Chapter 10

Covert Operations on the Internet

This chapter introduces the reader to considerations when working covertly or undercover on the Internet. These considerations include the basic outlines for the policy, management concerns, and ethical issues. Special areas of attention, such as entrapment, identity take over, and appropriating versus assuming online identifies, Terms of Service agreements, are also discussed. Additionally, the major steps are covered to consider when developing an online undercover personas for use in investigations. The unique challenges faced with developing an undercover social media profile are also analyzed. Additionally, the importance of preventive steps and countermeasures is also noted. Finally, suggestions for avoiding problems or concerns that may arise during an online undercover operation are presented.

Keywords

Undercover; policy; persona; ethics; entrapment; Internet Crimes Against Children (ICAC) Task Forces; identity take over; assuming versus appropriating online identity; Terms of Service; Bitcoins; virtual currency; digital currency; countermeasures

Some of the bravest and the best men of all the world, certainly in law enforcement, have made their contributions while they were undercover.

Thomas Foran, Former United States Attorney

Covert operations on the Internet

Covert operations on the Internet and online undercover work are becoming an increasingly important task for the Internet investigator. Being undercover on the Internet is significantly different than doing the same activity in the real world. Think about it for a moment. Is there any way in the “real world” a 40-year-old male cop could successful impersonate a 13-year-old female to catch a sex offender? Only with the advent of the Internet are such investigations possible. Although the contact may not be in person, the skills are very similar. This chapter will help to outline the process to establish a properly configured undercover persona and use that identity during your Internet investigations.

Working covertly on the Internet is not a function of simply making a Hotmail account and sitting in a chatroom. Unfortunately online undercover investigative training, even for law enforcement, is not always provided. Tetzlaff-Bemiller (2011) noted that law enforcement personnel training for targeting sexual predators is not consistent across all units or agencies. To maximize effectiveness and to insure cases are not lost due to the use of improper techniques, there needs to be consistency in the content and frequency of undercover Internet investigation training.

Additionally, investigators and their employers have to develop effective policy, skills, and operation planning techniques to conduct covert and online undercover operations. So what is the purpose of working covertly on the Internet? Covert operations, like all investigative activities, are either proactive or reactive. They include:

• General intelligence gathering, including establishing information sources, identifying locations and web presence of questionable activities, and mapping online and social relationships/networks.

• Seeking out and identifying illegal behavior and establishing a crime has occurred.

• Establishing motives for crimes.

• Identifying relationships between targets, victims, and other subjects.

• Establishing whether the illegal activity constitutes a criminal enterprise and identifying the structure of that enterprise, including its leadership and assets.

• Providing location information of the targets, relationships, and victims.

• Disproving possible alibis of both targets and victims.

• Plan for and communicate with suspects/targets.

The traditional purpose of undercover activities is to gain the trust of an individual while acting as someone else to learn something useful to your investigation. Working undercover on the Internet has the same purpose. Only the location has changed. The Internet has numerous areas that can provide the undercover investigator with opportunities to find additional information related to their investigation. We have previously discussed these locations, each of which has its own protocols with unique methods of identifying, collecting, and presenting usable information. Common among all of these is the development and planning process prior to going online. Additionally, Internet investigators going undercover have to prepare their identity as any other undercover operative. Besides the investigative planning steps noted in Chapter 4, Internet undercover operations also include:

1. Clearly identifying the purpose: This is singly the most important part of the process. Is the purpose to establish the elements of a crime that has already occurred or it to be proactive and to stop a crime before it has been completed? Maybe the purpose is general intelligence gathering or “open source investigations,” which were discussed in Chapter 4. Whatever the purpose, it must be specifically defined to keep the investigation focused.

2. Identify the means: What undercover persona (emails, profiles, etc.) needs to be developed? This will be dictated by the area which is the investigation’s focus. Is the investigation centered on chatroom activities or on IRC channels? Is it a P2P investigation? All of these locations require different means to go undercover. Additionally, it is also necessary to identify the needed offline communication methods, such as undercover cell phones and postal addresses, while maintaining the undercover personas.

3. Define time resources: What days and hours will you be online? This answer will likely be dictated by your undercover persona. You can’t pretend to be a minor if you are online when you are supposed to be in school or asleep. You also create difficulties if you are pretending to be located in one area, such as Europe, but are regularly online consistent with someone located in a Pacific Standard Time zone. How long will you be undercover in an online area before you conclude it is time to adjust your persona or location or altogether discontinue the activity?

4. Identify documentation requirements: How are you going to document your undercover activities? Up until this point we have talked about capturing websites and taking screenshots. However, documenting undercover activity online involves capturing not only the target’s activities but also your interactions with them. Also, don’t forget to consider any legal requirements that may exist for how you record your activities. For instance, recall in Chapter 4 we noted there are 12 states (CA, CN, FL, IL, MD, MA, MI, MO, NV, NH, PA, and WA) which require two-party consent to record a communication, unless some legal process is met. Deciding how you are going to meet that requirement is important if you have to record a telephone or Skype communication with your target. Additionally, undercover investigations in a gaming environment will likely require digital video capabilities to capture the interactions with targets. As such, a special area or room may be needed.

5. Plan for the unexpected: Undercover investigations occur in real time and you have to expect the unexpected. What if your target, a sex offender, wants to meet you as minor, in half an hour? How will you handle it? Will you be able to marshal the manpower needed in a moment’s notice or will you need to come up with a reasonable excuse why that can’t happen. Brainstorming “what-if” scenarios as well as training and experience will help you be prepared for the unexpected.

