Techdirt. Stories filed under "cybercrime"

If Most Crime Involves A 'Cyber' Element, Can't We Just Call It Crime Instead Of Cybercrime?

Timothy Geigner — Tue, 5 Mar 2013 09:06:06 PST

It is a standing modern truth that you can take a scary word in the English language and turbocharge its terror factor by putting the word "cyber" in front of it. Don't believe me? Murder. Some guy stabs or shoots me. Cyber-murder. Holy crap! A dude can reach through the computer and electrocute my face! The problem, as we've discussed previously, is that many of the supposed facts used to hype cybercrime are massively overstated, and the unfortunately resulting hysteria breeds atrocities like The Patriot Act, because computers are terrifying and apparently the government is not. Of course, it doesn't end with crime. Cyberwar, cyber-terrorism, these words now permeate the bloodstream like terrifying nanobots, all while the use of technology and the internet marches forward at incredible rates.

But is the term "cybercrime" even useful anymore? When NYC district attorneys like Manhattan's Cyrus Vance suggest that pretty much all crime includes a cyber element, can't we just drop the scare words and go back to calling it "crime?"

According to Vance, cybercrime isn't just a growing trend—it's a fundamental shift in the way modern crime works. It has already reached a point where nearly every crime in the city involves a cyber component.

"It is rare that a case does not involve some kind of cyber or computer element that we prosecute in our office—whether it is homicide, whether it's a financial crime case, whether it's a gang case where the gang members are posting on Facebook where they're going to meet," said Vance.

It seems to me that just because there is a small element in a murder that involves a computer, that doesn't make it cybercrime, but that's apparently how it's being reported at the DA's office. This, of course, allows federal agencies like DHS and the CIA to get involved, where they, otherwise, would not.

The city is getting help from the Secret Service, Department of Homeland Security, local businesses, and others. This system of cooperation was actually set up in 2001 when President George W. Bush signed the PATRIOT Act into law. It established the Electronic Crimes Task Forces (ECTFs) under the Secret Service. According to the Secret Service website, "The concept of the ECTF network is to bring together not only federal, state and local law enforcement, but also prosecutors, private industry and academia."

I wouldn't want to necessarily suggest that having the alphabet agencies get involved at some level is always going to be a bad thing, but perhaps it is time we all had a conversation about how we, as citizens, want to be policed in America. That question is going to dovetail into whether or not we want scare-words like "cyber" to result in law enforcement evolving away from the local level to the federal level. For a country that bangs the "get government out of our lives" drum so frequently, often from the party that spawned The PATRIOT Act no less, we seem quite willing to let irrational fear dominate us.

Permalink | Comments | Email This Story

Philippine Government Ignores Public Concerns, Continues To Push Extreme 'Cybercrime' Law

Glyn Moody — Fri, 28 Dec 2012 13:28:00 PST

One of the striking -- and depressing -- features of the Internet today is the almost universal desire of governments around the world to rein it in through new laws. We wrote about one such attempt in the Philippines a couple of months ago, where the government is trying to bring in some particularly wide-ranging and troubling legislation. Although the Philippine Supreme Court put a temporary restraining order on the law, the Philippine government is not softening its stance, and has asked the court to lift the order. Its arguments are pretty worrying:

"there is always a presumption of validity that attaches to every legislative act"

Oh, really? It also said the law only "regulates and penalizes" acts defined as cybercrimes like hacking, and does not prevent the petitioners from using the Internet and expressing their thoughts.
Well, that rather depends on how you define cybercrimes, of course. The government said "traffic data" referred to in the Cybercrime Law is "non-content data" that consists of the origin, destination, route, time and date of the communication. It said that unlike content data, which is considered private, traffic data is an "auxiliary to the communication and is necessarily shared with a service provider who is a third party."
That is exactly the same erroneous argument used by the UK government to justify its Snooper's Charter. The problem is that some traffic data -- like destination Web addresses -- give considerable information about the content being viewed. For example, if people are visiting Web sites that are critical of the Philippine government, it's pretty clear what they are reading about.

