practices Guides'' to local and federal law enforcement officers and it is expected that later this summer we will distribute, free of charge, over 20,000 Forward Edge training CDs.
In an additional effort to further enhance information sharing between the law enforcement community and the financial industry, the Secret Service recently created the ''E Library'' Internet website which serves as a mechanism for all members to post specific information, images and alerts relating to fictitious financial instruments, counterfeit checks, and credit card skimming devices. This website is accessible free of charge to all members of the law enforcement and banking communities and is the only such tool of its kind.
In today's high tech criminal environment, the challenge to federal law enforcement and government is to identify existing repositories of expertise and provide a framework for inclusion and productive collaboration amongst the many government agencies and their respective industry and academic counterparts. The Secret Service is convinced that building trusted partnerships with the private sector and local law enforcement is the model for combating electronic crimes in the Information Age.
Page 145 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. Chairman, that concludes my prepared statement, and I would be happy to answer any questions that you or other members of the subcommittee may have.
Mr. SMITH. Thank you, Mr. Savage.
Mr. Davidson?
STATEMENT OF ALAN B. DAVIDSON, ASSOCIATE DIRECTOR, CENTER FOR DEMOCRACY AND TECHNOLOGY
Mr. DAVIDSON. Thank you. Mr. Chairman and Subcommittee Members, I thank you for this opportunity to testify on the important issue of cyber crime. Thank you for holding this hearing and also for allowing us to participate on a panel with the Government witnesses who are most deeply engaged in dealing with this important issue. The Center for Democracy and Technology is a public interest organization that promotes civil liberties on the Internet.
We have been involved in policy issues surrounding cyber security, privacy and cyber crimes since our formation in 1994. We also coordinate a digital privacy and security working group that includes over 50 companies, public interest groups and associations, who are all thinking hard about how to deal with these issues of privacy and security online.
Mr. Chairman, our Nation is at a point where revolutionary changes in communications and computer technology have created new concerns about public safety, about security and about privacy online. Cyber crime is a serious problem and it demands a real, but limited, response from Government. Our main point today is that as Congress considers cyber crime, it should also strengthen outdated privacy laws. We need to do that in order to restore what is a shifting balance between Government surveillance and personal privacy, in order to build user trust and confidence in what is becoming an economically-vital new medium.
Page 146 PREV PAGE TOP OF DOC Segment 2 Of 3
We need to do this in order to afford law-enforcement agencies and online service providers with the clear guidance that they need and that they deserve. In the digital age, the home is exploding. Information that we once kept in our desk drawers is now moving out into electronic form, onto the desktop, and out onto computer networks where it is less secure and less private than it used to be. Our calendars, our checkbooks, our stock portfolios, our diaries, our personal communications, are all making their way out of our possession and onto these networks, where they are afforded far fewer legal protections and fewer of the technical safeguards that used to protect them.
All this contributes to our concern about cyber crime. It also provides new tools for law-enforcement and it shifts the balance that has existed for a long time in terms of our constitutional and legal framework for protecting privacy, both online and offline. It points to the need to rewrite many of the surveillance and privacy laws that were last visited by Congress in 1986, that have been outdated by these technological changes.
I would like to quickly emphasized two major points—two major themes in my testimony. The first is that concerns about cyber crime need not and should not become an excuse for sweeping new authorities or greater Government surveillance capability. The Government has a real, but limited role in protecting security online. On the Internet we have to recognize that users are the most important first line of defense, and it is giving users the tools to protect themselves and the secure systems to operate on that is going to do more to protect security online than anything else that Government can do, and industry is doing a lot in that regard and I think you will be hearing more about that in your hearing on Thursday.
Page 147 PREV PAGE TOP OF DOC Segment 2 Of 3
In that regard, it is not clear that new Government authorities or investigatory powers are needed. Hacking, the distributed denial-of-service attacks, breaking into other people's computers, destroying data, these are all crimes and they should be prosecuted and they are already illegal. Substantial authorities exist for investigating crimes, as well, and I think that on balance we will find that the digital age is actually a net plus for law-enforcement, because it provides access to so much more information than was ever available before.
There is a real risk, however, that concerns about cyber crime will be used as an excuse for implementing much broader kinds of surveillance systems than we have seen before. This point is best underscored by what is happening in Europe right now, where the implementation of a new Council of Europe Convention on Cyber Crime, with new data retention proposals that have recently been proposed or put forward to implement it, are creating huge concerns about personal privacy, cost burdens and changes to the Internet architecture.
Earlier versions of this treaty include very damaging provisions that would have had Internet service providers retaining sensitive information for long periods of time. With the help of the Justice Department, we appreciate that some of the worst provisions of that treaty have been changed, but many parts of it still contain too few limitations on Government action. We will be watching carefully to see how it is implemented.
The second major theme I will cover quickly is just to say that we really do need to strengthen our weak and outdated privacy protections. The last time the Congress revisited the privacy laws was in 1986, before the invention of the World Wide Web, before one out of every two Americans carried cellphones, those laws contained far too few protections or great ambiguities about how law-enforcement gets access to sensitive information like our geographical location.
Page 148 PREV PAGE TOP OF DOC Segment 2 Of 3
The extension of pen registers into the Internet introduces new questions about how these rules are going to apply in a world where source and destination information is much more revealing than it ever used to be in the online world, in the telephony world. So I would encourage the Committee to take up a lot of the provisions that it considered last year in H.R. 5018, providing greater protections for all of this information that is out there and is available on the network, and I think that is necessary if we are going to realize the promise of the Internet to protect—promote privacy and individual freedom online.
Thank you.
[The prepared statement of Mr. Davidson follows:]
PREPARED STATEMENT OF ALAN B. DAVIDSON
SUMMARY
Mr. Chairman and Subcommittee Members, thank you for calling this hearing and giving CDT the opportunity to testify about cybercrime. Our nation is at a point where revolutionary changes in communications and computer technology have created new concerns about public safety, security, and privacy online. Cybercrime is a serious problem that demands a real, though limited, response from government. That response must be crafted recognizing that the digital age also offers tremendous new capabilities for law enforcement, while the rise of personal information online has eroded essential privacy guarantees under law.
Page 149 PREV PAGE TOP OF DOC Segment 2 Of 3
As Congress considers cybercrime it should also strengthen outdated privacy laws to restore the shifting balance between government surveillance and personal privacy, to build user trust and confidence in this economically vital new medium, and to afford law enforcement agencies, online service providers, and Internet users the clear guidance they deserve.
This testimony explores three broad themes:
Cybercrime is a serious problem, but must be considered in the context of today's technology, law enforcement capabilities, and eroding personal privacy protections.
The Internet's unique open and decentralized architecture offers new challenges to traditional approaches to crime. But care must be taken that efforts to address cybercrime do not stifle the innovation or freedom that have been hallmarks of the Internet's success.
The digital age offers tremendous new tools for law enforcement. The soaring collection of electronic records about online and offline activity have created a wealth of information to investigate and prosecute crimes. On balance, the digital age is likely to be a major net plus for law enforcement capabilities.
Privacy rules have not kept pace with these changes. Astonishingly, the last significant update to our privacy and surveillance rules came in 1986—before the invention of the World Wide Web, before the Internet became a fixture in schools, homes, and businesses, before more than one in two Americans used mobile phones.
Page 150 PREV PAGE TOP OF DOC Segment 2 Of 3
Concerns about cybercrime need not, and should not, become an excuse for sweeping new authorities or greater government surveillance capability.
