Law Enforcement Practices & Problems
Wednesday, March 27, 1991
Robert M. Snyder
Glenn Tenney, Chair
Copyright (c) 1991 IEEE. Reprinted, with permission, from The First Conference on Computers, Freedom and Privacy, held March 26-28, 1991, in Burlingame, California. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the IEEE copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Institute of Electrical and Electronics Engineers. To copy otherwise, or to republish, requires a fee and specific permission.
Published in 1991 by IEEE Computer Society Press, order number 2565. Library of Congress number 91-75772. Order hard copies from IEEE Computer Society Press, Customer Service Center, 10662 Los Vaqueros Circle, PO Box 3014, Los Alamitos, CA 90720-1264.
TENNEY: ... I'm a computer person, .... Don't let the suit fool you; I decided to make these gentlemen feel more at home [by] wearing their uniform, although I feel more comfortable wearing a T-shirt.
... When I started hacking back in the ... early '60s things were quite different. First is the word, "hacking." It meant something good. There was nothing illegal. Second, there were no personal computers. To me a personal computer ... was an IBM 7040, 1401 and 1620 in one giant room. And ... I could spend all Friday night, from 10 at night until next morning, doing anything I wanted in that huge computer room. I wonder how my life would have changed ... if I had been able to do that seven days a week from my house, in my bedroom.
... I've also been involved with something called the Hackers Conference. And Jim Warren felt that this might be kind of interesting to have a computer person who chairs and organizes the Hacker's Conference every year to be on the Law Enforcement Panel - [understanding] that the word "hacker" in Hacker's Conference is something good, the old MIT definition, and not what is often used today.
Over the last six or nine months, I've spent a fair amount of time talking to law-enforcement people. ... It all started when I got phone calls from people. Before [John Perry] Barlow [who wrote "Crime and Puzzlement"] got questioned by the FBI, I got calls from people who had attended the Hacker's Conference [who] had been questioned. My immediate reaction was, "These [law enforcement] people don't know anything. We have to teach them."
What I have learned over the last six or nine months is - for the most part, without any exceptions that I've met - they know what they're doing. They have some problems to deal with. They're dealing with it very well. They're not stupid; they're sharp. We have to learn from them, and they have to learn from us. ... That's part of what will happen this morning.
A quick anecdote: On Sunday I had lunch with Gail Thackeray [well-known computer-crime prosecutor from Arizona]. ... We came back, and Gail was wearing a Secret Service sweater and these people, a couple of kids, ... were looking kind of strange. Gail was on the phone and I went up to one and said, "Phiber? Is that your name?" He said, "Who's asking?" I introduced myself. We'd talked a lot on the WELL, so he knew who I was, and immediately smiled and, OK. ... He said, "Is that Gail Thackeray?" I said yes, and he said, "Hmmm. You're hanging around with some strange people."
I happened to see Mitch [Kapor, co-founder of the Electronic Frontier Foundation] ... earlier this week, and [commented] about something I had talked about with Gail. He said "Yes, I know you've been talking with her a lot." So I guess it travels. But I've now become neither fish nor fowl. I have a suit on. I'm not law enforcement, but I don't have my jeans and my sandals on, so ... I'm strange right now.
We have a panel here of law enforcement from various jurisdictions from around the country. ...
First is Don Ingraham. He is the Assistant District Attorney from Alameda County [that includes Oakland, California]. He has been involved as a prosecutor in computer crimes since virtually the beginning. He is one of the prosecutors with the most experience and the - I was going to say I wouldn't use the word - but he is one of the oldest computer-crime prosecutors. ... Don, please.
INGRAHAM: ... Old as we are, we try to keep this thing going. We appreciate your turn-out this morning because we're somewhat in the position, I realize, of being a bunch of lions being thrown to the Christians. [laughter] ...
A lot of people don't realize the seriousness of computer-related crime. ... This is no laughing matter. We're dealing with some serious activity here. ...
[I have a theory]: "Cyberspace is a fine idea, but it is time to come of age. It is time to recognize your responsibilities as computer professionals, whatever that term may mean, in fulfilling the responsibility that went with your creativity."
That's kind of the pitch we're making right now. Let me talk to you a little bit about the myth of cyberspace - because I think it's pernicious, and I think it gets kind of in front of the problem.
The strength of this whole conference is that we are pulling together dissimilar people who come from dissimilar points of view. Who's missing? Well - through no fault of Jim Warren [Conference Chair], who did everything but take hostages to get them here - the missing people are the victims. Not just the banks, not just the furnishers of telecommunications - but the people who are paying the price of jacking up these costs of doing banking and doing telecommunications. Because somehow it became the idea that anything the phone company does is not only public but is a playground. We don't have to pay for it, we romp with it. This is what Cliff Stoll in his book [The Cuckoo's Egg, about tracking a computer spy, from Doubleday Publishers] refers to as sort of a "sandbox" theory of it.
And I'm here to tell you it isn't true. It hasn't been true for 20 years - which is when I got into this. It was not made true because of the PC [personal computer] - even less so now.
What we have, if cyberspace means anything, is the greatest single contribution to the creativity of the human species that has ever existed. We can be on-line with minds, with ideas, around the world.
I'm not going to rehash the overseas events of the last year or so, but it's proof positive that we're dealing with a very precious item. That precious item can be destroyed.
[For instance], we are sitting in a hotel that is where part of San Francisco Bay used to be. Seventy percent of the bay over here has been filled in, and this [hotel] is one of the things that filled it in. It may have been worth it, but nobody thought to ask the Ohlone [Indians] when they were driven out of here - they were the original inhabitants of the area. Nobody thought to ask the oysters [that] Jack London used to poach out here before this was filled in.
I'm suggesting a parallel. I'm suggesting that the development of what was regarded as a frontier - even up to, say, ten years ago - has now gotten to be regarded as a sober, serious fact of life that requires the very best you can give it. The point is that there has been an enormous growth here [in cyberspace].
Let me sketch through the growth with you real quickly. [projecting a blank with the overhead projector] This chart you're now seeing represents cyberspace, the ideal. You're not seeing anything because it's a pure ideal. It is a complete myth. It's a nice idea, but, in fact, it is not something that you can actually put your hands on. ...
Let's just talk about [this in] our country, although what we do is universal. We take this [transparency showing United States with a few lines across it] as an example of this electronic frontier. There's only a few places where 20 years ago any real crime was going on. And it wasn't even crime, because nobody cared.
We're talking about the basements of MIT. We're talking about the garages around Palo Alto [and] up in Berkeley, where people were engaged in "core wars" - were attacking each other's systems, attacking each other's logic. And out of that competition came some brilliant ideas. Wonderful ideas. You've all read [Steven] Levy's, Hackers, [Anchor Press, Doubleday] or you should have. If you haven't, read it, because it lays out how much we owe to those people.
But at least eight years ago we began to look like this. [transparency with more communications lines] All of a sudden it's not just people playing with a new technology; it's people playing with telecommunications systems and banking systems.
And the thing has grown. Now it has scaled the chart more or less. This is supposed to indicate the networks of communications and all the rest of it. [transparency showing dense matrix of lines covering the nation] The fact is, you are the country. You are industry. You are free enterprise. You are the intellectual atmosphere in which - God help us - our freedoms are going to be preserved. Not just yours and mine, but those of our children and those of people who haven't the faintest idea what the hell I'm talking about.
I'm talking about the bulk of the people in this country who were not given the option of subjecting their property and their privacy to a technology that has built in the security of a sieve. I'm talking about the hundreds of widows and orphans, the hundreds of small-business people, that are - like it or not - willy-nilly dragged into the Information Age. No one ever asked me to put my accounts on a computer, but they are there by necessity. And that's the third class that isn't here at the meeting: the potential victims who don't even know they're about to be victims.
And this is what we've gotten into on the frontier area. And that's where "the frontier" is a fallacy.
The law was doing work here a long time before we got into any kind of a "frontier design." And we're a parallel, because the law moves by analogy to what was identified back in 1834 as a problem - which, amazingly to me, ties into everything we've talked about so far.
A fellow named Theodore Sedgewick, who was a writer up in New York, arguing in "The General System of Improvement" [New York Evening Post, 1834], identified the ferries, the canals, the railroads and the turnpikes, and worried about controlling them. [He] came down to the conclusion that [they had] an absolute power over the property of their poorer neighbors [who] they could harass and dispossess at their pleasure under the pretext of making roads and cutting canals through their lands. Is that any different [than] the risk we've opened up? I don't think so. I think it's significant.