The GMA News piece quoted above lists many other dubious arguments given by the Philippine government in favor of lifting the ban. Ironically, the way it dismisses or ignores the important issues raised by petitioners to the Supreme Court only serves to confirm the impression that the government is not really interested in achieving a fair and balanced solution here, but intends to push through its plans regardless.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Permalink | Comments | Email This Story

The Philippines' Awful New 'Cybercrime' Law Put On Hold -- For Now

Glyn Moody — Tue, 9 Oct 2012 23:51:53 PDT

Last week Tim Cushing wrote about the hugely-worrying new "cybercrime" law passed in the Philippines that seemed likely to criminalize all kinds of everyday online activities. As an article on Radio Australia's site reports, the Philippines' highest court has now stepped in after being petitioned to block the legislation:

The Philippine Supreme Court on Tuesday suspended a controversial cybercrime law, amid huge online protests over fears it would impose enormous curbs on Internet freedoms.

Justice Secretary Leila de Lima said a "temporary restraining order" was issued by the Supreme Court on Tuesday.

Such an order stops Philippine laws from taking effect until further orders from the court, while making no immediate judgement on their legality.

The same article reports on the widespread protests the new law has provoked: Human rights groups, media organisations and netizens have voiced their outrage at the law, with some saying it echoes the curbs on freedoms imposed by dictator Ferdinand Marcos in the 1970s.

Philippine social media has been alight with protests, while hackers have attacked government websites and petitions have been filed with the Supreme Court calling for it to overturn the law.
It's great to see the Supreme Court recognizing that there might be a problem here, but it's too early to assume victory. The law might still go into operation -- with what looks like dire consequences for the Internet and civil rights in the Philippines.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Permalink | Comments | Email This Story

As CISPA Hits Congress, Cybersecurity Company Hypes The Fear Of Anonymous

Leigh Beadon — Tue, 24 Apr 2012 08:03:00 PDT

Through TNW, we learn of a survey published by threat protection company Bit9 that states an attack by Anonymous is the number one thing IT security professionals fear. Doubtless the release of this survey was timed to coincide with CISPA, the dangerous cybersecurity bill that is being debated in the House this week. It's no surprise that a security provider would want to play up the fear of cyber attack, but I'm reminded of a quote from comedian Dara O'Briain: "Zombies are at an all time low level, but the fear of zombies could be incredibly high. It doesn't mean we have to have government policies to deal with the fear of zombies."

Apart from the fact that the fear of something is pretty meaningless (except to those who sell security, and those who want to pass bad laws), the details of the survey make it clear that this is entirely a matter of the hype around Anonymous:

61% believe that their organizations could suffer an attack by Anonymous, or other hacktivist groups.

Despite the utter sense of fear that Anonymous has created over the years, 62% were more worried about the actual method of attack, with malware accounting for the most cause for concern at 48%.

Only 11% of the respondents were concerned about one of Anonymous’ actual methods of attack – DDoS, while fears over SQL injections dipped to a measly 4%. Phishing was a concern for 17% of the respondents.

So, despite the fact that Anonymous apparently has them shaking in their boots, they know that their real vulnerability is malware—and that's not really Anonymous' game. The fear is manufactured.

What this survey calls attention to, though, is a fact that deserves more attention: under CISPA or a similar law, Anonymous would make a juicy target. Security companies and the government could collude and share data not only to strengthen their networks against attack, which would itself be perfectly reasonable, but also to identify and investigate Anonymous members, notwithstanding any other privacy laws. Regardless of how you feel about Anonymous' tactics, this should concern you: privacy rights and the 4th Amendment exist for a reason, and CISPA would wash them away online. The authors of the bill insist that it targets foreign entities, but it is arguably an even stronger weapon against domestic hacktivism that will inevitably be used and abused.

