Chapter 4: Technology and Crime

Identity Theft
Internet Fraud
Viruses
E-Crime and Organizations
Intellectual Property Theft
High-Tech Law Enforcement

New technologies almost always introduce new problems into a society. The information technology that became widespread during the 1980s and 1990s is no exception. The advent of online shopping and the increased use of electronic currency have given rise to an identity theft epidemic. The digitization of music, movies, television, and the printed word has led to widespread intellectual property theft and losses of millions of dollars for the entertainment industry.

High-technology (high-tech) related crime has grown ever more common in the twenty-first century. In fact, David W. Moore of the Gallup Organization notes in Crime Rate Steady; 3 in 10 Households Victimized Past Year (December 3, 2004, http://www.gallup.com/poll/14227/Crime-Rate-Steady-Households-Victimized-Past-Year.aspx) that Internet crime alone drove the overall incidence of household crime up from 25% in 2003 to 30% in 2004. Reporting on updated research, Joseph Carroll of the Gallup Organization finds in U.S. Crime Victimization Trends Flat (November 9, 2007, http://www.gallup.com/poll/102658/US-Crime-Victimization-Trends-Flat.aspx) that in the twelve months preceding October 2007, 29% of American households had been victimized by crime. Eight percent reported they or someone in their household had been a victim of a computer- or Internet-based crime such as fraud or computer hacking. This represented a 33% increase from October 2003, when Moore notes that only 6% of Americans said they had been victims of electronic crime (e-crime). To put this into perspective, Carroll states that in October 2007, 15% of respondents said money or property had been stolen from them or from another member of their household, 4% reported their house or apartment had been broken into, 4% indicated that either their car or one belonging to a household member had been stolen, and 3% reported they or another household member had been mugged or physically assaulted. As more and more people become dependent on information technology, Internet crimes will likely continue to grow more common, in some part because they do not require a face-to-face confrontation with the victim.

Identity Theft

The Federal Trade Commission (FTC) has the responsibility of tracking identity theft and consumer fraud in the United States. Each year the FTC gathers consumer complaints of fraud and identity theft and logs them into its Consumer Sentinel database. In 2007 more reports of identity theft found their way to its Consumer Sentinel database than any other single type of fraud complaint. (See Table 4.1.) Simply put, identity theft is the theft of an individual's personal information such as a telephone number, address, credit card number, or Social Security number. Thieves use this information to buy things, set up false credit card and cell phone accounts, or perpetrate other crimes. With a victim's Social Security number, address, and phone number, a thief can apply for many credit cards in the victim's name and proceed to run up the limits on these cards. Such a crime leaves the victim's credit report in shambles, making it difficult to apply for loans or additional cards in the future.

In the press release “Retail Hacking Ring Charged for Stealing and Distributing Credit and Debit Card Numbers from Major U.S. Retailers” (August 5, 2008, http://www.usdoj.gov/opa/pr/2008/August/08-ag-689.html), the U.S. Department of Justice (DOJ) describes what it believes is the most extensive identity theft case ever prosecuted by U.S. federal prosecutors. Indictments were brought against eleven individuals accused of operating an international identify theft ring in which an estimated forty million credit and debit card numbers were stolen from patrons of many retail chains in the United States. Of those charged with the crimes, three are U.S. citizens, three are from Ukraine, two are from China, one is from Belarus, one is from Estonia, and the eleventh individual's nationality and name are

unknown (he or she is known only by the screen name “Delpiero”). The DOJ alleges that the accused defendants hacked into the wireless computer networks of TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW to install “sniffer” programs that capture customers' account information. Once in possession of the credit and debit card numbers, the conspirators used them to encode the magnetic strips of blank cards or sold them to other identity theft criminals. The DOJ notes that three of the men were already in custody and charged with a similar crime against the Dave & Buster's restaurant chain. At one store location, from which five thousand card numbers were stolen, the issuing banks incurred losses exceeding $600,000. No total dollar figure was noted in the larger case, and the investigation was ongoing.

Since the 1980s credit card companies and other financial institutions have made obtaining a credit card or setting up a financial account much easier. Because of the convenience of debit and credit cards, nearly every brick-and-mortar store, Web site, and catalog now accepts them, often with no proof of identification. Consequently, identify theft is not difficult, and it continues to grow. According to the FTC, in Consumer Fraud and Identity Theft Complaint Data: January–December 2005 (January 2006, http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinelcy2005.pdf), reported cases of identity theft rose from 215,177 in 2003 to 255,565 in 2005, a 19% increase. Reported cases of identity theft fell slightly in 2006 to 246,124, then rose 5% in 2007 to 258,427. (See Figure 4.1.) In a breakdown of fraud com-

plaints other than identity theft, 40% of cases (221,226 in 2007) involved the Internet. Table 4.2 reflects reported incidents of identity theft by state. Arizona topped the list in 2007 with the highest number of reported cases of identity theft per capita, registering 137.1 complaints per 100,000 population. California, Nevada, Texas, Florida, and New York also experienced rates higher than one hundred complaints per one hundred thousand population. North Dakota (28.5) and South Dakota (30.8) had the lowest number of victims of identity theft per 100,000 population in 2007.