The government has a real, but limited, role in promoting security online. The nature of the Internet makes its users the first and most important line of defense against cybercrime, and government alone can do little to guarantee Internet security. Government does have an important role focused on getting its own house in order, training personnel to deal with new technologies, and supporting R&D.
It is not clear that new government authorities or investigatory powers are needed. Substantial authorities already exist for investigating and prosecuting most cybercrime.
There is a real risk that cybercrime concerns will become an excuse to implement sweeping new authorities that jeopardize personal privacy. Past efforts to mandate key recovery encryption backdoors, deployment of the ''Carnivore'' surveillance tool, and expansion of CALEA requirements demonstrate a track record of invasive responses. The point is best underscored in Europe, where implementation of a new Council of Europe Convention on Cybercrime and new data retention proposals are creating huge concerns about personal privacy, cost burdens, and Internet architecture.
Congress should strengthen weak and outdated privacy protections. While improvements to security technology can come from the private sector, only legislation can update the 1980s surveillance and privacy laws in order to provide confidence in the network and resolve gaps and ambiguities in the law. Top priorities should include——
Page 151 PREV PAGE TOP OF DOC Segment 2 Of 3
Providing heightened protections for access to wireless location information, now available for tens of millions of Americans carrying (or driving) mobile phones.
Increasing the standard for use of pen registers and trap and trace devices, and limiting their use on the Internet since address data for email and Web browsing can be much more revealing than telephone numbers dialed.
Providing enhanced protection for personal information on networks.
This testimony provides a more detailed list of needed reforms. As a starting point, we would encourage Congress to take up the helpful protections developed and passed by the House Judiciary Committee last September in H.R. 5018 of the last Congress.
It should be noted that nothing in these proposals would deny law enforcement the tools needed to fight crime and defend national security. No law enforcement agency would be prohibited from locating a criminal suspect or monitoring a terrorist's email. All these proposals do is to set clear and strong privacy guidelines for use of electronic surveillance techniques and require public reporting as the foundation of oversight and accountability.
These are complex issues vital to the future health and growth of the Internet. CDT looks forward to working with the Subcommittee, the Justice Department, and others in the law enforcement community to evaluate cybercrime proposals and to flesh out needed privacy enhancements, in order to restore the trust, security, and privacy consistent with the Internet's promise of promoting economic opportunity and individual freedom.
Page 152 PREV PAGE TOP OF DOC Segment 2 Of 3
The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include ensuring that the Constitutions protections extend to the Internet and other digital media. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer and communications companies, public interest groups, and associations working on information privacy and security.
CONTEXT: LAW ENFORCEMENT CAPABILITIES AND PRIVACY PROTECTIONS IN A DIGITAL AGE
As the Internet becomes increasingly important to consumers and businesses, concerns about criminal activity online and cybercrime are becoming more prevalent. The rapid pace of change has made it harder for Internet users to protect themselves, and creates real challenges for law enforcement.
Concerns about cybercrime are serious. But there are also many reasons to believe the important balance between investigatory powers and individual liberty—enshrined in our legal system and guaranteed by the constitution—has shifted in this digital age, and that greater protections are actually needed for personal privacy. Part of this context is that the digital age offers remarkable and effective investigative tools for law enforcement. At the same time, the amount of personal information available electronically is rising and there is great need for updates in outdated surveillance and privacy law.
The Internet: Rising use, growing concerns, and an eroding balance
Page 153 PREV PAGE TOP OF DOC Segment 2 Of 3
The Internet is at once a new communications medium and a new locus for social organization on a global basis. Because of its decentralized, open, and global nature, the Internet holds out unprecedented promise to promote expression, spur economic opportunity, and reinvigorate civic discourse. Individuals and groups can create new communities for discussion and debate, grassroots activism and social organization, artistic expression and consumer protection. The Internet has become a necessity in most workplaces and a fixture in most schools and libraries.
Every day, Americans use the Internet to access and transfer vast amounts of private data. Financial statements, medical records, and information about children once kept securely in a home or office now travel through the network. Electronic mail, online publishing and shopping habits, business transactions and Web surfing profiles can reveal detailed blueprints of peoples lives. And as more and more of our lives are conducted online and more and more personal information is transmitted and stored electronically, the result has been a massive increase in the amount of sensitive data available to both potential criminals as well as government investigators.
As social, economic, and personal activities move online, criminal activity taking place or being investigated through the use of the Internet is increasing as well and will likely to continue to increase. One element of concern about cybercrime is the rise of both familiar forms of criminal behavior extended to the instrumentality of the Internet, as well as new harmful acts—such as hacking or identity theft—unique to the digital age. Another concern is the tremendous changes in law enforcement methods that will be needed to adopt to a world where criminal activity is moving off of street corners and into cyberspace. These concerns are exacerbated by new public education problems, as people and business rapidly adopt new online activities without a clear understanding of how to protect themselves and using technologies that may not have adequately accounted for security needs.
Page 154 PREV PAGE TOP OF DOC Segment 2 Of 3
A natural reaction in the face of cybercrime concerns is to seek new governmental authorities and powers. A starting point for considering these government actions is the old doctors' adage: First do no harm. There is a real risk that sweeping new mandates or regulations providing incremental improvements in security could undermine many of the open and decentralized features that have been essential to innovation, growth, and freedom online.
More broadly, cybercrime must be addressed in the context of the important protections for individual liberty that stem from the U.S. constitution and are enshrined in our legal system. The Congress and our courts have often denied powerful surveillance tools or police powers to the government in order to guarantee basic liberties. In considering cybercrime, it is appropriate to look at both the new capabilities now available to government as well as the eroding state of legal privacy protections.
The Digital Age Presents Tremendous New Tools For Law Enforcement
While the Justice Department frequently complains that digital technologies pose new challenges to law enforcement, it is clear that the digital revolution has also been a boon to government surveillance and collection of information. For example, in testimony last year before a Senate appropriations subcommittee, FBI Director Freeh outlined the Bureau's success in many computer crime cases. Online surveillance and tracking led to the arrest of the Phonemasters who stole calling card numbers; an intruder on NASA computers, who was arrested and convicted in Canada; the thieves who manipulated Citibank's computers and who were arrested with cooperation of Russian authorities; and the creator of the Melissa virus, among others. More recently, alleged hackers who distributed the ''I Love You'' virus and initiated last year's debilitating distributed denial of service attacks on prominent U.S. web sites have been identified.
Page 155 PREV PAGE TOP OF DOC Segment 2 Of 3
In many of these cases, it is the Internet itself that has provided the key instrumentality in investigating and gathering information. Examples include the Justice Department's successful ''Innocent Images'' campaign to prosecute child pornography, and the recent highly-publicized crackdown on Internet fraud.
Electronic surveillance is going up, not down, in the face of new technologies. Computer files are a rich source of stored evidence: in a single investigation last year, the FBI seized enough computer data to nearly fill the Library of Congress twice. The FBI estimates that over the next decade, given planned improvements in the digital collection and analysis of communications, the number of wiretaps will increase 300 per cent. Online service providers, Internet portals and Web sites are facing a deluge of government subpoenas for records about online activities of their customers. Everywhere we go on the Internet we leave digital fingerprints, which can be tracked by marketers and government agencies alike. The FBI has even requested additional funds to ''data mine'' these public and private sources of digital information for their intelligence value.
