Robots, Wanderers, Spiders and Avatars: The Virtual Investigator and Community Policing Behind the Thin Digital Blue Line

A paper presented at the 1997 National Conference: Justice Agencies and the Internet
November 5, 1997

Kevin Manson, JD, Director 
Cybercop.org March 15, 1997 
Edited November 3, 1997

Introduction

http://www.cybercop.org

The downloadable electronic version will be coded with html tags to permit direct access to reference resources on the Internet. To best view the electronic version it should be loaded into a browser such as Netscape Navigator or Internet Explorer.  

Summary

The term "virtual investigator" was first introduced to the "Cybercop" law enforcement community at the first Colloquy on Electronic Sources of Information sponsored by the Financial Fraud Institute of the Federal Law Enforcement training Center on February 23, 1996.  

The three day Colloquy drew nearly 100 law enforcement agents and investigators from state and local government agencies and the Federal Government. The Colloquy focused on the use of online databases to aid the investigation of conventional and computer related crimes. Topical areas covered at the colloquy included the use of commercial databases, online services, the Internet and other online sources of information available to the criminal investigator. 

The Virtual Investigator

A second critical resource defines the "virtual investigator", one which until recently has remained in the domain of scientific, commercial and research community, the intelligent agent. 

Attributes

1. Use of anonymous remailers and so-called "anonymizers" for receiving tips from the Net community 
2. Deployment of robust cryptography 
3. Use of Avatars and Virtual Reality Modeling Language (VRML) client programs for MUDS and MOOS 
4. Use of network intrusion, auditing and tracking tools 

Tools

1. Robust public key cryptography products such as DES and PGP 
2. Secure voice software, such as PGPfone which can be used over computer networks such as the Internet 
3. Powerful link analysis programs such as Intelligence Analyst Workbench, ScreenIt, Lexmap, Orion and Watson, some of which are capable of making calls for data across networks as large as the Internet 
4. Search engines such as AltaVista, Yahoo, DeJa News, Excite which facilitate research and news gathering activities 
5. Listservs such as High Technology Crime Investigator Association (HTCIA), Police-L, Eurocop 
6. Web pages such as COAST, CERT, COPNET, Cybercop.org, SEARCH, NCSA, Computer Security Institute, FIRST.ORG, HTCIA, FCIC, IACIS 
7. Cybercop "Metasites" such as the FBI's Law Enforcement Online site 
8. Computer Crime and Intellectual Property Section, Department of Justice (202-514-1026) 
9. BBS's such as Dockmaster (NSA), Cybercop, Houston Area Technical Services (HATS), National White Collar Crime Center 
10. Newsgroups 
11. E-Mail 
12. Internet Relay Chat (IRC, or MIRC), UNIX "talk" or other "chat" or conferencing programs (including chat software built in to software packages from major online services such as Compuserve and America Online) 
13. Voice or "telephone"-like programs such as Iphone, Webphone or Netphone 
14. Videoconferencing and document conferencing packages from Cornell university such as CUSeeMe (and the commercial version from White Pine software) 
15. "Streaming" audio and video technologies such as Real Audio and CUSeeMe 
16. Network intrusion detection, auditing and tracking tools such as ISS, COPS, and SATAN 
17. Internet access via dialup, ethernet, ISDN 

Internet Investigator Skill Sets

1. Understanding of Internet Network topologies (organization of network resources) 
2. Understanding of Internet culture and resources (RFC's, RFTFM, FAQ's etc) 
3. Working knowledge of the tools described above 
4. Familiarity with UNIX, Windows NT and other operating system configurations, commands, directory and file structures, security features (or lack thereof) 
5. Methods of Internet access (Dialup, wireless, ISDN, cable modems, etc) 
6. Understanding of packet routing (how traffic flows on the Internet), and TCP-IP (Transmission Control Protocol / Internet Protocol) 
7. Ability to read mail headers and trace traffic across the Internet utilizing domain name service lookup and tracking tools such as ping, whois, traceroute, etc. 
8. Ability to engage in network monitoring, tracking, auditing and logging and placing protocol analyzers (wire taps) at appropriate sites on the Internet 
9. Ability to use basic investigative tools such as those listed in this paper 
10. Understanding of the legal restrictions and restraints on the collection of evidence and conduct of investigations on the Internet 

These tools, technologies and skill sets are necessary to give the virtual investigator "technical parity" with their suspects on the electronic frontier as well as extend and expand the reach of the cybercop beyond traditional capabilities in the conduct of traditional investigations.  