Permalink | Comments | Email This Story

Guess What? Most Cybercrime 'Losses' Are Massively Exaggerated As Well

Mike Masnick — Wed, 18 Apr 2012 10:25:00 PDT

We've talked about exaggerations in "losses" due to infringement for many years. However, we've also discussed how claims of "losses" due to so-called "cybercrime" are also massively inflated. It appears that others are figuring this out as well. The NY Times has an op-ed piece from two researchers, Dinei Florencio and Cormac Herley, highlighting how all the claims of massive damages from "cybercrime" appear to be exaggerated -- often by quite a bit:

One recent estimate placed annual direct consumer losses at $114 billion worldwide. It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable.

Most cybercrime estimates are based on surveys of consumers and companies. They borrow credibility from election polls, which we have learned to trust. However, when extrapolating from a surveyed group to the overall population, there is an enormous difference between preference questions (which are used in election polls) and numerical questions (as in cybercrime surveys).

For one thing, in numeric surveys, errors are almost always upward: since the amounts of estimated losses must be positive, there’s no limit on the upside, but zero is a hard limit on the downside. As a consequence, respondent errors — or outright lies — cannot be canceled out. Even worse, errors get amplified when researchers scale between the survey group and the overall population.

This is pretty common. In the first link above, we wrote about how a single $7,500 "loss" was extrapolated into $1.5 billion in losses. The simple fact is that, while such things can make some people lose some money, the size of the problem has been massively exaggerated. As these researchers note, this kind of thing happens all the time. They point to an FTC report, where two respondents alone provided answers that effectively would have added $37 billion in total "losses" to the estimate.

This doesn't mean that the problems should be ignored, just that we should have some facts and real evidence, rather than ridiculous estimates. If the problem isn't that big, the response should be proportional to that. Unfortunately, that rarely happens. In fact, combining this with the recent ridiculous stories about the need for "cybersecurity," perhaps we can start to estimate just how much of an exaggeration in FUD the prefix "cyber-" adds to things. I'm guessing it's at least an order of magnitude. Combine bad statistical methodology with the scary new interweb thing, and you've got the makings of an all-out moral panic.

Permalink | Comments | Email This Story

EU Cybercrime Bill Targets Anonymous: Makes It A Criminal Offense To Conduct 'Cyber Attack'

Mike Masnick — Wed, 4 Apr 2012 03:34:00 PDT

While we're still sorting through the crazy cybersecurity bill proposals in the US, it appears that some in the EU are going through a similar process. The EU Parliament's "Civil Liberties Committee" has approved a legislative proposal concerning "cyber attacks," which appears to ramp up criminal penalties for all sorts of broadly defined activities. It even applies criminal penalties to a company if an employee hacks into a competitor's database (even if they weren't told to do it). But where it gets scary is when it appears to directly target "hactivism" like what Anonymous does. While we still think Anonymous' DDoS attacks are incredibly counterproductive, are they really criminal?

The Committee's proposals would make it a criminal offence to conduct cyber attacks on computer systems. Individuals would face at least two years in jail if served with the maximum penalty for the offence.

A maximum penalty of at least five years in jail could apply if "aggravating circumstances" or "considerable damage ... financial costs or loss of financial data" occurred, the Parliament said in a statement.

One aggravating circumstance in which the heavier penalty could be levied is if an individual uses 'botnet' tools "specifically designed for large-scale attacks". Considerable damage may be said to have occurred through the disruption of system services, according to plans disclosed by the Parliament.

Even more ridiculous? Merely "possessing... hacking software and tools" could lead to criminal charges. Does that make everyone with a computer a criminal? This whole thing seems like a bad overreaction by politicians who are freaked out, but who clearly don't understand the technology in question.

Permalink | Comments | Email This Story

FBI Preaches Dangers Of 'Cybercrime' To The Choir

Leigh Beadon — Mon, 5 Mar 2012 03:23:18 PST

FBI Director Robert Mueller recently spoke at a cybersecurity conference where he reiterated his belief that so-called cybercrime will soon surpass terrorism as the biggest threat in America. Perhaps this means that the FBI plans to start manufacturing cyber-threats like they do with terrorist plots—or perhaps it means that, as some people have been saying for years, cybercrime is just crime. Of course, in a room full of professionals who stand to make more money if people are scared of online threats, he's not likely to get a lot of argument.