“On the Internet no one knows you are a dog” (Fleishman, 2000)

Working undercover online requires the investigator to act as someone else. The process of building an undercover background to use on the Internet can be from the simple to the complex. Simple can include merely creating a fake Gmail account. More complexity can be actually building a persona and supporting information about the identity. The investigation will always dictate the level of persona required. Each investigator should plan ahead for this purpose. This can be done by building a variety of personas. Some of these will be a general use tools such as throwaway email addresses. These can be used and dumped if the case is over or the account has been compromised during the course of its use. The building of a more complete persona can be simply preparing a personal background for the identity.

Internet operations and policy considerations

Undercover online operations are becoming more common, but management control still needs to be in place to ensure compliance with agency/company policy, local regulations, and the law. The first issue to resolve is does my agency/company have a policy regarding “Undercover Operations”? The reason for policy is to ensure not only compliance with company direction and the law, but to give the investigator the boundaries by which they can conduct undercover operations on the Internet. When considering the policy, the investigator should identify whether or not the investigation falls within the jurisdiction of the agency or company. The investigator needs to insure that their actions never exceed their authority. Even though the Internet is essentially an open book, there are some legal limits to your investigations. Additionally, the policy needs to ensure that the investigators actions do not violate federal, state, or local laws regulating undercover investigations.

Other policy considerations include how an agency or a company selects personnel for conducting undercover operations. Historically, undercover personnel in the real world have been selected based on their skills in dealing with people. A good “talker” or someone that can BS very well, outgoing, and aggressive was a good candidate for undercover work. On the Internet those same skills, along with a technology savvy background, are the kind of talents required to successfully investigate crimes online in an undercover capacity. The persons assigned to this kind of work should be volunteers and not personnel chosen because a slot needs to be filled. Persons selected for undercover work should not only possess the above skills but be interested in the work to safeguard the program’s integrity. Assigning disinterested personnel could have a detrimental effect on the program.

Some undercover assignments, even on the Internet, can be stressful and result in the possibility the investigator may develop mental health issues or concerns. Child abuse and pornography investigations are the most obvious. Wolak and Mitchell completed a 2009 study involving 511 agencies, whose employees work with Internet Crimes Against Children (ICAC) Task Force. Online survey responses were solicited from the participants. They found that about half of the survey participants were concerned about the psychological impacts of work exposure to child pornography. Thirty-five percent of ICAC Task Force participants had seen problems arising from work exposure to child pornography. The study also reported:

Survey participants noted that undercover investigations in which personnel pose as minors also create difficulties for some personnel because of their sexually explicit content. ‘Those that engage in undercover chat operations or those that work cases involving communication between adults and children are exposed to material that I believe can be just as harmful …’ (pg. 9–10)

Any stressful situation can cause mental health concerns if not monitored or identified by supervisors governing the investigations. The investigator needs to be aware of this as a problem and should pay attention to themselves and coworkers in an attempt to identify potential issues. From a policy concern, the agency or company should have guidelines for how to deal with investigators’ stressful situations from working undercover. This is particularly true for any law enforcement investigation dealing with the constant viewing of child pornography, not to mention the audio that unfortunately is present with many of the moving images. As noted above, frequently portraying a minor or deviant online to communicate with sex offenders, even without child pornography as a factor, can have a detrimental impact on an investigator’s mental well-being.

Some of the things the policy should address are there any preassignment screening conducted? One area noted by Wolak and Mitchell was the need for open communication with new staff about the nature of child exploitation investigations and what may be encountered by the investigator. They also noted an inquiry might be warranted to determine if the potential investigator might be particularly troubled by these investigations, for instance being a victim of abuse or currently having children themselves. Additionally, openly discussing potential negative effects on the investigator and what may be done to alleviate stress should be covered. Other policies to consider are regular screening and conducting post assignment screenings. Such proactive measures can aid in the identification and prevention of problems encountered by an employee during undercover Internet operations.

Jurisdictional considerations are another area that the investigator should be aware of and have references to in their policy. In the United States, some Internet crimes may share joint jurisdiction, with one legal entity having stricter penalties that might be more appropriate for the crime. Certain crimes lend themselves better to state and local jurisdictions versus federal prosecution. At other times a federal prosecution is a better course of action. Operational policy should provide guidance on the best possible options for the investigator’s case. The investigator also needs to be aware of their jurisdiction’s legal requirements for these cases. Some state statutes have elements that require there actually be a “real” victim and not just an undercover law enforcement investigator acting as one. As always the facts of the case should dictate involvement of different investigative and prosecutorial jurisdictions. The key for the investigator is to know and use all available legal resources.

Corporate investigators have their own concerns when it comes to jurisdiction, in particular when crossing international boundaries. For the investigator, these can cause significant issues they need to consider. Many countries have very different laws regarding, privacy, how Internet crimes can be prosecuted and how to deal with employee terminations based on internal investigations related to employee’s Internet actions. Clearly policy guidelines need to be vetted by the agencies or company’s legal authority.

Get Connected!

Investigating online sexual exploitation of children is a resource intensive law enforcement activity. Going undercover, particularly when other agencies are working cases, may result in duplication and a waste of resources. It is also not unheard of to have one sex offender communicating simultaneously with several undercover investigators in different jurisdictions in an attempt to have illicit relations with a minor. As a result, there is a need to coordinate these cases and for investigators to be able to communicate with one another. In the United States, ICAC Task Forces were created to help federal, state, and local law enforcement agencies enhance their investigative responses to offenders who use the Internet to sexually exploit children. Funded by the US Department of Justice, Office of Juvenile Justice and Delinquency Prevention, the ICAC program consists of a national network of 61 coordinated task forces representing over 3,000 federal, state, and local law enforcement and prosecutorial agencies. The ICAC program provides training and guidelines on how to properly conduct these online investigations to its member agencies. For a state or local law enforcement agency seeking to become a member go to https://www.icactaskforce.org/Pages/TaskForceResources.aspx.

