Trends in Cyber Crime: The Dark Side of the Internet

Presentation transcript:

Trends in Cyber Crime: The Dark Side of the Internet
Presentation for the Computer & Internet Law Section for the Oregon State Bar Association
May 26th, 2011

Good afternoon. My name is Sean Hoar, and I am with the U.S. Attorney’s Office in Eugene, Oregon. I am actually moving to the Portland area in the next month, so although for a period of time I’ll continue to manage a Eugene caseload, I hope to have an opportunity to cross paths with you when I transition to our Portland Office. I was asked to speak today about a cyber crime-related topic, and since the dark side of the internet is what I see on a regular basis when I peer into the files of federal criminal defendants, I thought we all might benefit from learning a bit more about Trends in Cyber Crime: The Dark Side of the Internet.

Sean B. Hoar
Assistant United States Attorney
United States Department of Justice
sean.hoar@usdoj.gov

The Internet . . . a new world . . .
In the time it takes for me to make this presentation
- Over 37,000 blogs will be posted on the Internet
- Over 180,000 images will be uploaded on flickr
- Over 1,300,000 “tweets” will be sent on Twitter
- Over 8,330,000 people will log on to Facebook
- Over 42,000,000 videos will be watched on YouTube
- Over 118,000,000 searches will be conducted on Google
- Over 10,292,000,000 emails will be sent, 82% of which will be spam
http://econsultancy.com/us/blog/7334-social-media-statistics-one-year-later & http://aspedia.net/interesting-online-and-search-statistics

Some perspective . . . To provide some perspective to the role this relatively new digital environment plays in our lives, I have a short video I want to play for you. It was created by a firm in Australia, which is actually on the front edge of technology. I hope you enjoy it.

The Internet . . . Life changing . . .
- The Internet has fundamentally changed our way of life
  - the way we work, play and communicate
- A forum for the best of our ideas and the worst of our deeds
- Insecure web infrastructure and technology produce dark opportunities
  - malware, intrusions, spam, financial fraud, intellectual property theft, sale of illegal substances, child exploitation . . .

The way we work – About 12 years ago I had one of the first large identity theft-related cases in the area. The media was fascinated with the case because the criminals, the identity thieves, used a combination of high tech and low tech means to commit the offense. And the high tech means were on the cutting edge of technology for the day – hacking into PCs, inserting sniffer programs to log keystrokes to steal credit card numbers . . . Although years earlier I had tried the first “paperless case” in federal court in Oregon – meaning I wasn’t averse to technology – I was typically nudged by necessity. The identity theft case caused me to realize how quickly the digital environment was developing, and it clearly launched me into it. Now a number of my cases require the creation and use of massive digital databases. I have several cases in which we have digitized over 100 bankers boxes of evidence, and then added substantial amounts of digital evidence to the mix. One of my recent cases involves the digitization of around 120 bankers boxes of evidence, and another 65 or so digital devices, including a couple dozen hard drives and a server from a business – resulting in about 10 terabytes of data. I spend most of my day on my computer, much of it on the Internet. The Internet has clearly changed the way I work.

It has also clearly changed the way we play. When I was growing up, I played the conventional sports, football, basketball and baseball. In the fall you could find us playing catch or a football game late in the evening or on weekends. In the winter we would be outside playing basketball until called in for bedtime. In the spring and summer we would always be playing baseball. Now, the Internet and its virtual environments provide stiff competition to athletics. Whether it be watching cool videos on YouTube or playing the most recent reality war video on Sony PlayStation, the Internet has clearly changed the way we play.

And it has clearly changed the way we communicate. Years ago I used to communicate primarily by phone. Now I may get one or two phone calls a day, but I respond to between 75 and 150 emails a day. Regarding our phones, years ago we were tethered by the land line in our home or office. Now everyone has a cell phone. We can talk to anyone, anytime, anywhere. And the phone is so small and sleek that it is unobtrusive until its orchestral ring beckons us to a conversation. I’ll never forget being an Assistant District Attorney in Lane County right out of law school in 1988 or 89 when one of the members of the local defense bar brought his new cell phone into the courthouse. It was like a swamp phone, and could barely fit in his briefcase, but he was proud to be on the front edge at the time. Now you could fit 20 cell phones into the one he had in 1988.

