Roger Clarke's Web-Site


© Xamax Consultancy Pty Ltd,  1995-2017

Roger and Friends' 'Internet Crime Prevention'

Technological Aspects of Internet Crime Prevention

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Gillian Dempsey, Department of Commerce, Australian National University

Ooi Chuin Nee, Electronic Trading Concepts - ETC, Sydney

Robert F. O'Connor, Departments of English and Commerce, Australian National University

Version of 15 February 1998, rev. 18 February 1998

© Xamax Consultancy Pty Ltd, 1997, 1998

This paper was prepared in response to an invitation to present at the Australian Institute for Criminology's Conference on 'Internet Crime', Melbourne University, 16-17 February 1998

This document is at


A preliminary analysis is undertaken of the extent to which it is feasible to prevent crime on the Internet, in particular through the credibility of law enforcement agencies being able to investigate criminal activities.

The primary focal points are the detection of traffic involving a party-of-interest, the acquisition of traffic content, access to message content, and the attribution of message content to a legal person. Supporting sections deal with Internet crime, and with current and future Internet technology.

An Extended Abstract is available.


1. Introduction

This paper has been prepared in response to a request for a presentation on the topic of technological aspects of Internet crime prevention. The primary author is a consultant, and ex-academic, who specialises in strategic applications of information technology, who is not a lawyer, and who has no prior experience in relation to criminology. He has assembled a small team of collaborators whose background complements his own, in the areas of law and information technology. At this stage, no attempt has been made to incorporate insights from the criminology literature.

The Internet presents new challenges to law enforcement. This paper addresses the question of the extent to which the prevention of `Internet crime' is being, and will be, aided and inhibited by technology. The topic is challenging - especially due to the remarkably limited amount of research that has been published on this topic to date. To overcome this, the approach taken has been to perform a scan of the area, to impose a degree of structure on it, and to perform foundation research into key issues.

Within this paper, `prevention' has been given a liberal reading to include not only the making of crime impossible or difficult to commit, but also the deterrence aspects represented by investigation and forensics. The primary area in which effort has been invested has been Internet architecture, protocols and software, and the extent to which these do and do not assist law enforcement agencies in the detection and investigation of criminal activity. This paper should be regarded as a foray into a developing area, and a foundation on the basis of which more careful and authoritative work can be performed.

The paper commences by outlining the political context within which the analysis is being performed and providing some working definitions, which establish the paper's scope. Crime in the context of the Internet is then briefly reviewed, in order to provide a background for the technical discussion. The conclusion is reached that prevention is heavily dependent on the credibility of criminal investigation by law enforcement agencies. A reasonably deep appreciation of Internet technology is argued to be a pre-condition to meaningful analysis. Conclusions are drawn concerning the need for law enforcement agencies to invest in new skills, and the roles of 'cyberculture' and 'electronic community self-policing'.

2. The Political Context

The Internet began in the 1970s as an academic computer science experiment funded by the U.S. Department of Defense. It proved valuable to researchers, and that value was recognised by research funding agencies, which continued to directly support it well into the 1990s. A time-line of Internet development is provided by RFC2235.

Academic usage of the Internet came to extend well beyond the computer science discipline. In Australia, the Internet migrated at the end of 1989 from a mere research object to a fully professional service, AARNet. Gradual uptake by new communities (at first of scholars, and later in government, in industry and among society generally), together with successive new protocols and tools, has resulted in exponential growth in connected nodes, in traffic, and in users, being sustained over more than two decades.

Because such a substantial proportion of the population of computers and users has already been attracted onto the `net, growth in those measures will necessarily gradually assume the shape of the logistics curve, i.e. with growth rates flattening out. Traffic, on the other hand, appears set to continue its rapid growth, as more people spend more time generating more messages; and as bandwidth-hungry image, sound and video-transmissions become more common. Statistical information is available on Internet growth-rates up to 1995 at Georgia Institute of Technology, and on subsequent host-count growth-rates at NetWizard.

The innovation that brought the Internet squarely into public focus was the World-Wide Web, which began its explosive growth in 1993. The Web enables organisations and people everywhere to become publishers, and has resulted in a vast leap in the public availability of information. Retrospectively, many newcomers have discovered the benefits of pre-existing services, particularly email, but also file-transfer and newsgroups.

