U. S. Department of Justice
Washington, D.C. 20530
Mr. Chairman and members of the Subcommittee: Thank you for this opportunity to address the topic of Internet crimes affecting consumers. The Internet, which allows people to interact electronically for both personal and commercial reasons, has generated justifiable excitement over the past few years. But as with other innovations, crime has quickly followed, and it has already begun to affect consumers. I would like to describe for you some aspects of Internet crime that we are starting to see, and some of the steps we are taking to deal with it.
Although it is difficult to quantify the scope of the computer crime problem, public reports have estimated that computer crime costs us between five hundred million and ten billion dollars per year. The Computer Security Institute has surveyed 428 information security specialists in Fortune 500 companies; 42% of the respondents indicated that there was an unauthorized use of their computer systems in the last year.
Computers can play three different roles in criminal activity:
o First, a computer can be the target of an offense, for example if a hacker tries to steal information from, or to damage, a computer or computer network. We're all familiar with examples of this, such as vandalism of Web sites or the introduction of viruses into computers.
o Second, the computer can be a tool in the commission of a traditional offense. They can replace the telephone as a tool in an illegal telemarketing operation; they can be and are used to create and transmit child pornography. Or, to give you a specific example, Russian computer hackers in St. Petersburg broke into a Citibank electronic money transfer system and tried to steal more than $10 million by multiple wire transfers to accounts in at least seven different countries. Members of the gang have been arrested in several countries, but according to Citibank $400,000 has still not been recovered.
o Finally, computers can be incidental to the offense, but still significant for law enforcement purposes. For example, many drug dealers now store their records on computers, which raises difficult forensic and evidentiary issues that we don't face with old-fashioned paper records.
Of course, a single computer could be used in all three ways. For example, a "hacker" might use his computer to gain unauthorized access to an Internet Service Provider such as America On-Line -- known as an "ISP" -- and then use that access to illegally distribute copyrighted software stored on his computer's hard drive.
But it is not only ISPs or large financial institutions who should be concerned about computer crime. Others have testified in other forums about the important issues of protection of our infrastructure and of the impact computers have on our ability to protect our intellectual property, and I won't dwell on them today. But hackers can also affect individual citizens directly. For example, they can compromise the confidentiality and integrity of personal and financial information. In one case, hackers from Germany gained complete control of an ISP in Miami and captured all the credit card information maintained on the service's subscribers. The hackers then threatened to destroy the system and distribute all the credit card numbers unless the ISP paid ransom. German authorities arrested the hacker when he tried to pick up the money -- but had he not sought ransom he could have used the stolen credit card numbers to defraud thousands of consumers.
Just as significantly, the computer can be a powerful tool for consumer fraud. The Internet can provide a con artist with the unprecedented ability to reach millions of potential victims. As far back as December 1994 -- and two years ago is a long time in this field -- the Justice Department indicted two people for fraud on the Internet. Among other things, they had placed advertisements on the Internet which promised victims valuable goods upon payment of money. But the defendants never had access to the goods, and never intended to deliver them to their victims. Both pleaded guilty to wire fraud.(1)
Moreover, people can use computers to engage in new kinds of consumer fraud that would have never been possible before. In one interesting case, two hackers in Los Angeles pleaded guilty to computer crimes committed to ensure they would win prizes given away by local radio stations. When the stations announced that they would award prizes to a particular caller, for example the ninth caller, the hackers manipulated the local telephone switch to ensure that the winning call was their own. Their prizes included two Porsche automobiles and $30,000 in cash. Both of them received substantial jail terms.(2)
Just last month, in another interesting case that raises novel issues, a federal court in New York granted the Federal Trade Commission's request for a temporary restraining order to shut down an alleged scam on the World Wide Web. According to the FTC's complaint, people who visited pornographic Web sites were told they had to download a special computer program. Unknown to them, the program secretly rerouted their phone calls from their own local Internet provider to a phone number in Moldova, a former Soviet republic, for which a charge of more than two dollars a minute could be billed. According to the FTC, more than 800,000 minutes of calling time were billed to U.S. customers.
Like other kinds of crimes, Internet crimes against consumers can be addressed proactively and reactively. Fraudulent activity over the Internet, like other fraudulent activity, can be prevented to some extent by increased consumer education. Consumers must bring the same common sense to bear on their decisions in cyberspace as they do in the physical world. They should realize that a World Wide Web site can be created at relatively low cost and can look completely reputable even if it is not. They should invest time and energy to investigate the legitimacy of parties with whom they interact over the Web. Just as with other consumer transactions, they should be careful about who they provide their credit card numbers to. The ancient maxim "caveat emptor" continues to apply with full force in the computer age.
Consumers can also be protected by vigorous law enforcement efforts. Many consumer-oriented Internet crimes, such as fraud or harassment, can be prosecuted using traditional statutory tools, such as wire fraud. Moreover, last year the Congress, at our request, substantially strengthened the laws against computer crime in the National Information Infrastructure Protection Act of 1996, and I want to thank the members of this Subcommittee for their efforts in securing passage of this important legislation. As now drafted, the law contains eleven separate provisions designed to protect the confidentiality, integrity and availability of data and systems.
Nevertheless, the Internet presents novel challenges for law enforcement. Two particularly difficult issues for law enforcement are jurisdiction and identification.
One of the benefits of the global Internet is its ability to bring people together, regardless of where in the world they are located. But this can sometimes have a subtle impact for law enforcement. For example, to buy a book you used to walk down to your local bookstore and have a face to face transaction; if the bookseller cheated you, you went to the local police. But the Internet can make it easier and cheaper for a consumer to make purchases, without even leaving his or her home, from a distributor based in a different state or even a different country. And if they provide payment by credit card or, in the future, electronic cash, and then the book never arrives, this simple transaction may become a matter for the federal or even international law enforcement community, rather than a local matter.