Intelligent Agents

What are intelligent agents?

In the context of the World Wide Web, intelligent agents, which are sometimes called spiders, wanderers or robots, are programs that traverse the Web retrieving linked pages. In the past several years robots have made visits to a number of web sites that resulted in unwanted consequences, such as flooding sites (floodbots), traversed very deep virtual trees on web servers and engaged certain common gateway interface scripts with adverse side affects such as voting.  

The concept of the intelligent agent can be broken down into its two components. The term agent has been in use in the computer science field for over a decade. in its simplest form an agent is a piece of software which does something for you. By this simple definition, wizards, assistants and even spell checkers would qualify as agents. Agent software can also automate repetitive tasks.  

Agents can be anchored or mobile depending on where they reside and where they do their work. Anchored agents do their work on client machines or servers. Mobile (or network) agents, however, are like a digital robot which can move themselves from server to server to find what information they need. They are executing programs which carry what is called "state" information which makes them self-contained.  

On the Internet, intelligent agents have been used to catalog millions of pages of content. Mobile agents, referred to as search engines, such as Lycos utilize spider agents which course through the Net to catalog the entire Web resulting in databases which are constantly updated with data that is reported back to the agent's home server.  

Intelligent agents have evolved from 1980's technologies which never entirely caught on such as artificial intelligence (AI) and expert systems which never quite lived up to users expectations.  

In the field of commerce, General Magic's Telescript programming language is written to permit programs to search the Internet for a certain product and price. This "shopping agent" can shop as easily for information as for products. Once it finds the right product the agent can actually make the purchase for the shopper using a credit card number. These shopping forays can last for days or weeks, 24 hours a day and can do comparison shopping. Telescript can only run on Telescript enabled servers, but it is being implemented on several Fortune 500 Intranets.  

These intelligence agents give a new meaning to "shop until you drop." They also give new meaning to how investigations can be conducted on distributed systems like the Internet. Investigative agents could be easily designed to be launched on the Internet to ferret out information while cybercops are sleeping or engaged in other activities and have the results of such virtual investigations reported back (via encrypted messages) to the "supervising" agent on a periodic basis.  

Real time investigations, which require the direct and personal interaction of the investigator with conventional client programs, represent the current state of the art. These programs are in use today by an untold number of investigators across the globe.  

Given the extraordinary pace of new technology development and deployment on the Internet, it will become necessary to reevaluate the paradigms that have defined the resources and procedures for the delivery of policing assets to the front lines of cyberspace.  

It is questionable whether current day governmental procurement, personnel and budgeting mechanisms, which are artifacts of the industrial age, can be mobilized rapidly enough or with sufficient flexibility to effectively address many problems posed by networked narco-terrorists, arms dealers, transnational criminal organizations who threaten our nations economic, educational, medical and information infrastructure.  

Investigative jurisdictional limitations within various agencies' charters represent a serious limitation on the ability to conduct investigations which can span international boundaries in milliseconds and implicate violations of a multitude of state or federal statutes and the laws of several nations.  

A trans-national virtual network of technical investigators, computer forensics specialists and cybercops linked by CMC tools and operating under electronic treaties and mutual assistance agreements represent the task forces of tomorrow.  

What are some of the social implications (privacy, security, freedom) of the use of these powerful tools and how will cybercops using them be perceived in the on-line community?  

I have been involved with the use of intelligent agents since 1995 when I subscribed to a service offered by the San Jose Mercury News, called NewsHound. The Newshound service is essentially a sophisticate newsclipping service that operates to seek out news items found on the Internet and on private databases based on a custom "profile" established by the customer.  

After establishing a profile for the kinds of information I was seeking, the Newshound program on the Mercury News server would traverse the Internet and select databases using search engines of varying sophistication to retrieve news articles and information matching my custom profile.  

Web sites, publications, files and other data that fit the Newshound user's profile are retrieved on the Newshound server for the user and the user is notified of the search results. The search engines may permit the user to specify the degree of granularity (or precision) that the search engines are to apply in their searches.  

Bots and search engines are used to obtain information for users who are seeking the lowest airfares and cheapest compact disks. Personal investment and banking services are also prime candidates for robots, looking for initial public offerings that meet specified conditions or interest rates for CD,s and T Bills.  

