Tuesday, August 28, 2007

Virtual world, virtual cops

I was chatting with a friend the other day – a former police officer, who now works in the area of computer crime. We were talking specifically about virtual worlds like Second Life and, basically, about whether they may evolve their own law enforcement presence.

Virtual world, virtual police . . . ? It’s an interesting idea. I found a clip on YouTube showing a police chase in Second Life. Although, as far as I know, there are no actual virtual cops in Second Life. It’s an interesting notion.

Then today I find this news story from China, which says that as of September 1 the Beijing police will be using virtual police officers to patrol the Internet:

Police in China's capital said Tuesday they will start patrolling the Web using animated beat officers that pop up on a user's browser and walk, bike or drive across the screen warning them to stay away from illegal Internet content.

Starting Sept. 1, the cartoon alerts will appear every half hour on 13 of China's top portals . . .and by the end of the year will appear on all Web sites registered with Beijing servers, the Beijing Public Security Ministry said. . . .

The male and female cartoon officers, designed for the ministry by Sohu (one of China’s web portals), will offer a text warning to surfers to abide by the law and tips on Internet security as they move across the screen in a virtual car, motorcycle or on foot. . .
If you go to the story linked above, you can see the little virtual cops, a male officer with his virtual motorcyle and a female officer with her virtual police car. (I’m assuming there are lots more of these animations . . . I wonder if they all look just alike? I assume the female officers only use police cars, since they’re wearing skirts . . . but maybe there are variations, and some wear pants. Why do I care?)

I have an initial reaction to this effort, and several questions (substantive questions, not the idle ones outlined above).

My reaction is that I would find having these people popping up on my browser to be INCREDIBLY annoying. Maybe someone with computer skills and a certain irreverence (hacker?) will come up with a way to eliminate them . . . but maybe that would qualify as a virtual assault on a police officer. I’m joking about the latter part, but I suspect it would be some kind of crime in China to interfere with these things.

My initial question is, what makes the Public Security Ministry think these things will be particularly effective? If they are only intended to discourage Chinese web users from accessing content that is outlawed in China, then I can maybe see how that could be effective . . . It could be like having a Walt Disneyesque Big Brother hanging around to remind you to avoid pornography and unrestrained political discussions and postings and other, similarly undesirable things. (The news story above notes that China closes down sites that are “obscene or subversive.”)

If they are actually intended to discourage real criminal activity online, then I do not think they will have any effect, at all. As I rather jokingly noted above, I suspect it would not be at all difficult for a talented person to either eliminate them or turn them into rogue operatives who direct people to porn and/or open political discussion groups.

I’m not going to inflict all of the questions I came up with upon you, but here’s one more: Why virtual cops? Why be so literal? You could, I think, accomplish the same thing with a button or a logo or something more abstract. And if you have to have virtual cops, why make them look like Hello Kitty? You could make them really weird and interesting . . . or really abstract and interesting. These cartoons look like something I’d expect to find on a children’s website. I can’t imagine that anyone would take them seriously, but, then, I probably underestimate the Public Security Ministry.

It is a little creepy. Hello Kitty people as virtual spies

Tuesday, August 21, 2007


We have all, I'm sure, seen news stories about an incident of "cyber war," which turns out to have been something else . . . crime or terrorism.

I want to talk a bit about why I think those errors occur . . . and what I think we need to do to avoid them.

The title of this post is “cyberconflict.” That is an umbrella term I use to encompass cybercrime, cyberterrorism and cyberwarfare. As I explain at length in an article I recently published, these three concepts are conceptually distinct but they all deal with the same problem: a society’s, a nation-state’s, need to maintain social order.

If societies cannot maintain both internal order (keep their citizens from preying on each other, keep the strong from taking advantage of the weak) and external order (keep other societies from coming in and taking over that society’s territory and population), they cannot survive. We’re seeing an object lesson in the need to maintain internal order (at least) in Iraq; if a country can’t establish basic order so people can go about the tasks that have to be done for their physical survival, then the country falls apart . . . and is in a pretty good condition to be taken over by some other country (not that I’m saying that is about to happen in Iraq, but it has happened to other countries that became destabilized).

