The Cybersecurity Canon: The Internet Police: How Crime Went Online, and the Cops Followed

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Hannah Kuchler: The Internet Police: How Crime Went Online, and the Cops Followed (2014) by Nate Anderson

Executive Summary

The Internet Police is a solid primer to many of the cases that helped define law online – from fighting against child pornographers to litigating against the masses who have downloaded music illegally. Nate Anderson, deputy editor at technology news site, Ars Technica, writes clear and, at times, entertaining tales about a large variety of online crime, including the creation of the Silk Road and the colorful lives of spammers.

But the book lacks an overarching narrative that would put the cases in context and help the reader to draw conclusions about the future of online enforcement. While useful for someone with an interest in learning more about specific court cases, it is not essential reading for the cybersecurity community and so does not make the cut for the Cybersecurity Canon.

Review

The Internet Police begins in a place that law enforcement agencies find hard to reach: a platform in the middle of the North Sea.

Sealand may be only seven miles from the English coast, but it is a separate jurisdiction that specialized in hosting sites, such as online gambling portals, that were prohibited in other countries. This offshore platform illustrates the fundamental problem of policing the Internet: bytes can travel across borders in seconds, always finding somewhere happy to host them.

This is one of the three major challenges for online law enforcement that Nate Anderson sets out at the start of The Internet Police. The second is that the structure of the Internet means network intelligence is stored on peoples’ computers, not in a central depository easily accessed by law enforcement. The third problem is that anonymity rules online, making it hard to identify individuals with any great certainty, even when armed with an IP address.

However, Anderson quickly goes on to explain why these three challenges were not ever as difficult as the so-called “Internet police” had feared.

To help address the jurisdiction problem, he argues the police could pursue online criminals based in their own country and rely on extradition from friendly countries. The decentralized structure still has its pressure points, such as ISPs and large Internet companies, which could be pushed into disclosing information. Finally, “anonymity,” he said, “turned out to be the province of the deeply skilled” and committed to disguising their identity. With a court order, most police can obtain enough information to identify a suspect.

Anderson’s argument would be more powerful if he used more detailed data and examples to back it up. It is true that police and other agencies have become skilled in tracing online identities and the NSA revelations – which Anderson devotes his Afterword to – make it clear that government can use a few key access points to gain a treasure trove of sensitive information. But he does not detail how successful extraditions have been, or how many online criminals have made their homes in countries which are not friendly to the U.S. He also skips writing about cyberattacks and hackers completely, most of which have been able to use anonymity, foreign jurisdictions and the decentralized nature of the Internet to their advantage.

If there is any clear lesson from the examples detailed in the book, it is that you cannot fight online crime with traditional methods: you have to turn to technology. Even when a prolific spammer is located, hundreds of millions of dollars in fines can mount that will never be paid. But much of conventional spam is now filtered away from our inboxes automatically with algorithms.

The music industry spent years and vast amounts of money chasing illegal downloaders of songs, in court cases against individuals on modest incomes, which often turned public opinion against the big companies. Now, the industry just sends lists of IP addresses to the government to let tax dollars do the work.

Overall, The Internet Police lacks a behind-the-scenes insight into how cops more familiar with chasing criminals down the street made the transition to pursuing crime online. Anderson does not quote any police officers or show any deep understanding of how law enforcement had to train its staff or hire new, more tech-savvy officers to tackle new threats.

Anderson writes both about the crimes that the police are tackling and how the online tools they are using may overstep the boundaries of privacy. He touches on evergreen debates about how much data it is appropriate for the FBI to harvest, the uses and misuses of encryption, and stories of law enforcement bending the existing rules to suit their needs. These tales are interesting for those who need an understanding of how arguments that hit the headlines today have existed for decades.

But the author does not reach a strong conclusion about what police should be allowed to do online to keep the population safe – and what oversteps the mark into spying. He warns that citizens need to keep an eye on the police and their tools and make “prudential judgments.” Anderson advocates instead for “productive chaos,” writing at the end: “Life is a messy business on the Internet as it is everywhere else, and we are never going to engineer the mess out of it.”