The FBI is also becoming adept at using data collected and stored by the private sector. For example, a recent story in the Wall Street Journal detailed how federal law enforcement agencies have begun purchasing detailed collections of personal data from commercial ''look-up'' companies. While this raises concerns about agencies skirting the Privacy Act's restrictions on the government's own data collection efforts, it is clear that the FBI is adopting to and using these new and rich data sources.
Privacy Rules Have Not Kept Pace With These Rapid Changes
Page 156 PREV PAGE TOP OF DOC Segment 2 Of 3
Another important context for considering cybercrime is that outdated surveillance and privacy laws have not kept up with changing technology and offer only reduced protections. Electronic privacy and surveillance are today governed by a complex statutory and constitutional framework that has slowly eroded in the face of technological change.
Remarkably, the 1986 Electronic Communications Privacy Act of 1986 (ECPA), 18 USC 2701 et seq. (setting standards for access to stored electronic communications and transactional records) was the last significant update to the privacy standards of the electronic surveillance laws. Astonishing and unanticipated changes have occurred since then, including——
the development of the Internet and the World Wide Web, and their widespread use;
the convergence of voice, data, video, and fax over wire, cable and wireless systems, and the rising deployment of high-bandwidth broadband facilities;
the increasing use of mobile telephones and devices, including those that access the Internet;
the proliferation of service providers in a decentralized, competitive communications market; and
the movement of information out of people's homes or offices and onto networks controlled by third parties.
Page 157 PREV PAGE TOP OF DOC Segment 2 Of 3
These changes have left gaps and ambiguities in the surveillance law framework. In some cases, such as the rise of mobile location information or the development of the Web, whole new types of information never available before to law enforcement can now be accessed under a legal framework that never contemplated their existence. In other cases, such as the use of pen registers for Internet traffic or the standard for accessing location information, the standards and procedures for lawful access are unclear at best.
These gaps create privacy problems, and they also create confusion on the part of law enforcement officers. Greater clarity and enhanced protection is needed both to promote public confidence in law enforcement and to provide deserved guidance about what is and is not acceptable behavior for electronic surveillance and data-gathering.
Most fundamentally, as a result of these changes personal data is moving out of the desk drawer and off of the desktop computer, out onto the Internet and out of personal control. More and more, this means that information is being held and communicated in configurations where it is in the hands of third parties and therefore not afforded the full protections of the Fourth Amendment under current doctrine. In a world where the Internet is increasingly essential for access to commerce, community, and government services, personal privacy should not be the price of living online. Rather, it is necessary to adopt legislative protections that map Fourth Amendment principles onto the new technology.
CONCERNS ABOUT CYBERCRIME NEED NOT, AND SHOULD NOT, BECOME AN EXCUSE FOR SWEEPING NEW GOVERNMENT AUTHORITIES OR GREATER SURVEILLANCE CAPABILITY.
Page 158 PREV PAGE TOP OF DOC Segment 2 Of 3
The government has a real, but limited, role in promoting security online.
At the root of many concerns about cybercrime are problems relating to computer security. Hacking, unauthorized access to computers, denial of service attacks, and the theft, alteration or destruction of data are all already federal crimes, and appropriately so. But Internet security is not a problem primarily within the control of the federal government. Particularly, it is not a problem to be solved through the criminal justice system. Internet security is primarily a matter most effectively addressed by the private sector, which has built this amazing, complex and rapidly-changing medium in a short time without government interference.
The government's limited role in cybersecurity stems from the unique technical features of the decentralized, global, user-controlled Internet:
Unlike traditional broadcast or telecommunications media, where security concerns could be focused on a relatively small number of large companies, today's cybersecurity solutions must apply to literally millions of individuals around the world who create, publish, transmit, route, process, and sell online.
The Internet's architecture is open, with few (if any) gatekeepers over online activities—a feature essential to the innovation in online services, content, and technologies, and essential to the Internet's promise in promoting free expression worldwide.
The Internet is global, so the actions of any one national government will only have an incremental effect on behavior and are unlikely to prevent undesirable activity online.
Page 159 PREV PAGE TOP OF DOC Segment 2 Of 3
In such an environment, it is the Internet's users who are the first and most important line of defense in the fight against cybercrime. Providing technology to protect users online—such as strong encryption tools and secure software and networks—is likely to be far more effective and scale far better than direct government intervention.
It must be stressed that the source of the security problem is not the architectural openness of the Internet, nor is it inherently a function of the anonymity that openness affords. Indeed, this robust and decentralized architecture is what makes the Internet as resilient as it is. Rather, the problem is that security measures compatible with the open and anonymous nature of the Internet have been given a low priority as the Internet has grown. The explosion of services and business online and the rapid rollout of new software with new features have often come at the expense of good technical security. In that sense, heightened concerns about cybercrime are a helpful wake-up call, not only because they highlight the lack of security but because they also emphasize the bottom line risks.
It is clear that the private sector is stepping up its security efforts, with an effectiveness that the government is not likely to match given the rapid pace of technical change and the decentralized nature of the medium. The tools for warning, diagnosing, preventing and even investigating infrastructure attacks through computer networks are uniquely in the hands of the private sector. In these ways, Internet crime is quite different from other forms of crime.
In this environment, government has an important but limited role focused on getting its own house in order, hiring trained staff, and supporting R&D. First, it must get its own computer security house in order. The Administratio's National Plan for cyber-security, which focuses on protecting the governments own systems, has some laudable and long-overdue elements. We are concerned, though, that it relies too heavily on a monitoring system that threatens privacy and other civil liberties (''FIDNet'') and gives too little priority to closing the known vulnerabilities and fundamental security flaws in government computer systems. (Target date for fixing ''the most significant known vulnerabilities'' in critical government computers: May 2003.) To improve government computer security and enforce the computer crime laws, the government needs the resources and Title 5 authority to hire and retain skilled investigators and computer security experts. Law enforcement must undertake the daunting task of training a new generation of public safety officers whose most important weapon is not a gun but a laptop.
Page 160 PREV PAGE TOP OF DOC Segment 2 Of 3
The government should do more to support basic research and development in computer security. It is a positive step that the U.S. government has stopped fighting deployment of encryption. We are concerned, though, that a range of new surveillance initiatives ranging from ''Carnivore'' to CALEA and ''wiretapping for the Internet'' are being used to build surveillance features without adequate attention to security and may themselves constitute a security vulnerability. While the potential for the government to help is limited, the risk of government doing harm through design mandates or further intrusions on privacy is very high.
IT IS NOT CLEAR THAT NEW GOVERNMENT AUTHORITIES OR INVESTIGATORY POWERS ARE NEEDED.
Substantial authorities already exist for investigating and prosecuting cybercrime. It appears that most of the ''cybercrime'' activities conducted online could be prosecuted through existing criminal law. The Computer Fraud and Abuse Act and other statutes broadly make hacking, unauthorized access to computers, and the theft, alteration or destruction of data already federal crimes. Powerful statutes exist to punish distribution of obscenity or child pornography online. Existing criminal statutes covering a range of topics from fraud to abuse of a minor are being applied to or have been adopted to include online behavior.
It is always appropriate to consider whether our laws have been outdated by changes in technology, and several proposals have been under consideration to amend the computer crime statute and the electronic surveillance laws to enhance law enforcement authorities. The Subcommittee, after careful analysis, may find that some modest changes are appropriate. But we urge caution, especially in terms of any changes that would enhance surveillance powers or government access to information. For example, the Justice Department had proposed changes to the computer fraud statutes that would lower the $5000 loss threshold before criminal penalties apply. However, there is reason to believe that prosecutors are unwilling to bring even cases that meet the threshold because of stiff mandatory minimums that apply. Removing the damage threshold would only exacerbate the situation and also could make de minimus activity or online pranks serious federal crimes.