I know that yesterday you heard Marc Rotenberg talking about the need for people to agree to vulnerability. It has not been done in this area, and it's too late, regardless of what Ms. [Janlori] Goldman [ACLU Privacy Project] says, to get retroactive on this. We are committed by your efforts and those of your colleagues to providing the same protections [that] the Constitution established 200 years ago in a world of much more risk.
So where do we turn when we've got a problem on the frontier - of any kind of activity that might risk people's rights? First of all, it's a settled frontier. There are people all over the place. There are laws in place, and the only place to turn at that point is to reliable informants. [cassette tape-recorder plays music that sounds like the Cavalry is coming] What we had to do was to move into an atmosphere where we have a high-tech crime unit. [music swells to conclusion; applause]
... We have to have some [duly] constituted law enforcement to which to turn. You don't want law enforcement? Fine, take 'em [criminals] up on the loading dock and break their knees. That's vigilante tactics and we don't condone that in this country. This is a government of laws.
What we set up was a high-tech crime unit, and we kind of spread this idea. This is just in my [county district attorney's] office, because we had to do something, and we weren't trained for it. [projects high-tech investigator badge] This symbol ... basically indicates that within the constraints of law enforcement, ... we have a rule against chiseling; a rule against hacking - which should be chopping, but this is an old sketch - a rule against general screwing around; and, if you know anything at all about the rules of heraldry, [the lightning bolt means] illegal, ... the bastard line. This is the "bar sinister," and you'll notice it's an electronic contact going through the computer.
The point was that if we could organize and deliver on the laws that existed, then we could do something about it. And when somebody is victimized, we could come to their rescue. That was the whole theory. We're not entirely there yet, but as you can see there are developments going that way.
Let me just put up the Fourth Amendment - because it's decorative, and something everybody ought to memorize anyway - and I'll ... talk about what this means in actual application. [displays text of Fourth Amendment]
What this [Fourth Amendment] means in actual application is that we didn't need specific computer crime laws to deal with the problems of this technology. I argue with people on that, but I stand by it. Because we're not dealing with any evil that was created in MIT or Palo Alto. We're dealing with evil that existed back when Pascal was on Pablum. We are dealing with an evil because people commit crimes against one another. They steal. They use things that aren't theirs. One of the basic texts in this area probably is, All I Really Need to Know, I Learned in Kindergarten [by Robert Fulghum, (hardback) Random House ISBN 0394571029, $18.95; (paperback) Ivy Books ISBN 080410526X, $5.95 - ed.]. It's got points like, "Keep your hands to yourself. If you can't behave, leave the playground."
[That] basically is all we are trying to do with these laws: Don't be a bully. And that is the area [where] the law has [impact]. Interestingly to me, there has still been resistance to this - not a sense of people coming in and saying, "This is a law we could live with, but this is the risk." [Instead, many seem to prefer] no law at all. Way back when Jim Warren was running Dr. Dobb's Journal [Editor, 1975-1977] - and many people think it was better then, but this is not the place to go into that - I got into correspondence [with a computer person], and I got nasty letters, ... basically saying, "Butt out. We don't need more lawyers. You people stink. You can't run the law very well. What are you doing here?" Now, I'm not denying any of that. [laughter]
I'm simply saying that the way we solve our problems is - we deal with them in a legal fashion.
... I'm going to read you something that was written in 1902 by the President of the Philadelphia & Reading Railroad, George Bayer. He'd gotten a letter from one of the workers saying, "Why don't you people that have the wealth do something for the downtrodden; do something for the victims?"
He replied, "The rights and privileges of the laboring man will be protected and cared for not by the labor agitators but by the Christian men to whom God in his infinite wisdom has given control of the property interests of the country and upon whom the successful management of which so much depends." That letter probably had as much [as anything] to do with getting the union movement going strong. ... But, let me ... ask you something that's a little bit rude: Does any of that sound like something, in more straightened phrasing, that you might be saying? That, "Don't worry about it. We're not going to try to come up with standards [of behavior]. We'll let someone else worry about it, but we don't need standards."
In all honesty, in all humility, and all gratitude for being here, some of what I hear sounds like that's what's being said. I think it sounds [to a] third party just like poor George, whose only place in history is to write a damn-fool letter showing no logic at all.
Now, we do have laws. In 48 states and in the federal system, we have specific laws. Why do we do that, if we didn't need them? Nobody writes a law to equip a prosecutor. People write laws to let the public know what the rules are.
If we never had another rape, if we never had another murder I don't know a D.A. or a prosecutor or police officer anywhere that wouldn't be grateful. Or a community. But our Constitution says we can't [just say], "Don't do bad things. Behave yourself." Kindergarten rules. We have to lay out with specificity what the rules are. California, for example, [is] one of the few states that actually has a [statute about computer] viruses. It's called a "computer contaminant" - which I think is a neat phrase for it. ...
... The reality [is] that enforcing the law means sometimes innocent people will suffer. The question is, "Will they suffer more if there was no law?" We [prosecutors and law-enforcement officers] don't write the laws. In fact in this state it's very hard for a prosecutor to write a law. But we do have to enforce 'em. The way to keep innocent people from suffering - ... as is alleged now in lawsuits [such] as Mr. Steve Jackson's - is to establish standards so that there is no reason to seize everything he's got. Is that chilling the First Amendment exercise? That's a very major concern.
Yes! [There's] no question that the free exercise of expression is going to be chilled if the possibility of prosecution exists. But the founding fathers were not ignorant of that, nor is anyone else.
Of course being able to sue for libel [and] being able to control the flow of stolen material is part of what the whole Constitution is about. The expression of ideas under the First Amendment [and] the privacy under the Fourth Amendment [and] all the other rights that exist and are important are tempered with the overriding concern about delivering on the promise to provide to the citizens of this country a fair legal system.
The justice system is preoccupied. We don't have the resources to do the job any of us would like in this [computer crime] area. We have murderers, rapists, cheats, televangelists, drug dealers, a lot of other people vying for our attention. And we give them our attention as best we can.
I submit that - ... [and I] am somewhat self-conscious about doing this - you've got to get over the idea that we [in law enforcement] are the foe. That we are somehow sneaking around at night; [sneaking] in on you; not letting you know what's going on. What we do, we do as openly as we can [within the legal system].
But the basic responsibility for resolving these legal problems - the concerns that brought so many of you here - is, I reiterate, on you. If you don't set the standards; if you don't establish the ethics; if you don't come up with the rules that are to be applied - but limit your activity to fighting us - that's [something we can live with].
Courtrooms are where we thrive. We do pretty good in there. If you get on the other side and participate in the writing of the laws - with an understanding of where the laws are going to take us - it's a better idea.
I would suggest to you that Computer Professionals for Social Responsibility is an important organization, but I think this can be misread. Society does not have a responsibility toward you. The government does, but society does not. [Society doesn't] owe you anything, except a controlled government of the same standing. I hope ... [that you have as much] concern for getting some Sociable Professionals for Responsible Computing. If and when you do that, we'll be able to talk effectively and do something about this, rather than burn court time doing it.
One closing note, because it came up in this week's ComputerWorld, which I bagged a copy of last night when I went to my office. You probably are all as concerned and shocked and horrified as I was by what went down in Los Angeles with Mr. King, stomped and beaten [by Los Angeles police officers, and videotaped]. One of the interesting issues that's come up on it is that some of the strong evidence [against the officers] ... was apparently picked up from a computer. It was an electronic message directed [through] a computer to another officer in the same department. And right away, the investigative light has got to light up: Is this a violation of the Electronic Communications Privacy Act - to seize [that incriminating message] without a warrant?
Keep in mind, when we write laws to restrain things we are also restraining the ability to control the bad guys. That takes expertise. That is for you to do, I think: To apply the standards, to develop some criteria, maybe to give us a hand in doing the investigations - and I've met several people here, of whom Glenn is certainly one, that I'm going to be turning to in the future. Because I now know them, [I can seek their help] when we have to screen a case. I don't know your friends as well as you do. We do have to be able to screen these things.
... The rules are going to be made and enforced; that's an inevitable. We're going to be going to the courts to do it. We're going to the legislatures to do it, because the people want it. The democratically elected legislature says they will do it. If the ethical standards are not established [by you] under which we draw the line between legitimate experimentation and [phone and computer] "phreaking" - [breaking] into someone else's system - then they are going to be drawn by people who don't know what they're doing as well as you do.
If you don't do it, who will? If you don't do it now, when are you going to get around to it? Thank you. [applause]
TENNEY: Thank you. ... Moving from the West Coast towards the wonderful Midwest, Robert Snyder is a detective with the Columbus, Ohio, Police Department Organized Crime Bureau. I notice his badge, I think, says "Public Safety Department." These euphemisms are strange.