Overview of presentation
- Backdrop - insecure web architecture
- Online criminal activity trends
- Federal offenses
- Prosecution guidelines
- Investigations & prosecutions
- Significant digital evidence issues
- Search & seizure
- Discovery and litigation

Technological & criminal trends
- Technological evolution
  - Cloud computing
  - Increased mobilization of computing
  - Explosion of web applications
- Technological pollution
  - Malware
  - Intrusions
  - Phishing
  - Spam
- Criminal behavior
  - Financial fraud
  - Intellectual property theft
  - Child pornography
  - Economic espionage/trade secret theft

Primary trend - creation & dissemination of malware
- Malware (a contraction of "malicious software") refers to software developed for the purpose of doing harm.
- Malware can generally be classified based on
  - how it is executed
  - how it is spread and/or
  - what it is intended to do
- Malware generally takes the form of a virus, a worm, a Trojan horse, a backdoor, crimeware, or spyware

Malware growth
Web insecurity
- 225% growth in malicious web sites
- 95% of user-generated comments to blogs, chat rooms/message boards were spam or malicious
- 77% of Web sites with malicious code are legitimate sites that have been compromised, i.e. they are sites that you visit . . .
- 13.7% of searches for trending news/buzz words led to malware
Websense Security Labs (4th Q 2009)

Malware dissemination
Email insecurity
- 85.8% of all emails were spam
- 81% of emails contained a malicious link
- tens of thousands of Hotmail, Gmail and Yahoo email accounts were hacked and passwords stolen and posted online
- phishing lures doubled in the second half of 2009 representing 4% of spam email
- 58% of data-stealing attacks done via the Web
Websense Security Labs (4th Q 2009)

Malware sophistication Cyber criminals continue to go where the money is . . . Crimeware exploits continue unabated . . .

Malware’s global platform Countries where most attempts to infect the web with malware occurred as of May 3, 2010. The pollution begins at home . . .

Malware adaptation
Web infrastructure & use
- The top 100 most visited Web properties are social networking and search engines.
- The next 1,000,000 most visited sites, or the known Web, are primarily current events, regional and genre sites.
- The next 100,000,000 sites - the “long tail” of the Internet, or the unknown Web, are junk, personal, and scam sites which are specifically set up for fraud and abuse.

Malware directed to $$
New generation of Web content targeted
- Driving force behind cyber crime is $$
- Social networking sites and search engines have evolved rapidly
- Business growth is driving Web 2.0 adoption in the workplace
- Consumer habits have shifted to Web 2.0 apps
- Because more businesses and consumers are using Web 2.0 sites, these sites are increasingly targeted for malicious purposes
- The primary trend is the continued use of Web 2.0 content to exploit weaknesses within the Web infrastructure to attract the greatest number of victims
- Hackers creatively leverage user-created content to compromise sites with good reputations

Malware perpetrator turf wars
Zeus vs. Spy Eye
- Trojan-making toolkits designed to give criminals easy means of creating their own "botnet" networks of password-stealing programs
- provide option of deleting other malicious code, i.e. “Kill Zeus” option on Spy Eye

Attackers capitalize on major events
- Major events provide fodder for attacks designed to steal personal or business information
- Where there are major events there will be major scams
- Example: March 2011
  - Natural catastrophes: Japan earthquake/tsunami
  - Celebrity events: Elizabeth Taylor’s death
  - Political events: turmoil in Egypt, Libya, Yemen, Bahrain, Tunisia, Syria, etc.