Page 161 PREV PAGE TOP OF DOC Segment 2 Of 3
Some in government have argued that the Internet requires greater investigatory powers. In particular, they complain about anonymity or lack of traceability on the Internet. This is a red herring. The digital age of web logs, ISP records, credit card transactions, electronic banking, cookies, and clickstreams is creating a wealth of investigatory capability where none existed before. While there is not perfect traceability online, there is probably more traceability online than in the real world. An anonymous vandal can throw a brick through a bank window and run away down any number of streets. An anonymous pickpocket can steal your wallet with credit cards and melt into the crowd. Yet we do not require people to carry identification cards, nor do we install checkpoints on our streets. We do not have perfect traceability in the real world, for good reasons. We do not need perfect identity and traceability online either.
Nonetheless, the Justice Department has sought further expansions in its surveillance authorities. But surely, before enacting any enhancements to government power, we should ensure that current laws adequately protect privacy. For example, the government has proposed extending the pen register statute—designed for capturing digits dialed on a phone—to the Internet. Yet, the current standard for pen registers imposes little effective judicial control, reducing judges to mere rubber-stamps. Pen registers as applied to Internet communications are far more revealing than phone numbers, and there is a great deal of ambiguity about how they might be applied online. In this and other cases, we must tighten the standards for government surveillance and access to information, thus restoring a balance between government surveillance and personal privacy and building user trust and confidence in these economically vital new media.
Page 162 PREV PAGE TOP OF DOC Segment 2 Of 3
These are complex issues. CDT is prepared to work with the Committee and the Justice Department to evaluate cybercrime proposals, to flesh out needed privacy enhancements, and to convene our DPSWG working group as a forum for building consensus.
THERE IS A REAL RISK THAT CYBERCRIME CONCERNS WILL BECOME AN EXCUSE TO IMPLEMENT SWEEPING NEW AUTHORITIES THAT JEOPARDIZE PERSONAL PRIVACY.
Americans are already deeply concerned about their privacy, especially online. Changes in technology are making ever more information available to government investigators, often with minimal process falling far short of Fourth Amendment standards. There is a real risk that concerns over the very real problems of cybercrime will serve as justification for legislation or other government mandates that will be harmful to civil liberties and the positive aspects of the Internet. Such a course is especially unjustified when there is so much to be done to improve security without changing the architecture or protocols of the Internet or further eroding privacy.
Examples abound already here in the U.S. For much of the last decade, the government has sought to force Internet users to adopt ''key recovery'' backdoors for their encryption products in the name of fighting crime online—despite the security risks and privacy concerns raised by creating backdoors in security tools. In the name of protecting critical infrastructure, some have promoted ''Caller ID for the Internet''—a system of mandatory identification for Internet traffic of dubious practicality that would eliminate much privacy online. While these proposals have been largely rejected ''Carnivore''—the FBI's aptly-named Internet surveillance tool—has been deployed despite concerns that it is ripe for abuse and accesses too much information without appropriate legal standards in place. The CALEA statute, passed to preserve government phone tapping capabilities from the specter of digital age communications, has since been expanded to include a wide variety of new services including turning mobile phones into location tracking devices for law enforcement—with little judicial oversight.
Page 163 PREV PAGE TOP OF DOC Segment 2 Of 3
It is understandable that many are concerned about new surveillance proposals put forward to fight cybercrime. We have avoided some of the worst of these proposals here in the U.S. Unfortunately, there is evidence that many of the most damaging surveillance proposals are taking root outside of the U.S.
Recent efforts in Europe on cybercrime, and particularly the experience of the recent Council of Europe's proposed Convention on CyberCrime, underscore this point. Early versions of that Convention—developed in part in consultation with U.S. law enforcement officials—contained data retention and other requirements that would have forced ISPs and web services to keep and produce vast quantities of private data at substantial expense and with few privacy protections. Only in response to outcry from industry and public interest advocates were the worst of these provisions modified in recent drafts. But the Convention still contains few privacy protections and lacks an appropriate balance between provisions for law enforcement and preservation of individual rights. We note that the Convention would not require any changes in U.S. law, and we will carefully monitor any efforts to use it as an excuse for changes in the U.S.
A major concern about the COE Convention is how it will be implemented by individual nations. With few clear privacy guidelines built in, it is feared that many will use the Convention as a justification for imposing new design mandates on Internet providers that will threaten many of the Internet's most important characteristics. In recent weeks, a serious proposal has been floated in Europe to require that all Internet traffic be retained for seven years. Besides being impractical and prohibitively expensive, if not virtually impossible, such an effort would be an unprecedented invasion of personal privacy and a severe rollback of initiatives in Europe and elsewhere to limit the retention of personal data.
Page 164 PREV PAGE TOP OF DOC Segment 2 Of 3
In addition to affecting the human rights of Internet users worldwide, proposals such as these have an impact on U.S. users as well. They risk subjecting consumers and businesses engaging in global Internet communications and commerce to potential surveillance, industrial espionage, or invasions of privacy. And they risk squelching the promise of the Internet as a medium that promotes the free flow of information and the exchange of democratic ideas.
The U.S. has been a force for democratic values, individual liberty, and human rights worldwide. There is a real risk now that cybercrime efforts here and abroad will threaten these very values. It is important that we continue to be an example and resist the temptation to implement cybercrime proposals that would jeopardize the promise of the Internet to promote liberty.
The Need for Enhanced Privacy Protections
Considering the broad sweep of the digital revolution, it is apparent that the major problem now is not that technology is outpacing government's ability to investigate crime, but, to the contrary, that changes in communications and computer technology have outpaced the privacy protections in our laws. Technology is making ever-increasing amounts of information available to government under minimal standards falling far short of Fourth Amendment protections. Gabs in our surveillance laws leave information unprotected, or create ambiguities, ultimately harming public faith in law enforcement and undermining public trust in the online activities that have become such an important part of the digital age.
Page 165 PREV PAGE TOP OF DOC Segment 2 Of 3
While improvements to security, technology, or corporate policies to promote privacy can come from the private sector, only legislation can update the legal framework governing electronic surveillance and privacy. Companies can adopt great privacy practices about the disclosure of information, but they have little choice but to produce sensitive data they hold when presented with a lawful order. Consumers and businesses increasingly recognize that only legislation can provide adequate privacy protections for such information and these protections themselves can be a key enabler of trust and security online.
Congress should adopt a comprehensive legislative approach to cybercrime that recognizes the urgent need for additional privacy protections. The Congress could start by taking up the helpful changes to surveillance law developed and passed by the House Judiciary Committee in the last Congress, under H.R. 5018, including:
Provide heightened protections for access to wireless location information, requiring a judge to find probable cause to believe that a crime has been or is being committed. Today tens of millions of Americans are carrying (or driving) mobile devices that could be used to create a detailed dossier of their movements over time—with little clarity over how that information could be accessed and without an appropriate legal standard for doing so.
Increase the standard for use of pen registers and trap and trace devices, requiring a judge to at least find that specific and articulable facts reasonably indicate criminal activity and that the information to be collected is relevant to the investigation of such conduct.
Add electronic communications to the Title III exclusionary rule in 18 USC 2515 and add a similar rule to the section 2703 authority. This would prohibit the use in any court or administrative proceeding of email or other Internet communications intercepted or seized in violation of the privacy standards in the law.