He is an investigator who has been involved with computer crime for about eight years now - which makes him also one of the oldest, although I think we're about the same age, so I'm worried about saying that. Bob, please.
SNYDER: Thank you. I think that's a tough act to follow, Don.
What I am, and what I'm up here for, is I am probably your worst nightmare: I'm the cop on the street, [but], contrary to popular belief, I do not want to go out and confiscate your OS/2 IBM. I want your Cray YMP. [laughter] I need a trophy for my desk. I need something that will sit there and I can say, "Look what I did in 20 years of investigations." And I think a Cray would be a nice trophy. Just a little. I also want to be able to analyze and go through everything in it. It may take years, but that's job security.
[Speaking seriously,] what I want to do is give you a different perspective - from our side in law enforcement - how we actually get computer crimes and how we take 'em forward.
The first thing that comes to me ... [are victims] the first time they have somebody break into their system, or something happens to their system. Not one time did I hear anybody mention prosecution.
[Only later do other questions come up]: What happens when you finally decide that you want to prosecute a case? What happens when you finally decide somebody's broken in and done enough serious harm that you need to prosecute the case? Everybody had solutions [for] shutting the door.
Our problem in law enforcement is you're destroying what we need [evidence] - according to the law - to be able to do that [prosecution]. So sometimes we go in ... and try to find information [however] we can. ... I think we do have ... a new frontier; law enforcement has.
We have a problem in law enforcement. Everybody [in each jurisdiction] had to set their own standards. ... There are guidelines we go by [in Ohio], but Don [also] developed standards on the West Coast. I had nobody to turn to in the Midwest. When somebody came to me with this type of high-technology crime, I had to develop my own standards.
Are we doing things differently? We're still operating within the guidelines and the rules that are set down by our laws, but are they the correct ones? And when we go out to the victim, we can only rely on the victim, a lot of times. I [often] have to take ... as gospel what the victim tells me.
I don't know anything about [your] computers when I first go out there on the scene. I have to rely on you. If you tell me the wrong information, I still have to rely on it sometimes. It's kind of good faith that we go by. But if you have been abused, how do we handle it? We break it down. Hardware - what is a piece of hardware? First of all, you have to tell me what an IBM 370 is. Or a VAX, or an old PDP-11. I have to know what those things are. I even have to know what an IBM PC is.
When I go out and I kick in a door, and I say, "You're under arrest," the guy says, "Who me?"
I say, "No, not you. Your computer; I need it [for evidence]." I say, "I want everything out of that computer system." And he says, "Sure, let me help you." I say, "OK, how do I do it?" He says, "Here, it's a PC. Type in FORMAT C:" [laughter]
[I say], "Thank you," and I type it in, and ask, "What's it doing?," and he says, "Oh, it's giving you the information you need." [The "FORMAT C:" command erases all data on disk C, often the main storage disk - where incriminating evidence would most likely be stored. -JW]
It's happened! Policemen have done it to each other. Believe me. In fact, they did it as a joke, and the guy didn't have his system backed up. He was not too happy about it. One policeman says, "How do I look at this guy's computer system?" [Answer]: "You type in FORMAT." So, he did it, and the guy that actually owned the system is going, "What is he doing?" He says, "I think he made a mistake. I told him to format your hard drive."
Software: That's our big problem area. What is software? Intellectual property. I can't get into that. That's our big fight. Does this property - does this piece of software - belong to who you say it belongs to?
And telecommunications - our biggest headache. Because we can have a suspect anywhere in the world entering through a computer and getting into another computer anywhere else in the world. Who's the victim? Who's the suspect? Where are they at the time? I'm just a local policeman. Is it out of my jurisdiction? Did he actually get in? What is the intent when somebody gets into a computer system?
These are all things that I have to look at when I go out there. "What happened to your system?" "He just got in and he nosed around a little bit." Fine. What's that mean? Did he do any harm to your computer system? According to you, yes [and] I have to listen to you. [Are you] telling me the correct information? I have to corroborate it later, but do I have time to do that ...? That's a problem area we're getting into. When I go out on the investigation, I have certain requirements that I've got to go by. And I have to go a lot by what the victim tells me.
Also, I have to go back [to you, as] a victim, and say, "I need this evidence." Somebody breaks into your computer system and they leave a ".D" file on your UNIX operating system - you tell me that.
I say, "Fine. What is it?" I have no idea. You have to be able to save it. And you say, "I didn't save it. I got rid of it. I closed the door and nobody's in here [in my computer]. But I want you to prosecute this case."
Actually you just destroyed evidence that I need. And there, you've got a victim. And I'm not talking about victims that are sitting here that have $500-million budgets a year. I'm talking about mom-and-pop companies that operate on $100,000 a year - or $500,000 a year - who have had a $20,000 intrusion that is going to bankrupt 'em. I, as local [criminal investigator], have to take that aspect of it.
... If you've got a multi-billion-dollar computer system [federal agents] are going to take [the case] because it affects big people. But on a local level we have to look at the little guy and we have to worry about mom-and-pop companies out here running computer systems.
[Another] problem area we've gotten into with high technology is the links. The weak link in all this network is mom-and-pop. When you've got a small company that puts in a telecommunications PBX system, the company sells them [the] PBX system. [Maybe there's] voice-mail capability on it, but they don't tell the [buyer], ... or if they do the company has no idea what it is.
Then all of a sudden somebody breaks into their system and they have $25,000 worth of phone bills. Because somebody got in, took over their voice-mail system and spread it all over the U.S. Then they come to me and say, "Who's getting into my system? How can they [get in]?" And I say, "Do you have voice-mail capabilities?" And they say - this is the victim - they say, "What is that?"
Does a policeman have to tell a victim what he's got on his system? Or do I even know?
Also a problem I have in Ohio - not that I mind it a whole lot - [is that] somebody in another jurisdiction calls me and says, "Bob, I have a computer-system problem. Can you come over and help me? We've got a suspect. Will you help me go look at a computer system from a suspect? We think he's breaking into this system. This is what we've got."
[It's] a big grey area and a problem area. The Secret Service in Los Angeles may not take [such] a case, or the FBI may not take [it], unless it's [over] a million dollars in fraud. But somebody has got to do the mom-and-pop companies out there. So we've got to handle it.
Education of law enforcement: Nobody has bothered to go out there and say, "Law enforcement, this is what you need. This is the way the electronic frontier operates." [Instead], we had to set our own standards a lot of the time. People like me - people like Don, even Dale [Boll of] the Secret Service - had to set up [our] own standards as we go along, because the industry hasn't told us anything. And we have fast-moving technology. I bought an Apple IIe computer back in 1981. State-of-the-art, right? Boy, am I behind times now. And that is a short period of time.
Law enforcement moves real slow; slower than everybody expects. But we need education and we need an interaction [with you computer professionals]. We need to find some way to educate the victim to say [for instance, to a PBX salesperson], "Does telecommunications that you've put into your system talk to MIS? Do they talk to the auditors in the company?"
And, when I call up a major corporation and I say, "I need security," do you know who they give me? The gate guard. I say, "I understand you have an intrusion in your system." "Excuse me? I can't help you officer, I'm sorry." Who do I talk to? ... [Also], my problem is within the corporate structure. We have a little in-fighting - the same way you do - in law enforcement, between bureaus and between detectives trying to fight crimes.
Who is actually in charge of a computer intrusion? What did they do when they got in the system? Did they steal secrets out of your system? Was there a crime? Is there not a crime?
Evidence analysis: That's [my] worst nightmare [as a criminal investigator]. How do you hold a computer [long enough] to give you the information you want? I need everything on these disks. How long does it take me as an individual to go through evidence on that computer system? Can I take the time? Do I lock up your computer for six months (because you have a mainframe computer system) and go through everything? Do I pull those big platters out of there and then go to one of you people and say, "Can you read everything on here and give me information off of it?" If I take the platter from somebody's mainframe computer, who do I go to? Do I have to go to a similar computer system? ... Is it a competitor? And if I put it on that competitor's computer to read it, am I liable because there may be proprietary information on there that now the competitor has?
Is there a standard? If I go in and we have evidence of crime on a VAX-8500, where do I go to read the information? Am I able to grab that mini-system? Do I take it down to police headquarters and stick it in the Property Room and leave it there for six months until we go to trial - [where] everybody's bringing their big stereo systems in at the same time? The big stereos have big 20-ounce magnets on the back of them. [In the Property Room], they're layin' everything on top of each other. Then I [finally] get to court, ... and they say, "Bring the system up. Let's run this system. There's nothing on here." Or, "Boy, is there garbage on here." Have I destroyed any evidence?