Attackers capitalize on major events
- Malicious websites
  - content connected in some way to the event
- ‘Nigerian’ letters via email
  - emotional requests for $$ to help suffering
- Spam messages
  - containing malicious links
- Tweets
  - containing malicious links

Intrusions Network intrusions Critical infrastructure intrusions Identity theft – multi-billion dollar industry . . . Critical infrastructure intrusions Domestic and international terrorism Sensitive data Sectors necessary to support society Distributed denial of service attacks Political statements; extortion Web site defacement

Intrusions/data mining
Identity theft/surreptitious software
- Keyloggers
  - Exploit security flaws and monitor the path that carries data from the keyboard to other parts of the computer – more invasive than phishing – relying upon infection rather than deception
  - Tens of millions of machines are infected with keyloggers, putting billions in bank account assets at the fingertips of fraudsters
  - Monitoring programs often hidden within e-mail attachments, files shared via p-2-p networks, or embedded in web pages – exploiting browser features

Data breaches - still a problem? February 15, 2005: 163,000 ChoicePoint records breached when fraudsters presented themselves as legitimate ChoicePoint customers, purchased data profiles on individuals, then used that data to commit identity theft. ChoicePoint settled with FTC for $10 million in civil penalties and $5 million for consumer redress, and $10,000,000 in private class action suit. http://www.privacyrights.org/sites/default/files/static/Chronology-of-Data-Breaches_-_Privacy-Rights-Clearinghouse.pdf

Data breaches - still a problem? June 16, 2005: over 40 million credit card accounts were exposed to potential fraud due to a security breach at CardSystems. Information on 68,000 MasterCard accounts, 100,000 Visa accounts and 30,000 other card brand accounts were confirmed exported by the hackers. The data exported included names, card numbers and card security codes. http://www.privacyrights.org/sites/default/files/static/Chronology-of-Data-Breaches_-_Privacy-Rights-Clearinghouse.pdf

Data breaches - still a problem? April 27, 2011: Sony PlayStation Network hacked; 24,600,000 user accounts may have been compromised; 12,000,000 unencrypted credit card accounts may have been compromised. May 24, 2011: 533,686,527 total records breached from 2,503 data breaches made public since 2005 in the U.S.A. alone. http://www.privacyrights.org/sites/default/files/static/Chronology-of-Data-Breaches_-_Privacy-Rights-Clearinghouse.pdf

Data breaches increasingly expensive
Data breaches get more expensive
- $204 per compromised customer record
- $6.75 million per data breach in 2009
- Sony says it has already spent over $121 million for April 2011 data breach

Phishing continues to evolve . . . Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials.

Phishing via social engineering . . . Social‐engineering schemes use spoofed e‐mails purporting to be from legitimate businesses and agencies to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as usernames and passwords.

Phishing via technical subterfuge
Technical subterfuge schemes plant crimeware onto PCs to steal credentials, often using systems to intercept consumers’ online account user names and passwords, and to corrupt local navigational infrastructures to misdirect consumers to counterfeit websites (or authentic websites through phisher-controlled proxies used to monitor and intercept consumers’ keystrokes).

Password stealing software The number of crimeware‐spreading sites infecting PCs with password‐stealing crimeware reached an all time high of 31,173 in December of 2008, an 827 percent increase from January of 2008. www.antiphishing.org

Phishing reports The number of unique phishing reports submitted to APWG in Q2 2010 described a steady increase with the number for June eclipsing the previous annual high of 30,577 for 2010 reached in March. www.antiphishing.org

Unique phishing sites
The number of unique phishing websites detected by APWG during the second quarter of 2010 continues to be very high. www.antiphishing.org

Hijacked brands www.antiphishing.org

Phishing targets – where the $$ is . . . The payment services sector has surpassed the financial services sector as the most targeted industry sector. www.antiphishing.org

U.S.A. still the worst . . . The U.S.A. continues to host more phishing sites than any other country. www.antiphishing.org

Rogue anti-malware products . . . Rogue antivirus products are some of the most efficient – and increasingly preferred ‐ ways to victimize consumers. Unlike banking Trojans, where cybercriminals have to infect a PC, steal data, etc., a rogueware attack simply fools users into paying for worthless software – or forcing them to make a ransom payment. The user is the one willing to pay in order to “disinfect” their PC ‐ or free it from a cybercriminal’s control.