Moreover, the Internet makes interstate and international consumer fraud significantly easier in a number of respects. For example, a fraudulent telemarketing scheme might be extremely difficult to execute on a global basis because of the cost of international telephone calls, the difficulty of identifying suitable international victims, and the more mundane problem of planning calls across numerous time zones. But the Internet enables scam artists to victimize consumers all over the world in simple and inexpensive ways. An offshore World Wide Web site offering the sale of fictitious goods may attract U.S. consumers who can "shop" at the site without incurring international phone charges, who can be contacted through e-mail messages -- and who may not even know that the supposed merchant is offshore. The Moldova phone scam I mentioned earlier provides an example of the relative ease with which more complex international crimes may be perpetrated. In such a global environment, not only is international crime more likely, but some consumer fraud cases traditionally handled by state and local authorities may require federal action.
Another fundamental issue facing law enforcement involves proving a criminal's identity in a networked environment. In all crimes -- including cybercrimes -- we must prove the defendant's guilt beyond a reasonable doubt, but global networks lack effective identification mechanisms. Indeed, individuals on the Internet can be anonymous, and even those individuals who identify themselves can adopt false identities by providing inaccurate biographical information and misleading screen names. Even if a criminal does not intentionally use anonymity as a shield, it is easy to see how difficult it could be for law enforcement to prove who was actually sitting at the keyboard and committing the illegal act. This is particularly true because identifiable physical attributes such as fingerprints, voices or faces are absent from cyberspace, and there are few mechanisms for proving identity in an electronic environment.
A related problem arises with the identity of the victim. With increasing frequency, policy-makers are appropriately seeking to protect certain classes of citizens, most notably minors, from unsuitable materials. But if individuals requesting information can remain anonymous or identify themselves as adults, how can the flow of materials be restricted? Similarly, if adults can self-identify as children and lure real children into dangerous situations, how can these victims be protected? Congress last year made an important attempt to protect minors who use the Internet in the Communications Decency Act. As you know the Government is defending the constitutionality of that statute before the Supreme Court this very week.
One area that raises both jurisdiction and identification issues is Internet gambling. The Internet offers several advantages for gambling businesses. First, electronic communications, such as electronic mail, allow for simple record keeping. Second, the Internet is far cheaper than long distance and international telephone service. Third, many software packages make it easy to operate consumer businesses over the Internet. Use of the Internet for gambling -- as well as for other illegal activities such as money laundering -- could increase substantially as the use of "electronic cash" becomes more commonplace.
Gambling on the Internet is governed by existing federal law. Interstate gambling by the use of any wire communication facility, including the Internet, is illegal unless the gambling activity is legal in both states. Even where gambling is legal, it is legal only for adults. Therefore, the legality of gambling depends critically on both the location and the age of the participants, neither of which can be verified reliably through current network mechanisms, at least when the participants are not willing to cooperate honestly. Congress has already established the national Gambling Impact Study Commission to study a variety of issues, including "the interstate and international effects of gambling by electronic means, including the use of interactive technologies and the Internet."(3) We expect to provide assistance to the Commission, and hope they will address the difficult issues we have raised here.
In other contexts as well, we have long taken steps to ensure that the Justice Department can respond effectively to Internet crime. For example, as far back as 1991 both the Federal Bureau of Investigation and the Justice Department created dedicated computer crime units. Since that time, the FBI has established two additional high-tech squads, and the Department has created, within the Criminal Division, a new Computer Crime and Intellectual Property Section. Additionally, in early 1995, the Department initiated the Computer/Telecommunications Coordinator program, under which each of the 93 United States Attorney's Office has designated at least one Assistant United States Attorney to serve as an in-house high-tech expert. We provide special training to these prosecutors to help them keep abreast of the rapidly changing technological and legal issues.
The Department of Justice is also taking the lead in providing training in computer and telecommunications technologies and legal issues to others in law enforcement. The Computer Crime and Intellectual Property Section has established an "Infotech Training Working Group," which includes representatives from every relevant federal agency, the National Association of Attorneys General, the National District Attorneys Association, and others, to guide, assist and coordinate federal, state and local high-tech training.
As significant as these efforts are, however, the problems of the global Internet cannot be solved without extensive international cooperation. Although international awareness concerning computer crime is growing, considerable work remains, as countries attempt to harmonize their computer crime laws and eliminate the procedural obstacles which prevent the timely acquisition of evidence that is located in cyberspace. Several separate efforts are underway to tackle these difficult issues, including multi-lateral efforts at the Organization for Economic Cooperation and Development, the P-8, and the Council of Europe.
Mr. Chairman, I thank you for the opportunity to appear before you today. The Attorney General and the Department of Justice look forward to working with the Congress to meet the challenges associated with Internet crimes, particularly those that affect consumers.
1. 1 One of the two was sentenced to incarceration of 15 months, and 36 months probation, while the other was sentenced to 60 months probation. Restitution was ordered jointly in the amount of $32,000. United States v. Marriott, No. 94-403PHX-PGR (D. Ariz. Sept. 11, 1995).
2. 2 One of them received a sentence of 51 months of incarceration and three years supervised release for these crimes alone. The other received a sentence of 41 months, three years of supervised release, and restitution of $40,000, for commission of these and other crimes. See United States v. Peterson, 98 F.3d 502, 504 (9th Cir. 1996) (upholding two-level enhancement under Sentencing Guidelines for use of special skill to facilitate crimes, including crime described in text).
3. 3 HR 497, § 4(a)(1)(f).