In Consumer Fraud and Identity Theft Complaint Data: January–December 2007 (February 2008, http:/www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2007.pdf), the FTC indicates that more than half of those reporting identity theft in calendar years 2005, 2006, and 2007 were between the ages of eighteen and thirty-nine. (See Table 4.3; note that total numbers do not coincide with those in Figure 4.1 because not all victims reported their age.) In 2007, 28% of complaints came from those between the ages of eighteen and twenty-nine, and 23% were received from those aged thirty to thirty-nine. Two out of ten (19%) complaints were from people aged forty to forty-nine. Between 2003 and 2005, as reported by the FTC in Consumer Fraud and Identity Theft Complaint Data: January–December 2005, the number of identity theft complaints received from those under age eighteen jumped 78%, from 6,512 to 11,601. The number then remained fairly steady, with 11,769 complaints received by this age group in 2007. (See Table 4.3.)

The FTC also provides information on how identity theft victims' information was misused. Twenty-three percent of victims suffered credit card fraud in 2007, with 14.2% reporting that new accounts were set up in their name and 9.4% reporting bogus charges made to their existing accounts. (See Table 4.4.) Phone and utilities fraud was reported by 18% of victims in 2007, with 7.3% indicating that imposters set up phone accounts in their name. Bank fraud, which was reported by 18% of identity theft victims in 2005, was down to 13% in 2007. Bank fraud complaints included unauthorized electronic fund transfers (7%), misuse of existing accounts (4%), and fraudulent new accounts (3.1%). Loan fraud was reported by 5% of identity theft victims in 2007. Those reporting identity theft crimes to the FTC in 2005 experienced many other types of fraud, including everything from false magazine subscriptions to filing fraudulent tax returns. In addition, 16% of identity theft complaints in 2007 included more than one type of fraud.

The cases reported to the FTC, however, do not necessarily paint a complete picture of identity crime in the United States. In fact, most incidents are never reported. The FTC reveals in Federal Trade Commission—2006 Identity Theft Survey Report (November 2007, http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf) that 8.3 million cases of identity theft took place in the United States during 2005, including 1.8 million cases in which new accounts or loans were taken out in victims' names by identity thieves. Most identity fraud involved

the use of an existing account (both credit card and noncredit card) to purchase merchandise or services. The median value of goods and services obtained by identity thieves (half obtained more and half obtained less) was $500 in 2005, although in 10% of cases the thieves obtained at least $6,000. Six out of ten (59%) victims incurred no out-of-pocket expenses for lost wages, legal fees, or payments of fraudulent debts because of their victimization. Those whose existing credit cards were used fraudulently fared the best because banks and credit card companies typically assumed the cost of the merchandise purchased by identity thieves: 80% of victims whose existing credit card was used fraudulently reported they incurred no expenses. (See Figure 4.2.) About a quarter (24%) of those whose personal information was used to establish a new account ended up paying at least $100, and 25% paid at least $1,000 to resolve the incident. In addition, the median amount of time spent by identity theft victims to clear the matter was four hours, with six out of ten victims whose information had been used to set up new accounts spending the most time: 29% of people in this category spent between ten and thirty-nine hours, and 31% spent forty hours or more.

Identity Theft and the Internet

Identity thieves can operate alone or as a part of large crime organization. They can be someone the victim knows or a complete stranger. They gather personal information in various ways, stealing wallets and checkbooks or going through trash bins outside of homes and businesses to dig out credit card statements, old checkbooks, and receipts. Some pilfer financial statements and other private information from open mailboxes. Since the mid-1990s many thieves have turned to the Internet to steal information. In fact, the widespread use of the Internet coincided directly with the dramatic increase in identity theft nationwide. Table 4.5 shows a breakdown by age of fraud complaints that were directly related to Internet fraud between 2005 and 2007. In 2006 and 2007 about two-thirds of the Internet fraud complaints received by the FTC were registered by victims between the ages of thirty and fifty-nine.

There are a number of ways in which thieves employ the Internet to retrieve personal information. Tech-savvy crooks will often take the direct method and hack into business and bank servers and make off with hundreds of credit card numbers. Most identity thieves, however, do not deal in such sophisticated methods. According to Duncan Graham-Rowe, in “Internet Fuels Boom in ID Theft” (New Scientist, March 13, 2004), one of the easiest ways to steal identities is simply to use a search engine such as Google. Many people naively post all manner of personal information on home and even office Web sites, including their Social Security number, date of birth, mother's maiden name, current address, and phone number. Simply typing “driver's license” or “passport” into a search engine yields hundreds of photos of driver's licenses and passports from around the country and the world. Businesses that keep lists of Social Security and credit card numbers sometimes inadvertently place the information in an insecure location. For a patient identity thief, the Internet is a treasure trove.

Another technique thieves use to acquire personal information is known as phishing. Thieves will often send out bogus e-mails to scores of people. Typically, these e-mails will look like authentic e-mails from a prominent Internet service provider or bank. The e-mail will inform the receivers that there is something wrong with their account and that the problem can be fixed by clicking on a hyperlink. When victims do click on the link, they are then taken to an official-looking site,

where they are asked to provide passwords, Social Security information, and even credit card information. The moment the victims type in their personal information, the thieves have them. Once crooks have a credit card in another person's name, the Internet makes it easy to purchase items. No longer do criminals have to risk being caught using someone else's account in a shopping mall or grocery store.