What I look at when I go out on these crimes is, can I seize part of that computer system? What am I going to do when I get out there?
[Another thing]: I may be atypical but, being in the field a long time, everything is kind of subjective when I get out on the road. When we originally came out of the police academy, they said, "You write your ticket before you walk up to the guy's car. When you approach the person, you ought to write the ticket. That way, [even] if they're a real jerk, you've already decided you're going to give them a warning, [and] you'll still do it." I could never operate that way. I always walked up to the car and, if the guy was real nice to me, I'd give him a warning. If he was a real jerk, he got a ticket. I took the opposite approach - the same thing I do with computer systems.
[For instance, with a search warrant, maybe] the judge gives me the right to take all computer hardware, software and disks out of a house. I went into one the other day and I looked at two computer systems. My goal was not to shut down the entire system. I could take everything out of that house I wanted, but dad was running his business on an Apple Mac. The kid had his IIc+ in his room. He was locked onto a system at the time, ... running through his modem, and he had his hacking program going.
Technically by my warrant - because I didn't know what was in the house at the time [it was requested from the judge] - I had a right to take dad's computer. But I didn't, because I didn't want to be over-broad and hurt the rest of law enforcement. But if you've got a policeman that doesn't know, or you've got somebody that is not [computer]-literate enough, he's gonna grab everything in that house. Because he just doesn't know at the time.
You bring it back to headquarters and you analyze it. If we have to do that, then what we've got to do - as quickly and expeditiously as possible - is go through both [computers for possible] evidence.
There are rules in place that [allow you to] come back and say, "You're ruining my business." So what we try to do is say, "We're looking through the disk as fast as possible. This is proprietary information. It's a program you bought. Here, you can have it back. Yes, we realize we're doing quick directories on it. We don't think there's any evidence in there. Yes, it doesn't look like there's anything we need. Here, it's yours back."
Our problem is, how much time do we need to go through all the disks? How much time do we need to go through all the evidence? What are we actually looking for? It depends on the victim. [Perhaps] the victim gives very sparse information, but enough probable cause. (That's one thing that I think the general public doesn't realize. We still come under probable-cause constraints with the law. We still have to operate within guidelines.)
We can't go out there and grab somebody's computers, wholesale. We still have to operate within ... guidelines. We still need victim cooperation. Right or wrong, we still may need the victim to say, "Yes, that is my computer program. Yes, he did steal the program. And yes, he's using it." ...
[Discovering unexpected but suspicious software during a search is another problem.] Are we liable, or are we not? When I confiscate a computer system, [what] if the suspect has pirated software as such - or it appears to law enforcement to be pirated software? He's got a copy of Lotus 1-2-3 on his system; he's got a copy of Borland on his system. Do I give that copy back to him, not knowing whether he has the original or not?
Glenn [Tenney] and I have talked about this a lot. What we're afraid of in law enforcement is: I give him back a copy of Lotus 1-2-3 and he [distributes] it to everybody. Then, does Lotus Development have a right to come back against the police department and say, "You gave everything back to him!"
If it's a piece of software that Glenn wrote, and I give back that software that was pirated and was illegal, he may not be able to prove it. But is there any liability on my part for giving information back or giving a proprietary program back that now gets back on the market? Am I facilitating another crime? That's something that Don has never told me either, across the country. He's the attorney.
And I think my time's up. I had a lot more to get into. But I think my colleague from New York will probably cover the same points that I do. Thank you. [applause]
TENNEY: I didn't say that we agreed every time we discussed things, but we did discuss these things. You've heard Bob talk, and he's a local police officer. But he covers most of the state because he's the only one there who understands it.
The next speaker's job is to cover the whole state. Don Delaney is a senior investigator in the New York State Police Major Case Squad. ... He's only got a little less than a year's experience with computer crime but he seems to be learning fast and he has a lot to say. Don?
DELANEY: Thank you, Glenn. I do not want a Cray. What I'd like is a laptop 386 that would fit on my desk nicely. However, one of the things that we've discussed is - budgetary constraints being what they are across the country - funding for the education of the police officers and purchasing equipment for police departments to do their job in the review of the evidence is just not there.
I still have not been to a computer school. And I'm the only person doing the computer investigations on a state level in New York.
We do most of our investigations in the New York City metropolitan area because my office is out on Long Island. However, during the past ten months, we've done 22 search warrants of our own. We did make arrests in four cases where the warrants were actually executed by the Secret Service, but the cases more properly [were] prosecuted by a local prosecutor, because the jurisdiction - [it] was the telephone company - was in the New York City metropolitan area and so was the computer criminal. All of the other cases were from state to state.
I want to read to you a brief thing that I prepared. It's not policy. I'm a low-ranking member of the New York State Police. I can't establish policy. These are just feelings as a citizen.
Law enforcement has the obligation to not only enforce computer-crime law but also to engage in computer-crime prevention.
The enforcement should be done intelligently to protect an individual's rights. The enforcement should be swift. It is far better to attempt to have the evidence on an individual at the time of the search-warrant execution, so that an arrest can be made at that time. Examination of the evidence should follow as soon after as possible. This permits the prosecution to have the facts and to make sound plea offers.
Computer-crime prevention can be aided by a three-way approach:
First in education: Computer courses should include information on computer-crime law and the potential consequences for violations.
Second, in proper staffing and education of police departments: The computer-crime squad should have sufficient people to properly investigate the reported crimes. This then sends the message to others that ... enforcement will be certain.
Third, good press relations: A good working relationship with the news media often causes the arrest and investigations to receive greater coverage. Proper coverage successfully scares off some of the computer criminals and [deters] others from engaging in this type of crime. Our experience in the New York metropolitan area in the area of the posting of credit-card numbers and telephone PIN numbers [Personal Identification Number] is that [publicity has] reduced it over 95 percent in ten months. ... Now to the body of what I wanted to speak about.
In 1985, my home was burglarized - in a nice area on Long Island. ... My wife was naturally very upset. [We] went through the house and found that most of the valuable things we owned were gone. ... All boxes with all of her jewelry that I'd purchased over the years were laying empty on the floor.
There was a feeling of violation. In Cliff Stoll's book, The Cuckoo's Egg, he also says the same thing when he'd discovered that somebody'd entered his computer and he felt this personal sense of violation. It's an intangible, but I know what it is, and I see this in the people that come to me with complaints about their computer systems being hacked or cracked into. Whether or not there's any major loss, the violation is something that they feel very upset about.
[Consider] the case of IDG - since Don mentioned ComputerWorld magazine [published by IDG] - which was one of the victims this past year that we handled. IDG, International Data Group, lost a million and a half dollars because two children using a ... push-button phone got into their voice-mailbox system and caused the entire thing to go down for an extended period of time, where they lost the revenue from their advertisers - which I think was a shame.
There are people who lose money at the hands of people that are cracking, in addition to the telecommunications companies.
The first case that I got involved with was when American Saw called me from Massachusetts and asked me if I would take a computer-crime case. Never having done one nor been trained in it, I had to go to my captain and ask him if I could. It sounded like it was workable. The subject that they thought was doing the hacking into their mainframe UNIX system was from the 516 area code, Long Island. I got permission and we developed the investigation, executed a search warrant at the [suspect's] house and arrested him.
After that, with a review of the evidence, I got a tremendous education. He had notebooks that were filled with files of PBXs for free telephone calls; the ports on Internet and MILnet; the computer banks with code words; passwords at NASA, with TRW, CBI, TransUnion - ways to get into all of these systems, with the account numbers and passwords.
I had to bring in experts from a lot of different companies to tell me what I had in the evidence. What we saw was that this was just one person with the ability to commit so much fraud it was incredible.
Also contained in his books was a list of other people with their home addresses, their names, their code names, their real names - listed under one page called "The Legion of Doom." Another page listed the "Mod Group" from New York.
Also contained therein were copies of paychecks and the names of the executives of New York Telephone Company - that came, as I found out later, from dumpster-diving and [from] the people that belonged to a group in New York City that attended a meeting on the first Friday of every month known as the "2600 meetings" [named for the 2600 magazine on computer-vulnerability areas]. This individual was working together with several other people and they each had their own responsibility.
When they returned the following month they were supposed to bring back certain things. One person was supposed to bring back codes that he got from dumpster-diving. Another was supposed to bring back telephone numbers - 950 numbers that he'd hacked out. Or the people would bring back 540 numbers. Another [thing they wanted] was they needed ports on Internet or MILnet [and] telephone numbers of mainframes in different areas that were on 800 numbers they could hack into.
