From The Globe and Mail

Smarter sleuthing can save our online privacy (Globe and Mail)
Ron Deibert

Special to Globe and Mail Update Published on Monday, Nov. 02, 2009 6:01PM EST

I’m at the Citizen Lab, an interdisciplinary research facility at the Munk Centre for International Studies, University of Toronto. I am reviewing reports on cyber security. With me is Nart Villeneuve, senior research fellow and chief research officer for our partner company, SecDev.Cyber.

Nart is busy doing what he usually can be found doing: following hunches, deeply engaged in cyber forensic investigations. In his latest work, he has gained backdoor access to track a very large, Russian-operated botnet – a collection of infected computers under the control of an attacker.

No doubt about it, the perpetrators of this botnet are into criminal behaviour. Although it is Russian in origin, the botnet uses control servers in China and manipulates thousands of compromised computers in the United States and Germany (so-called “zombies”) to launch computer network attacks. Russian criminal organizations are known to contract out such attacks to anyone who will pay. We witness a real-time attack against an obscure Russian website, lasting a few minutes.

This botnet also appears to be connected to a massive spam operation that sends out bogus links to gambling, pornography, pharmaceuticals and fake anti-virus software. Nart’s probes uncover directories containing four million recipient e-mail addresses. The operators are also engaged in widespread “click fraud,” redirecting the browsers of infected computers to online ads without the users’ knowledge in order to generate micro-income on a massive scale.

In fact, botnets like this one are at the heart of just about every imaginable menacing and serious act of Internet crime, from espionage to child pornography. They are so vexing for law enforcement and intelligence, we are often told, because of the so-called “attribution” problem – the challenge of identifying the perpetrators.

It has become a truism to say the Web facilitates anonymity. “On the Internet, no one knows you are a dog,” went the famous New Yorker cartoon – or in this case, a fraudster, terrorist or gangster. Perpetrators can mask their real identities through proxy computers located in foreign jurisdictions, or contract out to third parties who carry out their criminal deeds.

Some have advocated radical solutions to this problem, including the end of anonymity, the requirement for Internet users to have permanent IDs, even the wholesale scrapping of the Internet as we know it. Bills C-46 and C-47, currently working their way through Canadian parliamentary committees, would require Internet service providers to install new surveillance equipment, collect personal data, retain it for longer periods of time and allow law enforcement and intelligence to see that personal information, in some circumstances without a court warrant. The Privacy Commissioner of Canada and others have raised serious concerns about this.

Although attribution, anonymity, and investigation of Internet crime remain very real challenges, I believe they are not insurmountable and do not require radical infringements on privacy or wholesale alterations to the Internet as we know it. In fact, the Internet itself, and the mass of data it contains, points to the solution.

Shortly after our observations, Nart uncovered a lead to the possible botnet operator: a Russian student registered at Moscow State University. There was no magical sniffing tool or lawful access provisions clearing his way. He simply pieced together bits of seemingly disparate information – a name here, a string of code there, a domain registration, a recurring handle, an e-mail address, all pieced together by searching Google results.

It’s not the first time Nart has done this. In 2008, he uncovered a massive spy network being run through the Chinese version of Skype, and was able to locate, access and archive the control servers behind it using creative Google searches.

Earlier this year, the Information Warfare Monitor (one of our projects with SecDev.Cyber) tracked down GhostNet, a massive cyber espionage network infecting 1,295 computers in 103 countries. Nart provided a critical break in the investigation by Googling a 22-character string collected during field research. It led to one of the poorly secured command server interfaces.

The Information Warfare Monitor is now working on a report about attacks against the websites of prominent Burmese human-rights groups. Many people suspect the attacks are connected to Myanmar’s military regime, but our investigation leads conclusively to a single individual. We even have his picture from his social networking pages.

The reasons for such successes are twofold: our methods, and the superabundance of information in the cyber age.

As university-based and private-sector researchers without access to warrants and private information, we have been forced to do more with less. We rely on qualitative, as opposed to quantitative, approaches. We engage in multidisciplinary analysis of data, as opposed to its automated mining. We search for connections between disparate sources of open information, instead of digging through that which is private.

The problem for law enforcement and intelligence today is not the lack of information; it is the deluge of it. The U.S. National Security Agency reportedly sucks up the equivalent of the contents of the Library of Congress every six to eight hours, every single day.

This is an old paradigm, based on methods where information is easy to hide and hard to find. It’s ill-suited to our modern hypermedia environment, which includes more than four billion cellphones around the world, according to the International Telecommunication Union. Many of them are equipped to snap pictures and videos, and upload them instantly to YouTube or Twitter. These images can be geotagged through Google Maps, which now includes street-level images of many major cities.

In other words, who needs more surveillance powers when people willingly monitor themselves? Social networking has brought us the Age of Auto-Surveillance. These are my friends, here is my house, this is the bus I take, here is my dog, this is my e-mail address, here is my phone number, this is my place of work, this is what I like to eat for lunch.

Criminals and terrorists rarely tweet about their crimes, true. But they cannot escape the digital traces and electronic signatures that everyone, even the most determined criminal, now leaves. In the case of the Russian student, it was a user name posted on a hacker forum that was also used as part of a website domain, which then showed up as a prefix on an e-mail address of an innocuous undergraduate essay that was posted online, along with the student’s name.
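As an added illustration (not the author's or Citizen Lab's code), the Python sketch below shows the pivoting step described above over constructed sample artefacts: records that share an identifier value are linked, and a breadth-first search follows a reused handle from a forum post through a domain registration to a record carrying a name. Every artefact, handle, domain and name in it is made up.

```python
from collections import deque

# Constructed sample artefacts (kind -> value); none refer to real people or sites.
ARTEFACTS = [
    {"source": "forum post",   "handle": "crowfix"},
    {"source": "whois record", "domain": "crowfix.example"},
    {"source": "essay upload", "email": "admin@crowfix.example",
     "name": "J. Doe (constructed)"},
    {"source": "blog comment", "handle": "unrelated42"},
]


def derived_keys(record):
    """Turn one artefact into comparable (kind, value) keys.

    Besides the literal identifiers, expose the places a reused handle hides:
    the left-most domain label, and the local part and domain of an e-mail
    address. That is what lets a forum handle link to a domain record.
    """
    keys = set()
    for kind, value in record.items():
        if kind == "source":
            continue
        if kind != "name":
            value = value.lower()
        keys.add((kind, value))
        if kind == "domain":
            keys.add(("handle", value.split(".", 1)[0]))
        elif kind == "email":
            local, _, domain = value.partition("@")
            keys.add(("handle", local))
            keys.add(("domain", domain))
    return keys


def pivot_chain(artefacts, start_index, target_kind="name"):
    """BFS from one artefact to the nearest one carrying `target_kind`,
    hopping only across shared keys. Returns (source, shared_key) steps
    ending in ("resolved", (kind, value)), or None if no chain exists."""
    keyed = [(a, derived_keys(a)) for a in artefacts]
    queue = deque([(start_index, [(artefacts[start_index]["source"], None)])])
    seen = {start_index}
    while queue:
        i, path = queue.popleft()
        keys = keyed[i][1]
        for kind, value in keys:
            if kind == target_kind:
                return path + [("resolved", (kind, value))]
        for j, (other, other_keys) in enumerate(keyed):
            shared = keys & other_keys
            if j not in seen and shared:
                seen.add(j)
                queue.append((j, path + [(other["source"], min(shared))]))
    return None
```

The same search also reports when no open-source chain exists, which is the honest answer an investigator should expect more often than not.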

In a time when every person’s digital life is now turned inside out and electronically dispersed and disaggregated, does it really make sense to think solutions lie in adding to that flood? Law enforcement and intelligence don’t need to sidestep court protections and civil liberties to meet the challenges of cyber crime – they need a new investigatory paradigm.

Ron Deibert is director of the Citizen Lab and a principal with the SecDev Group. He is a co-founder of and principal investigator for the Information Warfare Monitor.