Additionally, in May of 2006, the US Department of Justice initiated Project Safe Childhood (PSC), a unified and comprehensive strategy to combat child exploitation. This program combines law enforcement efforts, community action, and public awareness. The five essential components of PSC are (1) building partnerships, (2) coordinating law enforcement, (3) training PSC partners, (4) public awareness, and (5) accountability. Law enforcement seeking to become a PSC partner should contact their local US Attorney’s Office.

Other countries frequently have their own programs. In Canada, the Royal Canadian Mounted Police (RCMP) operates Integrated Child Exploitation (ICE) Teams, whose objective is to work… “in conjunction with the RCMP Tech Crime Unit, is to identify and assist child victims of sexual abuse, identify those responsible for the abuse and to lay appropriate criminal charges for the assaults, creation of the images and their distribution.”

In short, these cases are too important, to go it alone. Reach out and get connected to other law enforcement agencies in your area working these cases. You will be better trained and better prepared to investigate these online cases.

Ethics during undercover operations

Obviously the investigator conducting online investigations and those conducting undercover operations must follow a code of ethics that can define proper procedures. Investigators must follow all state, local guidelines and federal laws. But there are several other sources that the investigator should look to for guidance. The High Technology Crime Investigation Association (HTCIA) has a code of ethics and core values that if followed can give a proper foundation for conducting investigations, regardless of their type, i.e., criminal or civil. Additionally groups like the International Association of Investigative Specialists have membership code of ethics that drive the investigation of digital evidence. The High Tech Crime Consortium (HTCC) also has as its first goal… “To endorse high ethical standards and best practices in the investigation, acquisition and examination of digital evidence.” Additionally, HTCC is a partner in the Consortium for Digital Forensic Specialists, which is working to consolidate the digital forensic field around common standards and ethics.

HTCIA Core Values

1. The HTCIA values the Truth uncovered within digital information and the effective techniques used to uncover that Truth, so that no one is wrongfully convicted!

2. The HTCIA values the Security of our society and its citizens through the enforcement of our laws and the protection of our infrastructure and economies.

3. The HTCIA values the Integrity of its members and the evidence they expose through common investigative and computer forensic best practices including specialized techniques used to gather digital evidence.

4. The HTCIA values the Trusted network of forensic and investigative professionals within private and public businesses including law enforcement who share our values and our vision.

5. The HTCIA values the Confidentiality of its membership and the information, skills, and techniques they share within the association.

Some areas that are not generally described in ethics statements are the not so obvious, such as offensive behaviors when conducting Internet investigations. We are not referring to offending someone, but the act of going on the offensive. The investigator again has to understand his role in the investigation and what he can and cannot legally do during the investigation. When do his actions cross the line from investigating a crime to potentially perpetrating one himself? This has been the age old problem with undercover operations and investigators’ interaction with the criminals. In fact, J. Edgar Hoover, the first director of the Federal Bureau of Investigations, resisted allowing his agents to work undercover against the Mafia, believing that although some criminals would be caught, some of his agents might be corrupted as well (New York Times, 1981).

Traditional investigators working undercover are always on guard to ensure that their actions don’t cross the line from observer to active participant, either as a follower or leader. On the Internet, there are other things that could ethically cross that similar line. An investigator in general, without proper legal authority, should never be sending virus, Trojan, or worms to a suspect or any other type of file that would disrupt, delay, or destroy another person’s computer system. This is not to say that at certain times and under the requisite legal authority that this cannot be done, but in general some of these actions are not acceptable. Additionally, investigators must never send actual child pornography images or other digital contraband to a target.

One real concern in online undercover cases in the United States is the issue of entrapment. In U.S. v. Poehlman, 217 F. 3d 692 (Court of Appeals, 9th Circuit 2000) an appellate court overturned Mark Poehlman’s conviction, which originated as an Internet sting investigation. Poehlman was a retired Navy man, who was also a cross-dresser and foot-fetishist. He had posted to “alternative lifestyle” discussion groups. His posts were initially rejected. Eventually, one woman, “Sharon,” responded to his posts and they began their online relationship. “Sharon” however was an undercover agent.

Sharon advised Poehlman that she had three female children aged 7, 10, and 12 and she needed a “special mentor” for them. After several emails, Poehlman finally understood she was looking for a sex teacher for her children, and he graphically responded how he would “instruct” them. Eventually, Poehlman traveled from Florida to California to meet Sharon and to have sex with her female children in a hotel. After meeting with “Sharon” he was shown some child pornography, which he examined and indicated he always looked at little girls. He was then directed to an adjunct room containing the “children.” Much to his surprise the room contained Naval Criminal Investigation Special Agents, FBI agents and Los Angeles County Sheriff’s Deputies and he was arrested.1

The Ninth Circuit indicated that examining an entrapment defense requires the following questions be asked: (1) Did government agents induce the defendant to commit the crime and (2) Was the defendant predisposed to commit the crime? If the answer to the first question was “yes” a conviction could still be upheld if the answer to the second question was also “yes”.

The Ninth Circuit found that Poehlman was interested in a relationship with “Sharon.” However, it was only after she made future communication dependent upon him agreeing to serve as sexual mentor to her children did he finally agreed to play the role she had in mind for him. The Ninth Circuit found it was clear that the government had induced Poehlman to commit the crime based upon the communication between Poehlman and “Sharon.”