Americans' Awareness of Identity Theft

Dennis Jacobe of the Gallup Organization reports in Identity Theft Fears Fail to Spur Action (August 16, 2005, http://www.gallup.com/poll/17887/Identity-Theft-Fears-Fail-Spur-Action.aspx) that one out of five (18%)

Americans who responded to a 2005 Gallup/Experian poll about identity theft replied that they had experienced identity theft. In addition, a majority of Americans were aware of the problems surrounding identity theft and the Internet. Six out of ten (62%) respondents were concerned that their financial information could be stolen online. Far fewer were concerned about having their identity stolen from the garbage (40%) or from their workplace (25%). Despite people's awareness of identity theft, a relatively small percentage were taking steps to prevent or monitor their financial identity. Only one-fifth (19%) of those polled had reviewed their credit report in the six months before August 2005. Less than a tenth of the people had signed up for identity theft protection or bought identity theft insurance.

In Federal Trade Commission—2006 Identity Theft Survey Report, the FTC indicates that nearly 40% of identity theft victims discovered the incident within one week. However, the length of time before victims became aware of the incident varied greatly with the type of fraud perpetrated. Nearly half of those whose existing credit card or other existing account was used became aware of the theft within one week to one month. (See Figure 4.3.) Those whose personal information was used to set up a new account or for another fraudulent purpose were less likely to become aware of the crime right away. About a third (32%) found out after more than one month had passed, and nearly a quarter (24%) were not aware of the situation until after six months. Only a small proportion (3%) of those whose existing accounts were used had not become aware of it within six months.

Most victims in 2005 became aware of identity theft by monitoring their accounts, either through a credit monitoring service (11%) or by personally reviewing their statements (26%). (See Figure 4.4.) Nearly two out of ten (18%) were not aware of the incident until

they received a bill. Overall, 9% of victims reported they became aware of the crime when they were contacted by a debt collector seeking payment, but the FTC notes that this was the most common method reported by those whose information had been used to set up new accounts (23%).

Internet Fraud

Internet fraud takes other forms than identity theft, including auction fraud, phishing schemes, and fund-transfer scams. The FTC notes in Consumer Fraud and Identity Theft Complaint Data: January–December 2007 that nearly

two-thirds (64%) of all fraud cases began with an online contact either through e-mail (49%) or Internet advertising (15%). In a typical Internet auction scheme, a con artist advertises merchandise on an auction site until a buyer is found. The buyer then sends a payment but receives no merchandise. In 2007 the FTC received 24,376 complaints of auction fraud. (See Table 4.1.) Another type of scheme involves the wire transfer of funds drawn on what turns out to be a bogus check. Typically, a victim receives overpayment for a product or service that they have sold and is instructed to immediately deposit the money and wire a portion to a third party; however, the initial check payment turns out to be false, leaving the victim at a loss. The Internet Crime Complaint Center (IC3), which is run by the Federal Bureau of Investigation (FBI) and the White Collar Crime Center, collects complaints regarding specific types of Internet crimes. In 2007 Internet Crime Report (2008, http://www.ic3.gov/media/annualreport/2007-IC3Report.pdf), the IC3 indicates that schemes involving purchases of pets, check cashing, and online dating services were among the most prevalent types of Internet fraud perpetrated in 2007. According to the IC3, auction fraud was the most reported type of Internet crime in 2007, with 35.7% of complaints referring to auction transactions. Nondelivery of merchandise and/or payment in a nonauction transaction accounted for 24.9% of Internet complaints. Other leading complaint categories included credit or debit card fraud (6.3%), check fraud (6%), and computer fraud (5.3%).

Even though auction fraud and identity theft make up the vast number of crimes on the Internet, countless other frauds have been perpetrated over the years. These ranged from false merchandise advertised on a phony Web page to work-at-home e-mail schemes in which the victim is told to send in money as an initial investment. One of the more famous e-mail scams is the Nigerian letter fraud scam, which has been circulating via traditional mail since the early 1980s. In its electronic form, an e-mail purportedly from a “Nigerian dignitary” informs the victim that he or she has the opportunity to receive vast sums of money currently being held in Nigeria. When the victim responds to the message, he or she is then told that the Nigerian dignitary requires money in advance, usually to bribe government officials, so that the funds can be released and deposited in the victim's account. The IC3 estimates that the people who fell for this scam in 2007 lost an average of $1,922.99.

Still other, more elaborate scams were designed to manipulate the stock market. Such scams were particularly effective in the late 1990s during the stock market bubble. The best known of these is the pump-and-dump scam. The criminals invest in a stock that is lightly traded and then trick online investors into buying it. Typically, this involves posting fake documents and press releases on financial Web sites or sending fake e-mail announcements, telling investors that the company is either about to be bought out or has developed a new, money-making product. In other instances scam artists bribe lesser-known stock pundits to tout the lifeless stock. After the stock takes off, the criminals simply sell their holdings, leaving other investors holding the bag as the stock goes back down to sustainable levels.

Each year the IC3 profiles in its annual report several cases that it has helped solve. In 2007 Internet Crime Report, the IC3 notes that in 2005 Steven Stephens and Bartholomew Stephens of Houston, Texas, set up a fraudulent Web site on which they purported to collect funds for Hurricane Katrina victims on behalf of the Salvation Army. Having no affiliation with the organization, the brothers received donations via PayPal, and funneled the money to a number of personal bank accounts. They faced up to twenty years in prison and a fine of $250,000. In a case originating in Colorado, Steve Bonneau of the music and video site Uzed.com was ordered to pay $40,000 and was barred from operating a business in that state that required payments to consumers after he failed to uphold an advertised agreement on his Web site in which he said he would pay a set fee for customers' unwanted compact discs, digital video discs, and video games. Many people who sent merchandise to Bonneau never received payment for their items, and more than two hundred complaints were lodged against the company with the Better Business Bureau.

