Computer Crime Problems Research Center

Bryan Robinson

Taking a Byte Out of Cybercrime Evolving Crime

Nicodemo Scarfo Jr. thought the Internet was a foolproof way of running his gambling operation little did he know that he was under virtual surveillance every time he typed in his computer password.

Scarfo, a New Jersey mobster, was sentenced last month to the maximum 33 years in federal prison after pleading guilty to running an illegal gambling ring. FBI agents secretly wired Scarfo's office computer with a "key-logger" surveillance system and were able to find out his password. That password unlocked the gambling records the government used to build a case against him.

Scarfo's case illustrates just one way federal and other law enforcement officials have been relying increasingly on cyberforensics to track down criminal suspects. Investigators have had to become Web-savvy and acquainted with cybertechnology to adjust to an evolving crime world that includes Internet porn, sex predators in chat rooms and possible terror plots.

But privacy advocates worry that government officials may be giving law enforcement a license to trample on individual rights.

"There has to be some provisions, some type of system that calls for subpoenas, some kind of judicial process before police are allowed access to records of Internet use," said Charles Hoofnagle, legislative counsel for the Electronic Privacy Information Center.

"I know there are some bills being considered in Congress that would allow officers just to show up and demand that the ISP [Internet service provider] provide records," said Hoofnagle. "And we need safeguards against that because there are some corrupt officers out there who can just lie. An ISP can act in good faith when a police officer can act in bad faith."

Still, law enforcement officials argue that cyberforensic tools enable them to combat more sophisticated criminals and criminal activities. Everyone is entitled to their right to privacy, law enforcement officials say, but not at the expense of breaking other laws. Privacy is not a ticket for criminal activity.

"Whether you're surfing the Web, using an ATM card, conducting transactions, we are doing everything online. That means that there's going to be more information, more witnesses online as law enforcement searches for evidence," said Mark Pollitt, director of the FBI's National Program Office for Regional Computer Forensic Laboratories.

"If you're going to continue to combat crime effectively, you have to go where the witnesses are where the information, the evidence, and the bad guys are," said Pollitt. "All the bad guys are online now."

Terror Tactics on Non-Terror Crimes

Still, one bill privacy advocates have criticized in particular for giving law enforcement officials a license to act in bad faith is the USA Patriot Act. Passed by Congress last October following the Sept. 11 attacks, the bill expands the powers of law enforcement officials to investigate cases involving terrorism and foreign intelligence.

Among other things, the act makes it easier for law enforcement officials to obtain Internet use records from libraries. Agents only need to present a search warrant, not a subpoena, to get the records a quicker process for law enforcement.

Critics say the act has removed, or at least minimized, the judicial safeguards protecting potential suspects and ensuring investigations are conducted properly. They also fear investigators would use the Act to justify their actions in routine investigations unrelated to terrorism or use tactics designed for terrorism probes in typical criminal cases.

Scarfo's attorneys say this already happened, long before Sept. 11 and the passage of the Patriot Act. Before his guilty plea and sentencing, Scarfo and his attorneys challenged the methods government investigators used to obtain evidence against him.

They argued that FBI agents violated his Fourth Amendment right to privacy. They also argued that FBI agents should be forced to reveal how the key-logging system works so that they could have all the information needed to present a defense.

Prosecutors countered that agents had not violated any wiretapping laws or Scarfo's rights. Citing the 1980 Classified Information Procedures Act, they argued that they could not divulge the workings of the key-logging system because it would jeopardize ongoing and future investigations and undermine national security. A judge sided with the government.

And in some ways, Scarfo's lawyers said, the Sept. 11 attacks helped justify the methods used to obtain the evidence against his client.

"Yes, I do think Sept. 11 played a role [in the judge's ruling upholding the government's use of key-logging," said Vincent Scoca. "Despite the outcome, I believe this case was important in that it brought attention to an important issue. Citizens should be aware of the different ways their privacy may be invaded."

"We are not opposed to using key-logging and other methods, as long as it's used on terrorism," Scoca continued. "To use these methods on run-of-the-mill crimes like the one Mr. Scarfo was accused of seems like overkill to me."

Virtual Fingerprints of an Alleged Serial Killer

Criminal investigations aside, most people, like Scarfo, believe their travels on the Internet the Web sites they peruse, the chat rooms they visit, the items they download can remain private and have no idea what kind of trails they leave behind.

"Basically, whenever you go online, you're leaving a track," said Peter Shenkin, professor of Computer Information Systems in Criminal Justice and Public Administration at John Jay College in New York. "For instance, when I log on, I have unique number, an IP address, assigned to me by the Internet service provider, and I have that address as I go from one site to another. If I access a site, that site makes a record of my IP address. They know when I was online, how long I was on the site, what pages I looked at."