In addition to the wide range of valuable services that it supports, the Internet in general, and particular Internet services, have been co-opted to meet the needs of less tasteful purposes. The result has been a reaction by some socially conservative people and organisations against the Internet per se. Examples of areas in which public concern has been stimulated include:

In some countries, the Internet has generated even deeper reactionary feelings. Some governments have sought to stifle, and even prevent, the use of the Internet, because of its potential to support:

Meanwhile, it is reasonably argued that `organised crime', terrorists, and `subversives' more generally, are using, or will soon use, the Internet for their own purposes. Law enforcement agencies are accordingly taking a closer look at the `net. They are seeking means of limiting its use for illegal purposes, as well as applying it to their own needs.

Internet technology and services have to date been largely unregulated. As a result of the concerns of interest groups, a variety of measures have been proposed or attempted that would have the effect of constraining net freedom. Of particular relevance is the initiative of U.S. Attorney-General Janet Reno in the context of G-7. Motivated by the conviction that "The fight against lawlessness on the Internet will be one of the greatest law enforcement challenges of the next century", she is seeking to achieve much greater co-ordination among the law enforcement agencies of the major nations ( Wired magazine, 4 December 1997. Discussion may be found in Declan McCullagh's archives, and the cypherpunks archive).

A further initiative of relevance is the U.S. President's Commission on Critical Infrastructure Protection, which is concerned not only with energy, water, transportation and essential services, but also with communications. It was particularly concerned about `new cyber threats'. Its report of 20 October 1997 identified `a wide spectrum of threats', including:

The threats to Internet freedom have, predictably enough, stimulated reactions by individuals and organisations who are opposed to the exercise of power by nation-states. The intellectually and technically most virile of these are loose coalitions associated with the terms `crypto-anarchist' and `cypherpunk'. Their arguments vary from the inevitability of the collapse of the nation-state as a result of cryptography, to the need for crypto-armed rebellion to destroy the nation-state.

For expositions, see Eric Hughes' Cypherpunks documents, and Tim May's Cyphernomicon. A particularly valuable case study is provided by the semi-serious/semi-research thesis by Jim Bell, on `assassination politics'. See also McCullagh (1997).

The politics of these movements, and the interplay between crypto-anarchy and what I refer to as `crypto-authoritarianism' are examined in Clarke (1996b), and are not further discussed here.

This paper expressly does not address the broader questions of the interplay between the Internet and political activism or social values.

3. Scope

It is important to establish what this paper does and does not intend to address.

By `the Internet' is meant the set of computer networks inter-connected using the TCP/IP family of communications protocols. It should be noted, however, that the term is also used in a much looser, sociological sense, to refer to the community of people and organisations that communicate through the facility. A primer in Internet technology is provided. A more official description is to be found in RFC1462.

During the last few years, there has been an increase in the use of TCP/IP within closed networks within individual organisations (which is conventionally referred to as `Intranets'), and among closely knit associations of organisations (`Extranets'). These are usefully distinguished from the open or public Internet. The primary focus of this paper is the open or public Internet, but the analysis is broadly applicable to Intranets and Extranets as well.

The term `crime' refers to activities determined in law to be so harmful to society as a whole that they are prohibited, prosecuted and punished. Criminal cases are investigated and prosecuted by the `law enforcement agencies' of governments. Criminal law is distinguished from civil law, which protects, and is activated by, individual persons and corporations. This paper addresses only criminal law, although the analysis has relevance for civil law as well.

The notion `Internet crime' might be interpreted in a number of ways. One is to limit it to new forms of crime that can be performed on the Internet. Another is to apply it not only to new forms of crime, but also to variants of existing crimes that are adapted into the Internet context. Finally, it might be used to encompass any criminal activity that involves use of the Internet.

In a recent interview, an Interpol specialist on networked computer crimes was quoted as saying that Interpol divides digital crime into three areas ( Ghosh 1997):

This paper generally uses `Internet crime' in the most open and inclusive sense of the term.