Viruses

The term computer virus is often used to refer to all malware (mal icious soft ware )—that is, programs such as viruses, worms, and Trojan horses that infect and destroy computer files. Technically speaking, viruses are self-replicating programs that insert themselves into other computer files. The virus is spread when the file is transferred to another computer via the Internet or portable media such as a CD-ROM. The first virus can be dated back to 1982, when fifteen-year-old Rich Skrenta (1967–) wrote Elk Cloner, a virus that attached itself to an Apple DOS 3.3 operating system and spread to other computers by floppy disk. The first computer worm to attract attention appeared six years later and was written by Robert T. Morris (1965–), a graduate student at Cornell University. Worms are self-contained, self-replicating computer programs that spread through the Internet from computer to computer. Unlike viruses, they spread via the Internet under their own power and do not rely on people's actions or files to move from one machine to another. Like viruses, worms can destroy files and take advantage of vulnerabilities in computer programs or operating systems. A Trojan horse does not self-replicate and is typically disguised as something more innocent, such as an e-mail attachment. When the user opens the e-mail, malicious code is unleashed on the computer. As malware has become more advanced, the distinctions between types of malware have become less obvious. For example, Trojan horses often contain viruses that replicate through computer files. For this reason the term virus will be used in this chapter to designate any type of malware, unless otherwise specified.

Viruses behave in a number of different ways. For example, the Netsky virus is typically hidden in an e-mail attachment and is launched when the user opens the attachment. Once active, Netsky sets up its own e-mail protocol, looks for e-mail accounts on the hard drive, and mass-mails itself to these accounts. Another virus named MSBlaster appeared on August 13, 2003, and quickly wormed its way through the Internet, infecting hundreds of thousands of computers in a day through a vulnerability in the Windows operating system. Once on a personal computer, the virus instructed the computer to take part in a distributed denial-of-service (DDoS) attack on the Windowsupdate.com Web site. (A DDoS attack occurs when thousands of computers are used to access a single Web site, thus making it inaccessible.) Other viruses known as “bombs” lie dormant in a computer until a specific date is registered on the computer's clock. Still other viruses disable any virus removal program on the computer, making the virus difficult to remove.

People have all sorts of reasons for creating and sending viruses. Some viruses are written as pranks. Others are written by political activists or terrorists. Still other viruses are intended to injure specific corporations. Regardless of the virus creators' intentions, the number of viruses infecting the world's computers continues to grow. According to McAfee (October 22, 2008, http://us.mcafee.com/virusInfodefault.asp?id=regional&continent_k=1&track_by=2&period_id=3), one of the largest makers of antivirus programs, 3.1 million computers in North America were infected by the top ten viruses circulating in October 2008. About 22% of the computers scanned by McAfee in October 2008 (678,916 of 3,080,791) were infected with Generic PUP.x, a generic detection program that suggests unpopular or useless security programs. Wild-List Organization International (2008, http://www.wildlist.org/WildList/) is an organization that tracks the number of computer viruses circulating around the world. The first WildList, published in July 1993, counted 104 known viruses; by July 2003 the number was 234. As of September 2008, WildList reported that 762 viruses were known to be circulating, and this represented an increase of 29% over the previous year, when 589 viruses were counted in September 2007.

Computer Emergency Response Team

Two weeks after the Morris worm was let loose on the Internet in November 1988, the Defense Advanced Research Projects Agency formed the Computer Emergency Response Team (CERT) with headquarters at Carnegie Mellon University in Pittsburgh, Pennsylvania. The purpose of the organization is to identify threats to the Internet as a whole. CERT coordinates the actions of the private and public sectors when major Internet incidents occur. Even though CERT does issue alerts on individual viruses that affect home users, it is more concerned with the big picture. The organization provides emergency incident response for network access ports, root dedicated name servers, and other components that make up the Internet's infrastructure. It analyzes virus code to develop solutions that thwart viruses. It also coordinates responses to large automated attacks against the Internet, such as the Slammer virus in January 2003, and monitors threats to U.S. government computers in coordination with the U.S. Computer Emergency Readiness Team, which was formed in 2003 by the U.S. Department of Homeland Security (DHS).

For years CERT has published a list of vulnerabilities reported to it. Vulnerabilities are weaknesses in computer and Internet software that hackers and virus makers exploit to cause trouble. Between 1999 and 2002 the number of major vulnerabilities reported in Internet and computer systems shot up 890%, from 417 to 4,129. (See Table 4.6.) Between 2002 and 2004 the number of vulnerabilities decreased some, and then increased again by 58%, from 3,780 in 2004 to 5,990 in 2005. After rising dramatically to 8,064 in 2006, 2007 saw a slight decline to 7,236. These numbers seem to suggest that software designers and computer manufacturers are becoming bet-

ter at identifying vulnerabilities, although computer hackers and criminals are continuing their attacks. Also, as the complexity of computers and the Internet increases, more vulnerabilities are likely to appear.