That's not meant to dismiss cybersecurity professionals—obviously they do a lot of important work, and obviously the FBI is going to need their assistance for plenty of things. But to call cybercrime the country's biggest threat is to lump together a whole bunch of unrelated crimes, most of which aren't even new:

"We are losing data, we are losing money, we are losing ideas and we are losing innovation,' Mueller said at the RSA Conference in San Francisco. 'Together we must find a way to stop the bleeding."

The dangers posed by organized cyber-crime, rogue hacktivists and computer breaches backed by foreign governments have become a focus for the FBI.

Counterterrorism is still the agency's top priority, but the agency has retooled to prepare for Internet-based aggressors, Mueller said. Cyber-squads in every FBI field office now monitor for crimes ranging from mortgage and health care fraud to child exploitation and terror recruiting, he said.

Presumably the FBI already has people specializing in mortgage and health care fraud, child exploitation and terror recruiting—so why portion off the "cyber" versions of these crimes into a separate "squad"? To then combine those things with hacktivism and online espionage just makes the category of "cybercrime" utterly meaningless. It is indicative of their struggle (which mirrors that of governments, the entertainment industry and others) to understand a core concept: the internet is not a separate thing. And even if there is a good administrative reason for organizing things in this way, it is highly misleading to call such a diverse array of crimes a single giant threat.

Permalink | Comments | Email This Story

Brazil Looks To Criminalize Ripping A CD?

Mike Masnick — Fri, 26 Aug 2011 19:39:00 PDT

Over the past few years, it really looked like Brazil was close to becoming one of the most progressive countries on copyright issues. It was embracing fair use and the public domain in a strong way, and was even considering proposals to fully legalize file sharing. And, of course, the music industry is thriving in Brazil as well, in part due to the embracing of free distribution. The government had also embraced open culture in a variety of ways, even using Creative Commons licenses on government websites.

How quickly things change.

Within months of a new administration coming to town, the new Culture Minister, ordered the Creative Commons license off of the Ministry's website. When asked why, she said "We will discuss copyright reform when the time comes." But having a CC license on a webpage has nothing to do with copyright reform. However, it was a warning sign that such efforts were coming, and rather than continuing the progress made in the country, the new administration was looking to go in the other direction.

Now it appears that we're seeing some of those efforts in action. The country is considering a broad new "cybercrime" bill, that, among other things, will criminalize both file sharing and ripping a CD to a computer. File sharing may involve infringement, but at a civil, not criminal level. The fact that the government seems to be going much further is ridiculous -- especially at a time when the Brazilian technobrega scene has demonstrated so clearly how an entire musical culture can thrive (and make lots of money) without even using copyright (and even actively ignoring it and encouraging the widespread sharing of works).

Permalink | Comments | Email This Story

How One Unverified Claim Of A $7,500 'Loss' From Cybercrime Translates To $1.5 Billion In Losses In The Press

Mike Masnick — Thu, 11 Aug 2011 10:04:30 PDT

I think we should just admit that there's a "cyber-" inflation factor. That is, for anything in which someone puts a prefix of "cyber-" before a word, we can assume that reports of the "impact" are going to be massively inflated. Cyberwar? Totally overhyped. Cyberbullying? Not nearly as crazy as you hear. And now we've got a new report saying that reports of "losses" from "cybercrime" appears to be greatly overestimated as well.

First, losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses. Second, losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail (i.e., a majority of the estimate is coming from as few as one or two responses). Finally, the fact that losses are confined to a small segment of the population magnifies the difficulties of refusal rate and small sample sizes. Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N = 1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion

And yet, of course, such claims of massive losses will still be regularly repeated in the press and by politicians. I've always said that it would be great if we could force feed politicians and journalists economics lessons, but I'd like to propose adding statistics to the required curriculum as well.