Page 166 PREV PAGE TOP OF DOC Segment 2 Of 3
Require a judicial warrant for government seizure of read or unread email stored with a service provider for up to one year. (Currently, the warrant requirement applies for only 180 days, and the government has maintained that it could obtain email with a mere subpoena as soon as it is opened, no matter how recent it is.)
Require statistical reports for 2703 disclosures, similar to those required by Title III.
Require high level Justice Department approval for applications to intercept electronic communications, as is currently required for interceptions of wire and oral communications.
In addition, other issues—some of broader scope—need to be addressed:
Define and limit what personal information is disclosed to the government under a pen register or trap and trace order served on Internet service providers. Transactional or addressing data for electronic communications like email and Web browsing can be much more revealing than telephone numbers dialed.
Define clearly what transactional information can be collected on Internet communications and under what standard, making it clear that Internet queries are content, which cannot be disclosed without consent or a probable cause order.
Improve the notice requirement under ECPA to ensure that consumers receive notice whenever the government obtains information about their Internet transactions.
Page 167 PREV PAGE TOP OF DOC Segment 2 Of 3
Provide enhanced protection for personal information on networks: probable cause for seizure without prior notice, and a meaningful opportunity to object for subpoena access.
Require notice and an opportunity to object when civil subpoenas seek personal information about Internet usage.
The bills put before this Committee last year were efforts towards a modest improvement in privacy protections without in any way denying the government any investigative tools. They should serve as a starting point, and we hope that Members will consider reintroducing them in the near future and begin to address the privacy concerns of many Americans and the imbalance that exists in today's electronic surveillance laws.
CONCLUSION
The issue of cybercrime appropriately demands public attention and real, but limited, involvement by government. More broadly, it speaks to the need for modernization of our surveillance laws and greater privacy protections to counteract new threats to privacy online.
Protecting national security and public safety in this digital age is a major challenge and priority for our country. On balance, however, we believe that new sources of data and new tools available will prove to be of great benefit to government surveillance and law enforcement. These new technologies are likely to make law enforcements job harder in some ways. There is no doubt that resources will be needed to deal with change as the Internet alters traditional methods of crime fighting and information gathering.
Page 168 PREV PAGE TOP OF DOC Segment 2 Of 3
The real cybercrime risk is that concerns about public safety will become a justification for sweeping new surveillance proposals or design mandates that destroy the best features of innovation and freedom on the global, open Internet. It is essential that we offer a measured response to these concerns, and urgently take up the need to reform privacy protections in the electronic surveillance laws.
Mr. SMITH. Thank you, Mr. Davidson.
Mr. Chertoff, let me ask a question that Mr. Coble was going to ask and I would have asked in any case, anyway, and that is what priority is the Administration going to give to the prosecution of intellectual property crimes?
Mr. CHERTOFF. Mr. Chairman, we're going to give it very high priority. I think there's no doubt in this day and age the most valuable kind of property we have this country, in many instances, is intellectual property. It is the source of value for our businesses. It is a source of value for private people and it is something that we have a very serious obligation to protect. One of the reasons we have the section I described in my opening testimony was to concentrate expertise in intellectual property investigations in a group of lawyers who, though experience and education, will become really the cutting edge of these kinds of investigations and prosecutions.
We are aggressively pursuing these crimes. It is a very high priority and we're going to use all the tools we can to pursue it.
Page 169 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. SMITH. Thank you. Let me address my first question to Mr. Chertoff, Mr. Kubic, and Mr. Savage, as well; and it is this: You three individuals have made the point in your testimony that basically our current laws are outdated, much as Mr. Davidson said. Our privacy laws are outdated because we really have not had any legislation since 1986. The same can be said about our high-tech or intellectual property or cyber crime law, I think, particularly in the areas—just to mention three, I would say child pornography, fraud and gambling, perhaps.
In the past, we have had laws that have dealt with these crimes in what you referred to as the physical world, as opposed to the online world. What changes in the laws need to be made to bring our laws up to date so that we can apprehend and convict the cyber criminals? If you will, be specific about what changes you think need to be made in the laws, because that is really the direction we're heading with these three hearings on this subject. Mr. Chertoff, if you will begin and hen I'll go to the other two individuals.
Mr. CHERTOFF. I will be happy, Mr. Chairman. Obviously, there are two types of laws. There are substantive laws against fraud and child pornography which we can apply, really, equally to the Internet as we do in the physical world. But there also a series of what I would call procedural or process laws, which were written in the last couple of decades at a time when computers and Internet use were really not what they are today.
I will take a concrete example. When you deal with telephony, you have pen registers and traps and traces which allow you to determine, not the content of conversations, but where telephone calls are being placed and where telephone calls are being placed from. In applying that law to the Internet, it has been unclear sometimes to the courts whether the law gives us the authority to use those devices in the world of e-commerce, in the world of the Internet.
Page 170 PREV PAGE TOP OF DOC Segment 2 Of 3
By the same token, laws that were written to govern pen registers and trap and trace devices jurisdiction by jurisdiction, court by court, really do not work very well in a world in which data moves internationally with great speed and where we are very happy to go to a judge and get an order under the prevailing legal standard, but it becomes difficult to go to 10 or 15 or 20 judges at one time.
These are the kinds of procedural fixes that we need to bring into law. They don't affect privacy, but they do affect efficiency.
Mr. SMITH. Very good. Thank you.
Mr. Kubic?
Mr. KUBIC. Actually, Mr. Chairman, I cannot add too much to that. I think we have been very effective in working with the Department of Justice in terms of substantively what to charge. The frustration for the investigator comes to the forefront when he or she interacts with the prosecuting attorney and confronts different rules that define what, in fact, can be obtained through the court order. So it is an issue that I think needs some careful study and attention, and I think we can come back with some recommendations for your consideration.
Mr. SMITH. Very good. Thank you.
Mr. Savage?
Page 171 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. SAVAGE. Yes, Mr. Chairman, nothing more to add, other than to make the analogy law-enforcement needs the same tools it has in the physical world, to be able to apply those to the cyber world, with the extra dimension, as previously mentioned, the speed and diffusion of evidence, electronic evidence, is so great that we need greater flexibility in terms of orders or judicial tools that would allow us to get the same information we might have in the physical world, but get it in the cyber world.
Mr. SMITH. Thank you.
Mr. Davidson, I have actually got another question for you that might let you say what you want to say anyway, but in all fairness, if you want to respond, you may.
Mr. DAVIDSON. Well, I just wanted to respond to Mr. Chertoff's comment, because I agree, I think, that the pen register is, for example, a great example of an area where we need to revisit the law, but I think to show the complexity of this, there is a feeling that, on the Internet, the notion of extending a statute that was designed to talk about—provide digits dialed on a telephone to law-enforcement on what is a very low legal threshold, based on relevance to an ongoing investigation, reveals much more on the Internet than it did in the context of digits dialed.
Mr. SMITH. Let me get in a quick question, since my time is up, and then, as you said at one point in your testimony, it is not clear that new Government authorities or investigative powers are needed, but then you conceded, I think, the Subcommittee may find that some modest changes are appropriate. Do you want to very quickly tell us what those modest changes are?
Page 172 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. DAVIDSON. Well, I will defer in some ways to Mr. Chertoff's comments about where there are different difficulties in applying the law.
Mr. SMITH. My suspicion was that there was perhaps more agreement than disagreement, and that confirms it, I think, to some extent. Thank you.
The gentlemen from Virginia, Mr. Scott, is recognized for his questions.
Mr. SCOTT. Thank you, Mr. Chairman.
