The Internet is a medium that seems to transcend jurisdiction. Whenever case
law involves the Internet several pages can be found trying to explain the nature
of this network. Simply put the Internet is a network comprised of many other
networks. This meta network allows users from around the world to interact
with each other. The majority of these interactions are legal and good.
The remaining interactions are either dubious, depending on the legal codes
established by the country of residence, or simply illegal for all parties
involved. This paper will focus on the easily identifiable illegal activities
and the difficulties in prosecuting the criminals behind those actions.
In particular this paper will look at several different Internet scams, the
methodologies behind them, jurisdictional questions that arise and possible
solutions.
Traditionally jurisdiction means both the right and the power to apply law.
To derive jurisdiction several tests are applied to each case. One test
regards subject matter as in the example of a patent case. Courts who hear
patent cases must be competent in such laws. This ensures that a speedy trial
is more likely since precepts of specific laws don’t need to be explained
time and again. Another test involves the monetary value involved. In the
United States small claims courts are a limited jurisdictional arena for
litigants to argue over sums less then $5000.00 . Since jurisdiction is
generally limited to specific territories another test must decide whether
the case falls within the court’s realm of influence. The venue of a case
is often based on where the crime occurred. So if a car accident occurred
between a United States citizen and a Canadian citizen in the state of Washington
then the United States would have proper jurisdiction to hear the case.
The last and most important test of jurisdiction regards enforcement. A
court may decide on a case and issue a ruling but not have the power to
enforce it. This contention is highlighted in the on going case between
France and Yahoo!. Ironically this case shows that even though a court may
not have the power to enforce it’s laws the other criteria being satisfied
can make courts believe they have jurisdiction anyway. The cases examined
in this paper will be of a more criminal nature. The crimes, known as
phishing and pharming, are growing rapidly because prosecution seems impossible.
Phishing has a much longer history then some would imagine. Originally coined
from the contraction of “Password Harvesting” , phishing was a method of extracting
fresh usernames and passwords in the early to mid 1990’s. There is even anecdotal
evidence that the crime reaches further back into the late 1980’s on certain
Bulletin Board Systems (BBS). The procedure of the crime is very simple and
relies on two elements. First is distribution. The first major site for harvesting
was America Online. Criminals would use the Instant Messaging feature to pose as
System Administrators and demand the user reveal their password. The wording of
the messages changed often but generally stated “our records are in need of
correction, please submit your password now. Failure to comply will result in
account termination.” Users who were used to not understanding the magic of the
technology behind their service would comply out of fear. Even today users will
see warnings in their AOL Instant Messaging windows stating that, "Reminder: AOL
staff will never ask for your password or billing information.".
As the Internet blossomed the crime changed its nature. Obtaining passwords
was not as lucrative as obtaining credit card numbers. This was also due to
the changing nature of credit card verification systems and the relative value
of credit card numbers. Generating fake credit card numbers was no longer
possible as of the mid to late 1990’s so “carders” needed real credit card
numbers. On AOL, the messages phishers used changed to reflect the newly
sought after prize. “Our accounting records have been damaged. Please submit
your credit card number, social security number, date of birth and mother’s
maiden name. Failure to comply will result in a loss of service.” During the
early days this type of crime was easier to prosecute. Calling long distance
was expensive so phone records could narrow down a jurisdiction in which to
prosecute. Even if the caller was a “phreaker” (one skilled in hacking the
phone system to place free long distance calls) one could assume that the
caller was probably operating out of the United States. Even more one could
generally assume that both parties (plaintiff and defendant) were both citizens
of the same country.
With the Internet everyone was local. Instant messaging moved to the global
network and now criminals as far away as Spain could easily phish for new
credit card numbers in New Mexico. This development allowed phishing to take
on newer forms although the same name is still used for the crime. The newer
forms are even more difficult to deal with from a jurisdictional viewpoint.
Spam is sent out to millions of potential victims masquerading as official
bank memorandums. These memos state that “our records are in need of
verification, please submit the following information”. The victims are
presented with a hyperlink that will take them to a fake site. The graphics
and layout for these fake sites will exactly mimic the real web site. The
only difference of course is that instead of updating information at the bank
the victim is submitting their most personal details to criminals.
Pharming is yet another tactic used by more technically adept criminals, or at
the very least by criminals who have paid off hackers to help them with their
operations. Pharming uses advanced techniques such as DNS poisoning to effectively
hijack a website. A simple way to think about this type of subversion is a
standard telephone number. If one dials 1-800-WALMART the
numbers 8 0 0 9 2 5 6 2 7 8 are pressed every time. What if a virus changed
the values for each of the buttons? So instead of ringing Wal-Mart the criminal’s
phone was dialed. Now instead of placing a phone order or asking about a
shipment the criminal could extract your personal information. Pharming works
in a similar fashion by changing the numeric values associated with the names
typed into a URL. This technique was most visibly noted when China first began
“negotiating” with Google in 2003. Chinese citizens who typed http://www.google.com
into their browsers were sent to various state run search engines. China didn’t
try to disguise the sites to look like Google; however, in pharming operations
the end result isn’t as overt. When a victim types the name of a hijacked
website into the address bar, the look of the website, even the certificates
can appear to coincide with the actual site. The difference is overwhelming.
