Thank you, Rodney [Petersen], for the kind introduction and for the opportunity to address the State of the Net Conference. Through this conference, and through its many other activities during the year, the Congressional Internet Caucus Advisory Committee plays a vital role in furthering the debate on Internet policy issues. It’s a privilege to be here to address this group, and to speak with you about online privacy and about how the Department of Justice is working to protect the public.
The recent revelations about the massive thefts of financial information from large retail stores have served as a stark reminder to all of us about how vulnerable we are to cyber criminals who are determined to steal our personal information. Computers store crucial records about our health, money, education, and personal lives. We communicate through computers; we do our work on them; we keep them in our homes and carry them in our pockets. Indeed, all of us can agree, I think, that computers are central to the way we live and work. In so many ways – big and small – computers have transformed our ability to manage massive amounts of critical data, communicate with ease with people on the other side of the globe, and conduct financial transactions quickly. Yet these extraordinary benefits have also come with a real threat: our computers, and our online lives, are simply not as secure as we might hope.
Insecure computers can, of course, result in many problems, but one concern, in particular, should trouble all of us: invasions of personal privacy. As we all know – and many Americans have personally experienced – it is becoming far too commonplace an occurrence that our email addresses are hijacked, our financial information siphoned away, and our personal information compromised. These invasions of privacy, for good reason, make us feel intensely vulnerable and unsafe. And, that fear is only compounded when we realize that the criminals who hack into our computers often sit on the other side of the world; peddle the stolen information to other criminals; and use the information for their own profit or, even more frightening, to terrorize and extort their victims.
As head of the Criminal Division, I know that these types of invasions of privacy demand a law enforcement response. And, respond we have – including through the tenacious work of our Computer Crime and Intellectual Property Section, also known as CCIPS, which partners with Computer Hacking and Intellectual Property Coordinators in U.S. Attorneys’ Offices across the country as part of a network of almost 300 Justice Department cybercrime prosecutors. Every day, our prosecutors strive to hold to account cyber criminals who steal the private information of Americans.
Consider, for instance, the case of Vladislav Horohorin, which was prosecuted by CCIPS and the United States Attorney’s Office here in the District of Columbia, alongside the FBI and Secret Service. Horohorin, known by the nickname “BadB,” used online criminal forums to sell stolen credit and debit card information to online purchasers around the world. At the time of his arrest, he possessed more than 2.5 million stolen credit and debit card numbers. In one instance, he worked with a criminal group that – in a single 12-hour crime spree – stole over $9.4 million through fraudulent transactions at over 2,100 ATMs in 280 cities around the world. As a result of a massive investigation spanning several years – and several countries – we located him, charged him, and arrested him after he left Russia to gamble with his illicit profits on the Riviera. In April 2013, Horohorin was sentenced to serve 88 months in prison.
Our investigation of the Coreflood botnet is another example of our commitment to stopping massive privacy invasions by using the most innovative law enforcement techniques. If the concept of a botnet is unfamiliar to you, let me try to define it simply: it is a network of secretly hacked computers, sometimes numbering in the millions, that are located in homes, schools, and offices. Botnet creators install special malicious software on those computers. And once the malware is installed, hackers can put these botnets to countless illicit uses, including invading privacy on a scale never before seen.
The Coreflood botnet, for example, hijacked hundreds of thousands of computers for the purpose of stealing private personal and financial information – including usernames, passwords and other personal data – from unsuspecting computer users. In one example, the Coreflood botnet illegally monitored Internet communications between a computer user and her bank, took over an online banking session, and then emptied the user’s bank account. Overall losses from the scheme were staggering: estimated to be in the tens of millions of dollars.