The Ninth Circuit then focused on whether Poehlman was predisposed to commit the offense before he had any contact with government agents. Based upon all the communications and facts of the case, the Ninth Circuit concluded that the government had not met its burden to prove he was … “predisposed to demonstrate any preexisting propensity to engage in the criminal conduct at issue.” As a result the Ninth Circuit overturned Poehlman’s federal conviction.

The Poehlman case demonstrates that law enforcement must be very careful not to induce someone who has no previous propensity to commit a crime during their online activities. It is also important to note that the entrapment defense in the United States is only available to those who have not committed the crime before their interaction with law enforcement. Law enforcement using Internet techniques to investigate a crime that has already committed only have entrapment concerns about new crimes that may be committed after their interactions with the target. Even then their concerns are less as the target in these cases has already demonstrated a propensity for criminal behavior.

Basic undercover procedures

Undercover procedures require that the investigator follow the agency or company policy for undercover operations. Basic procedures by many law enforcement agencies may already exist and can be referred to for guidance when conducting online investigations. However, many companies and agencies have not developed separate policies regarding conducting online investigations, and even fewer have developed specific guidance for working undercover on the Internet. One of the primary reasons for the lack of guidance in conducting online undercover investigations is many organizations never contemplated conducting undercover actives prior to the Internet. This is particularly the case for corrections (pretrial services, probation, and parole) and corporate organizations, as their primary function is not law enforcement. They only now are contemplating undercover investigations as it seems so “easy” with the Internet. After all “online role playing” seems to be a regular occurrence, which can be done by anyone. Make no mistake. Online role playing is not the same as working undercover online. The stakes and consequences are much higher and accordingly working on these investigations should not be taken lightly. The following items are things that the investigator should consider when developing their procedures for conducting undercover Internet operations:

1. Type of investigation

a. The level of undercover preparation would reflect the level of the investigation that the case requires. General intelligence gathering is different than conducting an investigation. Proactive investigations are also different than reactive investigations.

2. Prepare undercover profiles for a range of suspects, based upon the scope of your agency’s mission. Here is a nonexhaustive list of possibilities:

a. Pedophile

b. Teen girl

c. Teen boy

d. Warez or carder

e. Intellectual property thief

f. Fence/theft

g. Gang member

h. Terrorist

3. Document your profiles.

a. Traditional methods of profile documentation are to use a form designed to prepare/document the persona. The form is then used by the investigator to refer to while undercover. Other options include automated tools like those in Vere software WebCase. WebCase has dedicated modules for streamlining the process for the investigators to record and provide access to the investigator's undercover identity.

4. Learn online terminology from targeted offenses as well as commonly used vernacular used by the intended profile.

5. Set up undercover accounts for each persona (as required):

a. Mailboxes

b. Email accounts

c. Gamer tags

d. Cell phones.

Developing your undercover persona

Depending upon the online operation being conducted, the investigator has several things to consider when developing the appropriate Internet persona. Name, address, age, and date of birth would seem the simplest of the persona building process. However, determining a name for your undercover identity can be problematic. Is the name and age of your new identity similar to that of a living person? Is that living person geographically located in the investigator’s region? The investigator needs to think about this as in an issue when developing the persona so as not to allow for the possible confusion with the false identity and a real person. Why would this be of concern to the investigator? Well depending on the case being investigated, a real person with the same name could be identified by another law enforcement agency as a potential perpetrator of a crime. Or a suspect might identify that person as the investigator and possibly do them harm. The liability for the investigator is too high to ignore. This is not to say you can’t use the real identity of a person in an investigation. In fact during an identity “Take Over,” that is exactly what the investigator does. In such situations, a signed consent needs obtained waiving liability and giving permission to the investigator to operate that profile during the investigation. Such waivers should reflect how the profile is going to be used and for how long and that the person consenting to its use will not attempt to regain or circumvent control of the profile. Additionally, once consent is obtained the investigator should immediately change the password to the account to prevent the person from interfering with the investigation.

Principles 8 and 9: Taking Over an Online Identity

Recall from the last chapter, the Online Investigations Working Group (Working Group) principles for concerning online investigations. Principle 8 discusses assuming another’s online identify and notes that this can occur… “if that person consents, if the communications are within the scope of the consent, and if such activity is authorized by agency guidelines and procedures.” (pg. 42)

However, what about where the person doesn’t consent, what then? Let’s suppose a terrorist has been arrested or even killed, unbeknown to his confederates. Can law enforcement assume the terrorist’s online identify to obtain information, particularly if it is a life or death scenario? Principle 9 covers this kind of situation, which it refers to as “appropriating online identity.” In a pre-911 world, the Work Group noted:

“Appropriating online identity” occurs when a law enforcement agent electronically communicates with others by deliberately assuming the known online identity (such as the username) of a real person, without obtaining that person’s consent. Appropriating identity is an intrusive law enforcement technique that should be used infrequently and only in serious criminal cases. To appropriate online identity, a law enforcement agent or a federal prosecutor involved in the investigation must obtain the concurrence of the US Attorney’s Office’s “Computer and Telecommunications Coordinator” (CTC) or the Computer Crime and Intellectual Property Section…. In rare instances, it will be necessary for law enforcement agents to appropriate online identity immediately in order to take advantage of a perishable opportunity to investigate serious criminal activity. In those circumstances, they may appropriate identity and notify the Computer Crime and Intellectual Property Section within 48 hours thereafter. (pg. 45)

Clearly both assuming and appropriating another’s online identity is appropriate, depending upon the circumstances. Again, these principles are for federal law enforcement. As always consult your legal authority for specific guidance.