Permalink | Comments | Email This Story

Really Bad Idea: Make ISPs Liable For Cybercrime Efforts

Mike Masnick — Mon, 1 Aug 2011 13:11:00 PDT

Let me start off this post by noting that, while I don't know Noah Schachtman personally (other than a few emails back and forth many years ago), I've always liked his work writing for Wired and other publications. However, I'm surprised to see him advocating the strong use of third party liability as a tool to deal with cybercrime, as a part of a paper for the Brookings Institute. The idea is that, when talking about spammers & scammers online, there are, perhaps, a small number of ISPs who tend to do business with these guys, and Schachtman believes that by making those ISPs liable, it would pressure them into cutting off the bad clients.

Schachtman has numerous caveats and is pretty specific in his plan that it only apply to a specific list put out by a trusted independent third party, that the methodology for being on the list is clear and that an appeals process also be explicit. On top of that, he says that it should be limited to "universally recognized crimes, like theft, fraud, and criminal trespass" and is clear in saying that it "wouldn’t work for politically inflammatory speech or copyright infringement; they’re too open to abuse and overly broad interpretation."

Also, in reading the report, it's clear that this isn't just something he came up with overnight, or some random blogger or reporter dashing off a column on some fragment of a thought they had an hour before deadline. He's put a lot of thought and research into this. But I still think the idea is dreadful and shortsighted. It wouldn't solve the problem it seeks to deal with, at all, and (even worse) it would open up all sorts of collateral damage or unintended consequences.

First off, it wouldn't solve the problem it's trying to solve. We've seen this time and time again with attempts to shut down any kind of "rogue" behavior online by going after intermediaries. The bad players just figure out some other place to go, and they often go further underground in ways that makes it tougher to find or track them and their activities. Even Schachtman admits that many would likely jump to ISPs elsewhere. So, if it's not actually stopping the behavior, then what's the value?

Second, while Schachtman is clear that this shouldn't be used for those other things, chipping away at third party liability protections in any arena is quite dangerous, because it's not hard to see lobbyists using that to push for such rules to be expanded to cover their pet area. Anyone who thinks that the RIAA and MPAA wouldn't pounce on this and work hard to add copyright infringement to the list simply hasn't been paying attention. What Schachtman describes in terms of the ability to sue an ISP for third party actions has been the legacy entertainment industry's wet dream for over a decade. Anyone who thinks that politicians would distinguish the types of crimes that Schachtman focuses on from garden variety claims of copyright infringement is living in a dream world.

And, honestly, I'm still at a loss as to why this is actually needed. It seems like there remain much more effective ways to deal with issues like this that don't involve giving up basic concepts of properly applying liability to the actual party responsible. The first is actually targeting those responsible for the crimes. If they're using known ISPs, then it seems like there is a record trail that can be traced back to go after those actually breaking the law to try to put them out of business. Second, if the concern (as it appears) is that some US ISPs are doing this and that's a shame, then deal with that publicly, by more publicly shaming ISPs who are popular among criminals. Use public pressure to get them to (a) either help law enforcement or (b) to enforce reasonable terms of service. Trying to make them liable as a third party will make life difficult for them, but not the actual scammers.

Permalink | Comments | Email This Story

Time To Stop Being So Fascinated With The Cyber- Part Of Cybercrime

Mike Masnick — Wed, 10 Nov 2010 06:01:55 PST

In the past, we've noted that when technology is somehow involved in a crime, suddenly people (and especially the press) seem to forget about the actual crime that's happening and focus just on the technology. It appears others are noticing this as well. Slashdot points us to a nice rant by Neil Schwartzman pointing out that it's silly to single out "cybercrimes" as being "cyber" at all: they're just crimes. The fact that you're using a computer or the internet as part of it doesn't change facts when a crime is being committed, and at times people seem to get so focused on the cyber- part that they miss the seriousness of the crime itself:

When someone is mugged, harassed, kidnapped or raped on a sidewalk, we don't call it "sidewalk crime" and call for new laws to regulate sidewalks. It is crime, and those who commit crimes are subject to the full force of the law...

Some of these crimes involve technology. So what? Criminals have used technology before.

Some of these crimes cross borders. So what? Crimes have crossed borders before.