Phishers must fool victims one at a time while a pharmer will capture every
person who happens to visit during a certain time period. This is even more
troubling given the nature of certain virus attacks seen lately. One of the
tools used to disable the victims anti virus capabilities is to modify the host
file. This file is like a local directory and overrides all DNS settings. In
the virus attacks, every update site (Microsoft Windows Update, Symantec Live
Update, etc) are set to 127.0.0.1 in the host file. 127.0.0.1 is a technical
address which describes a “loop back” or local host. This will stop cold any
attempt to contact the anti virus update sites for a current definition of the
threat attacking. An analogous situation is an attacker changing 911 to dial
the number of the phone the victim is using thus creating a constant busy signal
when help is most needed. Should pharmers start using this tactic, and evidence
in reports are showing this to be true, they can easily point a request for a
bank’s website to servers under their control. With so many countries involved
it is difficult to state who would have the right to try these criminals in a
court of law.
Personal jurisdiction, the power of a court to hear a case out of its normal
territory, are cloudy in cases such as Internet scams. In tort cases such as
Gutnick v. Barons it was established that an Australian court could hear a case
even though the plaintiff was based out of the United States. Yahoo! v. France
is yet another case where personal jurisdiction has brought foreign plaintiffs
into courts. In both cases an element of “minimum contact” was satisfied. Minimum
contact is the established contact of the two parties in the jurisdiction of the
court. So in these cases, even though the defendants didn’t technically fall
within the jurisdiction of the court, contact was made via the Internet. This
contention is still the subject of much debate since the Internet could
technically satisfy minimum contact for any person against any other person in
any country with an ISP. The criminals behind phishing would satisfy minimum
contact for at least 50 countries with every swarm of spam that is released.
With such an obvious danger to the public one may wonder why things have become
progressively worse. The legal enforcement arms of the United States have
increased budgets and training yet the crimes seem to flourish. One of the
largest reasons is that many victims are too ashamed to come forward. In the
case of phishing and pharming victims choose to deal with the banks. Banks
must consider their own brand which should imply trust. As such they tend to
accept losses in favor of derogatory media coverage. Of the small percentage
of victims who do report the crime an even more difficult problem arises. The
crime committed has crossed not just state lines but international borders.
Sometimes the crime takes place in more then two countries. In the instance
of a phishing website let us assume a standard operation. A criminal in
Nigeria has harvested email addresses from web based guest books across the
Internet. The criminal then emails millions of victims with a hyperlink
pointing to a website under his control. The web site is setup on a web
server located in London. Victims of the scam enter their information from
their personal computers in the United States. To properly prosecute this
crime police from all three countries would have to work together. Even
worse, courts from all three countries may feel they have the personal
jurisdiction to hear the case.
Phishing, which falls under identity theft, is illegal in the United States.
It is specifically covered under the Identity Theft and Assumption Deterrence
Act of 1998 (ID Theft Act). In the global nature of the Internet the ID Theft
Act is simply a local statute. Legally speaking phishing also violates United
States trademark laws since the web sites erected use the logos of the banks in
unauthorized ways. The typical reaction by banks is to contact the responsible
Internet Service Providers (ISP) and have the site shut down immediately. Unlike
cases such as Playboy Enterprises, Inc. v. Universal Tele-Talk Inc., and
Jay D Sallen v. Corinthians LTDA the banks realize they don’t have a chance of
getting trademark infringers in court. Even if they were able to find the
criminal and get them into the court the damages would be so high that the
criminal would never pay them.
One possible solution is to enforce absolute location information for every
computer on the Internet. As Global Positioning Systems (GPS) drop in price
it is reasonable to assume that computers could all transmit their exact
coordinates in the future. While this may technically fix the problem of
verifying jurisdiction and even the location of alleged criminals there are
other problems. The state of Georgia attempted to make legislation that made
illegal the masking of identity on the Internet.
The code, Georgia Code 16-9-93.1, was brought down by the ACLU of Georgia
because at times anonymity is needed on the Internet. The case of whistle
blowers and even medical patients seeking help online underscored the need
for a person to not identify who they are. Assuming all privacy rights were
thrown out the window and this type of legislation were enacted it would not
entirely help the situation at hand. Most criminals of this nature are
operating out of cybercaf