There are a number of intelligence agent products on the market and their use will become even more prevalent as digital commerce on the Internet becomes more widespread. I have used several of these products in their beta cycles such as IBM's InfoSage.  

Commercial search engines such as AltaVista, Lycos, AllinOne, Open Text, InfoSeek, Webcrawler digest millions of documents continuously on the Net.  

Alta Vista, from Digital Equipment Corporation running on an Alpha server permits the operator to apply Boolean logic search terms in the formulation of a query to restrict the number of "hits" that are returned by the search engine in response to the query. 

Netiquette and "REP" on the Net

Robots are now increasingly being used by business to assist in gathering market demographic information. The use of these bots can result in spamming of users at sites based on demographic information about their users. We are now seeing an increase in the number of sites on the Net that require a user to "register" before allowing access.  

Several site I now frequent, such as the New York Times Syndicate and WIRED require registration before I can drill down past the uppermost layer of data. It might be argued that the top levels in these Web sites are "public areas" and the Webmaster or business has no reasonable expectation of privacy from a spider or bot that has been launched by law enforcement.  

Some agencies have established a policy of identifying themselves after digitally knocking a third time at the door of a BBS (logging on). Issues regarding guidelines for the conduct of investigations on the Internet are now being considered by the Department of Justice.  

It is ironic that the same acronym that defines the parameters of a "search" in the temporal world, "REP" (or reasonable expectation of privacy) may very well apply in the world of policing cyberspace as well. REP, or robot exclusion protocol, is an established mechanism in the world of Internet standards which defines levels of access to areas considered to be "private" by webmasters on their sites. The robot exclusion protocol notifies visiting robots (bots) what areas on a site are considered "off limits". 

Robot Exclusion Protocol, the new "REP"

# go away User-agent: *Disallow: /  

These kinds of files work for co-operative bots that "recognize" such files. Malicious robots, on the other hand, are not deterred by such "unwelcome mat" signs at the front door of a Web server. The law enforcement community needs to resolve several important issues before it seriously considers using intelligent agents to traverse the Internet. The legal implications of having investigative bots drill down deep into web and other sites on the Internet is one important issue that will have to be considered. Matters of comity, sovereignty and legal jurisdiction will also have to be resolved before intelligent agents begin coursing through servers in foreign universities, banks and government agencies. The precise scope and nature of these issues is beyond the scope of this paper.  

As John Gilmore has noted, on the Internet national borders are no more than speed bumps. Law enforcement on the Internet is a relatively new phenomenon. To date, there has only been one wire tap order granted in domestic law enforcement for capturing packet transfers on the Internet (Ardita). In the conventional law enforcement arena, there are hundreds of wire tap orders granted annually.  

Law enforcement in recent years has focused on the concept of "community policing". When the traditional beat officer was replaced by patrol officers in air conditioned cars, law enforcement became detached from the shop owners and residents on the streets which officers used to patrol on foot and in-person. The patrol vehicle extended the reach of the officer and at the same time distanced the officer from the very people they were sworn to protect.  

The use of robots on the Net is the temporal equivalent of putting officers in patrol cars and distancing them from the community in which they serve. The most effective investigative methods are often the most intrusive and covert, yet these are the methods that will, if not judiciously and sparingly used, create distrust, suspicion and an unwillingness to cooperate in the Net community.  

Law enforcement must realize that it is a new player in the Net community. Its presence on the Net was preceded by the scientific, academic and commercial segments of our society. Those who are responsible for enforcing the law on this new electronic frontier must understand that there *are* norms, conventions, protocols and rules in place on this frontier which has often been mis-characterized as *anarchistic*. The Net is anarchistic, perhaps in the sense that there is no single central governing body that *rules* the Internet. However, this place called cyberspace has a history, culture and large groups of individuals have developed sub communities and affinities that in some cases transcend nationalistic interests.  

If law enforcement rapidly moves to implement the use of robots within the confines of constitutional and statutory limitations without an appreciation of the culture within which they are to be used, there is a great risk that the community will move to completely remove such tools from law enforcement's investigative arsenal.  

This is essentially what was done by the 1934 Telecommunications Act in response to the Olmstead case. The 1928 Olmstead court ruled that the government had not violated the Fourth Amendment by placing a wire tap on telephone lines some distance from the tapped residence. The court ruled that there was no violation of the suspects' reasonable expectation of privacy because there had been no invasion of the physical premises to conduct the wire tap.  

