Cyber Cops

odie Bernstein, director of the Federal Trade Commission's Bureau of Consumer Protection, savors the memory of her very first bust of an online scam artist. The 74-year-old career civil servant collared an especially nettlesome "pagejacker," a breed of hacker who changes a tiny piece of code on a Web site so that visitors automatically are re-directed to other sites of the pagejacker's choosing. This scamster manipulated a page containing a review of the film "Saving Private Ryan," Bernstein says, her eyebrows rising in disgust. Web users who visited the page expecting to read an online film critique instead were inundated with dozens of the hacker's porn sites opening rapid-fire in individual browser windows. Victims were "mousetrapped," unable to click their close or back buttons, and sat in cyber paralysis until the pagejacking was over.

The bureau moved quickly. The servers used in the scheme were located in Australia and the perpetrators were found residing there and in Portugal, so an international pursuit ensued. A U.S. District Court judge issued an order to shut the scam down, and one of the defendants settled with the FTC, agreeing to cease his business practices in the future. After a bit of fanfare to celebrate its success, the bureau moved on to its next target.

The scam artists of the 21st century rely on tricks and devices no more complex or clever than those of P.T. Barnum, but they've taken their practice to a new domain-the World Wide Web. With that migration, a new business has been born in a few federal agencies-online fraud busting.

Three agencies-the Federal Trade Commission, the Securities and Exchange Commission and the Internet Fraud Complaint Center, a joint effort by the FBI and the National White Collar Crime Center-have taken the lead in combating Internet fraud. But purveyors of online hoaxes aren't their only problem. Consumers are becoming increasingly concerned about online scams, but they also remain skeptical about increasing the online role of government. There is no national consensus that any particular government agency is best suited to police the shifting frontiers of the World Wide Web-or even that government should be the enforcer. Many observers would leave that task to Internet service providers, dot-com corporations and individual consumers.

Partners in Crime

The FTC sits at the helm of the cyber patrol effort. With its decades-old mission to shield the public from crooks and schemers, the FTC's Bureau of Consumer Protection now serves as civil sentry of the Web. The bureau's work has been lauded by the technology publications Business 2.0 and Darwin Online. Fast Company dubbed Bernstein "America's top cyber cop" and called her bureau "one of the most Net-savvy offices in the federal government." Bernstein was also named by Time Digital as one of the "Digital Dozen," a group of entrepreneurs and scientists recognized as the most innovative and important shapers of technology throughout the world. But as Bernstein ushers visitors into her spacious office at the FTC's headquarters, 10 blocks from the White House, and urges guests to try the chocolate peppermint candies in the lobby, she seems more like a doting grandmother than an online Wyatt Earp.

Bernstein is responsible for moving the FTC into online consumer protection. After becoming bureau director in May 1995, Bernstein smelled trouble in the rapidly growing online marketplace. If electronic commerce was to succeed, electronic stores would have to be built upon a bedrock of consumer confidence, she believed. The biggest threat to that confidence was fraud, whether perpetrated through unscrupulous business offerings in e-mail spam letters or through cyber attacks on legitimate Web sites that undermined the public's general faith in the security of their information on the Internet. Bernstein decided the FTC would take on the cyber cheats. "Other agencies deliberated about whether or not their authority reached the online environment," she says. "We didn't."

The bureau launched a program to take down 21st century snake oil salespeople. Six years later, it has amassed a huge database of every consumer complaint of online fraud the FTC has received. Dubbed the "Consumer Sentinel," it is the guts of the bureau's Web-policing operation, feeding the staff with tips and leads they use to conduct "sweeps" of the Web with the help of more than 300 government agencies around the globe. For Bernstein, it's obvious who should be charged with keeping the Internet safe from smut and scam: It's the FTC's job. There is "no question about our jurisdiction or authority or our continuing expertise" in policing consumer fraud online, she asserts.

But the FTC doesn't go it alone. It often works with the Securities and Exchange Commission, which operates its own Internet crime patrol, the Office of Internet Enforcement. If the SEC discovers a business selling false stock tips online, it can shut down the operation. The agency also has been instrumental in working with the FBI to bring in some high-profile perpetrators of online securities fraud. Both the FTC and the SEC must seek help from law enforcement agencies to bring criminal actions that lie beyond their civil jurisdictions. So far, this lack of power hasn't stopped either agency from rooting out fraud, nor has it kept them from working hand-in-hand with other organizations to cast the widest protective net possible.

"The Internet spawned a new spirit of cooperation," says John Reed Stark, chief of the SEC's Office of Internet Enforcement, as evidenced by the SEC's growing relationships with other online watchdog agencies. He notes that like the FTC's program, the SEC's relies on sweeps, active surveillance and coordination with other organizations to make the strongest possible cases. Stark says the two agencies divide up cases between them based on which has the most expertise in a given swindle.