Other things to consider when building the persona are how deep of an identity do you need to create? For instance, general intelligence gathering personas only need to be further developed if they will be used to actively interact with targets. Especially with online undercover identities, designing personal family information can aid in your ability to quickly and effectively communicate and make your identity believable. Information on the identities of direct family members, friends, school, and/or work can be developed ahead of time allowing the investigator to better think on his feet and respond in online conversations. The depth of the persona can include email addresses and contacts, phone numbers, building undercover banking or credit card accounts, and online fund transfer methods, such as Paypal or Bitcoin (Figure 10.1).

What the Hell Are Bitcoins?

In 2009, Satoshi Nakamoto, an anonymous (as in a hacker pseudonym not part of the hacker group anonymous) hacker created a digital peer to peer currency that is not backed by any government. This digital currency, known as Bitcoin, is automatically “mined” on a set schedule using Bitcoin user’s computers around the world. Basically, the user’s computers are running a program that creates the digital currency. The exchange of this currency is all controlled by computer and it can’t be traced. The amount to be mined is set at 21 million. What is the big deal? It after all is not “real.” Well, the currency is being used to actually buy things in the real world, and there are actually sites that have set up an exchange rate for Bitcoins to dollars, to pounds, etc. (Sanders, 2013).

Imagine the possibilities for using Bitcoins for criminal activity. Drug dealers could convert real currency into Bitcoins and then back to real currency, or not. Think this is far-fetched? Well in 2013, Liberty Reserve, was charged by the United States with operating a $6 billion cyber money laundering. “It traded in virtual currency and provided the kind of anonymous and easily accessible banking infrastructure increasingly sought by criminal networks…” (Santora, Rashbaum, & Perlroth, 2013). Additionally, Bitcoins were discussed being used to purchase The Anarchist Cookbook by self-proclaimed anarchists who were later arrested for plotting to bomb an Ohio bridge (Chick, 2012).

Now put your mind around this one. Bitcoins can also be bought with gaming or virtual currency. So gamers can convert their virtual currency into Bitcoins, which you now know can be converted to real currency. As Regli, Mitkus, and D’Ovidio (2012) note:

…many gaming companies have created digital currencies that are meant to facilitate transactions within the virtual world. Some companies even contemplated that their virtual currencies would be transferrable into real world currencies. There are even currency exchange platforms that allow users to trade in and out of virtual currencies in the same way they could trade foreign currencies in the real world. Individuals provide virtual goods and services – everything from new dresses for an avatar to virtual prostitution – and money paid for these goods and services can be transferred into U.S. dollars through the currency exchange. However, unlike traditional “real” world banks, these virtual exchanges and operations are not subject to the same regulatory oversight. (pg. 5–6)

So digital and virtual currency have value. It would also make sense that virtual goods in gaming environments, such as a “sword” or special “shield,” would likely also have value. If digital and virtual currency and virtual goods have value and they are stolen, do the victims call the “virtual police”? Nope, they are likely to call the real police to investigate who stole it. That is exactly what happened in Finland when virtual furniture and other items were stolen in the virtual world of Habbo Hotel (BBC, 2010). Brave new world ain’t it!

image

Figure 10.1 Bitcoin website.

Regardless of what persona is created, law enforcement investigators should run local and state checks to ensure your undercover identity does not match an actual person. The civilian investigator should do the same due diligence by checking with your corporate counsel about the use of undercover personas and researching the persona online to determine if there is any potential match in your locale. Whatever method is used to confirm information about the identity should be documented in the investigator’s case file. The identity can always be used in other investigations if it is not revealed and can be built on to improve its effectiveness as the investigator’s online persona.

The undercover role

Determining the need for an undercover identity is mainly dictated by the type of investigation being conducted. In general there are two types of roles, (1) proactive identities and (2) reactive identities. Common proactive identities could include:

• Minor boy/girl

• Adult with access to kids

• Adult trader of children

• Adult seeking kids

• Adult willing to trade child pornography

• Adult seeking prostitutes

• Adult seeking cardez

• Corporate Executive seeking Insider (Corporate Spy).

Reactive investigations frequently involve assuming another’s identity, such as the victim or a sex offender’s profile to facilitate the investigation of other pedophiles. An investigator’s predesigned identity might also be used. For instance, if the victim was a minor female and the investigator’s predesigned identity of another minor female might be used to further investigate or target the offender.

Online undercover accounts

When the investigator builds the online identity, he will look at obtaining various accounts and profiles from popular online sites. Adding several accounts can add in the depth of the identity and its believability. The investigator should be aware though that long periods of inactivity with the account could indicate to the investigation target that the account may be a phony. Another consideration is obtaining only the accounts required for that persona’s level of technology understanding. Having multiple email accounts and social networking sites might not fit the persona’s identity. However, having gamer tags and numerous accounts on Twitter and Facebook might fit the technology astute user and fit into the online community being investigated.

Other considerations when developing the undercover persona include the collection of false identity, undercover credit cards, untraceable cell phone, false business cards and letter head, and potentially a mailing address to use to accept packages and or traditional correspondence. Mailboxes require identification and can complicate the investigations. Law enforcement investigators can enlist the support of the Postal Service Investigators for this purpose. Internet Service accounts can be established with large companies using the same undercover identification. Simple use of Internet access at the local Starbucks or Barnes and Noble store can sometimes suit the investigation’s needs. However, remember that as you trace the targets they can also trace you. Ensure that your use of an Internet service fits your persona. If your persona is a 10-year old boy, accessing the Internet from Starbuck’s probably won’t fit.