The court's opinion virtually invited the Congress to step into this area of the law to address the issue, and Congress obliged in 1934 with the passage of the Telecommunications Act. The 1934 Act effectively prevented law enforcement from using one of its most powerful investigative tools, the wire tap, for some thirty years.  

Bruce Sterling, author of the Hacker Crackdown, commented on a private virtual seminar sponsored by the Global Business network on the WELL, that law enforcement are like "shy woodland creatures" on the Net. This represents a tacit recognition that cybercops are rarely out of their "cyber patrol cars" (which are usually unmarked) as they course the Net. It is certainly understandable that law enforcement does not want to announce their true intentions on the net when they are undercover. It should be as permissible for cybercops to lie about their identities on the Net as it is for the narcotics undercover agents to do so on the real street.  

However, when cybercops are out visibly patrolling on the Net or are maintaining presence on the net, they should be mindful of the nature of their presence. A police officer who patrols a neighborhood by noisily driving by in a vehicle without a muffler, who fails to follow the rules of the road, or cannot control his vehicle will not engender respect or trust among the people on his beat. Likewise, a cybercop who does not understand the netiquette of an IRC channel or the rules regarding spamming will soon have no alternative but to go "underground" or undercover resorting to more intrusive of tools on the Net to obtain information which may be easily available from people he encounters on his beat while wearing his or her badge.  

The apprehension of one of the FBI's most wanted because of the assistance of a teen-ager in Central America who recognized the fugitive as a neighbor because of the digital wanted poster on the FBI Web page is a prime example of the salutary effect of a creative community presence of law enforcement on the Internet. The vision of that kind of presence on the Internet that my good friend Bill Tafoya pioneered will reap tremendous benefit for the safety and security of society for years to come.  

A less intrusive and more accessible law enforcement presences on the Net can have a salutary effect on crime. Even having an easily accessible site on the Net where criminal activity can be reported is a positive step forward. The use of anonymous remailers to contact law enforcement on an Internet site on the Web can permit individuals who might otherwise not report crime to come forward.  

I have placed a "cyber-neighborhood watch" section on my Web site @Cybercop.org to permit individuals to pass on information about crime on the Net to the proper persons or organizations. One of the reasons I decided to do this was in response to a comment made to me by Ann Duval during a break in the House Science Committee hearings in July of 1995 where I testified about protecting children on the Internet. Ann and her husband Bill Duval, one of the pioneers in the creation of the Internet, founded Surfwatch, a software program to help protect children from adult content on the Internet.  

Ms. Duval commented she or Surfwatch employees would occasionally encounter information on the Net that possibly pointed to criminal activity. Surprisingly, she stated that she was frequently uncertain just whom to contact to report such information. If someone with this level of interest and knowledge about the workings of the Net has difficulties finding a mechanism for reporting suspected criminal activities on the Net, there is clearly a need for law enforcement to create a more easily approachable presence on the Net for the many users who are not as sophisticated as Ms Duval. 

Suggestions

Specific suggestions for Law Enforcement as they begin to police the electronic frontier: 

Several specific suggestions are offered for law enforcement agents who are presently conducting investigations on the electronic frontier, or who expect to do so in the near future.  

1. Locate and read selected FAQ files from rtfm.mit ("rtfm", by the way is an oblique reference to a pithy response to questions from Newbies on the Net who do not take the time to read the manual before asking numerous questions about software, hardware or communications matters 
2. Join a professional organization such as the Internet Society, which has the interests of the Internet community as a part of their mission 
3. Find a mentor with well developed Net skills to tutor or guide your education about the complex world of the Internet 
4. Become familiar with the legal restrictions and implications of on line investigations. Make certain that if you *are* conducting investigations on the Net that your are not doing so without the knowledge or authorization of your agency. 
5. Develop an appreciation that the Internet is more than another method of communication, it has spawned very real communities, alliances and associations between persons, organizations, businesses and political entities (with all the benefits and perils associated with temporal communities and associations). 
6. Network with others in law enforcement through professional organizations such as the High Technology Crime Investigators Association and the Federal Computer Investigative Committee. These organizations hold frequent meetings that are extremely valuable for educating members and developing professional contacts. The HTCIA also has a listserv that links all its members on the Net. 
7. Don't ignore organizations that represent civil liberties and activist interests on the Net. They are a valuable source of information and perspective regarding matters of interest to law enforcement. 