The individuals controlling the Coreflood botnet resided overseas and were largely outside the direct reach of U.S. law enforcement. In 2011, however, CCIPS and the United States Attorney’s Office in Connecticut used a combination of civil and criminal authorities to seize key control servers, shut down the network, and work with private sector partners to help disinfect victims’ computer systems. Among other things, as part of this ground-breaking law enforcement operation, the Justice Department obtained a court order authorizing the government to respond to signals sent from infected computers in the U.S. to stop the Coreflood software from running, and thus preventing further harm to hundreds of thousands of Americans whose computers were under the control of the botnet. And, in a relatively short period of time, the Coreflood botnet was dismantled.
As another example of our work to protect the privacy of individuals, in 2011, the United States Attorney’s Office in Los Angeles successfully prosecuted a hacker named Luis Mijangos. Most hackers hack for money; some for fun; some for politics. Mijangos, however, hacked for sexual thrill. He infected victims’ computers with malicious software that gave him complete control over their computers. He deliberately targeted teens and young women, reading their emails; turning on their computer microphones and listening to conversations taking place in their homes; and watching them through their webcams as they undressed. Even more frightening, Mijangos then extorted certain victims by threatening to post intimate pictures on the Internet unless the victims provided him with more salacious images or videos of themselves. When one victim shared Mijangos’s threats with a friend, Mijangos retaliated by posting nude pictures of the victim on her friend’s social networking page. At the time of his arrest, FBI computer forensics experts determined that he had infected more than 100 computers that were used by approximately 230 individuals, at least 44 of them minors.
There are, of course, countless other examples of the Department’s ground-breaking work to bring cyber criminals to justice. But I wanted to particularly highlight the Horohorin, Coreflood, and Mijangos prosecutions because they are examples of privacy crimes. You could classify these crimes simply as hacking – that is, as crimes against computers – but to do so would be to miss the true nature of the harm that these criminals inflicted. Their actions offend our sense of decency because the criminals used computers to gain power over other people. Consider, for example, the story of one of Mijangos’s victims. After he taunted her by transmitting a screenshot of her in the nude – shot with her own computer in her dorm room – she called her boyfriend for advice. They reportedly talked about calling the police, but as soon as they did, Mijangos sent the boyfriend an anonymous instant message that said: “I know you’re talking to each other right now!” The victim then decided to call the police. But when she did, she got a message, too. “I know you just called the police,” he wrote. His message was unmistakable: he was in control; he knew everything; and he had the power to hurt the victim further if she reported the crime.
I highlight these prosecutions today because our ongoing national debate about online privacy has focused largely on companies, such as communications providers, that possess large volumes of information about customers; and on governments, that obtain otherwise private information in the course of criminal investigations or other official activities. But far less attention has been focused on the degree to which cyber criminals invade privacy every day. House burglars can enter every room, open every drawer, see into every medicine cabinet, and take whatever they wish. But computer criminals can inflict far more damage. They break into computers and steal private photos and emails, set up illegal wiretaps to clean out bank accounts, peer through webcams, and monitor and collect every password.
The Justice Department’s prosecutions disrupt, deter, and punish these crimes, and thus protect the privacy of our citizens. Yet when some hear about investigators using cutting-edge law enforcement tools to unmask anonymous Internet users, execute search warrants that permit the forensic examination of computers, or use search warrants to access the contents of email accounts, they have sometimes criticized the government for invading privacy. We take those concerns seriously. But perspective is necessary. Criminal investigations, by their nature, uncover facts that some people wish remained private. Long before computers and the Internet, our society came to the consensus that law enforcement is entitled to use certain tools that are necessary to protect victims and to bring criminals to justice. So we allow investigators – with search warrants – to enter homes and computers and examine items found there. We allow prosecutors to ask grand juries to subpoena records from banks, stores, and other companies that may have relevant evidence. And, we allow law enforcement agents, as in our Coreflood investigation, to use criminal and civil authorities to disable websites and seize computer networks that are used by criminals.