This was just overwhelming for my first case, just trying to understand what all this meant. And naturally some of the people who haven't dealt with the law-enforcement community think that we all have horns on. ... Anyway, AT&T was involved with me on that particular case.
The next time they got a call that there was a case involving people committing computer crime in the New York metropolitan area, [they] volunteered my name to the City University out in Bellevue, Washington [across the nation]. And told me that all of the computer crackers in that metropolitan area were going to be arrested based on this up-and-coming case they were going to generously give me.
As it turned out, we were able to establish that 17 people in the New York City metropolitan area in seven different counties were involved in [using] an 800 number [to enter] the City University's computer, wherein a person, who most of the people in this room know as Zod, established a bulletin board.
Zod is also the one that's thought to have created a bulletin board in the Secretary of the Air Force's computer in the Pentagon. And he's had many incursions into other computers. He has had a search warrant executed for a subsidiary of General Motors [to which] he did many thousands of dollars worth of telephone fraud through their PBX. And [he is] rather a malicious young man - of all of the people that I've met so far the most malicious.
We executed 17 search warrants. We arrested that day 13; later two more [who] weren't home that day. The other two cases we had to drop because they engaged attorneys and we weren't able to speak to them. However, what we discovered in doing these 17 search warrants was that each of the 15 people that we arrested - in a review of their evidence - was also involved in other computer crime.
So when you're charging somebody - ... keep in your mind we, the police officers, are charging somebody with one particular computer crime - we'll seek one indictment. When the evidence is so voluminous that it would take months to go through it, [a single charge] is a matter of necessity in some cases - because you can then get a quick plea bargain, which is what you're going to get anyway with a first-time offender.
Generally, whether the computer cracker is a juvenile or a young adult - and we've had them up to the age of 32 - the district attorney does not want to see that you want 400 indictments for 400 incursions into an AT&T switch. What he wants to say is, "We'll plead him; charge him with two felonies; [and] let him plead guilty to a misdemeanor." This way, if he should do it ever again, we'll treat it more seriously. We know that that's the way it's treated, at least in the New York metropolitan area. So we seek to charge lightly and let them take their plea.
Should they plead not guilty to the charge ... we will go back to the grand jury, as we are about to do in April with one individual who has previously been convicted of computer crimes and will be going to jail - in my estimation.
While executing one of the search warrants at the home of Zod - and as Bob said when he executed a warrant - they didn't take a computer. In the case of Zod, when we [searched] his house, his father was also running a business. We took the time to have the expert that we brought with us review the hard drive. He looked around, saw that there were nothing but business applications in the computer, and we did not take that computer with us. ... But we did take all of Zod's equipment, and naturally therein is located evidence of many other crimes.
While we were sitting there, I was explaining to the father what "carding" is. He asked me - because I was talking to his son about being engaged in credit-card fraud by stealing credit-card numbers from TRW or CBI (your credit information, you, the victims) and then using that to purchase equipment - and the father said, "Gee, that sounds like that could have happened here."
And Zod was saying, "No, dad, I've never been involved in that." [His father said,] "Well, I've been asking you for weeks where that monitor - that NEC MultiSync that's sitting in the living room in a box - came from and you keep telling me you don't know." Naturally it was sent to the father, who never ordered it, and naturally it was obtained through carding. As I say, most of these people are engaged in crimes other than what you're seeing them charged with.
Of those 17 search warrants, we executed a search warrant at the home of a Russian national, who is now under investigation for espionage because of the evidence that we located in his house. There was evidence of obtaining information - that was not released to the public - in both the Pentagon and the White House. I think that that's pretty serious.
We're not talking in terms of what happened in The Cuckoo's Egg, but I still think it's a matter of serious nature when we have kids that are hacking - and teaching other kids to hack into, or crack - into computers so that they can steal information at the national level. I think that's scary. And, yes, the government should tighten up.
But I wanted to get into one thing, ... and that's the number of computer criminals that I've run into executing other warrants, [where the suspects] are doing this for profit. Call-selling out of cars with cellular phones was a big thing until an algorithm was put into the system to knock them off-line. The same people went big time into application fraud, then [we started] getting these call-selling operations, where most of the numbers were going out of country - to Colombia, aiding narcotics cartels; into the Dominican Republic, Venezuela, several other countries.
The same numbers were being dialed by the people that were into the application fraud. At the end of three months, when the phone company gets around to turning off the phone, when they realize that it was a fraudulent application, there may have been $60,000 to $100,000 worth of telephone calls through that phone.
We hit an apartment recently where, [by] going through PBXs, he was providing telephone service for people outside of the country. The people in the neighborhood were lined up at the door after we executed the search warrant. In fact, one of them brought in a telephone, a cellular phone with a tumbled ESN in it, which is ... made in Italy, [an] illegal access device. [A "tumbled Electronic Serial Number" prevents a telephone company from billing the user of the cellular phone, thus enabling the person to sell lengthy long-distance calls for a low fee. -JT]
In the apartment he had three "computer accountants," basically a DNR [Dial Number Recorder], which recorded all of the telephone numbers that were being dialed out [and] the duration of the call so that he could keep track of his business. But also in his house was a set - just like a business - of the goals for the company and how much he was supposed to make this month, and next month, and each month on. [It] was not written by him. He is part of a bigger scam that is ongoing in the New York metropolitan area, and we are looking to do something within the near future. We also, within a week of the execution of that search warrant, executed another one.
In addition, I should mention that almost all of these things that we were doing, we were doing with the Secret Service. The Secret Service agency in New York City calls me and my subordinates in the state police when they do their investigations, and we call them in when we do ours. It's a matter of necessity because of manpower shortages.
[Here's] one I thought was rather ingenious, another entrepreneur crime in the computer field. He used his computer with a sequential-dial-out program at night to dial out approximately 8,000 numbers per night into blocs of numbers that are beepers. At night, when your beeper goes off and you look down and see 540-XXXX, you say, "I don't know who that is, but I'd better call if they're calling this late at night." And so you dial the number.
At the end of the month you get billed by the telephone company $55 dollars for that phone call. In the month of February, this genius was able to rack up $91,000 in collectibles from the New York Telephone Company. He did not receive the money; they did not deliver the check.
But he is not the only person doing this. There was literature and evidence in his apartment that other people are doing this, because the directions were there for how to do this. And how to ... make the telephone company give this service to him. The narcotics networks in the New York area, and I know in the L.A. area, are using telecommunications fraud big-time for their operations - to prevent the police from doing wiretaps on their operations.
This is a very sad thing because if we can't track down narcotics criminals it's going to get worse. This is as a result of the technology that's out there today. I would like to have in the future a couple of things. ...
First: The people that are losing as a result of computer crime are the companies with the PBXs, which are now being hardest hit. In fact, I got a call last week from California, a microchip company, who's been banged. They just paid a $60,000 bill for fraudulent telephone calls that went through their PBX. The software company's software is being duplicated, replicated as fast as it hits the market by people in Paradox Organization and distributed around the world.
Who loses besides the corporations? Their employees and their families. They lose their jobs, and their businesses go out of business. The phone companies: $500 million last year. The children that are subjected to increased drugs in their neighborhoods because of the telecommunications glitch that we have that we can't track down the narcotics networks that are operating - because they are doing it with free telephone service which is untraceable over cellular phones. Pure development of equipment would help.
The affidavit preparation by the corporations: I would like to suggest that, if you ever are the victim, you engage your attorneys in the writing of the affidavits. It would make the police department's jobs a hell of a lot easier.
Interagency cooperation: I recommend, for any of the law-enforcement agencies that are here, [cooperation] is a godsend. Without it, you'll find that you can't operate.
Education: All computer courses in the United States on a grammar-school, high-school [and] college level should make mandatory the education about the laws that exist and the penalties for computer crime. Many of the people that [we] arrest in this field don't have any idea what's going on. But they should. And somebody should take the bull by the horns and educate them.
Staffing and the budgets of police departments is grossly lacking. Somebody should be lobbying to see that the police department is able to do its job.
And press relations: Thank God for the press relations we've had because I think that it's been significantly helpful in the past year. Thank you very much. [applause]
TENNEY: Don, thank you. ...
We've covered some local jurisdictions [and] statewide. I think you see some similarities and some differences in the problems and procedures.
But now, progressing to the federal level, Dale Boll is the Deputy Director of the Fraud Division of the U.S. Secret Service. I'm very glad he was able to be here this morning. ... Dale, please.
BOLL: Well, thank you, Glenn. I was a little concerned last night. I was in my room about 9 o'clock and up until around 10 o'clock I kept getting phone calls from people involved with this organization saying, "Gee, I can't believe you're here." So, needless to say, around 10 o'clock, I started calling up the airlines to see if there were any flights out of town. [laughter] But unfortunately they were all booked.