Industrial Metaphors

Community policing on the electronic frontier and the Danger of Industrial Metaphors in an Information Age

Far more than a simple precatory language will be needed to guide the conduct of cybercops as they move out of their virtual squadrooms to police the electronic frontier.  

In an area where the law is "vaporware", there is a need for a structural and global view of the parameters needed to guide the policing of cyberspace. It would be tempting to attempt to prognosticate or divine the course that will be taken by the courts as they define the legal boundaries of this new frontier of policing.  

Unfortunately we do not have the luxury of awaiting a body of caselaw before we begin aggressively policing this new frontier. The task is far more complex than predicting how the courts will respond to the challenges faced by law enforcement in the information age, we must concern ourselves with the course of public opinion, congressional will, and media attention regarding our work on the electronic frontier.  

The Olmstead case taught us that the courts are sometimes willing to let law enforcement intrude into areas that Congress will not. The wiretapping that the court permitted in that 1928 decision was wrest from our grasp by Congress in the 1934 Telecommunications Act. Congress was far more attuned than the courts to the concept that Constitutional protections were to be predicated on protection of the person rather than protection of a "place".  

With the advent of Multi user dungeons, VRML virtual "places" and avatars, the question of what constitutes the legal definition of a "person" has come under scrutiny. Questions have even been raised in the scientific and legal communities about whether avatars and other digital personae are entitled to protections and legal status akin to what is granted to the persons whom they represent.  

This whole concept of "place" has become an unfortunate metaphor for untangling issues that have partake more of the mind than of matter. The industrial paradigm of property will not serve us well if it is the talisman that we erect to deal with issues of intellectual property and privacy in a digital age.  

Our "digital reach" must not exceed our Constitutional grasp in the pursuit of electronic outlaws. The concept of "fair play" is very much alive in the American culture and if our means are widely viewed as too intrusive, too Orwellian, or too authoritarian by the public or their representatives, then we will again be faced with the distinct possibility of loosing access to powerful tools to combat crime in cyberspace.  

It is not the tools themselves which are viewed by the public as Orwellian, it is the indiscriminate and unsupervised use of such tools that is problematic. The nature of advanced technology makes oversight of its processes increasingly difficult. The move to create "technology courts" in recent years is a recognition of this problem.  

Congressional action restricting law enforcement's access to certain tools also reflects a discomfort or fear of "Big Brother". A high level of discomfort or fear of the new technologies available to law enforcement coupled with high profile reports of abuses of these technologies could easily translate into demagoguery in political and media salons that would play into the hands of digital thugs, criminal hackers and every other criminal element found on the Net.  

The incredible ease with which individuals may access massive amounts of personal information in open source databases online is just now becoming a concern of the public at large. 

"Nethics and law enforcement on the Internet

Loyalty to the rule of law must be placed above loyalty to an agency's image, above "ends-justifies means" practices, and above loyalty to the pursuit or prosecution of criminals.  

Trust and confidence of the public in the integrity of the police is absolutely essential to the continued viability of the rule of law. It is that rule of law which distinguishes a democracy from a police state.  

The criminal justice "game" is *not* played on a level playing field. The only place where law enforcement enjoys a truly level playing field with the criminal element is in a police state. Criminal hackers, pedophiles, narco-terrorists, trans-national criminal organizations, phreakers and scam artists do not have to follow the rules as they ply their trades. Cybercops, on the other hand are obligated to obey the law as they enforce it. The way we deal with this planned "inequity of means" to obtain the desired result of justice is not to have the police become the criminals they pursue, rather it is to dedicate more assets, resources, training and skills to the task of policing.  

We must not forget the powerful resource that a motivated public represents in assisting law enforcement in the task of fighting crime through citizen involvement and action. Cyber- neighborhood watch organizations can provide tremendous assistance to law enforcement on the electronic frontier.  

We must, however, be cautious that by enlisting such public support that law enforcement does not convert the actions of a concerned citizenry into "government action". When government initiates or participates in private action it is held to the same Fourth Amendment restrictions which govern police conduct. This same concern for the actions of private individuals engaging in "government action" must be focused on the conduct of law enforcement during their "off hours" as well.  

Kevin Manson  

http://www.cybercop.org 

November 3, 1997 
ACJS_SEARCH.HTM  

Office of International Criminal Justice