Countries therefore create a division of labor, the first part of which deals with the need for external order. Militaries (and diplomats) deal with external threats. I’m assuming, as the default, peaceful, non-aggressive societies; their goal in having a military (and diplomats) is to defend themselves against the Hitlers of the world – the countries that are aggressive and are perfectly willing to take over societies they see as weak.

The other part of this division of labor deals with internal order – keeping the citizens in a society from preying on each other in a way that will lead to chaos. Societies do this with two kinds of rules: What I call “civil” rules define what is and is not “legal” (and a subset define what is and is not “proper,” or acceptable) in that society. So every society defines who can marry whom and at what age; some define who can own property, and when; rules say if people can vote and, if so, when. They define property ownership, status, etc. Those are the rules that basically tell us how to live a normal, lawful life, and most of us do.

But since people are intelligent, they can do something social insects and other animals that live in groups can’t really do: They can basically say “the hell with the civil rules, I’m going to do what I want to do, take what I want.” We call that deviance, and societies have to discourage that. They do this with a separate set of criminal rules, which tell us that certain behaviors are really, seriously out of bounds and if we engage in those behaviors we will be punished (locked up, executed, banished, branded, etc.). For roughly the last century and a half, societies have used an analogue of the military to enforce these criminal rules: law enforcement officers. The process of enforcing criminal law used to be more eclectic – civilians used to get involved and, indeed, at times during Anglo-American history, anyway, pretty much were responsible for criminal law enforcement. They had to catch criminals and bring them into whoever was responsible for trying and sanctioning them (conviction pretty much seemed to be a foregone conclusion back then).

Law enforcement officers, then, deal with “crime,” which is internal; they keep the citizens of a society (and people visiting that society) from really, seriously preying on each other. Military personnel deal with “war,” which is external; they engage in combat with military personnel from other societies, societies that are trying to take over their own society, as Hitler did in 1939 when he invaded Poland.

One more note: Basically, societies lump terrorism in with crime. If you recall the Oklahoma City bombing in 1995, Timothy McVeigh was prosecuted for setting off the bomb, convicted and executed. The perpetrators of the 1993 bombing of the World Trade Center were federally prosecuted in New York, as were Al-Qaeda members for the 1993 bombings of U.S. embassies in Kenya and Tanzania.

Now we come to the problem: All of this assumes a tidy division based on territory. Law enforcement handles order within a country’s territory, the military handles order outside the territory. In the U.S., we have laws that rigidly establish that division; it seems to be less rigidly established in other countries, not rigid at all in some.

Cyberspace makes territory irrelevant. A cybercriminal or cyberterrorist or cyberwarrior can strike a target in another country as easily as he can one that’s just down the block. And that creates problems for (i) figuring out what kind of attack it is (Crime? Terrorism? Warfare?), (ii) who the attackers are and (iii) how to respond (Do we launch a military counterstrike? Send in the police?).

Simple example: In May of this year, Estonia was the target of a two-week set of sustained cyberattacks that shut down government websites, media sites, internet service providers and other communications sites. The news stories almost entirely referred to the attacks as cyberwarfare, because that’s what the Estonian government thought they were. They were DDoS attacks that reportedly involved the use of a botnet consisting of a million zombies. The Estonian government, and many reporters, cited the duration of the attack, the size of the botnets and the alleged complexity of the attack as factors establishing it as cyberwarfare. Estonian authorities also heard about the attack in advance and were able to watch as it was planned on Russian-language sites; they suspected the attack was retaliation for their removing a statue honoring World War II Russian soldiers shortly before a holiday honoring former Soviet soldiers.

So, attack-attribution = war. Attacker-attribution = Russian government. Response . . . well, there really wasn’t one.

After the fact, analysis of the attack showed it was hactivisim which, depending on your point of view, is either cybercrime (DDoS attacks are criminal in many countries ) or cyberterrorism (DDoS attacks undertaken with a political motive). The Estonian attacks are a perfect illustration of how difficult attribution and response are online . . . unlike in the real-world. When Hitler invaded Poland, Poland didn’t have any doubts that it was at war or who it was at war with.