A remarkably wide range of criminal acts are capable of being performed using the Internet. Examples include:

Some crimes are of limited relevance to the current context. For example, it is difficult to see how robbery, which involves access to a physical person, and break-and-enter offences, which involve access to physical premises, could be performed over the Internet. The notion of `property' may, however, be undergoing change; for example, hacking is tending to be treated as a form of `data theft'.

Battery, manslaughter and murder would also seem not to be capable of being performed over the Internet. However, the connection to the Internet of computers with robotic capabilities, such as those performing control functions over industrial processes, dams, and critically ill patients, may see such crimes become feasible ( Clarke 1993).

As part of this project, a reference list of relevant laws in Australian jurisdictions has been collated.

4. Sources

A vast array of information on the Internet serves the needs of lawyers generally, including the largest public-interest, national collection of primary law materials, at the Australian Legal Information Institute.

Many conventional and Internet resources relate to `computer crime' generally. Examples include:

Internet or `cyberlaw' is becoming reasonably well-served, particularly in respect of civil law topics, such as copyright, trademarks and contract. Examples of such sites include:

`Cybercrime', however, appears to have attracted relatively limited attention to date, and sources are limited. Three classes of activities that are readily located are:

In relation to the Internet, a range of resources available. Some key sources are cited at the appropriate points in the text, and in the reference list.

5. Crime Prevention in the Context of the Internet
* Introduction

The world's population is large, people are busy, and the processes of society are complex. To date, no society has been able to prevent all criminal acts, and few have been silly enough to even set out to do so. In a free society, law enforcement agencies are significantly limited in the extent to which they can exercise powers and tools to prevent crime. The relative success of crime prevention has varied widely, and appears to depend on a balance between `carrot' and `stick' mechanisms appropriate to each particular culture.

New technologies are being applied to crime prevention, such as video-surveillance (NSWPC 1995, Brin 1998) and data surveillance ( Clarke 1988).

In the context of the Internet, several approaches can be applied in an attempt to prevent criminal activity:

* `Hard' Prevention

`Hard' prevention is an attractive idea. Unfortunately, it is largely infeasible. This is because most criminal activities are only differentiable from non-criminal ones on the basis of the content or purpose of transmitted data, and hence little scope exists for designing Internet architecture or protocols in order to ensure that the Internet simply cannot be used for criminal purposes.

Some exceptions need to be considered, particularly in relation to:

  1. the transfer of value. There is a need for architecture, protocols and software that resist misuse. The security of net-based payment schemes is discussed in Clarke (1996c), and is not further addressed here;
  2. Internet-connected devices that act on their environment (i.e. are robotic in nature - see Clarke 1993). There is a need for architecture, protocols and software that preclude accidental and trivially simple intentional manipulation by inappropriate users, and in inappropriate ways; and
  3. anonymous and pseudonymous transactions. There is a need for architecture, protocols and software that implement an appropriate balance between the often conflicting interests of privacy and of accountability. This is discussed in Clarke (1995), and is not further addressed here.

* `Soft' Prevention - Definition, Awareness and Education

Awareness of the existence of a criminal offence, and education as to what it entails, can only be successful if the message is clear. Hence it is fundamental to the prevention of crime that members of the public understand what the activities are that are proscribed, and where the boundaries lie. Many `white-collar' crimes (such as `insider trading') suffer in this regard, as do so-called `computer crimes'. A further need is that the definition of criminal offences, and the punishment meted out to miscreants, reflects public opinion.

This paper does not address these issues any further.

* `Soft' Prevention - The Likelihood of Sanctions

The likelihood of successful prosecution depends on many factors, most of which are not fundamentally changed by the advent of the Internet. Two major new considerations, however, are the questions of:

The interim conclusion arising from the discussion to date is that both `hard' prevention and the prosecutability of criminal actions appear to be of only limited impact in the context of the Internet. This paper adopts the position that a critical aspect of control over criminal activities is the credibility of law enforcement agencies' capabilities to detect and to investigate. The remaining segments of the paper accordingly focus on those aspects.

For law enforcement agencies to provide a credible threat against criminals, they need a number of capabilities; or at least they need to be perceived by potential criminals to have them. The analysis in this section draws on the established computer security notions of confidentiality, integrity, authentication and non-repudiability. An overview of these ideas is to be found at Clarke (1996a), and is not further addressed here.