Finishing touches to your persona

Before you go live with your persona have it reviewed by several individuals in your agency or company to check for areas that are potential problems or inconsistencies. Recently, an undercover sting case targeting sex offender was lost due to an unscrutinized picture. In this case, a picture of a very young looking female police officer, posing as a minor, was sent to the target. Unfortunately, no one realized the young officer was wearing a wedding band, until the arrested target noted he believed it was all fantasy and the minor was an adult because he saw the band. Check and double check all facets of the developed persona to make sure there are no loose ends.

Once the persona is finalized it needs to be fully documented, such as in a notebook or binder, or in an automated tools such as WebCase, for easy reference (Figure 10.2). This is particularly important in case the person who commenced an undercover operation can no longer continue the activity. Additionally, this reference can be provided if others are required to take on certain facets of the operation. For instance, a male agent has developed a minor female persona and sometime during the operation a female is needed to speak to the target via a cell phone. This persona profile, as well as other records, such as chat logs, will help insure the female agent accurately portrays the persona during the call.

image

Figure 10.2 WebCase undercover identity module.

In cases involving an identity “Take Over,” investigators should interview the cooperating person, gathering and documenting all facets, that may be needed to accurate impersonate them online. In cases, where “appropriating the online identity” is necessary, the investigator should likewise research and document as much as possible about the real person to facilitate the impersonation. Again, this information should be in a ready format for quick review if the need arises.

The investigator should also pay attention to the numbers and types of personas he maintains. Keeping track of the different personas is a required task when working on multiple undercover cases. If the investigator does not track and manage the personas, he could potentially use conflicting information in an investigation. Additionally, are these personas used in cases that another agency might be investigating? The term “deconfliction” has come about as a method law enforcement uses to identify whether or not another investigator is undercover in someone else’s case. (The ICAC Task Forces regularly have investigators check for deconfliction.)

Countermeasures

Diligence in protecting your online persona can mean the difference between failing to solve the crime investigated and a successful apprehension of a criminal. Steps can include being cautious of your mail drop when picking up items. Criminals often apply the same techniques law enforcement and civil investigators do. Surveillance works both ways. Pay attention to the location when checking or picking up items from a drop box location. Investigations on the Internet are about real people and real places. Eventually when these cases come to a conclusion, the investigator has to get off the Internet and into the real world to place handcuffs on someone. When connecting to your ISP, make sure you are in the correct geographical location for your operation. If you state that you are in Austin, you do not want your IP Address resolving back to Los Angeles.

When using the cell phones to contact the suspect, be aware of caller ID and call return capabilities. There are services like Google phone numbers that can be applied to assist in hiding the investigator’s identity, but they are employed by the targets too. The investigator should set up and use anonymous email accounts as much as possible. These can be throwaway accounts that can be used repeatedly or abandoned if they are compromised. Yahoo mail, Google mail, and Windows Microsoft Live are popular free email services. Using an email account from a business or a local or regional Internet service can play both ways. It can assist in identifying the persona and legitimizing it to the target or it may have the opposite chilling effect if not part of the persona.

Use of Images for Profiles

Some novice online investigators think it is okay to use images of minors pulled directly from the Internet for their profile. Along the same lines, some of these same investigators, concerned over the copyright issues, will go the extra step and purchase an image. They think that by purchasing it they are free to do whatever they want with the image, including using it for their undercover online persona. These are very bad ideas. Here is why. There are websites out there, such as, TinEye.com, a reverse image search engine, that will allow individuals to compare your image to hundreds or thousands of similar images for a match. This website will allow the user to: find out where an image came from; research or track the appearance of the image online; locate web pages that make use of an image; and discover modified or edited versions of an image. In this way, your target could identify that the image is a fake or worse go after the real person whose image you used. Purchasing the image also does not give you the right to use the image for an undercover operation, particularly if the real person is inadvertently harmed by your activities. In an extreme case, a “defense” expert purchased stock images of minors for use in courtroom demonstrations to show how supposedly easy it was to “morph” innocent images into child pornography. Notwithstanding the potential criminality of such activity, the expert was successfully sued for misusing the purchased images, and the minors were awarded $300,000 in civil damages (Van Voris, 2012).

Instead of using an image of a person, take a picture of a landscape or some inanimate object and use it. In cases where you need a minor’s image, consider getting consent from one of your colleagues to use a picture of them when they were younger or use age regression technology to make an authorized adult image look young again. However, make sure there is nothing in the background that may “date” the image.

Undercover cell phones and credit cards

In today’s environment, getting the tools to support the identity such as cell phones and credit cards is much simpler for the investigator than in the past. Just as hiding on the Internet has become much easier, so has concealing your financial transactions and communications. Obtaining a traditional “cold phone,” one that is not identifiable to the agency or company, is fairly simple today. Walk into any Walmart store or your favorite Radio Shack and simply buy a “Tracfone.” The purchase can be a cash-only transaction along with the purchase of the minutes for the phone. Criminals have figured this out and are now regularly using this as a means of communication. If it is compromised, they can just remove the battery (and SIM card if it has one) and toss the phone in a nearby trash can. Undercover credit cards can be purchased through “Green Dot” kiosks at local stores or through the use of Visa or Mastercard gift cards.

Is Violating the Terms of Service (TOS) an “Otherwise Illegal Activity”?

Online companies have attempted to prevent false identities on their sites since the beginning of the Internet. Law enforcement investigators have spent years making up false identities to use on the Internet. So the question is can this be an issue later in court? Facebook has stated publically that any account that they find that is not real will be closed, even if it is a law enforcement undercover account. Other social media networks, such as LinkedIn, also require users to use their real name. Additionally, social media networks also frequently prohibit users from allowing others to use their accounts, which obviously would seem to preclude identity takeovers. What can happen is upon discovery the fictitious account is deleted, along with all the work that went into developing it.