In 2008 the Internet security researcher Dan Kaminsky (1978?–) of IOActive Inc. discovered a vulnerability in the design of the Domain Name System (DNS). The security breech allowed criminals to attack the system and reroute Internet traffic to imposter Web sites, with users completely unaware that they had been directed to fraudulent sites. How it worked was fairly simple. Each time an address such as http://www.yahoo.com/ is entered into the address bar of an Internet browser, the browser contacts one of many domain name servers distributed on the Internet. Once the browser makes the request from the DNS, the name server sends back the corresponding address number, which for Yahoo is 87.248.113.14. The Internet browser then uses this numeric address to access the site (Yahoo in this case). Each domain name server has a cache that stores widely used sites' names and numeric addresses for a limited time. The vulnerability, known as “cache poisoning,” worked by substituting a vandal-controlled Internet address for the one normally linked with a well-known domain name. For a name not stored in its cache, a name server forwards the request to other name servers on the network until it finds the address or one very similar. The attack allowed criminals to flood the DNS with requests that would ensure that their site addresses were stored and distributed rather than the legitimate ones.

In March 2008 experts in Internet security met secretly at Microsoft Corporation headquarters in Redmond, Washington, to discuss the problem and determine a plan of action. They did not reveal the vulnerability to the public until patches were available to fix the situation in July 2008. In his July 26, 2008, blog (http://www.doxpara.com/) at DoxPara Research, Kaminsky explains the effectiveness of the patch:

After the attack: A bad guy has a one in sixty five thousand chance of stealing your Internet connection, and he can try a couple thousand times a second.

After the patch: A bad guy has a one in a couple hundred million, or even a couple billion chance of stealing your Internet connection. He can still try to do so a couple thousand times a second, but it's going to make a lot of noise.

E-Crime and Organizations

Except for computer viruses, e-crimes that affect individuals, such as auction fraud or identity theft, are usually different from the e-crimes that affect businesses. Most large organizations are concerned about hackers entering into their servers or dissatisfied employees sabotaging their computer network. In 2007 E-Crime Watch Survey (2007, http://www.cert.org/archive/pdf/ecrimesummary07.pdf), CERT provides a detailed picture of how e-crimes affect companies in the United States. The survey polled 671 organizations of all sizes and asked them about the problems they faced with regard to computer crimes between July 2006 and June 2007. CERT defines e-crime as an illegal act “that is carried out using a computer or electronic media.” Twenty percent of those surveyed by CERT reported security budgets of $1 million or more on computer systems security, with a median of $89,000 and a mean of $19.3 million for all survey participants. Of those surveyed, 29% said they experienced no e-crimes. Fifty-one percent replied they were victims of between one and fourteen crimes, and the rest reported they experienced fifteen crimes or more. Table 4.7 reveals that most organizations saw hackers and current employees as the biggest threats to their security. The type of e-crime experienced the most by survey respondents came in the form of viruses (74%). (See Table 4.8.) Unauthorized access to information, systems, or networks (55%) and illegal generation of spam e-mail (53%) were experienced by more than half of the organizations that reported e-crime incidents between 2006 and 2007.

With regard to preventive measures, Table 4.9 indicates that most organizations believed firewalls, access controls, and automated virus scanning to be the most effective barriers to preventing e-crime. Wireless monitoring, monitoring employees' keystrokes, one-time passwords, and manual patch management were considered the least effective by survey respondents in 2007.

In 2007 CSI Computer Crime and Security Survey (2007, http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf), the Computer Security Institute (CSI) presents similar findings to CERT's 2007 E-Crime Watch Survey. One big difference between the two surveys is that the CSI survey includes the theft of computer merchandise. Figure 4.5 lists multiple e-crimes that plagued survey respondents between 2000 and 2007. Insider abuse of

Internet access topped the list for the first time in 2007 with 59%, and viruses, which had been the leading e-crime in all previous years, fell to second place at 52%. Half of survey respondents reported the theft of mobile devices or laptop computers. Twenty-six percent of companies indicated they had been fraudulently represented in a phishing e-mail scheme, and a quarter each had been targeted in a denial of service attack, had suffered unauthorized access to information, and had uncovered misuse of instant messaging. As to total dollar amount, Figure 4.6 displays how much each type of computer crime cost survey participants who provided financial information. Financial fraud ($21.1 million in losses) and viruses ($8.4 million) were the most costly problems in 2007. By comparison, insider Internet abuse cost these organizations only $2.9 million. Overall, the cost of computer crimes to companies in the survey averaged $350,424 in 2007, an increase of 109% from 2006, when the average losses reported were $168,000. Interestingly, the CSI finds that many respondents (71%) did not report e-crime incidents to law enforcement agencies. The most prominent reasons given were that they believed the associated negative publicity would be detrimental to the company's image or stock value (26%), because they did not believe law enforcement agencies would be able to help (22%), or because they feared a competitor would use knowledge of the vulnerability against them (14%).

Intellectual Property Theft

Intellectual property, which includes copyrighted material such as games, software, and movies, is a huge part of the U.S. economy. These industries are important to the economy and to the people employed in them, and financial profit is vital for those who create music, video games, books, or software. According to the DOJ's Task Force on Intellectual Property, in Progress Report of the Department of Justice's Task Force on Intellectual Property (June 2006, http://www.usdoj.gov/opa/documents/ipreport61906.pdf), the industries that produced copyrighted material in 2002 contributed 6% ($626 billion) to the domestic economy of the United States and employed roughly 4% of the U.S. workforce. The task force also notes that between 1997 and 2002 the copyright industries added workers at an annual rate of 1.3%, which exceeded overall U.S. job growth by 27%.