I have two pieces of bad news for you. The first one is that [Secret Service] Director Simpson was asked to come to this conference but unfortunately, because he had a ... conflict, he couldn't. The second piece of bad news is that I could. [laughter]
Anyway, about the Secret Service: We're a 125-year-old law-enforcement agency and we're best known for our protection [of public figures]. But in fact our history involves financial crimes.
We were founded in 1865 because of counterfeiting problems in the country. In 1984, Congress passed the Comprehensive Crime Control Act. This involved three laws. One was against false identification. The second one was for access-device fraud. The third one was computer fraud.
These laws were given to the Secret Service and FBI to investigate. It was a natural for our agency 'cause they involve financial issues. 18 USC [United States Code] Section 1029 is the one that deals with access-device fraud and abuse and 18 USC Section 1030 is the one that deals with computer fraud.
As I said, we share these with the FBI. We didn't want to be duplicating efforts, so we got together with the FBI and wrote up a memorandum of understanding as to what they will do and what we will do. Generally, the FBI is going to continue to investigate cases they have historically, like organized crime, terrorists, high government officials, high banking officials. And we have the rest.
Since 1985, using 1029, the access-device fraud law, and computer fraud law, we've made 10,000 arrests - since 1985.
Now I put both of those laws together. I don't mean to scare you that we've arrested thousands of computer people - 99.99 percent of these arrests are access-device fraud. [The] Access-Device Fraud Law is a very broad law. When they started to pass this law, they were going to call it the "Credit-Card Fraud Law." Somebody said, "Well, that's kind of a narrow restriction. Let's make it access devices, and that'll make it broader." The reason it's broader is that an access device can be the credit card, credit-card account number, your ATM card, your PIN number for your ATM card, your personal-identifying number, passwords for computers, log-on sequences, long-distance telephone-access codes, and so forth.
We even had one case in Las Vegas involving several million dollars of fraud where they deemed the frequent-flier membership number you have with the airlines as an access device. It entitles you to get access to services.
Now what constitutes a violation of access-device fraud? For one thing, it's illegal to merely possess fifteen unauthorized access devices. It's illegal to use one unauthorized access device to obtain a thousand dollars over a one-year period, and it's illegal to possess one counterfeit access device. In fact, the court - I think it was the Ninth Circuit here in California - just ruled that if you use a fraudulent application to obtain what in essence is a genuine credit card, it is in reality a counterfeit device and therefore, ... if you just had one of these that you obtain from a fraudulent application, you would be liable to be arrested.
Many of our so-called computer arrests are actually access-device fraud. And the reason I say so-called computer arrests is because, whenever we arrest anybody that's a computer user, the immediate thought is that there's some computer crime that he's committed and therefore he's being arrested for computer fraud. In actuality - this includes bulletin-board operators and everybody - I know of very few that have been arrested for computer fraud. Generally it's access-device fraud.
Now let me give you some examples. Computers sometimes are the tool by which a crime is committed but they are not, in fact, the crime. In Pittsburgh we arrested a man who was manufacturing counterfeit currency using a computer and a laser printer. He was arrested for counterfeiting; not for computer fraud.
In Houston, we arrested a couple of people who got into a credit bureau, obtained people's credit information, used that information to get 35 applications for loans and mortgages [and] defrauded the banking industry of $2.2 million. Again, the computer was involved but they weren't arrested for computer crime.
In New York, a man threatened to shut down a business if they did not pay him a certain sum of money - shut down their computers. We arrested that individual.
We arrested a man in Boston for manufacturing counterfeit identification using a computer, an optical scanner and a ... laser printer. In Los Angeles we arrested a man who threatened the President on a bulletin-board system. In Los Angeles, we arrested a man who was stealing stories in one news agency's computer and trying to sell them to a competitor.
In Los Angeles, we also arrested a person who had gotten into a bank's computer system, stolen 5,000 pieces of account information, got together with a group of people, and decided how they were going to defraud the bank by using cardboard to make ATM cards and just regular magnetic tape - like you get off a tape player - and encoding these mag-stripes. They did a test run - they were able to do $5,000 over a one-day period with no problem.
They planned on going over a three-day holiday, a federal holiday, to these banking systems around the country, breaking up into groups and taking in $14 million. Fortunately, because we had an informant involved, we were able to arrest everybody before they went any further. But, again, there were computers involved. The guy was a computer technician. He stole the account numbers. But in fact, they were arrested for access-device fraud.
If people steal credit-card account numbers, use those numbers to try and order merchandise from a mail-order house, use them to try to get cash advances, they're going to be treated as a criminal. The same thing if they're stealing long-distance telephone-access codes. These thefts cost these businesses a ... great deal of money. Some businesses because of the PBX fraud are losing $100,000. They suffer the loss. Many of these people cannot afford to suffer these losses.
Some of the bigger companies like AT&T are accused of being profiteering gluttons - [and] really all [computer criminals are] doing by using their service is rendering some of their profits, and they're not going to have these potential profits. Well, I don't know about AT&T but we do know of small inter-exchange carriers that have gone bankrupt because of the losses caused by hackers. One company in North Carolina went bankrupt because the hackers had gotten together, gotten their long-distance access-code numbers and defrauded the company out of enough money to cause them to go bankrupt.
The telecommunications industry has just upgraded the amount of losses they had last year. It had been $500- to $600-million. They now estimate $1.2 billion. The credit-card industry is losing $1 billion a year and that continues to rise every year. As I said, if we arrest somebody that happens to be a computer user, the media seems to focus on the fact that they're probably being arrested for computer crime.
For the vast majority of these cases, they're being arrested for white-collar fraud and that's it. Sometimes these individuals we arrest or do a search on will try and change the focus of the media away from what they did to what we did. Sometimes this has been successful, to at least divert attention for awhile. But the fact remains we're still maintaining a 96-percent conviction rate. We do have occasionally a few times where ... the people are not convicted, but 96 percent of the time they are.
We don't arrest bulletin-board operators that happen to have one credit-card account number or one long-distance telephone access code that happens to be on their bulletin-board system. We know these systems are very difficult to maintain. But [if we] do see evidence of somebody that is encouraging people to post credit-card numbers, is using these credit-card numbers, and participating, then these people are subject to investigation and possibly being arrested.
We also see evidence occasionally where people clean up their bulletin board and erase old messages, but the one section that has all the credit-card numbers, they never seem to have time to clean that up. This would also give us an indication that maybe they are involved in something.
I wanted to get into a few things today that have been of interest lately.
We wrote a response to [Congressman Don Edwards'] staff, or congressional staff, awhile back regarding the monitoring of bulletin-board systems. I can talk to you very openly about this today, because I'm the one that wrote the response. We hear in the paper that Director Simpson said this; Director Simpson said that.
When you get a large bureaucracy what happens is that somebody on a lower level writes these responses. Director Simpson doesn't even know what I wrote regarding monitoring. Here's what happened. We got this question from [Congressman Edwards'] staff [asking], "Do we monitor bulletin-board systems?" I, as a regular law-enforcement copper, look at the word "monitoring" and say, "No, we don't monitor bulletin boards. That's like we're wiretapping bulletin boards. That's ridiculous. We never have; never will."
What we have in most agencies [are] the intellectuals who came to me and said, "Well, remember the word 'monitoring.' That can be interpreted in many ways. So let's look this over. We want to be ... perfectly honest with Congress." In the meantime the FBI wrote their response, that they "never have; never will." I wanted to write "never have; never will," but we didn't.
The intellectuals convinced me that ... we have a lot of people who are computer enthusiasts in the Secret Service - I've been involved with computers for 20 years. We occasionally get on a bulletin-board system on our own time for our own recreation and enjoyment. Were we to discover something on that bulletin board, we would obviously bring it to the proper authority's attention. Are we not in fact then in essence monitoring their bulletin-board system? I think that's ludicrous, but the intellectuals and the other people felt we were.
If we get an informant - we arrest somebody [and] they become an informant - and they bring us information about a bulletin board, we will have them access the bulletin board. They're the ones that have the authorization. We don't even do that. And they can show us the information on that bulletin board - 400 credit-card numbers on that bulletin board.
Are we not again, in fact, in the simplest form of the definition of the word "monitoring," ... monitoring that bulletin-board system? I felt we weren't, but the intellectuals convinced us that we were. So we wrote our response, and we've been catching all kinds of heck ever since.