In one criminal case, U.S. v. Drew, charges were filed due to the creation of a false identity, which was used to harass a minor, who later committed suicide. The defendant, Lori Drew was indicted for conspiracy and hacking for creating and using a false MySpace identity, which was a violation of the TOS (Lemos, 2008). This was the first case drawing primarily on the fact that someone had fabricated an identity on a social networking site and was prosecuted by the federal government for doing so. Ultimately Drew was acquitted of the charges but not before bringing to the forefront that “cyberbullying” was real and required to be addressed legally. Missouri, where Drew lived, later added to their state law penalties for harassment by computer. The question remains where does the Internet crimes investigator’s activities fall within this situation? Is the act of making an identity simply a violation of the TOS or is it a more deliberate law violation? In a real world analogy, it is perfectly acceptable for a police officer to “speed,” thereby breaking the law, to catch a criminal. However, even in this scenario, a police officer can’t ignore administrative guidelines and continue without regard to the public’s safety. Clearly, corporate investigators have even more to consider. Again, consultation with the appropriate authority is the key to insuring you are on firm legal ground.

Social networking site undercover challenges

Selecting appropriate social media sites for undercover personas is critical in today’s operations on the Internet. There are a few more challenges though with social media than simply getting an email address for the persona. The investigator should review the sites’ TOS. Many sites actually prevent the use of their sites with false identities. In fact Facebook has specifically stated that they will make no exception for even law enforcement using undercover accounts on their service.

Facebook spokesman Simon Axten said that the site’s rules forbid people from using fake names and that Facebook would not make an exception for police officers working undercover. Facebook is based on a real name culture, so fake names and false identities are actually a violation of the terms of use.” Axten wrote in an email. “We disable the accounts of people operating under pseudonyms.”2 (Masis, 2009)

Some social media however understands that law enforcement’s presence online, even in an undercover capacity, can make the Internet environment safer. As such they have no issue with an undercover profile being created, as long as they are notified of its creation. However, depending upon the investigative focus, this prior notification may not be possible. Again, the investigation dictates and legal concerns will guide whether prior notification should be made.

Using social media accounts during online undercover investigations is almost a necessity these days. However, these are complicated tools to use effectively and make believable. The investigator has to consider how they will get and make “Friends” requests as a start. Building the social media piece of the persona without them makes them less believable. The investigator needs to request “Friends” who are not investigation subjects, are not law enforcement friends or connected directly or indirectly to law enforcement, or connected to the investigator’s real identity. This certainly complicates the building of the identity because the persona has no real friends or family to connect to. The whole purpose of social media is to connect to people you know. Other things to consider regarding setting up your social media undercover accounts is will your online interactions with other “Friends” or “Friend’s” page compromise your investigation? One way to make your social network persona more realistic is to consider networking with your colleagues personas profiles. In this manner you are “legitimatizing” each other’s profile to make is appear to be real. However, doing so could expose the identities of one or more of them if anyone of the identities is later revealed as a law enforcement investigator. At some point this will occur if the identity is used in a prosecution or litigation.

Social media services are constantly updating and changing their security, functions, and online services. Setting up a practice account on the social networking site you are considering using can be an effect way to identify issues with the service and its effective use prior to deploying your undercover identity on that service. Spending time observing how the social networking service operates can also prepare you for its effective use in your investigation.

Computer equipment for undercover operations

Preparing the computer system for undercover operations needs have the same importance as any other undercover operation in the real world. The computer you use, the Internet service you select, and the browser you use, all tell a tale of who you are. First, the equipment should only be used for undercover operations. Accessing the Internet for an agency or a company owned system may reveal your real identity. Personal information and/or agency or company information should never be stored on the undercover computer. This prevents the possibility of an adversary identifying your true identity if they offensively work back to your computer. The computer should not be connected to any network system within the agency or company. The investigator should plan for and prepare for the possibility that the undercover system could be accessed by a target while you are connected to the Internet.

Identifying the Suspect Online

1. In Instant Message or chat session have the target do a “Direct Connect” with you

a. Use NETSTAT to grab his IP addresses

2. Have the target email you and analyze the headers

3. Have the target send you a file type that might contain Metadata (Microsoft Word document, an image file). Examine Metadata for possible incriminating information

4. Have the target provide you other means of contacting him that could potentially be traced

a. Email addresses

b. Instant Message accounts

c. Telephone numbers

5. Direct the target to a website you control and capture their IP address when they visit.

Conclusions

In the “real world,” undercover operations are a strong tool to identify targets in criminal investigations. They can also be effective tools in investigating Internet crimes. However, investigators need to be aware of their agency or company policy regarding conducting undercover online investigations. Besides investigative planning, undercover online investigations require: a clearly defined purpose, identification of the means for conducting the investigation, defining time resources, identifying documentation requirements, and planning for the unexpected. Building undercover personas is a somewhat complicated concept especially when dealing with social media investigations. There are also unique issues associated with an identity take over. Investigators also need to be familiar with the concepts required to conduct undercover operations on the Internet and the ethical considerations surrounding these operations.

Further reading

1. Bitcoin Exchange Rate/Value Calculator. (n.d.). Bitcoinexchangerate.org. Retrieved from <http://www.bitcoinexchangerate.org/>.

2. Chick, L. (2012, May 2). Bomb plot reveals hidden dangers of the occupy movement. Breitbart.com. Retrieved from <www.breitbart.com/Big-Government/2012/05/02/bomb-plot-reveals-hidden-dangers-of-the-occupy-movement>.

3. Code of Ethics & Bylaws. (n.d.). High Technology Crime Investigation Association (HTCIA). Retrieved from <http://www.htcia.org/code-of-ethics-bylaws/>.