Intellectual property theft has posed perhaps the greatest single threat to the copyright industries since the 1990s. In the mid-1980s pirating software and entertainment media on a large enough scale to make a profit demanded a large initial investment and a huge time commitment. For example, pirating movies required large banks of VCRs along with hundreds of blank tapes. Copies of the movie were typically of much lower quality than the original, and national copyright laws made storing, selling, and distributing the bulky tapes difficult. As a result, most pirated copies of movies, music, games, or software were copied and distributed overseas in countries where copyright law was nonexistent or not enforced.

Technological advances in the 1990s put an end to many of the hassles faced by intellectual property thieves.

The Internet, along with powerful computers and the conversion of nearly every type of media into digital form, made copying and distributing intellectual property easy even within the United States. Once a thief finds a way around the copyright protection that exists on the digitized copyrighted material, the computer provides an easy way to store the material. Because digital media do not degrade when copied, the thief can produce perfect duplicates. Distribution of the media to any country in the world is easily accomplished over the Internet using peer-to-peer networks or FTP sites, which employ file transfer protocol to upload and download files on a server. Reporting a typical case, the U.S. District Attorney's Office in Connecticut notes in the press release “East Hartford Man Admits Pirating Movies and Television Shows, Selling Them on eBay” (July 9, 2008, http://www.cybercrime.gov/singarellaPlea.pdf) that Steven T. Singarella of East Hartford pleaded guilty in July 2008 after he illegally copied discs of movies and television shows and sold them on eBay, taking in more than $101,000 between August 2004 and August 2006. Singarella faced a sentence of up to five years in prison and a fine of $250,000.

The task force states that intellectual property theft costs U.S. companies $250 billion annually. The Motion Picture Association of America (MPAA) estimates in the press release “Motion Picture Industry Takes Action against eBay Pirates in California, Maryland, Minnesota, Missouri, Utah, and Virginia” (July 27, 2006, http://www.mpaa.org/press_releases/2006_07_27_ta.pdf) that major motion picture studios lost $6.1 billion in 2005. According to the Institute for Policy Innovation, in the press release “$12.5 Billion in Economic Damage and 71,000 Jobs Lost Every Year in the U.S. Due to Recorded Music Piracy” (August 21, 2007, http://www.ipi.org/ipi/IPIPressReleases.nsf/), the global cost of music piracy is $12.5 billion each year, including 71,060 lost jobs in the United States and $131 million in lost corporate income and production taxes. In a review of 2007 global music sales, the International Federation of the Phonographic Industry (IFPI) reports in IFPI Digital Music Report 2008 (January 2008, http://www.ifpi.org/content/library/DMR2008.pdf) that legal digital sales accounted for an estimated 15% of the global music market, up from zero in 2003. In the United States online and mobile purchases made up 30% of all music industry revenues. The IFPI estimates that for every track downloaded through legal sites, twenty are downloaded illegally through file-sharing networks.

Creative Industries Fight Copyright Violators

One of the biggest threats to music industry profitability has been peer-to-peer networks. In the late 1990s peer-to-peer networks were created to connect music lovers around the world. Napster was the largest of these, with tens of millions of users at its peak. Napster, like all peer-to-peer networks, did not contain any music on its own Web site. Instead, Napster tracked the songs and albums its members had on their individual computers. By logging into the central server of the network owned by Napster, members could first locate what music files were available on the network and then proceed to download the music from another member's computer. From the industry point of view, the problem with peer-to-peer networks was that once an album made it on to the network, millions of people suddenly had access to it for free.

Less than a year after the Napster Web site opened, the Recording Industry Association of America (RIAA) filed a case against Napster in U.S. federal district court on December 6, 1999. The RIAA represented most major recording labels and claimed that Napster infringed on the companies' copyrights. The court sided with the RIAA. Napster appealed the ruling, but in September 2001 it settled with the RIAA by paying $26 million for copyright infringement. Before the case was settled, the Napster creator Shawn Fanning (1980–) sold Napster to Bertelsmann, a huge German media conglomerate. Bertelsmann dismantled the file-sharing network and constructed a database of songs that could be downloaded for a fee, part of which goes to pay the record company royalties.

The court's ruling against the practice of open music file sharing meant that the RIAA and other organizations could continue to sue peer-to-peer networks that allowed the sharing of copyrighted material for free. However, while the RIAA was suing Napster, a new problem arose. Networks began popping up that did not have a clearly defined center of operations. For example, the Kazaa and Gnutella networks had no central server to let members know who on the network had which songs. Instead, each member of the network installed a program that allowed him or her to see the individual music libraries of others on the network. Michael Desmond estimates in “Sneaky Sharing” (PC World, September 2, 2004) that music industry sales dropped from an all-time high of $14.6 billion in 2000 to $11.9 billion in 2003, which was well after the original Napster was shut down.