Rogue anti-malware Cybercriminals profit faster by increasing the proportion of users who pay after downloading rogueware. These techniques had a 13% quarterly increase with new cybercriminals using ransomware – which won’t let you use your PC until you buy a ‘license.’ www.antiphishing.org

Malicious code evolution Crimeware (data-stealing malicious code designed to victimize financial institutions’ customers and to co-opt those institutions’ identities); Generic Data Stealing (code designed to send information from the infected machine, control it, and open backdoors on it); Other (the remainder of malicious code commonly encountered in the field such as auto-replicating worms, dialers for telephone charge-back scams, etc.) www.antiphishing.org

50% of all computers are infected . . .

Spam . . . 9 out of 10 messages
4.1 billion messages were processed in March 2011 by the Hosted Infrastructure (over 134 million per day), of which 92.6% of all email was spam, 84.1% of spam included an embedded URL, and 3.1% of spam emails were phishing attacks. www.websense.com

Financial fraud
Manifests in a variety of forms
- Identity theft/carding
- Auction fraud
- Advance fee fraud/419 scams
- High Yield “Investment” Programs
- Pyramid schemes
- Pump-and-dump stock scams
- Pay-per-click advertising fraud
- Espionage

Nigerian scams continue to abound
- Traditional “419” Nigerian letter scam
- Overpayment scam
- Check cashing scam
- Re-shipping scam
- Tax Refund scam
- Lottery scam
- Internet romance scam
- Inheritance scam
- Insurance scam
- Business opportunities scam
- Investment scam

Intellectual property theft
IP theft - a huge international problem
- 90% of the software, DVDs, and CDs sold in some countries are counterfeit*
- The total global trade in counterfeit goods is more than $600 billion a year**
- IP theft costs U.S.A. businesses an estimated $250 billion annually, as well as 750,000 U.S.A. jobs.***
* InformationWeek
** World Customs Organization; Interpol.
*** U.S. Department of Commerce

Child pornography/child exploitation
The manufacture and distribution of child pornography is one of the fastest growing businesses online, and the content is becoming much worse.
- More than 20,000 images of child pornography are posted every week. http://www.safefamilies.org/sfStats.php
- Approximately 20% of all Internet pornography involves children. http://www.safefamilies.org/sfStats.php
- Child pornography is more than a $3 billion annual industry. http://www.enough.org/inside.php?id=2UXKJWRY8
- The number of Internet child pornography images has increased over 1500% in the past twenty years. http://www.enough.org/inside.php?id=2UXKJWRY8

Sale of unlawful substances/information
- Unlawful sale/distribution of narcotics & other controlled substances
- Unlawful sale/distribution of classified information
- Illegal exports – violation of trade embargos

Common federal online offenses
- Computer fraud/intrusion, 18 U.S.C. § 1030
  - Computer intrusion resulting in the theft of information, 18 U.S.C. § 1030(a)(2)
  - Computer intrusion with intent to defraud, 18 U.S.C. § 1030(a)(4)
  - Computer intrusion with intent to damage, 18 U.S.C. § 1030(a)(5)
- Wire (Internet) fraud, 18 U.S.C. § 1343
- Identity theft, 18 U.S.C. § 1028(a)(7)
- Aggravated identity theft, 18 U.S.C. § 1028A(a)(1)
- Credit card fraud, 18 U.S.C. § 1029(a)(2)
- Threatening communications, 18 U.S.C. § 875(c)
- Cyber stalking, 18 U.S.C. § 2261A
- Criminal copyright infringement for financial gain, without financial gain, or distribution of work prepared for commercial distribution, 17 U.S.C. § 506 & 18 U.S.C. § 2319
- Economic espionage, 18 U.S.C. § 1831
- Trade secret theft, 18 U.S.C. § 1832
- Child pornography distribution, receipt, or possession, 18 U.S.C. § 2252A(a)(2) and (a)(5)