4. Consortium of Digital Forensic Specialists. (n.d.). Consortium of digital forensic specialists. Retrieved from <http://www.cdfs.org/objectives.php>.

5. Facebook Policies. (n.d.). Facebook. Retrieved from <https://www.facebook.com/policies/?ref=pf>.

6. Fleishman, G. (2000, December 14). Cartoon captures spirit of the Internet —New York Times. The New York TimesBreaking News, World News & Multimedia. Retrieved from <http://www.nytimes.com/2000/12/14/technology/cartoon-captures-spirit-of-the-internet.html>.

7. Foran, T. (n.d.). Famous quotes at BrainyQuote. Retrieved from <http://www.brainyquote.com/quotes/quotes/t/thomasfora191172.html>.

8. HTCC—Mission and Goals. (n.d.). High Tech Crime Consortium (HTCC). Retrieved from <http://www.hightechcrimecops.org/mission.html>.

9. ICAC Home. (n.d.). Internet Crimes Against Children Task Force. Retrieved from <https://www.icactaskforce.org/Pages/Home.aspx>.

10. Integrated Units. (n.d.). Royal Canadian Mounted Police. Retrieved from <http://bc.rcmp-grc.gc.ca/ViewPage.action?siteNodeId=342&languageId=1&contentId=1570>.

11. Investigations involving the Internet and computer networks. (2007). US Dept. of Justice, Office of Justice Programs, National Institute of Justice.

12. Lemos, R. (2008, May 16). Legal experts wary of MySpace hacking charges. SecurityFocus. Retrieved from <http://www.securityfocus.com/news/11519>.

13. Masis, J. (2009, January 11). Police increasingly use social networking websites in detective work—The Boston Globe. Boston.com—Boston, MA News, Breaking News, Sports, Video. Retrieved from <http://www.boston.com/news/local/articles/2009/01/11/is_this_lawman_your_facebook_friend/?page=full>.

14. Mitchella K, Finkelhorb D, Jonesa L, Wolaka J. Growth and change in undercover online child exploitation investigations, 2000–2006. Policing and Society: An International Journal of Research and Policy. 2010;20(4):416–431.

15. New Membership: Code of Ethics. (n.d.). The International Association of Computer Investigative Specialists (IACIS). Retrieved from <https://www.iacis.com/new_membership/code_of_ethics/>.

16. Police Investigate Habbo Hotel Virtual Furniture Theft. (2010, June 1). BBC—Homepage. Retrieved from <http://www.bbc.co.uk/news/10207486/>.

17. Regli B, Mitkus M, D’Ovidio R. Our digital playgrounds: Virtual worlds and online games: Criminal threats are emerging in online communities where adults and children play Camden, NJ: Drakontas LLC; 2012.

18. Sanders, T. (2013, June 12). The Wild Wild West of Digital Currency. Informationintersection.com. Retrieved from <www.informationintersection.com/2013/06/the-wild-wild-west-of-digital-currency/>.

19. Santora, M., Rashbaum, W., & Perlroth, N. (2013, May 29). Liberty Reserve operators accused of money laundering—NYTimes.com. The New York Times—Breaking News, World News & Multimedia. Retrieved from <http://www.nytimes.com/2013/05/29/nyregion/liberty-reserve-operators-accused-of-money-laundering.html?pagewanted=all&_r=0>.

20. Tetzlaff-Bemiller M. Undercover online: An extension of traditional policing in the United States. International Journal of Cyber Criminology. 2011;5(2):813–824.

21. The Department of Justice’s Principles for Conducting Online Undercover Operations. (n.d.). Public intelligence. Retrieved from <http://publicintelligence.net/the-department-of-justices-principles-for-conducting-online-undercover-operations/>.

22. TinEye Reverse Image Search. (n.d.). Retrieved from <www.tineye.com/>.

23. USDOJ: Project Safe Childhood. (n.d.). United States Department of Justice. Retrieved from <http://www.justice.gov/psc/>.

24. Undercover With the New F.B.I.—NYTimes.com. (1981, November 29). The New York Times—Breaking News, World News & Multimedia. Retrieved from <http://www.nytimes.com/1981/11/29/opinion/undercover-with-the-new-fbi.html>.

25. Undercover Policing: Interim Report: Thirteenth Report of Session 2012–13: Report, Together with Formal Minutes, Oral and Written Evidence. (2013). London: Stationery Office.

26. U.S. v. Poehlman, 217 F. 3d 692 (Court of Appeals, 9th Circuit 2000).

27. User Agreement (n.d.). LinkedIn. World’s Largest Professional Network. Retrieved from <http://www.linkedin.com/legal/user-agreement>.

28. Voris, B.V. (2011, October 22). Facebook Claimant’s lawyer must pay award in child porn lawsuit—Bloomberg. Bloomberg—Business, Financial & Economic News, Stock Quotes. Retrieved from <http://www.bloomberg.com/news/2011-10-21/facebook-claimant-s-lawyer-hit-with-morphed-child-porn-images-judgment.html>.

29. Wolak, J., & Mitchell, K. (2009). Work exposure to child pornography in ICAC task forces and affiliates. Durham: Crimes against Children Research Center. Retrieved from <http://www.unh.edu/ccrc/pdf/Law%20Enforcement%20Work%20Exposure%20to%20CP.pdf>.

1He was also convicted in California state court for attempted lewd acts with a minor. He completed his 1-year prison sentence and was charged federally 2 years after his release from state custody.

2Facebook also has a policy against allowing sex offenders to use their site. Seems kind of ironic that with this stated policy they are making it harder for law enforcement to catch repeat sex offenders who are illegally using their site to look for children to victimize.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
52.14.151.45