It is suggested that the key capabilities needed by investigators are:

These are considered in subsequent sections. Firstly, however, it is essential that the nature of Internet technology be considered.

6. Internet Technology

"There was no analogy for the way in which Great A'Tuin the world turtle moved against the galactic night. When you are ten thousand miles long, your shell pocked with meteor craters and frosted with comet ice, there is absolutely nothing you can realistically be like except yourself". Terry Pratchett 'Sourcery: A Discworld Novel' Corgi, 1988, p.13

It is a fundamental requirement of an analyis of crime prevention on the Internet that participants have or acquire a sufficient appreciation of the technology underlying the Internet. This is a non-trivial requirement, because the technology is complex, is still reasonably new, is foreign to most criminologists and law enforcement officers, and is usually explained in terms that are reasonably accessible to computer technologists, but not necessarily to normal people.

A primer in Internet technology has been prepared as an adjunct to this paper. It is essential that the reader of this paper already has an appreciation of Internet technology at at least the level provided by that document, or acquires it before actively participating in policy debates.

Some of the key points that must be appreciated are as follows:

7. Detection and Investigation Capabilities

On the basis of the preceding examination of Internet technology, it is now feasible to undertake an analysis of the capabilities that were identified earlier as being key to the prevention of crime on the Internet. They are:

7.1 The Detection of Traffic Involving a Party of Interest

This section considers the extent to which it is possible to satisfy the needs of law enforcement agencies to detect traffic involving a party-of-interest. It expressly excludes the capture of the messages, and the gaining of access to their content (which are dealt with in subsequent sections). The reason for this simplification is that a considerable number of technical difficulties need to be progressively introduced, and this is most readily achieved by first considering the simplest of the investigator's needs.

In order to know that a message has passed from one party to another, an investigator needs to have access to information about relevant messages at relevant points of the Internet. A number of factors conspire to make this difficult.

Records of messages that have flowed through a node are commonly referred to as logs or audit trails. Access to the messages themselves, and access to the logs at the time that the flow occurs (commonly referred to as `in real time'), is not considered here, but is addressed in the following sections.

Audit trails commonly show basic information such as the identities of the nodes from which the message was received and/or to which it was sent, the date and time that the transaction took place (recorded as a `date-time-stamp'), and possibly some information about the nature of the message; but often not its content.

Audit trails are generally maintained on the node that originates them, and on the node to which they are addressed. Exceptions arise, especially in the case of nodes that are not professionally managed, e.g. personal workstations. Generally, the host-nodes operated by an organisation for its staff-members, or by an Internet Services Provider (ISP) for its customers, will also maintain an audit trail. Audit trails are also generally maintained on intermediate nodes.

Because of the volumes of transactions involved, however, nodes may gather only a limited set of data, about a limited set of transaction-types; and they may only retain the data for a short (perhaps a very short) time.

An investigator needs access to one or more relevant audit trails. It is therefore necessary to establish the identities (i.e. the host-names or IP addresses) of all of the computers that a particular party-of-interest uses. Gaining access to the audit trails, or at least to the relevant extracts from those audit trails, would generally require legal authority, and the complicity, and presumably also the silence, of the managers of each such node; although it might be feasible to achieve it without the managers' knowledge.

Once such access has been achieved, the identity of the other node involved in each transmission needs to be de-coded. This generally appears in logs as an IP-address, and hence access to the tables stored within a Domain Name Server (DNS) is needed in order to convert it into a node-name.

The DNS tables do not, however, carry any information about the node's location in physical space. This is because Internet architecture, protocols and tools are concerned with net-space, not the physical world. In order to associate a node-name with a particular computer located in physical space, it is therefore necessary to also gain access to information stored only at the final node to which the node in question is connected, and/or to the records of the telecommunications company that provides the channel. Note that the channel may be delivered through physical means such as a telephone cable; but it may also be satisfied by wire-less means, such as microwave or cellular mobile communications.

The preceding analysis relates to relatively fixed and long-term connections. Many users of the Internet do not have a fixed connection, but rather use a further communications protocol (PPP or SLIP) to establish short-term connections via dial-up (PSTN) telephone lines. The IP-addresses for such links are allocated, from a pool of shared addresses, each time a machine dials in. Some local area networks also use this approach of `dynamic allocation' of IP-addresses. In such circumstances, the difficulties of associating an IP-address with a particular computer are compounded by the need for access to a date-time-stamped audit trail of the allocations of IP-addresses to casually-connected nodes.