Prosecution guidelines for computer fraud (for U.S. Attorney’s Office in Oregon)
Computer fraud/intrusion related cases may be prosecuted where all of the elements of a federal criminal offense are present and there is a loss (or intended loss) of $70,000 or more or other aggravating factors exist. The federal offense requires one of the following required factors:
- The offense involved espionage. 18 U.S.C. § 1030(a)(1);
- The victim is a financial institution or a federal government agency. 18 U.S.C. § 1030(a)(2) and (3);
- The offense affected use of a protected computer. 18 U.S.C. § 1030(a)(3).
- The offense was in furtherance of a fraud scheme. 18 U.S.C. § 1030(a)(4).
- The offense caused “damage” (see definition at § 1030(e)(8)). 18 U.S.C. § 1030(a)(5);
- The offense involved trafficking in passwords or similar information. 18 U.S.C. § 1030(a)(6). (See also 18 U.S.C. § 1029(a)(3) relating to possession of unauthorized access devices);
- The offense involved threats or extortion. 18 U.S.C. § 1030(a)(7).

Prosecution guidelines for computer fraud (for U.S. Attorney’s Office in Oregon)
If the loss is less than $70,000, the following aggravating factors may justify prosecution:
- The defendant has a prior criminal record, particularly one involving computers;
- The offense involved more than one victim;
- The offense involved sophisticated methods or a conspiracy;
- The offense involved abuse of a position of trust.
The above aggravating factors need not all be present and there may be other factors which justify prosecution on a case-by-case basis.

Prosecution guidelines for financial fraud (for U.S. Attorney’s Office in Oregon)
Financial fraud cases may be prosecuted where all of the elements of a federal criminal offense are present and there is a loss (or intended loss) of $70,000 or more or other aggravating factors exist. The following aggravating factors may justify prosecution when the loss is less than $70,000:
- The defendant has a prior criminal record;
- The offense involved more than ten victims;
- The offense was committed through mass marketing;
- The offense involved misrepresentation that the defendant was acting on behalf of a charitable, educational, religious, or political organization or a government agency; or
- The subject matter of the case involves a specific federal interest such as fraud against an Indian Tribe, health care fraud, bankruptcy fraud, fraud involving protected computers, or fraud against a federally-insured financial institution.
These aggravating factors need not all be present and there may be other factors which justify prosecution on a case-by-case basis.

Prosecution guidelines for copyright infringement (for U.S. Attorney’s Office in Oregon)
Cases involving the criminal infringement of copyright will be considered on a case-by-case basis. A significant factor in the charging decision should be the volume of counterfeited or pirated material. The role of a potential defendant in the counterfeiting or infringement scheme should also be considered and may be critical in proving criminal intent. While the potential civil remedy is not a substitute for criminal prosecution in appropriate cases, the availability of civil remedies should receive serious consideration. This will be especially true where there is a reasonable concern about substantive legal issues or where proof of criminal intent may be insufficient.

Prosecution guidelines for economic espionage/theft of trade secrets (for U.S. Attorney’s Office in Oregon) Economic espionage and theft of trade secret cases may be prosecuted where all of the elements of a federal criminal offense are present and there is a loss (or intended loss) of $70,000 or more or other aggravating factors exist. The following aggravating factors may justify prosecution when the loss is less than $70,000: (1) the defendant has a prior criminal record; (2) the offense involved more than one victim; (3) the offense involved sophisticated methods or a conspiracy; (4) the offense involved abuse of a position of trust. These aggravating factors need not all be present and there may be other factors which justify prosecution on a case-by-case basis.