But the fact is, we do not monitor bulletin boards. In the terms you and I consider the word "monitor," we don't do it. A re-examination of the letter - I wish I had stuck to my guns and just wrote it the way I wanted to.
I know Operation Sun Devil has been of interest to people. Whether you realize it or not, I've already discussed it. If you think back [on] what I've said, I've already discussed Operation Sun Devil. The fact is, I can't discuss it openly because of the sealed affidavits and so forth. These were not the Secret Service's ideas - to seal affidavits and hide behind sealed affidavits. This is the first time it's happened.
I believe you will start seeing some indictments this week. I don't believe that everybody that was searched is going to be arrested or indicted but I think probably a good deal of them will [be]. There's been some speculation as to why it's taken us so long to review the evidence. These searches took place on May 8. We also had a big media splash.
... I don't know if you're familiar with the Secret Service. We do not have a PR department. We don't run around broadcasting every time we make an arrest, "Oh, look at us. Look at what a great job we did." You never see us hold a press conference. This was the first time in history I'd ever seen one. ... We did it for a very good reason. We used to go around, knock on people's doors and say, "Hey, Mr. and Mrs. Smith, your kid's screwing around with the telephone company. Tell him to cut it out. Thank you very much." And be gone and done with it.
But people didn't learn that way. So we wanted to get the message out to people that we are, in fact, arresting people; that there are people being convicted of computer crime and access-device fraud. And this is the first time I can recall us having a press conference.
The reason it's taken us so long to review this evidence is, unbeknownst to us when we made the seizures, we wound up having over 50,000 diskettes. I think there were probably four or five dozen hard disks. Really, the magnitude of the seizure was one problem.
The second problem is we wanted to go through it very carefully and make sure that we protected everybody's rights, reviewed everything carefully and didn't indict somebody just for the sake of indicting them. We proceeded very slowly, with caution.
The evidence review has been completed. It is being given to the prosecutors and we'll probably see some indictments starting this week [late March, 1991].
This was not a fishing expedition, as some people have called it. We are not going through all this evidence trying to find other people that we can arrest. There may be one or two spinoffs [but] I doubt even that. We call these spinoff investigations, when we arrest somebody and wind up doing another investigation because they gave us information on something else. If there is a spinoff, it will be because somebody that we arrest says, "Golly, gee willikers, I did something wrong, but there's somebody else that I know [who] did a lot worse things, and here's the information and maybe you should pursue those people, too." We may, in fact, do that. But we're not going through the evidence trying to find every person we can who ever possessed one unauthorized access device.
By the way, ... when we reviewed the evidence, one of these people had over 1,100 stolen credit-card numbers. You and I can see the right and wrong here. I have no need to have in my house 1,100 stolen credit-card numbers. The law says if you have 15 or more you're subject to a federal violation. This individual had 1,100.
Some of these reports that have been going around about [how] we responded ... when we were asked if there was a software package that we could [use to] scan [disks] and get evidence that way. We do not have any artificial-intelligence program. I don't know if there are any out there. There probably are some being developed, but our response had to deal with a program like "Gofer" [that] you're probably all familiar with - where you can search [a disk] for key words.
Our response was that, yes, we had it and, yes, it's commercially available. Anybody can buy it. There [are] all kinds of programs like Gofer. The interpretation was that we're putting Gofer to work on all this evidence searching for everything we can find so that we may be able to arrest more people. Yes, we do have Gofer. I use Gofer in my office to look for other things about budgets, congressional responses and so forth. We don't use it for evidence review. I don't know if we ever will use it for evidence review.
Eventually, I think there probably will be something developed as far as an artificial intelligence. We may take a look at it, but I can assure you right now we are not using artificial intelligence. We're not even using Gofer.
One thing I wanted to point out today if I pointed nothing else out is that a lot of these people think they are doing nothing wrong when they commit these crimes. They try and focus attention away from what they've done.
But the fact is, we have no privileged classes in the United States. If ... you commit a crime, you're going to be treated like a criminal. Don't be surprised when you commit a crime and somebody comes to your door with a search warrant. [If] you refuse to open the door and the door's kicked in and you say, "Well, gosh, gee willikers, I'm a computer user," you're going to be treated like a criminal. That's just the facts of life. That's the way it is.
The computer industry has made magnificent technological advances in the last ten years. I think the computer industry is the future for this country, this century, next century. We shouldn't be upset with the few bad apples we have out there. There's a minuscule amount of people that are involved in fraud out there. When you look at the overall picture, you should be proud that you are in the vanguard of the next century.
We are certainly open to meet and discuss issues like this with any group that wants to talk to us. In Washington, we've had some people come in recently from the Computer Professionals for Social Responsibility. They came in and met with us. We came out here for this conference because it's important, we think, to get the message out. We've given probably about 50 or 60 speeches a year. If you haven't seen us before, it's just that you've been going to different conferences than we have. But we are trying to get the message out. Thank you very much. [applause] ...
QUESTION & ANSWER PERIOD
TENNEY: ... [OK,] ask all your questions. It is possible they can't answer some based on ongoing investigations. ... Charles Wood is asking, "Given that many cases go unreported and given many cases go undetected, what's your estimate of the probability that a computer criminal will be prosecuted? Why is this so much lower - this is an assumption - than the probability of prosecution for other criminals?"...
INGRAHAM: I can jump on it because I'm the prosecutor. Odds are that a computer criminal will be prosecuted. If by ... prosecution you mean take up the time of a jury court, the difficulty is, as I pointed out before, you have rapists and murderers vying for available space. They get preferred seating. [laughter]
We are put in the position of having to "deal" a lot of these cases, to negotiate. As was pointed out by the other speakers, these cases tend to negotiate because they are not committed by violent people. I think we [on this panel] did a pretty good job of laying out that we are dealing with some violent people. A person that uses a computer to traffic drugs - which is not an unknown phenomenon, even in Oakland - is going to [be prosecuted] not because of a computer crime, but because it is the instrumentality of a crime deemed more serious.
I think the odds of prosecution are excellent, and they're no different than they are in any other kind of case.
TENNEY: [Next question:] ... "Though conviction rates are high, how are detection rates?"
BOLL: That's a tough question. There's nobody who really knows how much computer fraud there is out there. The estimates I've heard are $3 to $5 billion, but we really don't know. A lot of fraud in businesses is just swept under the rug. They fire the employee, shut down whatever was happening, and move on. They don't want to have any prosecution involved because they don't want bad publicity.
If you're running a bank, you don't want the citizens of your community to know that you had a problem with your bank and that they were exposed to a great deal of losses. So consequently a lot of it's not reported. [For] that which is reported I believe we investigate the preponderance of it, and we convict the preponderance of [the perpetrators] that we arrest.
INGRAHAM: It has been proposed ... that there be a requirement in various state levels that computer-related crime be reported. We didn't use to require reporting child abuse either. We do now, and we have more [child-abuse cases] to handle.
The problem is, if you are the victim it's entirely up to you to let us know if it's a crime, because by definition it has to be an unauthorized act. Well, you're the one that decides whether or not it was authorized.
So hearing these estimates by various sages and runecasters - that we're dealing with one-tenth, one-billionth, one-something of computer crime - I don't know how the hell they know that. I don't know that. An unreported crime is not a crime in any technical legal sense.
DELANEY: A number of companies have called me to become complainants in cases but ask, "Is the name of the corporation going to be used?" Well, it has to be used in the affidavit, which becomes public record. And when they find that out, they no longer wish to be a complainant; [they just] sweep the loss under the rug.
TENNEY: [Question] from Harald Sundt: "On the street level, profiles modify the treatment of the person suspected of a crime and their property. Do your profiles distinguish between virus planters, fraud, fraud perps, phone-time theft and people who want to expand the definition of access as new kind of necessary public domain?"
ONE OF THE SPEAKERS: Yes. [laughter]
TENNEY: Please describe for the audience, Don Ingraham, how law enforcement in California actually does participate in making ... computer law.
INGRAHAM: This question [is from] Bob Jacobson, who used to be a legislative analyst here in California, and is now serving the same interest of democracy up in Washington State - it is our great loss.
The original computer crime law in California, which is the only one I'm an expert on, was originally written by Donn Parker [and] by Susan Nycum, and they brought me along to testify to add a little class to the panel. [laughter]
Since then, we have been contacted by legislators and, from our own experience, have suggested certain areas where the law might go. The way this goes is you find a legislator; he introduces the bill; his staff works on it. It's a matter of public record what bills are introduced. Indeed, there's a computer system in any law library in the state - or just about any, I think; [in] Alpine County you've got to commute in a bit. They solicit eagerly, as early as possible, your contribution, your suggestion, your offer to testify. Be aware that testifying is not the decisive part of the process.