These are necessary tools for crime fighting. Without them, we would not be able to bring offenders to justice. Put another way, law enforcement must, necessarily, occasionally pierce the veil of privacy of a suspect’s electronic communications in order to identify the wrongdoer, gather evidence about his crimes, and arrest him. But we do so with the goal of solving crimes and protecting victims. And we do so subject to the myriad, long-standing safeguards in the law that protect against abuse.
In addition to the important law enforcement techniques that we must use to successfully investigate cyber criminals who invade our privacy, our prosecutors also rely on effective criminal statutes to bring the cyber criminals to justice. One of the most important of these computer privacy laws is the Computer Fraud and Abuse Act – also called the “CFAA.” The CFAA is the primary federal law against hacking. It protects the public against criminals who hack into computers to steal information, install malicious software, and delete files. The CFAA, in short, reflects our baseline expectation that people are entitled to have control over their own computers and are entitled to trust that information they store in their computers remains safe.
The CFAA recognizes two types of hackers: outsiders and insiders. Outside hackers have no relationship to the computer owner. Insiders, on the other hand, are those who have some right to access the system, but who abuse that right, such as employees of a business who unlawfully take that company’s customer databases. There is generally no way to encrypt and password-protect every piece of data on a system to eliminate the insider threat, because employees need to be able to do their jobs. Thus, written policies between employers and employees – which are simply a contractual means of ensuring trust – are an important way to secure information. Violating these written restrictions harms businesses. And, it harms average Americans as well, especially when the information stolen by insiders contains the private information of consumers, such as credit card numbers, banking information, or social security numbers.
The CFAA is a powerful tool in our fight to protect victims of crimes committed by insiders who abuse their access to their employers’ computers. We have used it to prosecute police officers who sold their access to confidential criminal records databases. We have prosecuted government employees who accessed highly private tax and passport information. We have prosecuted an account manager at a major bank who helped steal customers’ identities. We have prosecuted a system administrator for reading the emails of a company’s CEO, and for passing those emails on to a competitor. All of these insider hackers had some right to access those computers; after all, their employers had to give them that access so they could do their jobs. Their conduct became a crime under the CFAA only because they intentionally exceeded their employer’s computer access rules.
In recent years, some have contended that the CFAA’s provision aimed at insiders should be limited or abolished because that provision is subject to misuse or overuse. Some have worried out loud, for example, that the statute permits prosecution of people for trivial or harmless conduct – like lying about your age when signing up for an Internet dating site, or violating the terms of service of an email provider. Our track record shows that we have no interest in prosecuting anyone for such activity, and we support appropriate clarifications to the statute to make that clear. But, abolishing this provision of the CFAA or otherwise legalizing insider hacking is not the answer, because that would ignore the significant threat posed by insiders.
We understand how devastating it is to victims of cyber crime who have their personal and financial information siphoned away, whether by hackers on the other side of the world or by insiders at a company that might hold your personal information. And, the Justice Department is committed to using the full range of investigative tools and laws available to us to fight these crimes and protect Americans. And, we will continue to use those tools responsibly. So my point today is a simple one: restricting the lawful tools available to criminal investigators will not result in a gain for privacy. To the contrary, in the prosecutions I described today, our ability to obtain online evidence and use provisions like the CFAA were critical to protecting the public from those criminals and assuring their privacy.
It is my hope that as we discuss issues of online privacy in the months and years to come, we keep in mind that these are nuanced issues. It is too easy – not to mention wrong – to cast privacy issues as black and white, or to pitch the question of privacy as the government on one side and individuals on the other. Indeed, as I have described today, federal prosecutors and law enforcement agents have a critical role in protecting privacy – by bringing to justice those who steal financial information, stalk our children online, or steal the intellectual property of American businesses. The public is entitled to the just and strong enforcement of our criminal laws, and as these issues are discussed in the coming months, we believe it is vitally important to consider in the equation the key role that law enforcement plays in protecting the privacy of Americans.
Thank you for the opportunity to speak with you today. It has been a privilege.