While Bernstein and her crew search for consumer schemes, Stark and his office prowl for sites conducting business in violation of securities law. If the SEC office finds an infraction, it sends a letter to the site's operator urging corrective action ranging from changing a Web page to shutting down a site. About 70 percent of recipients comply with the SEC's requests, says Stark. But for those engaged in outright fraud, the agency pulls out its biggest guns. In August, SEC's Internet enforcers made a huge score, tracking down the perpetrator of a "pump and dump"-a scam in which someone spreads false information online about a publicly traded company in order to artificially reduce or inflate the value of its stock. When financial news sites posted a fake press release about Emulex, a data storage equipment manufacturer, the company's market value plummeted more than $2 billion in 15 minutes. The bogus release was promulgated by 23-year-old Mark Jakob, a former employee of a press release distribution service. It declared that Emulex was facing an SEC investigation of its accounting practices, that its CEO had resigned and that the company would post a loss in the next reporting period. Jakob scammed the market for more than $241,000 before the FBI arrested him. Jakob plead guilty to three counts of fraud.

The SEC's Internet office helped track Jakob to a university computer lab in Los Angeles. The case is a good example of how the office has used its wealth of collected expertise to bring in big cases, says Stark. His handpicked team employs more than a dozen ace securities attorneys, many of whom also hold additional degrees in securities law. They know the securities market, are experts at using the Internet to track people and are authorized law enforcers. The SEC has a combination of skills most other agencies don't, Stark contends.

Since the office was established in 1998 with Stark as the chief, it has brought nearly 240 actions against approximately 800 defendants. The office gets about 300 e-mails each day from consumers reporting suspicious activity, usually some kind of spam (mass-mailed e-mail) they have received, Stark reports. The staff attorneys review each bit of correspondence, using a triage system that determines how quickly the report should be referred to which agency, if not the SEC. The attorneys do "real gumshoe work," Stark says, and the whole setup provides consumers concerned about fraud with "instantaneous access to government."

Rounding out the cyber-policing triumvirate is the Internet Fraud Complaint Center, the only agency of the three with the ability to arrest offenders. Spawned by a partnership between the FBI and the National White Collar Crime Center (a nationwide support network for law enforcement agencies that investigate and prosecute economic and high-tech crimes), IFCC aims to come up with a national strategy for online law enforcement. To that end, it is analyzing the complaints it has received, sorting them demographically by the type of crime, average age of perpetrators and victims, states with the highest concentration of incidents and the amounts of money lost.

Much like the FTC's Consumer Sentinel, IFCC receives complaints of online fraud or criminal activity from the public. The agency checks complaints against its database to see how many times it has received the same tip. Information is shipped off to the local law enforcement agency in whose jurisdiction the complaint originated, or referred to the FBI, SEC, FTC or another agency for further action. Using massive public records search engines, such as Lexis-Nexis and Source Point, IFCC also helps state, local and federal agencies mount preliminary investigations of online scams. Bob Pocica, an FBI supervisory special agent who helps run IFCC, says cooperation with agencies like the SEC is critical to the center's success. "You want to go to your best experts," he says, and IFCC did just that in the Emulex case, relying on the SEC to follow the financial trail and the FBI to reel in the perpetrator. "No one entity does it alone," Pocica says.

IFCC is the rookie on the scene, but it already has amassed a wealth of information on Internet crime. In its first six months of operation, from May to November 2000, it received more than 20,000 complaints (64 percent of them about auction fraud) and referred more than 6,000 of them to regulatory and law enforcement agencies around the world. Often the complaints go to the city where the offender operates as well as the areas where victims live. On average, IFCC sent copies of each complaint it received to four different agencies.

A Disconnect

As they seek to restore the public's faith in the Internet as a means of conducting commerce, Bernstein and Stark confront citizens' growing fear of crime online and skepticism about government's ability to control it. An April study from the Pew Internet and American Life Project found that 73 percent of Americans were "somewhat" to "very concerned" about criminals using the Internet to carry out offenses, and 80 percent were concerned about "wide-scale fraud" online. Sixty-two percent of those surveyed believed that new laws were needed to protect e-mail correspondence and online activities. But asked whether the government in Washington can be generally trusted "to do what is right," only 31 percent said it could "most of the time" or "almost always."

With such a disconnect between the public's desire to see the Internet controlled and its lack of faith in government, agencies like the FTC, SEC and IFCC must rely on high-profile actions to demonstrate their vigilance.

But these very successes have raised question about the agencies' online role. No one concerned with shielding consumers on the Internet objects to federal agencies pursuing fraud cases, but there is wide disagreement about how far the government should extend its reach into regulating online activity. Ray Everett-Church, a founder of the Coalition Against Unsolicited Commercial Email, an anti-spam activist group, believes the FTC is adept at finding fraud and deception online. But, he adds, "at this point, we are much more in favor of allowing [Internet] service providers and consumers to do the policing rather than the Federal Trade Commission." The Bureau of Consumer Protection is very good "at creating poster children for what you shouldn't be doing" on the Internet, he says, but it shouldn't play the role of beat cop. Everett-Church believes the FTC simply doesn't have the resources to fight all the scams conducted over the Internet, and that the agency's successful cases represent a tiny fraction of the actual number of offenses.