Mr. Savage, you had indicated that some of the banks and others had gotten together to share resources or share ideas. Are there any intellectual property or antitrust implications that we should be addressing and having groups get together like that?
Mr. SAVAGE. Mr. Scott, of course all the participants, especially at the beginning of such efforts, are particular mindful of such concerns. However, after developing personal relationships amongst each other, they realize that, in fact, there are ways to avoid such concerns and still yet be able to share important information and resources. Oftentimes, competitive concerns do not rear their head when you're talking about addressing particular investigative aspects in a generic fashion, about a variety of cases.
Mr. SCOTT. But codes and things like that, software that one bank may have that another one might not have figured out how to do yet, the intellectual property exchanges and the antitrust implications of getting together and agreeing to do things certain ways, are those things that we ought to be looking at to make sure that the antitrust laws and intellectual property laws allow that to happen?
Page 173 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. SAVAGE. Mr. Scott, it is difficult for me to speak for the private sector, but I do know in our conversations with them, they feel like they have been able to overcome a lot of those concerns, but certainly the Government needs to promote avenues and methods for them to more freely exchange information amongst themselves and with us.
Mr. SCOTT. You indicated that you keep secret sine crime reports.
Mr. SAVAGE. I'm sorry?
Mr. SCOTT. You keep secret some reports of cyber crime, so that you would encourage the reporting of the crimes?
Mr. SAVAGE. Absolutely.
Mr. SCOTT. You can't keep it secret and prosecute it at the same time.
Mr. SAVAGE. Mr. Scott, the point I was trying to make is that what is very important to the Secret Service is that when a corporate victim steps forward and raises their hand and says, ''We have a problem,'' or ''We have suffered a problem,'' that we're able to respond in a fashion that addresses their concerns with where they are in the marketplace, their potential public exposure, their operational aspects, their duties to their customers, and to that extent we do not treat that relationship lightly. If there is a success that we do encounter, if it were to be publicized, we would seek their express permission, as well as that of the U.S. Attorney.
Page 174 PREV PAGE TOP OF DOC Segment 2 Of 3
It is far more important for the Secret Service to have the success than it is to have others knowing about it.
Mr. SCOTT. Mr. Chertoff, the trap and trace on e-mails, when you get an order allowing this, you have indicated that it is inconvenient to go to different judges. Is your proposal to allow one judge to give an order, regardless of the jurisdiction or are you looking for a blanket order so that once you get the order, you can take it where you want?
Mr. CHERTOFF. I think what we're looking for, Congressman, is the ability to go to a single judge, satisfy the appropriate standard, and have that order apply with nationwide jurisdiction, not be subject only to the particular district in which the judge is sitting.
Mr. SCOTT. Well, if the judge sits and hears that you need a trap and trace, is that just one computer that you're talking about ? If you had several computers, if they were e-mailing within your jurisdiction, would you have to go back to have a trap and trace for each different computer within that jurisdiction?
Mr. CHERTOFF. I don't want to stretch myself beyond my technical competence, so I am going to let Mr. Kubic chime in, but I think it—what we're trying to do, and I use the analogy with the telephone, if you want to get the identity of whoever has generated a particular transmission, typically in the old days with telephony, you could pretty much figure out where the communication was being routed from, what jurisdiction you have to be concerned about.
Page 175 PREV PAGE TOP OF DOC Segment 2 Of 3
Nowadays, it is possible to move the communications through a lot of different computers and a lot of different intermediaries, and to avoid a problem, you want to—you know, you technically want to make sure you have covered all of those intermediate stops for the communication. That is what we want to address. I will let Mr. Kubic talk about the actual mechanics of that process.
Mr. KUBIC. I wish I could.
Actually, what we do is we work very closely with the Internet service providers, so that when we get a court order, we would go to the Internet service provider. It is at that point that the questions come up, because some of the routing of the e-mail messages go out-of-state, sometimes they go through another country, and it gets very, very confusing very quickly.
We have had occasions where some of the service providers have requested conflicting-type orders. So, for instance, they were mixing up orders that would provide the content of the e-mail when, in fact, we're just simply seeking a trap and trace order. So the people who are trying to do the job get confronted with the battery of corporate counsel, who might not have a real good understanding of the law. We engage in a little bit of an educational process in so doing.
But I think what we're saying is that there needs to be a very clear—clearly-written language in any legislation proposed, that precisely spells out the how-to, so that not only the Federal agents, but also the recipients of the order clearly understand what they are being asked to do and what the overages are.
Page 176 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. SCOTT. Mr. Chairman, could I get an additional minute, so that Mr. Davidson could——
Mr. SMITH. Without objection, the gentlemen is recognized for an additional minute.
Mr. SCOTT. Before you respond, Mr. Davidson, if someone has an expectation of privacy on their e-mail, what limitations should we be looking for, particularly in light of the fact that trap and trace is, as I understand it—has to be issued by the judge, based on the certification of law enforcement that it is needed—the judge has no discretion—and whether or not it is possible to an e-mail without getting the content?
Mr. DAVIDSON. Well, I think this is—it highlights a very difficult problem which I was trying to get at before, about the extension of the trap and trace and pen register statute into the Internet world. The fact is that the source of destination of e-mail traffic may be much more revealing then the digits dialed on a telephone, partly because e-mail addresses are much more intimately connected to a person and an individual than a telephone, which may be used by many different people, and this especially applies to the extension of pen registers and trap and traces to finding Web URLs, resource locators, when you type in http, which is our understanding of a desire of the Justice Department, also and we have seen this in the context of the implementation of Carnivore.
I think that what you hit on is the fact we do need clarity in these laws. There's a great deal of ambiguity about how these statutes apply to the Internet, and when we add that clarity, we need to think about upping the standard a little bit. Right now, judges do not have any discretion. Once the showing is made, they are required to issue these orders. Judges should be given that discretion, to weigh the circumstances of a particular presentation, and we also need to think very carefully about this blurring line between source and destination and the content that might be embedded in a URL, where you go search for a book or something like that, and may be much more revealing than digits dialed.
Page 177 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. SMITH. Thank you, Mr. Scott.
The gentleman from Wisconsin, Mr. Green, is recognized for his questions.
Mr. GREEN. Thank you, Mr. Chairman.
Mr. Chertoff, your opening remarks got my attention. The first example that you gave is remarkably like something that happened in my district back in northeastern Wisconsin, in which a couple that had broken up, divorced, the ex-husband was posting photos, intimate photos, of his ex-wife on the Internet and e-mailing them to places that she frequents, business and such, and we have been looking for ways to provide tools for prosecutors to deal with that instance, which is remarkably like the one that you pointed out. What tools do you think we should be looking for? What would help you in those kinds of situations?
Mr. CHERTOFF. Well, I think this is a problem which is increasing. I think we have some very good statutes now. One of the issues we have to address, though, are statutes that couch criminality in terms of dollar value, where you have, for example, computer invasions or intrusions that do damage above a certain amount of money, and the reality is that sometimes the damage that is done cannot be quantified, but it can be, in fact, more serious than monetary damage.
I think one of the things I would like to do going forward is to sit and look comprehensively at all the statutes that cover identity theft, computer crime and make sure we have what I would call a seamless system, where we are really covering the kinds of invasions of privacy and damage that we are becoming concerned about.