In late 2003 the RIAA began to go after individual file swappers. Lee Rainie et al. of the Pew Internet & American Life Project report in Data Memo: The Impact of Recording Industry Suits against Music File Swappers (January 2004, http://www.pewinternet.org/pdfs/PIP_File_Swapping_Memo_0104.pdf) that the RIAA filed 382 lawsuits in 2003 against individual illegal music file swappers, most of whom quickly settled their cases for between $2,500 to $10,000. Since that time, illegal downloading of music over the Internet has dropped. Though music industry revenues had not fully recovered, the RIAA states in “2007 Year-End Shipment Statistics” (2008, http://76.74.24.142/81128FFD-028F-282E-1CE5-FDBF16A46388.pdf) that sales climbed to $12.3 billion in 2005, but then fell 4.4% to $11.8 billion in 2006 and another 11.8% to $10.4 billion in 2007.

On January 27, 2005, the RIAA announced 717 new lawsuits against individual file-swappers. Six months later, the U.S. Supreme Court made a landmark decision in favor of the record and music industry. In Metro-Goldwyn-Mayer Studios v. Grokster (000 U.S. 04-480 [2005]), the Court unanimously ruled that businesses that encourage others to steal intellectual property are liable for their customers' illegal actions. Because companies such as Grokster developed their technology almost solely for the purpose of swapping music and video files illegally, they likely were in violation of the ruling. More and more people have since turned to legitimate Internet music services, such as iTunes and MusicMatch, for music downloads. In “2007 Year-End Shipment Statistics,” the RIAA estimates that in 2005 about 9% of its revenues were generated by digital sales; by 2007, 23% of all music sales were in digital format.

Inspired by the music industry's success, the MPAA also took steps to prevent piracy. Usually, the most damaging instances of piracy in the motion picture business occur when bootleggers digitally record movies in theaters as they watch the films. The bootleggers then transfer the recorded movies via the Internet to buyers, who then offer the movies on the Internet or make copies on a digital video disc and sell them in foreign countries. In “It's Curtains for Video Pirates” (New Scientist, August 14, 2004), Barry Fox explains that the Warner cinema chain began handing out night-vision goggles to some employees in California to look for these bootleggers during premiers. In 2004 the MPAA began working with the high-tech engineering firm Cinea in Reston, Virginia, to develop imaging techniques that would prevent digital camcorders from recording movies in theaters. One technique involved altering the frame rate in movies so that the film would move out of sync with most digital camcorders' refresh rate, resulting in a copy of the movie that shudders when played. Finally, in November 2004 the MPAA announced that it, too, would be prosecuting individuals who used peer-to-peer networks to view movies. The organization filed 250 lawsuits in 2005 against individuals who downloaded movies. The MPAA also prosecuted Web sites such as Isohunt.com and Torrentspy .com that directed visitors to places on the Web where movies could be downloaded for free. In “Anti-piracy Fact Sheet” (2008, http://www.mpaa.org/AsiaPacificPiracyFactSheet.pdf), the MPAA estimates that its member organizations lose approximately $6.1 billion annually to the trade in pirated films.

DOJ Begins to Crack Down

Most litigation over copyright law is conducted in civil courts where individual citizens and organizations sue one another. If the defendant is found guilty, such as in the RIAA v. Napster case, then the defendant typically has to pay money to the plaintiff. In a criminal case the defendant serves jail or probationary time if found guilty. The DOJ is in charge of prosecuting criminal cases against people and organizations that violate national copyright laws. The DOJ also has specialized units based in cities where high-tech theft is common. These units are known as the Computer Hacking and Intellectual Property (CHIP) units, and they identify and help prosecute intellectual property suspects. Most of these investigations involve international copyright crime organizations or individuals who make tens of thousands of dollars stealing intellectual property.

Responding to the increased threats to intellectual property brought on by new media, the U.S. attorney general John D. Ashcroft (1942–) created the DOJ's Task Force on Intellectual Property in March 2004. The task force was assigned to examine the entire range of intellectual property theft from counterfeit automotive parts to the theft of trade secrets to copyright infractions in the entertainment industry. In October 2004 the task force published Report of the Department of Justice's Task Force on Intellectual Property (http://www.eff.org/IP/20041013_DOJ_IPTaskForceReport.pdf), which included its recommendations on how to address the rise in intellectual property theft. The task force recommended that five more specialized CHIP units be placed in areas rife with intellectual property theft and that more FBI agents be put on intellectual property theft cases. The task force also believed that more aggressive measures should be taken against crime organizations and individuals who infringe on copyrights. More specifically, the task force suggested that Congress pass an act making it illegal for people to post copyrighted material they do not own on the Internet.

In 2005 President George W. Bush (1946–) signed the Family Entertainment Copyright Act into law. Under this act any attempt to record a movie in a theater can result in federal prosecution, fines, and up to three years in prison. A similar sentence can be given to anyone who distributes a creative work that is intended for commercial distribution but has not been released, such as a video game or movie that is still in production. Since the passing of the act, a number of people have been prosecuted by the DOJ for violating the law (although most litigation still takes place in civil courts). Manuel Sandoval was the first person to be convicted under the new act in April 2006. He was caught recording the matinee showing of The Legend of Zorro in Los Angeles in October 2005. Table 4.10 shows the increase in intellectual property crimes investigated and prosecuted by the U.S. Attorney General's Office between 2003 and 2007. These figures represent crimes such as trafficking in counterfeit labels for audio recordings and copies of motion pictures; criminal infringement of copyright, including unlawful reproduction or distribution of copyrighted works; producing and distributing sounds and images of live musical performances without the consent of the performers; and trafficking in counterfeit goods or services.