In the article I mentioned (which you can find here), I took a first shot at parsing out how these difficulties in attribution and response arise, and what we can do to improve our ability at dealing with them. It’s just a first attempt – I need to do more with it, but I wanted to note the existence of these problems.

One final note: As the Estonian authorities learned when the contacted NATO and asked for help in dealing with what they then believed to be cyberwarfare, they learned that cyberattacks do not constitute “warfare” under the modern law of war. Those laws define warfare as the result of an “armed attack,” and everyone pretty much agrees that a DDoS attack may be an attack, but it isn’t and “armed” attack. As things stand now, if a country started an overt cyberwar, the victim country really could not treat that as “war” and respond with military force, at least, not without becoming the aggressor in the war.

Sunday, August 05, 2007

Anti-GPS technology

You may have heard about these – devices that block (purport to block?) GPS tracking devices installed on vehicles.

Here’s the description of one such product, available on Chinavasion:
small sized Anti GPS Tracking Device, powered by and for use with any car that has a standard Cigarette Jack for power and supplys 12V . Operation is incredibly easy, as all it take to work is plugging it into the cigarette lighter and it's on and working! The Anti-Tracker will knock out GPS logging or GPS tracking systems that may be operating on your vehicle. Using our Anti-Tracker will make it very hard for any one to keep tabs on you or your vehicle.
So here’s the way criminals (and anyone else) can protect themselves from being tracked by GPS devices surreptitiously installed on their vehicles. As I’ve written before, courts have consistently, and correctly, held that under current Fourth Amendment law it is not a “search” to monitor such a device, one it has been installed in a “public” part of the vehicle (e.g., not inside, in the trunk, etc.). A few courts have held (incorrectly, IMHO) that it is not a “seizure” under current Fourth Amendment law to install such a device.

If this product works as it’s supposed to, that would eliminate the problem: Install the device in your vehicle and block any surreptitiously-installed GPS devices from tracking your movements.

As to whether the use of an anti-GPS device is legal or not, I don’t know. I did some quick research just now, being in a bit of a hurry to go somewhere, and couldn’t find anything that seems to criminalize its use. I did find cites to several cases in which courts approved law enforcement’s using certain tactics because the suspect was utilizing “anti-surveillance” technology, which frustrated their wiretapping efforts.

I know lots of people, including lawyers, who periodically have their offices swept for bugs, and that’s never been a crime, so I’m guessing the use of a device like this isn’t a crime, either. (Don’t take that as legal advice – it’s a rushed Sunday morning guess.)

The analogy that comes to mind is the use of radar detectors to try to avoid getting a speeding ticket. I know the use of radar detectors is illegal in some states (don’t know how many), but that’s different: You’re using the radar detector intentionally to facilitate your violating the law – the laws against speeding. So, since a radar detector’s only purpose is to facilitate the commission of illegal activity (granted, minor illegal activity, but it’s still illegal), it’s only logical to outlaw their use. (The other way to go would be to hole the manufacturers of radar detectors as accomplices to the crime they are facilitating, speeding, but that’s just silly.)

Unlike radar detectors, anti-GPS technology is not, itself, facilitating a crime. It’s a way to preserve your privacy . . . from police, from your spouse’s divorce attorney, from a jealous lover, from anyone you don’t want spying on you. Since you have a right to privacy, I can’t see why or how Congress or state legislatures could outlaw the use of this technology.

Some might argue that it is being used to commit a crime if it’s being used by criminals, but that argument only works if the anti-GPS technology itself is being used to commit a crime or to facilitate the commission of a crime . . . such as, say, a fugitive’s flight from justice. But I still don’t think you can outlaw it because, to continue with this example, someone who is fleeing from justice uses all kinds of things in the course of doing so: telephones, cars, airplanes, trains, hotels, etc. We don’t hold those who provide these products and services liable for facilitating the flight, so I don’t really see why that would work for the anti-GPS technology, either.