Page 178 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. GREEN. What I would like to do, if I can, is to send you a draft of what we have been working on, because we have been flailing about, trying to figure out just how to get our arms around this situation, and would welcome your thoughts and comments. Let me shift gears to Mr. Kubic and Mr. Savage. Last session, I co-authored legislation with Senator Collins which passed, dealing with the problem of fake IDs and how they were being either transmitted or marketed over the Internet, and the legislation passed and created a committee to deal with the issue of Internet fake IDs, and how their could be a cross-agency task force on the subject.
Are you aware of whether or not that task force has, in fact, been assembled and if there has been any progress on this issue?
Mr. KUBIC. Congressman, I am unaware of whether or not that specific task force has been assembled. However, the Department of Justice does host and share regular meetings that deal with the theft of—identity theft—broadly. I'm not sure if that was what you had in mind.
Mr. GREEN. One of the things that the testimony suggested last session was that about 83 percent of all fake IDs, everything from the fake IDs we often think of for underage alcohol abuse to forged passports and such, 83 percent by next year will be procured over the Internet, and for a variety of reasons, it is difficult for us to trace and block that. That was the reason for the legislation, and, as I said, it created actually a task force on that.
Mr. Savage I don't know if you're aware of whether or not that task force has been created.
Page 179 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. SAVAGE. Congressman, as I understand it, we participate in the same task force or the same group alluded to by Mr. Kubic, and it is my understanding that suffices for the task force envisioned, but I am not 100 percent sure on that. I can say that Secret Service recognizes the problem, especially with respect to identity fraud. We have placed an agent full-time at the Federal Trade Commission to help coordinate with respect to identity fraud cases.
Mr. GREEN. If the two of you could check into it, because there was actually a coordinating committee established by this legislation signed into law last session. The law is now Public Law 106–578, and I would appreciate any follow-up you could give us as to its status. Finally, the legislation as we originally introduced it, not all the provisions were adopted. One of the provisions that fell away would have made it illegal to knowingly produce or transfer a document that is designed for use in the production of false IDs, as opposed to just the marketing, the actual transmission of the document.
One of the reasons it was dropped is because it sort of hit the jurisdiction of a number of Committees and again has some technical challenges to it. Do you have any comments on whether or not that would be useful, or your thoughts on that type of proposal?
Mr. SAVAGE. Congressman, my response is such a thing probably would be quite useful. The limiting factor usually in such legislation is proving that intent, that it was designed to be used in the commission of a fraud, and certainly that prerequisite, that standard, is usually found in the fraud statutes for good reason. However, it would be of value to see if there would be something similar that could be substituted in that regard.
Page 180 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. GREEN. As you may know, of the reasons that this is a growing problem is that these documents are transmitted with an easily-removed sticker on the back that says, ''Not a Government document; for entertainment purposes only.'' Of course, when the recipient gets it, they simply peel off the sticker and they have their documents. That is why we have tried to get at this, but the intent, obviously, is the difficult issue to prove.
Mr. Kubic, I don't know if you have any thoughts on that.
Mr. KUBIC. Manufactured, false or counterfeit documents are often found in a lot of the fraud cases that we see, whether it is financial institution fraud, credit card fraud, it rivals the theft of real identities as an issue.
Mr. GREEN. Thank you.
Mr. SMITH. Thank you, Mr. Green. The gentleman from Virginia, Mr. Goodlatte, is recognized for his questions.
Mr. GOODLATTE. Thank you, Mr. Chairman. First, thank you for holding this and the continuing series of hearings on crime on the Internet.
Mr. Kubic, in your testimony, you state that difficulty with online crime is that there are no fingerprints, shoe impressions, surveillance video or photographs, money taken or witnesses, and that the evidence can be lost forever rather quickly. How does the FBI handle this problem with cyber crime investigations?
Page 181 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. KUBIC. Well, basically, while I say that there—the evidence exists in a somewhat different form. Rather than the physical fingerprint that is left, there is, in fact, an electronic fingerprint that is most useful in establishing some of the people who are engaged in the theft, using that as an example. What happens, however is that many of the people that we look in terms of intrusions or hacking use different platforms and bounce around through the cyber world.
So while it is a different type of evidence that we are seeking, there are active steps taken by this category of criminals to hide their efforts. We have an engineering research facility at Quantico, as well as technically-trained agents in each of our field offices, who are actively engaged in the collection and preservation of evidence in digital form. Additionally, the FBI has computer response teams that do things like mirroring images—mirror-image creation of seized computers, wherein we can further identify the activity of a particular suspect or subject.
Mr. GOODLATTE. Thank you.
Mr. Davidson has testified that cyber crime is more traceable than physical, real world crime. Would you disagree with that statement, and, if so, why?
Mr. KUBIC. I would not say it is more traceable at all. I think it represents a new challenge for law-enforcement investigators. Because of the nature of the evidence being so much different from what we collect in a normal crime scene, there is a need, one that is being met, I think, in part today, to retrain, to retool, and to upgrade the set of skills that the investigators have, whether they are State and local officers or Federal agents.
Page 182 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. GOODLATTE. Go ahead, Mr. Davidson.
Mr. DAVIDSON. No. I might say that it is actually sort of—it is differently available than it is in the offline world, and that is definitely true. We support the tremendous challenge that is in front of law-enforcement officials to retool and retrain agents to be able to deal with this, these new kinds of evidence, but I think it is worth recognizing that we have heard many claims that substantial new authorities are needed because it is so difficult to find evidence online; and I think there are many reasons to believe that once—when we take on this substantial challenge of retooling ourselves, we will find that, on balance, there's actually a tremendous amount of information that's out there.
Mr. GOODLATTE. Let me get into a specific area that concerns me, and that is the distribution of obscenity or child pornography online. You have stated that powerful statutes exist to punish that distribution and I agree, but I think—and I will ask the other gentleman whether they agree or not—I think there are some gaps in that law that inhibit law-enforcement in investigating this type of behavior. Would any of you care to respond to his assertion?
Mr. CHERTOFF. Well, I think that that is a very good example of an area where some of these procedural problems that we face, legal problems, can be an impediment. I think that the actual substantive laws, for example, dealing with child exploitation, are good laws. Now, you know, Congressman, there is an issue now before the Supreme Court regarding one subset of that involving so-called virtual reality. But again we need to be able to move quickly. The people who are purveying this material, some of them are unsophisticated, but some of them are sophisticated. Some of them are overseas. By streamlining the procedures, without sacrificing privacy, I think we can add tools that will allow our investigators to be more effective.
Page 183 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. GOODLATTE. One of the areas that concerns me, and I'm not sure what to do about it, are these online chat rooms, which are the genesis of the great deal of problems we have with predators online, with the so-called travelers who will go into these chat rooms and develop a relationship with a 12, 13, 14-year-old boy or girl and then attempt to develop that relationship, meet them.
We have a local law-enforcement agency in my district; Bedford County Sheriff's Department has Operation Blue Ridge Thunder, which receives funds through a Federal grant program, and have been very effective in prosecuting dozens of people all over the country who, in many instances, come to Bedford with clearly malicious intent to do so, and trying to break that link, trying to make it easier for law-enforcement to do something in the chat room itself, is of interest to me.
Obviously, we have got to be concerned about the first amendment and what happens there, but do any of you have any thoughts on what can be done to criminalize the initial activity of these individuals who get online and attempt to discuss, in some instances, obscene activities online with children? Is there a constitutional prohibition on attempting to have a prohibition on adults discussing these types of thing online, with minors, for example?
Mr. CHERTOFF. Obviously, there are constitutional limits on your ability to regulate discussion, and I know that Mr. Kubic can speak to this, the Bureau has been very effective in using active investigative techniques to ferret out those people who get into those chat rooms in a predatory fashion. I think that is really a very effective tool, and I will let Tom talk about that.