He similarly attacks the concept of "cyberwar" and the fact that various governments are hyping that up these days:

While we are at it, we should mention 'cyber-warfare', something often conflated with cyber-crime. Cyber-crime is not "cyber-warfare." There may be state or terrorist agencies copying the tactics and methods of these criminals, but that does not mean that the criminals must be left alone until new cyber-warfare agencies have been created and funded.

But, of course, by naming it "cyberwar," it creates something that seems "new," and with something "new," money can flow. The reason for these new "cyber-war agencies," is money. The suppliers want to sell to the government, so they hype it up. The folks who want more power get to set up an entirely new group -- and in an area that's considered "hot." The use of "cyber" is generally there to mislead people, and often for the sake of money.

Permalink | Comments | Email This Story

US Officials Finally Going After Online Organized Criminals In Other Countries

Mike Masnick — Wed, 10 Jun 2009 00:50:16 PDT

It's no secret that Eastern Europe has become the center of an awful lot of organized crime online. Various phishing and scam rings tend to work from a variety of different Eastern European countries without much fear of law enforcement or prosecution. Most of the enforcement in the US to date has been on the few unfortunate Americans who got involved in such scams -- but such targets were almost always small-time scammers compared to the big players across the ocean. However, there are some signs that's starting to change. Forbes details the first case of a foreign cybercriminal being extradited to the US, noting that greater cooperation between foreign governments and the US means that we should be seeing more of this. However, the article also notes that this is only one small attempt, and officials haven't really been able to do any damage to some of the bigger organized crime groups online. Still, given how little the US gov't had been able to do to actually go after the real criminals, it is a good sign that at least they're looking for ways to reach across boundaries to find them.

Permalink | Comments | Email This Story

Apparently, Cybercrime Isn't Actually A Trillion-Dollar Business

Carlo Longino — Tue, 31 Mar 2009 08:01:00 PDT

While online scams and cybercrime are growing, the claim made recently that cybercrime is a trillion-dollar business simply isn't true, says The Register. As Gary Stiennon points out, if it were, it would be bigger than global IT business itself, as well as the GDP of several industrialized nations. AT&T's chief security officer threw out the figure in front of a Senate committee; he also said that cybercrime was a bigger business than the global drug trade, another claim Stiennon disputes. He dug into where the myth was started, and how it's evolved, and traced it back to a single comment made by a consultant to the US Treasury Department in 2005. It's then been so commonly cited -- often by security companies looking to advance their own agendas -- and repeated that it's become widely accepted. Certainly cybercrime is a problem, and a growing one, but overstating its true impact won't make fighting it any easier.

Permalink | Comments | Email This Story

Forget The Economy, Security Vendor Says Cybercrime Is The Real Threat

Carlo Longino — Thu, 11 Dec 2008 18:48:00 PST

You might have noticed that the economy is in the tank. Something about this "credit crunch" and "recession" and whatnot. But the amount of attention governments around the world are paying to these issues is giving cybercrime a foothold, according to a new study from a -- yep, you guessed it -- security vendor. This is the same vendor that's been saying the government needs to create new laws to combat cybercrime for at least a year. While their consistency is notable, their implication that the government is in the best position to fight cybercrime seems misguided. The best solutions remain technical and market-based in nature, while the usual mess governments make out of this sort of thing are hardly a ringing endorsement of their abilities to solve technological problems. All this makes you wonder if maybe the vendors see some way for themselves to gain from cybercrime legislation. Surely that's not right...

Permalink | Comments | Email This Story

Online Criminals Move On To Corporate Espionage

Mike Masnick — Thu, 13 Nov 2008 23:07:56 PST

One of these days, someone will do a fascinating study or book on the evolving nature of online crime. It's a constantly changing phenomenon that would be quite interesting to study. A few years ago, we noted that the ease with which script kiddies could jump into the phishing and online extortion market meant that margins were getting squeezed for older online organized crime groups who had focused on such practices in the past. Apparently, the big money now has moved away from standard phishing and into corporate espionage. Organized crime groups are figuring out ways to hack into company networks, suck up as much data as possible, and then sell it off to the highest bidder -- whether it's competing firms or foreign governments.

Permalink | Comments | Email This Story