Prosecution guidelines for child pornography (for U.S. Attorney’s Office in Oregon)
Assuming a provable child pornography case exists, cases may be prosecuted where the evidence establishes any of the following conduct by the potential defendant: (1) sexual abuse of a minor; (2) production of child pornography; (3) importation of child pornography; (4) distribution of child pornography for profit; (5) origination of child pornography into cyberspace; (6) intentionally furnishing child pornography to a minor for a sexual purpose; (7) prior criminal conviction involving child pornography or sex offense. Absent these factors, prosecution will nonetheless be considered where the evidence indicates that a defendant has (1) engaged in the distribution of a substantial quantity of child pornography without profit or received or possessed a substantial quantity of child pornography, exclusive of any materials obtained through a government sting operation; or (2) where a person in a position of trust with a minor (school teacher, foster parent, day care provider) receives or possesses child pornography. Absent any of the above factors, prosecution will be declined and matters involving small quantities of child pornography will be referred to state authorities.

Computer fraud/intrusions May 19, 2011

Computer fraud/intrusions/data mining April 21, 2011

Computer fraud/intrusions/data mining March 26, 2010

Computer fraud/intrusions/data mining December 23, 2009

Phishing/spam March 25, 2011

Phishing/spam February 8, 2010

Spam/stock fraud November 23, 2009

Economic espionage February 8, 2010

Intellectual property theft January 22, 2010

Intellectual property theft May 6, 2010

Intellectual property theft February 5, 2010

Nigerian scams February 17, 2010

Copyright infringement/auction fraud identity theft
United States v. Mondello
Overview
- South Eugene High School graduate
- Computer genius
- University of Oregon student
- Between December 2005 and October 2007
  - initiated thousands of separate online auctions
  - used more than 40 fictitious usernames and online payment accounts to sell copies of counterfeit software
  - generated more than $400,000 in personal profit

Copyright infringement/auction fraud identity theft
United States v. Mondello
Scheme
- Mondello acquired victims’ names, bank account numbers and passwords by using a computer keystroke logger.
- The keystroke logger installed itself on victims’ computers and recorded victim’s name and bank account information as information was being typed.
- The program then electronically sent the information back to Mondello which he then used to establish fictitious usernames and online payment accounts.

Copyright infringement/auction fraud identity theft
United States v. Mondello
Outcome
- Pled guilty to criminal copyright infringement, aggravated identity theft and mail fraud
- Consented to the forfeiture of more than $225,000 in cash proceeds, and also forfeited computer-related equipment used to commit the crime.
- Sentenced to serve 48 months in prison
- Ordered to serve three years of supervised release and perform 450 hours of community service during that time
- Made anti-piracy video for RIAA

Internet fraud United States v. Daniel Wheatley et al
Overview
- Profits4investingtoo.com was a High Yield Investment Program (HYIP) operated by Daniel Wheatley with the assistance of Sunshine Simmons and Edwin Garcia.
- Claimed to be a long term high yield private loan program, “intended for people willing to achieve their financial freedom but unable to do so because they’re not financial experts.”
- Claimed to be “backed up by investing in various funds and activities.”
- Claimed that “profits from these investments are used to enhance our program and increase its stability for the long term.”

Internet fraud United States v. Daniel Wheatley et al
The scheme (“investment plans”)
Profits4investingtoo.com offered several “investment” programs

38% daily
PLAN      AMOUNT               DAILY PROFIT (%)
Plan 1    $1 - $100            33.00
Plan 2    $101 - $2,500        35.00
Plan 3    $2,501 – and more    38.00

4 day deposit - 156% after 4 days
Plan 4    $5 - $100            144.00
Plan 5    $101 - $1,000        150.00
Plan 6    $1,001 - $4,000      156.00

Internet fraud United States v. Daniel Wheatley et al
The scheme (“investment plans”)

10 day deposit - 425% after 10 days
PLAN      AMOUNT               DAILY PROFIT (%)
Plan 7    $10 - $500           400.00
Plan 8    $501 - $2,500        415.00
Plan 9    $2,501 - $4,000      425.00

15 day deposit - 650% after 15 days
Plan 10   $250 - $2,500        650.00

Referral program
Earn up to 9.00% of referral deposits

Internet fraud United States v. Daniel Wheatley et al
The scheme (payment processing)
- “Investors” were directed to use Stormpay or E-gold, money processors similar to PayPal, and to fund accounts with cash, credit cards, or checking accounts.
- They then directed their “investment,” via Stormpay, to Garcia’s Stormpay account.
- Wheatley recruited Garcia to process money through Garcia’s Stormpay account because Wheatley’s account had been shut down due to his involvement in a previous HYIP scheme.