Page 184 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. KUBIC. Yes, under the Innocent Images initiative, the traveler-type cases, the cases that you have kind of defined, which means in brief that there's an individual posing as a teenager engaging in conversation, trying to either lure a young person to visit him or to be more upfront about their intentions, and then they themselves travel to another district to engage in some type of elicit activity, are the top priority of our Innocent Images investigations.
Mr. GOODLATTE. But at the point where they actually attempt to travel. I know the sheriff's department, for example, has officers that pose as 13, 14-year-olds, and do that, and it is only when they get to the point of actually attempted to have a meeting, that they attempt to prosecute; and if there were a chill, and I know first amendment folks love to hear that word chill, but if there were a chill on this type of activity, because people, if they went online and were deliberately, under some definable criminal statute, engaging in an activity that were illegal in and of itself, we could prevent this whole thing from happening in the first place. I will let you respond to that, and I would also like to hear Alan Davidson's view on that.
Mr. KUBIC. Well, I understand, you know, your position. I think it would be extremely difficult to write legislation which would cover that kind of conduct, because to a very great extent it is merely a discussion and often, you know, is this a fantasy or is there an effort to really engage in some illicit act?
Mr. GOODLATTE. But when you're dealing with a minor, does it matter if it is a fantasy or not, if an adult is engaged in that type of a discussion of activities?
Page 185 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. DAVIDSON. Well, I would say that we really need to tread lightly here, in the sense that the distinction between speech and action has been an important one, in terms of constitutionality of these kinds of statutes, and I would just suggest——
Mr. GOODLATTE. But remember what we are talking about. These are adults with a very serious disposition. This is all part of the intent. It is all part of the formation of a crime, and you're having people engage in very salacious discussions with kids who think it is really cool to do this with some adult who is doing it online like this.
Mr. DAVIDSON. The courts have afforded a great deal of protection to adult speech.
Mr. GOODLATTE. Even with minors?
Mr. DAVIDSON. I believe so, and I think it is a very—it is a very—the knowledge component of this was very tricky, and all I can say is I know the congressman has a record of being very concerned about these issues. I think there is a resource question.
Mr. GOODLATTE. I am very concerned about the first amendment. I'm also very concerned about children in the type of circumstances that we are defining here.
Mr. DAVIDSON. And I think that we should recognize that the Internet, in many ways, has also provided this new tool that we didn't have before, which is to bring people out, the kinds of people that you are trying to—that you would like to prosecute here—to bring them out of the dark corners of society and into places where the FBI and other law-enforcement agencies can very effectively, increasingly effectively, find them and prosecute them, and that is an effort that we should continue. But we need to do——
Page 186 PREV PAGE TOP OF DOC Segment 2 Of 3
Mr. GOODLATTE. Not if they can—as long as they never have that meeting with the individual, you're telling me that not only are we bringing them out of the dark corners, but we're giving them a forum in which to engage in this activity in a protected way that they never had before, and it is causing an explosion of difficulty in this area.
Mr. DAVIDSON. And perhaps a new way to find them. No doubt that this is a problem and that more work needs to be done on the enforcement side.
Mr. SMITH. Thank you, Mr. Goodlatte.
The gentleman from Virginia will be recognized for an additional question.
Mr. SCOTT. Yes, Mr. Chertoff, you mentioned virus crimes. Should we be considering anything to help on the jurisdiction of the crime; the perpetrator may be traveling with a laptop; the victim may have a laptop? How do you figure out what the jurisdiction of the crime is, or has that been a problem?
Mr. CHERTOFF. Well, I think that is a species of the same kind of problem we talked about earlier, with pen registers and trap and trace orders. Typically, for example, if you are intercepting data in real-time and you're going to get what we call a title III authorization from a judge, again there have been issues historically about going to the right jurisdiction. If I want to tap a particular phone, I go to a judge, I get a title III order, let's say in New Jersey. I know the phone is in New Jersey. Even in the area of cell-phones now, we have developed laws and techniques that allow us to basically attach the order to the traveling phone. And I think we want to be able to do the same thing with respect to traveling laptops.
Page 187 PREV PAGE TOP OF DOC Segment 2 Of 3
Again, the idea is not to dilute the protection, the substantive protection of privacy under the law. The idea is to eliminate the problem of geographic limitations on judicial orders. So one of the things I think we want to do is essentially create one-stop shopping for these kinds of orders.
Mr. SCOTT. I'm talking about the prosecution. What court do you go in to get the indictment?
Mr. CHERTOFF. Well, typically the general rule with respect to venue in criminal cases is anywhere the crime occurs, so any place somebody traveled in the course of committing an illegal act, if the illegal act occurred over the Internet, would be the place that we could bring the case.
Mr. SCOTT. Do you have to prove jurisdiction? I know in State court, you have to prove the crime was committed within the State. Do you have a jurisdictional part of the prosecution where you have to show that the crime was committed in State where you may not know where the guy was?
Mr. CHERTOFF. You do. You do have to prove venue, because you have to bring the case in the appropriate venue. And it may be, Congressman, that what you're suggesting is something worth thinking about, which is whether we ought to create a venue provision that allows us to prosecute crimes in certain designated places, whether or not the person was actually traveling in that place or broadcasting while they were traveling.
Page 188 PREV PAGE TOP OF DOC Segment 2 Of 3
I could certainly envision proof problems, for example, in showing when—you know, where someone was at the time they transmitted a particular message, and perhaps we want to make sure in the law that we can adequately address these, where the service provider is located, where the recipient is at some other place. I think that is worth looking at.
Mr. SCOTT. Mr. Davidson, do you want to——
Mr. DAVIDSON. Well, I would just indicate that, of course, there are going to be issues here on the user side, as well, which is that users don't necessarily know where all of their communications are going, who they are necessarily using when they're on the Internet. Your ISP may be routing communications all over the place, and I think—which just demonstrates the difficulty here also on the user side, of finding out that you may be subject to an order that has been issued across the country, that you may not necessarily have knowledge of, that you may have a difficulty in terms of answering or defending.
In many of these cases, of course, you never have notice of this. But I think there are some mitigating difficulties on the user end that need to be worked out, also.
Mr. SMITH. Thank you, Mr. Scott. Before we adjourn, I do want to say, and the witnesses might be interested in it, as well, and it has been mentioned by one witness, and the audience may be interested in knowing that we are having our third and last hearing on cyber crime this coming Thursday, day-after-tomorrow, at 10 o'clock in the morning, and that will conclude our series; and, in fact, so far as I know, we will have had more hearings on that subject than on any other subject this year.
Page 189 PREV PAGE TOP OF DOC Segment 2 Of 3
So that is the importance we attach to it and that is how serious we are about trying to be helpful to all of you all, law-enforcement and those interested in privacy concerns, as well.
Mr. Chertoff, I just want to tell you, if you have been head of the Criminal Division for less than 2 weeks, you sounded like a veteran today. So you're off to a good start.
Mr. CHERTOFF. Thank you, Mr. Chairman.
Mr. SMITH. We thank all the witnesses. We appreciate their testimony and their expertise, and we stand adjourned.
[Whereupon, at 5:11 p.m., the Subcommittee was adjourned.]
Next Hearing Segment(3)
(Footnote 2 return)
New York Times, November 12, 1999
(Footnote 3 return)
Source: Forrester Research, Inc., <http://www.Forrester.com>