June 8th 2020
Security & Intelligence Professional | Currently CEO @ The Security Stronghold
- This article was written with the intent to bridge the gap between law enforcement and those private citizens who investigate criminal activity online.
- It is important to make clear that taking the law into your own hands is illegal, dangerous, and almost always results in more harm than good. Private citizens cannot conduct a criminal investigation and gather admissible evidence. Only law enforcement can do that. The purpose of this work is to redefine the efforts underway across the world and help those people act ethically when delivering productive information to law enforcement.
- Hopefully, the public will be better informed following this article, and as a global society, we can more effectively support the serving of justice for all people.
Law enforcement received an anonymous tip early in the morning. It wasn’t the typical “check this person out” or “I saw this” type of tip. In fact, it wasn’t really a tip at all, unless you consider a collection of information the size of a case file a simple tip.
Investigators received troves of data relating to an online child pornography ring. Names, online pseudonyms, IP addresses, messages, and evidence that users sent and received files. This particular group was previously unknown to law enforcement, and by the looks of the evidence the group was especially abhorrent.
A password-protected case file had been left on a public server and the password was anonymously provided to the FBI by someone using an anonymous burner email address. The information provided along with proper law enforcement investigation and evidence collection led to the group being shut down. The criminals participating in the online group were convicted.
Law enforcement had some concerns about using the evidence to convict these criminals, but everything went smoothly. The evidence was admissible in court because the anonymous third party is private and therefore not subject to the Fourth Amendment. Further, no previous nexus existed between this individual and law enforcement. Everything checked out, a handful of nasty people were brought to justice, and children were no longer being victimized by this group.
Despite sounding like an unimaginably easy case for law enforcement, perhaps even fictitious, cases where most of the work is done by a knowledgeable, anonymous third party are becoming increasingly common in the cyber realm.
In 2000, an anonymous hacker contacted law enforcement in Montgomery, Alabama with evidence detailing the activity of a child predator. The hacker sent the following e-mail (US v. Steiger, 2003):
“I found a child molester on the net. I’m not sure if he is abusing his own child or a child he kidnaped [sic]. He is from Montgomery, Alabama. As you see he is torturing the kid. She is 5-6 y.o. His face is seen clearly on some of the pictures. I know his name, internet account, home address and I can see when he is online. What should I do? Can I send all the pics and info I have to these emails?
P.S. He is a doctor or a paramedic.”
The anonymous source also attached electronic images containing pictures of a white male (Steiger) sexually abusing a young white female who appeared to be approximately four to six years of age.
Subsequent anonymous e-mails identified the molester as “Brad Steiger,” and provided Steiger’s Internet service account information with AT&T WorldNet, possible home address, telephone number used to connect to the Internet, and a fax number. Apparently without being asked to do so, the source sent an email to the Montgomery, Alabama Police Department on July 19 providing Steiger’s checking account records. On July 21, the source sent another email that identified specific folders where child sexual abuse material was stored on Steiger’s computer.
The agent who had been contacted by this hacker reached out to the FBI, and they launched an investigation. Steiger was arrested and charged with violating various federal statutes involving sexual exploitation of minors.
Count I alleged violation of 18 U.S.C. § 2251(a) (inducing a minor to engage in sexually explicit conduct to produce visual depictions such as exhibition of the genitals and pubic area of a minor); Count II alleged a second violation of § 2251(a); Count III alleged violation of 18 U.S.C. § 2252(a)(5)(B) (knowing possession of a computer containing three or more images of child pornography); Count IV alleged violation of 18 U.S.C. § 2252(a)(2)(A) (knowing receipt of child pornography); Count V alleged violation of 18 U.S.C. § 2423(a) (knowing transportation of minor in interstate commerce with intent that the person engage in sexual activity); and Count VI alleged a second violation of § 2423(a).
The evidence “discovered” by law enforcement proved to be admissible in court because the hacker had not been in contact with law enforcement before the search. The hacker was not acting as an agent of the law, so the private search doctrine applied; the search was not in violation of the Fourth Amendment (Legal Information Institute, 2017).
Oddly enough, seven months after his last contact with law enforcement, the hacker contacted the agent again to share information about another child predator. This information led to the arrest of William Jarrett (US v. Jarrett, 2003). Since this was the second time the hacker had contacted law enforcement, the issue of the Fourth Amendment was relevant again. In this instance, the court ruled:
“Although the Government operated close to the line, the contacts in Steiger between the hacker and law enforcement did not create an agency relationship that carried forward to Jarrett. Moreover, although the government created an agency relationship through further contacts with the hacker during the second investigation, that agency relationship arose after the relevant private search and disclosure. Thus, the hacker’s private search in Jarrett did not violate the Fourth Amendment.”
The FBI was able to determine that the hacker was a resident of Turkey, but the hacker would not meet with law enforcement or reveal his identity. Electronic correspondence between the FBI and hacker revealed interesting details. The Turkish hacker was apparently doing this as a hobby, and he stated he was not a “computer freak”.
Also, he claimed to have employed his methods against more than 2000 child pornography consumers and a few people producing child pornography. The hacker would lure the suspects into traps and then use the SubSeven trojan to access their computers, collecting information and anonymously distributing it to law enforcement.
It is evident from these cases that there is a place for so-called “Cyber Vigilantism”, but more discussion needs to take place. The purpose of this article is to look at the issue from an objective point of view, identify the times where cyber vigilantes have done more harm than good, and provide a framework for effectively supporting law enforcement without causing trouble for any of the involved parties.
Essentially, this article will illustrate who a true cyber vigilante is and what their purpose in the world should be.
Cyber vigilantism has been defined a number of ways. The previous anonymous tip style work has been called cyber vigilantism, but those who make false claims online and promote violent behavior in real life have also been called cyber vigilantes. For the purpose of this article, cyber vigilantism will be defined as “self-appointed individuals or groups supporting the pursuit of justice by employing nontraditional and often unconventional tactics while using a computer system or other technology”. A true cyber vigilante supports the swift serving of justice by law enforcement and due process, not glory or vengeance for themselves.
Cyber vigilantism comes in all shapes and sizes. The example above is just one application of cyber vigilantism. Cyber vigilantes might work to fight human trafficking and child exploitation by identifying rings of criminals on the Internet or dark web. They have also been known to report locations of child pornography online, locate missing persons, and find victims of crimes.
Another application of cyber vigilantism relates to financial crimes; there are those who track money online to find stolen funds, identify those who conduct illegal business, or locate the nerve center of a cyber criminal group. Finally, cyber vigilantes have been known to seek out and disrupt terrorist campaigns attempting to lure recruits or spread ideology.
Arguments For Cyber Vigilantism
The arguments for cyber vigilantism are fairly simple. Law enforcement is inundated with work, they do not always possess the latest technology, and they are bound by sometimes constraining laws. The criminological theory of community policing “promotes organizational strategies that support the systematic use of partnerships and problem-solving techniques to proactively address the immediate conditions that give rise to public safety issues such as crime, social disorder, and fear of crime” (National Criminal Justice Reference System, 2009). It was only recently in American history that law enforcement became such a public and organized effort. Before then, a good portion of the law was upheld through private, collaborative efforts.
Cyber vigilantism seeks to leverage the citizen’s reach, time, and expertise. Many of these cyber vigilantes work in fields where they have honed their expertise for decades, and they apply it for good (Lazareva, 2018). Searches are not constrained by the Fourth Amendment when done by private US citizens. Also, given the interconnectedness of the internet, citizens of other countries are reporting crimes to US law enforcement or carrying out these investigations.
The US Department of Homeland Security has campaigned for citizens to say something if they see something in an effort to leverage private citizens as a HUMINT source. Crimes that involve or utilize technology or computer systems are no different, and savvy citizens are more apt to do something when they encounter criminal operations or illegal content. Unlike the general populace, these cyber vigilantes often go above and beyond merely saying something if they see something. The cyber vigilante knows technology inside and out and often provides law enforcement with information that would have otherwise taken substantial time and resources to obtain.
The Dangers of Cyber Vigilantism
On the other hand, some argue against the practice of cyber vigilantism. They often say that the work of criminal investigation must only be carried out by those in law enforcement, and that vigilantes are doing more harm than good by spreading false information, falsely accusing people, and rousing the internet mob to destroy peoples’ lives. There is a fine line one must draw when discussing cyber vigilantism, and the cyber vigilante effort must not be improperly represented by cases of defamation reported on by the media. The often cited examples of “cyber vigilantism gone wrong” must be addressed, but they are by no means reason to shy away from cyber vigilantism.
On April 15th, 2013, three people were killed and hundreds more injured when two homemade pressure cooker bombs were detonated near the finish line of the Boston Marathon. In an attempt to identify the perpetrators, a subreddit (a subreddit is a forum dedicated to a specific topic on the popular discussion platform, Reddit) was formed (Kaser, 2017). Users looked at photos from the attack and then attempted to identify possible suspects through an online investigation.
Good intentions soon led to disastrous consequences, however, as inexperience gave rise to false accusations that spun out of control.
Participants in the subreddit soon accused Sunil Tripathi of being the man seen in a photo that was released showing one of the suspected bombers. Tripathi was a Brown University student who had gone missing a month earlier.
Reddit users and others online spread the accusation that Tripathi was one of the bombers (the bomber was later identified as Dzhokhar Tsarnaev). Tripathi committed suicide, but it is unclear why. The Tripathi family was looking for Sunil at the time, and received threats after the accusations were made that Sunil was a suspect. It is not known whether or not Sunil was aware of these accusations, and the subreddit was removed shortly after it became clear that it was mostly a firestorm of false and fabricated information.
This episode of internet detective work gone wrong is often used to argue against cyber vigilantism. It is not a reason, however, to abandon cyber vigilantism; rather, it demonstrates what true cyber vigilantism is and what it surely is not. Furthermore, it provides important lessons that we must learn from to improve the safety and effectiveness of cyber vigilante activities.
First and foremost, the people who undertook this work of identifying the suspects were largely inexperienced Reddit users, not the professionals who conduct technical investigations. Second, unverified information was spread intentionally over various social platforms such as Twitter. Some who participated plainly lied about the information they had collected to appear as if they were helping the investigation (Kang, 2013). The desire for recognition was one reason this investigative disaster spread.
The lessons learned from this incident are as follows:
- Cyber vigilantism is not to be taken lightly; supporting law enforcement this way is a dangerous and painstaking process. It is not for people without professional experience and a proper process.
- Information that is collected during cyber vigilante operations should never be disseminated through the internet or social media. Not only can this tip off a criminal, but it can also ruin the information’s admissibility in court. Information that you have collected should never be used to dox anyone. Cyber vigilantism is not an attempt to call out criminals, nor is it an opportunity for you to make a name for yourself. Mob mentality is lethal.
- Finally, your motive for cyber vigilantism must be one of seeking to do good and supporting law enforcement. You must seek nonviolent justice, not vengeance. No matter how heinous the crimes committed are, you will make a bigger impact by sticking to justice.
These observations help solidify what true cyber vigilantism is and needs to be.
Cyber vigilantism is the careful assistance of serving justice. Cyber vigilantes are the quiet ones who provide the pieces of information needed to break open a case or who make law enforcement aware of criminal activity that would have otherwise gone unnoticed. Information can be obtained through the application of cyber vigilantes’ unique skills. Information can be collected to prove that someone has committed a crime. Information can be provided to show that an online identity links to a real world criminal. Cyber vigilantism can provide today’s swift hand of justice with some much needed support.
Above all else, it is essential that from this point forward everyone understands what cyber vigilantism is. Without the proper mindset, none of the work of a cyber vigilante will be fruitful. No longer will cyber vigilantes be considered immature, anti-establishment, mob-rousing troublemakers. That behavior has no place.
A cyber vigilante is the representation of collective, resourceful justice. They come from all walks of life: information security professionals, OSINT investigators, technology enthusiasts, digital forensics experts, government employees, legal professionals, military members, journalists, hackers, hobbyists, and the list goes on forever.
Cyber vigilantes understand they cannot take the law into their own hands, but they find joy in knowing they can make an impact for good by supporting law enforcement’s work. They are careful and diligent in their work, providing accurate and independently verifiable information to law enforcement, all the while acting with integrity and employing just and moral methods to obtain that information.
Benefits of Employing Cyber Vigilantism
The cyber vigilante support process can be described with a five-step framework. A cyber vigilante may only work as far as the first step, or they may work through all five steps. The steps are as follows: discovery, identification, collection, correlation, and location. These are steps in the investigation cycle that do not require millions of dollars, thousands of people, and hundreds of tools. They are areas that allow deep technical expertise to produce great results.
The majority of these online groups of criminals, whether they are marketplaces, forums, or small networks, are shrouded in secrecy. Apart from the widely known and easily accessible sites, there are thousands more that are hidden in the shadows of the deep web and dark web. This includes everything from Facebook groups to invite-only Tor marketplaces.
Law enforcement does not have the time or resources to devote significant energy to tracking down every single one of these online groups. Oftentimes, it would be a fruitless endeavor for them. One site is taken down and two more appear in its place – law enforcement is perpetually fighting a hydra in the digital realm. This is where cyber vigilantes come into play. Even the most basic skill set can still allow a cyber vigilante to track down these groups and report them to law enforcement.
The exact techniques used by cyber vigilantes to conduct this type of discovery are out of the scope of this article, but the point stands that uncovering these groups is a great first step to combating various forms of crime conducted online. Even if law enforcement does not have the resources to pursue the lead at that time, they will know about it, and that will save them time in the future.
Furthermore, awareness of criminals, either alone or in a group, can help law enforcement make valuable connections down the road.
The next step facing cyber vigilantes is the identification of the exact nature of the criminal activity. Investigations can take many different turns, and it is important that the criminal activity is identified before any further steps are taken. Some of the more heinous groups of online criminals conduct activities such as distributing child pornography that they created, selling people’s personal information online, dealing in lethal narcotics, and even selling human organs.
It is usually fairly simple to identify the nature of the criminal activity, but sometimes it may not be clear. An understanding of US Code and the classifications of crimes is helpful during this step because any information that can be provided to law enforcement to help them do their portion of the work can save time, possibly resulting in lives saved. Another important aspect of identification is being able to reduce your own legal exposure.
From this step on, things could get dicey, and unless you want to be prosecuted for a crime, it is best to understand what constitutes criminal activity and which lines you cannot cross. I am not a lawyer and none of this is advice – for your life or legal situation. Talk to your own lawyer…or don’t.
Law enforcement will be able to do much more if you provide them with hard intelligence and verifiable information, as opposed to just telling them that there is such a group operating online. Law enforcement is well aware of the pervasive and abhorrent nature of these criminals, so it’s important that you can deliver actionable intelligence and information that will turn into admissible evidence through law enforcement’s work.
Actionable intelligence is information that law enforcement feels confident about and can act on. This would include information such as a “.onion” address where the group is operating or even the credentials to your anonymous Facebook account that you used to infiltrate a criminal group on Facebook.
Screenshots are very helpful, but you should also record all of the data and exactly what you did to discover and identify the group. The information needs to be timely, accurate, and verifiable. Try to take steps so that your collection is reproducible if possible.
Information that leads to admissible evidence is the second part to collection and will be important from here on out. Law enforcement may not always be able to uncover the same information that cyber vigilantes do for a number of reasons, but oftentimes the information collected by cyber vigilantes is what is needed to bring down these criminals.
Ergo, it is important that whatever is collected can be independently verified and is admissible in court. Again, a cyber vigilante who is a private citizen will not be subject to restrictions such as the Fourth Amendment, but it’s important that you are not considered an agent of the government and that you do not break laws to collect information. Below are important elements cyber vigilantes must consider to improve the likelihood that the information they collect will be admissible later:
- Cyber vigilantes must not intentionally break the law to obtain evidence. Even if the evidence provides clear proof of wrongdoing, it may be thrown out or lead to the cyber vigilante’s own incarceration. Private citizens are not subject to the illegal search doctrine, but other laws might still be violated, and there are penalties for doing so.
- Cyber vigilantes must try to collect the most authentic and condemnatory information. A piece of hearsay information is not as strong as one that clearly demonstrates a criminal act was committed by a specific person. Likewise, the information should be authentic, meaning it should be as close to the primary source as possible. For example, a screenshot with a timestamp, accompanied by a description and statement, is better than just the description. The information should not be altered or processed post-collection if possible. Hashes are your friend.
- Finally, since the effectiveness of cyber vigilantes mainly hinges on the Independent Source Exception to the Exclusionary Rule, it is crucial that cyber vigilantes operate independent of law enforcement. Cyber vigilantes must not initiate a relationship with law enforcement and that is why most conduct all their operations anonymously and never divulge their real names and identities. This way, no nexus is created between the cyber vigilante and law enforcement, so the cyber vigilante is not acting as an agent of the government and information is almost always useful and admissible later on. Bonus tip: it helps law enforcement if you report that you “stumbled across all of the information”, rather than that you were hunting for it. A court could potentially rule that you were acting as an agent of the government because you are essentially doing what some law enforcement agencies do (intentionally looking for and collecting evidence of a crime), even if you haven’t established contact with them.
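The advice above on recording exactly what you did and hashing what you collected, as an added example that is not part of the original article: a hash-chained collection log in Python that stores each step with a UTC timestamp and the SHA-256 of the artifact, so a later change to an artifact or to the log itself is detectable. The file names, field names and sample bytes are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used by the first log entry
FIELDS = ("seq", "utc", "action", "artifact", "sha256", "prev")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry):
    """Hash the entry's fields in canonical JSON so the digest is reproducible."""
    body = {k: entry[k] for k in FIELDS}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def append_entry(log, action, artifact, content, utc=None):
    """Record one collection step: what was done, when, and the artifact's hash."""
    entry = {
        "seq": len(log),
        "utc": utc or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "artifact": artifact,
        "sha256": sha256_hex(content),
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_log(log, artifacts):
    """Return a list of problems; an empty list means log and artifacts match."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            problems.append(f"entry {i}: unexpected sequence number")
        if entry["prev"] != prev:
            problems.append(f"entry {i}: chain broken")
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: log entry modified")
        content = artifacts.get(entry["artifact"])
        if content is None:
            problems.append(f"entry {i}: artifact missing")
        elif sha256_hex(content) != entry["sha256"]:
            problems.append(f"entry {i}: artifact altered after collection")
        prev = entry["entry_hash"]
    return problems


def demo():
    # Constructed sample artifacts standing in for a screenshot and a notes file.
    artifacts = {
        "screenshot-001.png": b"\x89PNG constructed sample bytes",
        "notes-001.txt": b"Constructed note: pages opened, in order, and what was seen.",
    }
    log = []
    append_entry(log, "captured screenshot", "screenshot-001.png",
                 artifacts["screenshot-001.png"], utc="2020-06-08T14:00:00+00:00")
    append_entry(log, "wrote collection notes", "notes-001.txt",
                 artifacts["notes-001.txt"], utc="2020-06-08T14:05:00+00:00")

    intact = verify_log(log, artifacts)

    # Case 1: an artifact is cropped or re-saved after collection.
    edited_files = dict(artifacts)
    edited_files["screenshot-001.png"] += b" cropped"
    altered = verify_log(log, edited_files)

    # Case 2: a log entry is back-dated and its own hash recomputed to hide it;
    # the next entry still points at the old hash, so the chain breaks.
    forged = json.loads(json.dumps(log))
    forged[0]["utc"] = "2020-06-01T09:00:00+00:00"
    forged[0]["entry_hash"] = entry_digest(forged[0])
    backdated = verify_log(forged, artifacts)

    return intact, altered, backdated


if __name__ == "__main__":
    for name, result in zip(("intact", "altered", "backdated"), demo()):
        print(name, result or "OK")
```

The chain only shows that the log is internally consistent; to fix it in time, the final `entry_hash` has to be recorded somewhere outside the collector's control, such as in the report itself.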
When collecting information, thought should be given to ensure that the information consists of actionable intelligence and is likely to be admissible evidence. Finally, keep in mind that much of the help that cyber vigilantes provide does not even reach this far into the framework. A simple tip about a site on the dark web or a user on a forum dealing in illegal activity is sometimes all it takes.
The next two steps are for those cyber vigilantes who go above and beyond. Their skill sets and years of continuous learning have allowed them to become efficient and effective investigators. In addition to collecting information, these cyber vigilantes spend time finding correlations between groups, actions taken, and online identities. This is doing more legwork for law enforcement, but still staying within the bounds of what law enforcement would typically feel comfortable with a cyber vigilante doing.
Criminals are rarely foolish enough to use their real information in these areas of the internet, but it does happen. Most often, however, pseudonyms are used and steps are taken to ensure a certain degree of anonymity. Many technical experts are able to find workarounds and still collect certain information that may give away someone’s real identity, but it is not common or easy.
As part of the cyber vigilante’s collection efforts, attention should be paid to accounting for the various members of a group, who does what within the group, and if there is any information that might lead to the uncovering of someone’s activity in other places or real identity.
The best practices for this step are, again, out of the scope of this article, but various mapping and investigation software exist to aid the cyber vigilante in creating concise and demonstrative reports for law enforcement. It is important to maintain high integrity in this step, and relationships between entities must be clear and supported with verifiable information.
Finally, for the extremely skilled cyber vigilante, locating the real identity somewhere online or finding the physical location of a person can be the coup de grace that law enforcement needs. Criminals inevitably need to be brought to justice in the physical world, and a location is an important part of that.
Locating a criminal actor can be very difficult, dangerous, and land you in all sorts of trouble. It also means that it is time to address another concern that people often have. Keep in mind we are talking about actions taken by private citizens.
Many wonder what the greater good means in situations such as these. They debate whether or not a crime such as computer intrusion is justified if it means that a child trafficking ring is identified. The private citizen has fewer restrictions when it comes to obtaining evidence, but they are still subject to the laws of the United States or wherever they are operating from.
Legally, this is a sensitive topic, but I will leave you with this: there are steps you can take to protect your own identity when sharing information with law enforcement, and law enforcement is usually very understanding when it comes to the part you played in collecting the information. By the way, in case you forgot, this isn’t legal advice. Talk to your lawyer. I am not responsible for what you choose to do with your spare time.
Finding the location or locating the identity of these online criminals allows real-world action to be taken to put an end to atrocious acts across the world. Properly collected information and the location of an identity online or in the real world has great potential to put an end to that criminal’s actions.
Lastly, it is worth noting that disseminating this information to law enforcement is a crucial step. The cyber vigilante needs to understand where it is best to send the information. Additionally, the information needs to be packaged nicely for the best chance of it being utilized effectively. Again, the exact how-to is out of scope, but the cyber vigilante can use their resourcefulness to learn the best anonymous reporting and notification methods.
Avoiding Legal Exposure
Doing this work can expose you to a multiplicity of legal troubles, but there are simple ways to stay out of trouble. First and foremost, the ethical cyber vigilante is the friend and ally of law enforcement, and will usually be treated as such. There are people who dislike the idea of a cyber vigilante, but you will almost always be considered an ally. As I have reiterated throughout this article, you should do your homework when it comes to which actions can be taken and which lines you should not cross – morally, ethically, legally, or otherwise.
Guidelines and Protection For Cyber Vigilantes
In an effort to make the cyber vigilante effort more effective and sustainable, law enforcement and the public must trust efforts by cyber vigilantes. These operations must be carried out with integrity in order to build trust and maintain it. I’m talking to everyone reading this article who is thinking “Hey, I do this” or “I want to do this”. It is up to each and every one of you to maintain integrity and act ethically. You are not a hero. You cannot take the law into your own hands.
You are informational and analytical support for law enforcement. Trust needs to be built and maintained between law enforcement and cyber vigilantes. The burden is on you, not the criminal when you are conducting your work.
The Future of Cyber Vigilantism
Up until now, cyber vigilantism has only been a fluid and fickle concept. Cyber vigilantism is a term that has gone by many other names such as “internet vigilantism” or “netilantism”. No longer. Today is a new day. True meaning has been given to the phrase “Cyber Vigilantism” and the others associated with it. Past blunders have been atoned for, and lessons have been learned from them. Through the fire, we have learned what a cyber vigilante truly does and who they should be. Those who secretly support law enforcement through cyber vigilantism have been given an ethos today. Leaving ego behind, the cyber vigilante boldly supports and assists law enforcement by leveraging their special skills and experience. They ethically preserve justice.
Law enforcement trusts them. Cyber vigilantes seek to help and serve those who cannot help themselves. They recognize law enforcement’s authority, but they also recognize the challenges law enforcement faces. In response to this realization, they provide much needed support during crucial steps in the process of bringing vile criminals to justice. Cyber vigilantes are the future of fighting crime that has only grown more pervasive and heinous. The people have chosen to take a stand against evil.
This article was quite long. Many things were simplified for the sake of time. While not everything relating to cyber vigilantism was discussed, the main focus was to redefine the notion of cyber vigilantism to make progress worldwide in supporting law enforcement’s mission. The Internet allows us the unique opportunity to come together as one, no matter our physical location or culture. While many focus on the terrible speech and immoral activities the Internet sometimes breeds, it is important to leverage the good that can be accomplished as well.
Finally, I also want to take a moment to thank law enforcement at all levels in the US: local, county, state, and federal. Additionally, I recognize the work of credible law enforcement organizations worldwide.
Cyber vigilantes can be an invaluable tool, but we know that all of our hard work is just the start. Law enforcement has to bear the burden of not letting criminals slip through on technicalities or by evading the law. The work law enforcement does with intelligence sourced by cyber vigilantes takes tenacity, perseverance, and calculating intellect. You deserve endless thanks for all you do.
- “Community Policing Defined.” National Criminal Justice Reference System, Office of Community Oriented Policing Services (COPS), US Dept of Justice, 2009.
- “History of Policing.” Community Policing, http://www.communitypolicing.com/history-of-policing.
- Kang, Jay Caspian. “Should Reddit Be Blamed for the Spreading of a Smear?” The New York Times. The New York Times, July 25, 2013. https://www.nytimes.com/2013/07/28/magazine/should-reddit-be-blamed-for-the-spreading-of-a-smear.html.
- United States of America, Plaintiff-Appellee, v. Bradley Joseph Steiger, Defendant-Appellant, 318 F.3d 1039 (2003).
- United States of America, Plaintiff-Appellant, v. William Adderson Jarrett, Defendant-Appellee. 338 F.3d 339 (2003).