High-Tech Law Enforcement

Criminals have not been the only ones taking advantage of high tech. Since the 1980s new technologies have provided law enforcement with myriad resources to combat crime and protect citizens. Cameras have helped tremendously in identifying thieves who rob automated teller machines, banks, and convenience stores. Wiretaps and surveillance equipment have allowed law enforcement officials to catch criminals without putting themselves in harm's way. However, the biggest boon to law enforcement by far has been the increased access law enforcement officers have had to information. In the 1970s, for example, if a law enforcement officer in New York wanted the records of a criminal in California, he or she would have to call a police office in California and have the information read over the phone. Computer

databases and communications technologies have connected law enforcement offices and provided them easy access to criminal records across the country. Cell phone networks and portable computers have given the police the ability to access criminal records and information on license plates and license holders from within the patrol car. Electronic credit and debit card networks, bank machines, and rental car records have all provided law enforcement with easily accessible, real-time information on where criminals have been and where they are going.

Communications technologies have also allowed law enforcement agencies to inform communities of terrorism, kidnapping, or other criminal activity to bring the perpetrators to justice. America's Missing: Broadcast Emergency Response (AMBER) Plan is named after nine-year-old Amber Hagerman (1986–1996), who was kidnapped and murdered in Arlington, Texas, in 1996. After her murder Texas instituted the first statewide AMBER Plan in 1999. Since then the program was introduced by the DOJ into the forty-nine other states. When an AMBER Alert is issued, the regional Emergency Alert System is used to tell the public about the missing child. Programs on television and radio stations are interrupted and followed by pertinent information about the abduction. All law enforcement officers are put on alert, and digital emergency signs above the highways tell people on the freeway where to receive more information about the abduction. The DOJ's AMBER Alert (October 17, 2008, http://www.amberalert.gov/statistics.htm) indicates that as of October 2008, 426 children had been recovered as a result of the plan. In one instance in Calhoun, Georgia, a motorist heard the alert on the radio, recognized the vehicle described in the alert, and used a cell phone to call the police, who then stopped the car. In another instance in Lancaster, California, an animal control agent heard the alert and identified the abductor's car. The National Center for Missing and Exploited Children indicates in National Center for Missing and Exploited Children 2006 AMBER-Alert Report (2007, http://www.amberalert.gov/pdfs/06_amber_report.pdf) the effectiveness of AMBER Alert broadcasts; in more than two-thirds of cases in which children were safely recovered in 2006, either a law enforcement official or another individual recognized the vehicle described in an AMBER Alert, or the abductor heard the AMBER Alert broadcast and returned the child.

The speed at which information in the modern age can be retrieved has also aided the War on Terrorism. Identifying the terrorists responsible for the events of September 11, 2001 (9/11), would have been an arduous if not impossible task were it not for electronic records of the terrorists' credit card and rental car use. The FBI was able to post a full list of the suspected terrorists within three days of the attacks, giving the White House the information it needed to plan retaliatory measures. Since 9/11 many new technologies have been designed to catch terrorists before they strike. By far the most controversial and perhaps the most powerful of the new technologies being developed is data mining. Since 2001 the DHS has spent a great deal of time and money trying to create a database and database-searching techniques to allow authorities to view records of millions of citizens at once and determine if they have a link to terrorism. According to John Borland, in “Homeland Security: A Global Assault on Anonymity?” (CNET News, October 20, 2004), one attempt at such a system was called the Multistate Anti-terrorism Information Exchange (MATRIX). The system contained the data from five state law enforcement centers as well as nationwide financial and commercial data of millions of Americans. Before its termination, the system was reportedly able to match criminal records with financial records to assess whether or not a person was a terrorist threat. The database held much more information than a typical criminal database and could be used, for instance, to do a background check on someone applying for a license to drive hazardous materials across the country. The project was canceled in April 2005 after many complaints from concerned citizens and civil rights organizations such as the American Civil Liberties Union.

Many believed that other data mining systems were still being developed by the federal government following the cancellation of MATRIX. In “Pentagon Sets Its Sights on Social Networking Websites” (New Scientist ,June9, 2006), Paul Marks explains that the National Security Agency (NSA) was funding a program called the Disruptive Technology Office (DTO) in 2006. The reported role of the DTO was to combine data on people from many different sources, including phone records as well as online social networks such as MySpace. The existence of the program would not be beyond the realm of reason. Leslie Cauley reports in “NSA Has Massive Database of Americans' Phone Calls” (USA Today, May 11, 2006) that in 2006 the NSA was already secretly analyzing billions of phone records in an effort to find potential terrorists in the United States. The NSA did not obtain a court's approval before searching the phone records, which many considered to be an illegal act. In August 2006 Judge Anna Diggs-Taylor (1932–) of the U.S. District Court declared the program unconstitutional and ordered it stopped. However, the program continued while the case was appealed and Congress worked to develop a modified system of surveillance. In July 2008 President Bush signed into law the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008. Besides broadening the ability of the federal government to conduct high-tech investigations aimed at identifying foreign terrorist activity, the act shields U.S. telecommunications firms from lawsuits stemming from their cooperation in government wiretap investigations of their customers.