Accused serial killer Maury Troy Travis had no idea that he would leave police a virtual trail when he allegedly sent a letter to a St. Louis Post-Dispatch reporter. The letter was sent in response to an article about a slain prostitute believed to be one of the victims of a serial killer in Missouri and Illinois. The note to the reporter read, "Nice sob story. I'll tell you where many others are. To prove im real here's directions to number seventeen. [sic]"

The second part of the letter contained a downloaded map of West Alton, Ill., marked with an X. Police went to the spot marked by the X and found a woman's skeleton. But that was not the only information the map provided. By surfing on different travel sites, Illinois State police found out the map had been downloaded from After receiving a federal subpoena from investigators, pulled up the IP address of every user that had looked at the map in recent days. There was only one person.

The FBI subpoenaed the Internet service provider to find out who had been assigned the IP address. That user, ISP records indicated, turned out to be Travis, who resided in St. Louis County. FBI agents searched Travis' home and found blood spatters and smears throughout his home and on belts and other things used to tie people up.

Travis was arrested and charged with two counts of kidnapping. Officials suspected him in the killings of six prostitutes and four unidentified women found in the St. Louis area between April 2001 and May 2002 and were reportedly planning additional charges for murder.

However, Travis killed himself while jail. After his death, police said they believed he was possibly involved in as many as 18 slayings. Arguably, investigators would have never received their break if Travis had not sent the letter and been aware of the virtual fingerprints he left behind with the downloaded map. And the Illinois State police were Web savvy enough to see the fingerprints.

"Technology itself is not the issue," said Pollitt. "For example, a car is not good or bad; it's neutral. But like virtually everything else, technology can be used for good as well as bad things. The real issue is human behavior. Cyberspace is like anyplace and if you suspect something is going on, or you see something illegal, we expect people to report it, to come to law enforcement."

In Travis' case, it seems he unwittingly reported himself to law enforcement.

Room for Error

Some may be surprised that the ISP records in the Travis case were not deleted right after the user logged off. That, experts say, is another misperception by computer users who think their privacy is ensured.

"It really depends on the ISP," said Hoofnagle. "Some ISPs keep data longer than others, some keep records long enough to meet certain law enforcement compliance requirements. If you go to Europe, you have ISPs that keep records as long as seven years."

There is the possibility of error. Investigators and advertisers are able to trace someone's Web usage tendencies, but what about identity theft? What if someone gets ahold of your username and password and performs illegal activities over the Internet using your name?

"No doubt with more sophisticated technology, we are better able to track the movements of people. Still, there's no doubt identity theft certainly can occur," said Charles Marske, professor of sociology and criminology at St. Louis University. "It's kind of a mixed bag. We can track people but we can't be absolutely sure who we're tracking."

Still, officials from the U.S. Attorney's office in New Jersey are unapologetic about the way they prosecuted Scarfo. The key-logging system was a new, effective way to bust a gambling ring that Scarfo ultimately admitted running. Assistant U.S. Attorney Ron Wigler, who prosecuted Scarfo, said the judge's decision and past court rulings support the tactics agents used in the case.

Investigators expect the privacy debate to continue as they employ more innovative and perhaps more invasive tactics. However, their primary concern remains tracking and combating crime they are not lawyers.

"It's a balancing act. Certainly the personal privacy of others should not be violated," said Pollitt. "We've seen the issues regarding law enforcement and privacy litigated before and we're going to continue to see them litigated. But that's not the job of law enforcement. That's a job for the courts."

Privacy Versus Crime and Terror Fighting

Investigators in the Scarfo case refused to comment on whether the key-logging system was being used in other investigations and whether there would be more cases prosecuted as a result of the system. And federal investigators refuse to reveal the specific new devices they are using to track potential suspects over the Internet. Experts say biometric tracking devices for keyboards have been developed that will verify the identity of computer users, but add they may be years away from use.

Law enforcement authorities have made good use of the technology available to them now. In March, the FBI announced the arrest of 86 people in "Operation Candyman," a sting that targeted an e-mail group that was really international Internet child porn ring in disguise. The FBI expects to make similar arrests in ongoing stings on virtual porn rings.

An e-mail and Internet use records have been tools agents investigating the Enron scandal and were used by police searching for clues on the whereabouts of Chandra Levy before her remains were found this past May.

Still, in a post-Sept. 11 world of increased surveillance and a constant state of terror alert, the privacy questions surrounding the ever-evolving cybersleuthing tools of law enforcement will continue.

"As the technology and computers in our society have advanced, so has our ability to be tracked," said Marske. "With what's happened since Sept. 11, it illustrates that every generation encounters a new dilemma where they must decide whether they are willing to sacrifice some individual freedom for the greater good of the country. We saw it during World War II and what we did to the Japanese in this country, and we're seeing it now."


Home | What's New | Articles | Links
Library | Staff | Contact Us

Copyright Computer Crime Research Center, 2001-2002 All Rights Reserved.
Contact the CCRC Office at 380-612-735-907