[Someone] mentioned education. Education is mandated in California but not at the University of California because the legislature can't run that. It's only mandated at the secondary level.
We talked about the reporting thing. That was strangled before it ever got to the floor.
We talked about "disbarring" - in effect, striking people from practicing if they were convicted of a computer crime; from being employed in any computer-related industry licensed to do business in California; or from receiving any academic degree or recognition during the period of their probation. It got strangled before it ever went to the floor. It was better than the original proposal, which was to lop off the entry finger, but it still didn't have viability. [laughter]
This is the result of a dynamic democracy. Last year we got a lot of toughening in a very major area of trade-secret protection. That was largely written - entirely written - by Ken Rosenblatt (who is on the panel after this one) at the request of the assemblyman for his district, which is Silicon Valley. It went through this whole process. That's how those bills come around.
Yes, we are involved. We're not always involved because sometimes they get by us, but on those [others], we are involved actively.
TENNEY: [A question] from Steve Jackson: "What's the difference between returning a copy of a possibly pirated program and returning any other property that might have been stolen? What makes software special?"
There are a whole series of questions about ... the question of returning property [seized during a search]. One asks, "What about 'innocent until proven guilty'? Why is it the victim has to prove that they own the property?"
INGRAHAM: First of all the presumption of innocence is a widely held fallacy. [laughter and hisses] ... Read the Constitution!
Read the applications. I'm quite serious about it (although I'm being a little facetious about it). The person is presumed guilty at the stage where we're acting to set bail. The judge is supposed to say, "Assuming the charges are correct."
Presumption of innocence is the thread that runs through everything we do. So obviously it's not something we throw away. But when we're talking about the investigation, if we required it to be proven [that] the person were guilty before we could seize any property, do you see a certain lack of activity in the criminal area from this? No, we have to go on our "probable cause," according to the U.S. Supreme Court. We have to seize the evidence that we think points toward [a crime], screen it as rapidly as we can and get it back as fast as we can.
Those are all expectations of the system. I don't see where that's inconsistent with a presumption of innocence - once you realize the presumption of innocence is the entire burden on us of proving not only guilt beyond a reasonable doubt and to an abiding certainty but proving that the evidence obtained towards that point was obtained legally. We're more convoluted in this country than we are in any other country in the world. And I think it's a good thing because that's where the Bill of Rights resides.
The question then is, "What can we return?" If we suspect that it is stolen, it isn't ours to return. It is evidence of a crime and it is contraband. What we usually return is the data, not the stuff that massages the data, but the data - so as not to put somebody out of their business.
Assuming, as in Steve Jackson's case - which I had nothing to do with; it didn't happen in Alameda County - that it is basically a legitimate business. Which it is. I have some of his books and my kids play his games. I'd play the games if I understood them. [laughter]
But the problem is: If you've got a criminal conspiracy, as was earlier discussed by Don Delaney, then we are not going to return zip. If you want any of that stuff back, you go to court and ask for it. Anything seized under a search warrant is in the custody of the court that issued the warrant. It isn't ours to give. You have to go through the court to do it. We have very strict inventory controls on everything that's handled.
That may not be entirely responsive but it is an answer.
TENNEY: [OK. Next question]: "Do you use any reality checks on the value a company sets on a program? For example, AT&T claiming two hundred lines of source code was worth $77,000?"
SNYDER: ... The approach we take when we go to a victim is, indirectly, I have to take the victim's word for it. If he says he paid $45,000 for this program and he can show me that, yes, he did pay $45,000 dollars for that program, then, yes, that's a value I use for it. What I've tried to take into consideration - because I think it is a need throughout the whole system - is, if you've got a large, major system that somebody broke into, what did it cost them to actually "shut the door" on the system also?
I like to make a distinction between the two, because we're looking at engineering minutes and billing minutes. ... Most of the time we deal in telecommunications fraud. But, what did it cost? Because what ... is passed on to the victim or ... to the general public is what we're looking at. And we're looking at protecting the public's rights as much as anybody else.
When we prosecute a case, I've got to look at what the general public is going to do. For example, I'll take shoplifting. If somebody walks into a store and is able to pick up an item, walk around the corner, give it back to the cashier and say, "I want to return this item." What happens? ... They give the money back, and then they pass the cost on to the general public. [In] the same way, if somebody is beat out of their program what they do is pass that cost on to the general public.
Small as it may be, it's still gonna build up. And that's probably part of the cost. ... It cost me $50,000 in programming time and energy to shut the hole into the system. It's still passed on and you and me and everybody else has to pay for it. ... If it was an ideal society, we could get shareware out there, everybody would pay for shareware. But they don't. People don't want to pay for items. The rest of us have to pay for it, which costs everybody.
So ... I try to take into consideration, "What did it cost you to close the door on the system?"
And whether it was yours or not - you do have to show me proof that [a seized] program was yours, that you did write it.
I go to the writer of it and say, "Why is it yours? You show me why this source code belonged to you. Who wrote the program?" You may take other source code and compare it. I [had] a case [that] way that I could not prosecute. [One] company says [another] company stole their software. It was worth $5,000. And they are now running another business in conjunction. But they could not show me any probable cause where I can go into their competitor's business and confiscate his computer system because there was a big time-lag. Yes, it looked similar, but it was far enough removed when his software was missing from when the other company started [that they] could have written a similar program.
I just don't have probable cause to go up there and harass the guy. He may have the program. And he may have just [installed] it and changed a few things. But I have no probable cause to get into that guy's computer and say, "Give me your source code on the computer. I want to look at it." I can look at the victim's [program], but, yes, I've had to turn cases down because of that. I don't know if that answers it all. ...
DELANEY: Are you indicating that the Fourth Amendment is working? [laughter]
INGRAHAM: [It has] every sign of life.
DELANEY: With regards to AT&T "C" source, we had one of our defendants in possession of the entire set of disks of AT&T C source. AT&T, from several different experts that I spoke to, gave me several different valuations of the property, which ran from the hundreds of thousands of dollars down to around a hundred-thousand dollars. We were charging the person with incidental crimes.
We decided not to go with that charge with respect to the possession of the property because he wasn't doing anything with it. He just, like many of the crackers, wants to possess every piece of software in the universe and they never use 90 percent of it anyway, some of them. If that source had been found in the possession of somebody with a UNIX [system], and he was using it, it would have been looked at much more differently and probably gone to a grand jury.
CLOSING COMMENTS
TENNEY: [In the time remaining, I'd like to ask each of the panelists ...]: What can be done to help law enforcement better deal with these technology issues and high-tech crimes?
BOLL: Well, financially, the Secret Service [was] given these laws in 1985. Since then we've received not one penny to enforce them. No agents; no money - and that's typical. The budgets have been pretty lean, so we've been doing the best we can. We prioritize our cases and we've been trying to work the more important ones [rather] than the lesser ones, depending on the jurisdiction. For example, in Los Angeles, you need $50,000 in losses or they won't even talk to you.
But maybe down in San Diego a $2,000 loss piques some interest. ... I think groups like this conference are very important to get the message out as to what really is happening out there. Who's being arrested? Who's being investigated? What we can do to improve ethics and so forth. Meetings like this are, I think, of tremendous [value].
DELANEY: I'd like to see, on a national level, mandated education in computer courses, for the first thing. Secondly, I think an organization [such] as the Computer Professionals [for Social Responsibility] should look at what they can do by either lobbying or getting corporations interested in funding proper investigations.
SNYDER: I think the approach that I've tried to take - but what I'd like to see the industry take - is [to go] to the private sector and say, "We need some kind of a meeting, some kind of understanding," what we call ... a security-roundtable meeting. I have approached the private sector, especially in Columbus, Ohio, and said, "Let's get together once every three months. I'll tell you my problems; you tell me yours." It's in a smaller group, and that's what I think this group is for.
But what happens is you don't have anybody in the large computer industry coming to law enforcement. They avoid us. And why? We need the education as much as anybody. But the private sector has to help us to get a feel for where the technology is going, and how to handle, possibly, cases.
Plus we have to educate. A problem [in] education is you have to educate law enforcement, prosecutors, judges and juries.
That's four things you have to do. I don't know what approach to take, unless you can give some kind of law-enforcement training for judges and attorneys - and I don't know if we can ever educate them.
INGRAHAM: Can I say eight words?
TENNEY: Eight words. Go!
INGRAHAM: Eight words. Jonathan Budd, National Institute of Justice, is here. [NIJ is the education and research arm of the Department of Justice. -JW]
TENNEY: I'd like to thank the panel very much. We appreciate it. [applause]
Created before October 2004