Computer Crime Research Center

Paedophiles: Tightening the net
(By Simon Davies)

Every website you visit, every payment you make, every e-mail you send is open to surveillance. Fears over child pornography and terrorism have ended the ideal of a free and secure internet.

There was a time, not so long ago, when police could get away with claiming that the internet was a dangerous and lawless environment filled with untraceable villains. If they made that claim today, they would be lying.

My many colleagues in the field of internet security are now unanimous in the view that privacy in cyberspace is dead. Well, virtually dead. No one should believe for a second longer that the internet is a secure place it leaks like a colander. Over the past five years surveillance capability has been designed into the core of the system to the extent that it is now absolutely hostile to privacy.

Traces of the sites you visit, the computers and phone lines you use, and the emails you send are available to any organisation with the mandate, the motivation and the resources to access them. There is little you can do to prevent this default surveillance.

The breathtaking number of internet-related arrests in the past two years demonstrates this, and also that the global financial environment and the international integration of law enforcement agencies have evolved beyond recognition. Operation Ore is a case in point. Many of the thousands of suspected paedophiles targeted by detectives believed they were safe from scrutiny. Maybe they figured that by using a "secure encrypted" payment link, that they were somehow invisible. Or perhaps they foolishly thought that visiting an overseas website afforded immunity from action by UK police. This is an idea as erroneous as the myth that deleting something from your computer actually gets rid of it. Any electronic payment you make will be stored in at least a half a dozen major databases, each ultimately accessible to any law enforcement agency.

The Paris-based Financial Action Task Force (FATF), responsible for tackling money laundering and the black market, has brokered dozens of international standards and laws that ensure the transparency of most financial transactions. Unless you happen to purchase from a Chinese website using a Nigerian-issued credit card (neither of which is likely to co-operate willingly with Western police), you are likely to be tripped up somewhere along the way.

The old claim by police that the internet puts crime out of the reach of law enforcement is largely untrue these days. Gus Hosein, an expert in police co-operation at the London School of Economics observes "concerns over child pornography, terrorism and trans-national crime have created legal regimes that are being harmonised across borders". The newly formed Council of Europe Cybercrime convention significantly increases the power and scope of investigating authorities. There is still a long way to go, but the creation of hundreds of international "mutual assistance" agreements have brought the world to the primary stage of globally integrated policing.

In the fight against internet crime these two developments financial transparency and international police co-operation rely heavily on two further pillars of support: communications surveillance and computer forensics. Combined, these four aspects of law enforcement create an almost seamless dragnet across cyberspace.

Unless extraordinary and complex measures are taken by the user, investigators are able to retrace every move. Information about all our internet activities is stored by e-commerce websites, employers, and internet service providers (ISPs). "The Government hopes to force ISPs to store this information for several years so that it can be accessed in later investigations," says Dr Ian Brown, director of the Foundation for Information Policy Research. "It can already require that ISPs insert surveillance devices in their networks."

The passage of the Regulation of Investigatory Powers Act is one of half-a-dozen recent pieces of UK legislation that create the potential for almost limitless surveillance. Under the new laws a range of public authorities will be able to obtain a list of email activity and websites browsed for a very broad spectrum of purposes. A secrecy clause already prevents ISPs from notifying their users of interception warrants issued against them. And the Government's planned monitoring centre located in MI5 could keep watch on any number of people, without any ministerial or judicial warrant.

Any expert in the communications field knows what steps can be taken to resist surveillance, but in the climate of fear over terrorism and child pornography few of us will publicly discuss those measures. Even if the formula for secrecy were made public, the requirements for following it are so onerous that barely a fraction of users would ever do so. (It involves using a complex combination of public computers, encryption systems, anonymous re-mailers and temporary email addresses.)

If the current porn environment remains constant, law enforcement authorities will ultimately hold the trump cards. The proliferation of child porn depends on the collection of credit card details or lists of email addresses for the swapping of images. As the internet becomes more surveillance friendly, "porn clubs" are increasingly exposed to investigation. And as financial institutions are bound by more transparency co-operation agreements, the use of a credit card on the internet brings the customer a substantial risk of discovery.

Having said that, the porn business is a lucrative one, and there is always a risk that while throwing away the privacy of all internet users, we merely create a new market for surveillance-resistant technologies. What if, for example, porn sites start to offer customers a "plausible deniability" defence by setting up a respectable "front operation"? A website dealing with antiquities might have a hidden link to child porn. Or what if porn entrepreneurs start to use steganography, in which illegal images are hidden inside legitimate images? A thousand pictures of Julie Andrews might each contain, in the grains of her skirt, pornographic images. Police would never know.

We face a dilemma of complex proportions. The internet was designed for free and secure communication. It was meant to be a balancing force against tyrannical government. If we destroy this in the quest to crack down on pernicious activities, we deal our democracy and our children an incalculable injury. We could end up with total loss of privacy and a porn industry immune to infiltration.

Simon Davies is a visiting fellow in the Department of Information Systems of the London School of Economics, and director of the watchdog group Privacy International


Home | What's New | Articles | Links
Library | Staff | Contact Us

Copyright Computer Crime Research Center 2001, 2002 All Rights Reserved.
Contact the CCRC Office at +38 061 220 12 83