Internet fraud United States v. Daniel Wheatley et al
The scheme (payment processing)
- Garcia directed Stormpay to wire investor money to his checking account.
- He then wired a portion of the money to Wheatley’s bank account.
- Between December 13, 2005, and March 8, 2006, 27,330 transactions were conducted through Garcia’s Stormpay account.
- These transactions included moneys invested, money paid to some investors with other investor money, and charge-backs resulting from customer complaints.

Internet fraud United States v. Daniel Wheatley et al
The scheme (payment processing)
- Money from new “investors” was used to pay old investor obligations, consistent with a “Ponzi” scheme.
- If investors were paid, it was not always on time nor for the amount promised.
- To delay investor complaints, Profits4investingtoo.com made a variety of representations, including that they were experiencing “denial of service” attacks, having other technical difficulties with the site, or were suffering personal medical emergencies.

Internet fraud United States v. Daniel Wheatley et al
The scheme (payment processing)
- In one 30 day period of time, $664,997.00 was wired into Garcia’s Stormpay account, $435,675 of which was wired to Wheatley’s bank account.
- None of the money was invested. It was spent on personal and real property, including a home in Springfield, Oregon, a 2005 Mercedes Benz C230, a 2004 Hummer, electronics, furniture and jewelry.
- When Profits4investingtoo.com finally shut down, all unpaid investors lost their money.

Internet fraud United States v. Daniel Wheatley et al
The outcome
- Wheatley pled guilty to Internet fraud and money laundering.
- Garcia pled guilty to Internet fraud.
- Simmons pled guilty to a tax violation.
- Wheatley was sentenced to 46 months, Garcia to 33 months, and Simmons to probation.
- All were ordered to pay restitution of $124,446.74, jointly and severally, to the 174 people who claimed to be victims . . .
- All seized proceeds of the fraud were forfeited, including a home in Springfield, Oregon, a 2005 Mercedes Benz C230, a 2004 Hummer, jewelry and furniture.

Digital evidence issues
- Right to privacy in stored communications
  - Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004)
  - United States v. Warshak, 631 F.3d 266 (6th Cir. 2010)
- Third party privacy interest in stored content
  - United States v. Comprehensive Drug Testing, Inc., 621 F.3d 1162 (9th Cir. 2010)
- Digital database creation and use
  - Investigation; discovery; litigation

Impediments to enforcement of cyber crime
- Technically complex subject matter
  - Lack of technically trained investigators, prosecutors, judges and jurors
  - Technical forensic process required to acquire and preserve evidence
- Time sensitive
  - Evidence may be fleeting
  - Special legal process may be required to acquire and preserve evidence

Impediments to enforcement of cyber crime
- Limited resources
  - Data intensive
  - Competes with other priorities
- Transnational
  - Separate sovereigns
  - Lack of treaties or dual criminality provisions
  - Slow, cumbersome MLAT process
  - Language barriers

Solutions to enforcement of cyber crime
- Increased human and monetary resources
  - Increased technical training
  - Adequate technology
  - Increased language training
- Increased international cooperation
  - Fundamental dual criminality standards between all countries
  - Expansion of informal networks for immediate assistance

Solutions to enforcement of cyber crime
- Increased international cooperation (continued)
  - Uniform financial standards for certain types of transactions/sites
  - Uniform financial standards for suspicious monetary transaction alerts
  - Uniform agreements to share seized assets, which constitute proceeds of fraud, with assisting agencies/governments

Any questions??

Trends in Cyber Crime: The Dark Side of the Internet
Presentation for the Computer & Internet Law Section for the Oregon State Bar Association
May 26th, 2011
Sean B. Hoar
Assistant United States Attorney
United States Department of Justice
sean.hoar@usdoj.gov