"If you put enforcement in the hands of those that are harmed," the consumers and service providers, the Internet will be a safer place overall, Everett-Church says. In order to stop all Internet criminals, he quips, the FTC "would literally have to send troops into trailer parks and basements around the world."

Wayne Crews, director of technology studies at the Cato Institute, a free-market think tank, says the FTC has moved too far in the direction of regulating online privacy contracts-the provisions on Web sites that spell out how Internet companies will protect and/or use customers' personal information. "It's much better if the FTC simply enforces contracts on the Internet rather than attempts to determine what those rules ought to be," says Crews. The FTC should regulate fraudulent privacy contracts, not try to dictate how new ones should be written, he adds.

Everett-Church's coalition was one of the most vocal supporters of anti-spam legislation that has been moving through Congress for the past year. A bill in committee in the House would put harsh restrictions on the dissemination of e-mail spam, which often is a vehicle for fraudulent schemes. H.R. 718, co-sponsored by Reps. Heather Wilson, R-N.M., and Gene Green, D-Texas, would give the FTC authority to prohibit sending spam to people who had said they didn't want it. Such requests would be made through a mandatory opt-out feature posted in every message. Under the bill, the agency would have the power to require that the sender delete the names and e-mail addresses of recipients who have opted out and service providers that don't accept spam from all mailing lists.

While it doesn't specifically address fraud, H.R. 718 is significant because it directly vests the FTC with the sole authority to force Internet service providers and marketers to adhere to spam regulations. Bernstein says she is grateful for the recognition the bill affords the agency, and that the FTC is fully prepared and willing to accept the legal responsibility-and the increased funding that presumably would accompany it. But asked about Bernstein's online fraud program, some congressional staffers who worked on the bill didn't even know it exists.

This knowledge gap between branches of of government represents another hurdle the FTC, SEC and IFCC will have to surmount to perform effectively in the online fraud battle. No one on Capitol Hill appears to be asking whether a law is needed at all given the agencies' current efforts. Green says Congress could have designated the Federal Communications Commission as the appropriate authority to monitor e-mail complaints, but that he ultimately decided the FTC "probably has the biggest teeth."

The FTC may have teeth, but it isn't interested in being the sole enforcer of Internet law. In fact, says Bernstein, the agency has been active in teaching other federal employees how to police the Internet. The agency has trained more than 800 law enforcement officers to investigate cases of electronic fraud. Bernstein says she didn't want a small group of people holding all the knowledge, but wanted to spread it around as much as possible. However, she knows that the FTC still is in a unique position to move more quickly than traditional law enforcers, at least in civil cases, because the agency is not slowed down with having to secure time-consuming requests for arrest warrants or wiretaps. When it comes to taking schemers offline, says Bernstein, "we can shut them down and shut them down fast."

In any case, H.R. 718's chances of survival are dim, according to staffers and groups close to the lawmaking process. The Direct Marketing Association, the largest trade group of corporate marketers in the country, opposes the bill because it allows Internet service providers to contact e-mail senders and ask that they not send further messages to the providers' customers, says Jerry Cerasale, the association's senior vice president of government affairs. Like Everett-Church's coalition, the association favors allowing consumers to opt-out of mass e-mailings on an individual basis.

Protection at Any Price

The work of the FTC, SEC and IFCC points to a way out of the legislative morass. By homing in on actual crimes instead of the debate over electronic junk mail, the agencies have been able to score public victories and make progress towards their goal of inspiring public confidence.

But resources for the agencies are lacking and sorely needed, according to some observers. Presidential candidate and consumer protection crusader Ralph Nader recently has taken up the banner of online consumer protection. He believes the FTC is doing some of the right things in that area, and that the other agencies could do more. But the bottom line, he says, is that they need more money. No legislation addressing all the issues of online protection is before Congress, Nader observes. Elected officials have been crafting bills based on little more than anecdotes about fraud related by their constituents, he says, rather than taking a philosophical overall approach to regulating the Internet. Congress is "severely underestimating the potential of fraud," he says.

The agencies are aware of their limitations. "We're still not prepared for this avalanche of e-fraud, [but] we're getting there," says Pocica of the speed at which cyber criminals can move compared to the agencies that fight them. IFCC saw its budget cut in the middle of fiscal 2001, after the appointment of Attorney General John Ashcroft. Pocica says he has faced the frustrating task of budgeting for technology that doesn't exist to fight crimes that haven't been invented. Like Bernstein, he welcomes any prospect for increased funding.

All the agencies are champing at the bit to do more. In each agency, the online anti-fraud effort is headed by an idealistic consumer advocate who gets a rush out of busting bad guys and would be happy to rack up more collars. But cyber crime "is an expensive crime to fight," says Pocica. For now, the agencies are prepared to wait and work.