The DNS tables do not carry any information about the legal person who has control of a node, such as a personal or company name. Associating control of a node with a legal person therefore involves gaining access to records maintained by a Network Information Center (NIC), or by means independent of the Internet, such as personal attestation. This is subject to all of the difficulties attendant upon the identification of humans and corporations generally. See Clarke (1994b).

The need of the criminal investigator is in any case for something more finely grained: it is important to establish the identity of the person by whom, or on whose behalf, a particular message was transmitted. Generally, many of the functions performed by a node are not attributable to the person who controls it. This is because many computers are designed to be multi-user devices, and each of the users of such devices have considerable powers available to them. Even single-user computers such as personal workstations may be used by multiple people, within a home or a workplace.

Machines designed for multiple users commonly involve the provision of a `userid' and an associated password. On such machines, audit trails commonly show which userids performed which actions. Personal workstations, however, commonly use neither userids nor audit trails.

In any case, it may not be simple to establish the association between a userid and a particular person. Firstly, this would generally require access to the system manager's records. Secondly, a single userid may be available to multiple people. This may be because it is designed that way (a so-called `generic' login-id); or because, although it is in principle assigned to an individual, in practice it is shared (e.g. by writing the userid and password on a `stick-it' or on a note-pad in the adjacent drawer). In addition, an individual's userid might be casually `borrowed' by another person, either intentionally, or through discovery or theft of the userid-password pair. Difficulties involved in the identification of individuals, and the authentication of acts undertaken by individuals, are further examined in Clarke (1994b).

Another difficulty arises in respect of date-time stamping of Internet transactions. There is no concept of a universal clock on the Internet. Each node has a time-keeping capability (in the sense of a component that counts seconds); but the relationship of the time in each node to conventional time (such as Universal Time, Coordinated or UTC - previously called Greenwich Mean Time - or Australian Eastern Standard Time) is dependent on the actions of that node's system manager. Moreover, the system manager may re-set the machine clock from time to time; for example, in order to test the behaviour of applications under Year 2000 conditions, in advance of the change of millenium.

Audit trails within a node generally carry a date-time stamp that is generated using the date-and-time setting within that node at the point in time that the audit-record is generated. Similarly, email messages generally carry the date-and-time as recorded in the machine at the point in time that it is saved, or despatched (the two times are in many cases not the same, and which of the two is carried depends on which email-software is used to generate the message ...).

A message-analyst must of course take account of additional, practical factors. One is the wide range of time-zones. Another is the existence (and changeability) of daylight-saving arrangements, which have been implemented in many countries, including Australia.

Many nodes on the Internet are professionally managed; and yet many of those nodes have internal clocks that vary significantly from the precise conventional time. The vast numbers of personal workstations on the Internet are generally not professionally managed, and in many cases their users are not even aware that there is a clock and a time-setting capability. The integrity of date-time-stamps therefore ranges from reliable, through somewhat unreliable, to totally untrustworthy.

In addition, the precision of the time-counting function within each computer varies somewhat, and hence machines that were synchronised (with universal time, or with another machine) at one point in time will later be out of synchronisation (after only a short time by at least some milli-seconds, within days by seconds, and within years by at least minutes). In some circumstances such differences may be critical to the investigatory or evidentiary value of an audit trail, and of course provide a defendant's advocate with ample opportunity to throw doubt on the meaning of the evidence.

A further aspect that needs to be considered is the adoption by many people on the Internet of multiple personalities. Commonly, these are used to enable a person to keep separate the various roles that they play, in their business, their official personal, and their private personal lives. They are also able to be used for criminal purposes. Such a role-related `identity' is referred to in various Internet literatures as a digital persona ( Clarke 1994a), an electronic persona or e-pers, and a `nym'. The concept of the digital persona is not further considered here.

Substantially complicating the above difficulties is the ease with which transaction pseudonymity and even anonymity can be achieved. The originator of an email message can be readily disguised. It is even feasible to enable responses to reach the originator, by the interposition of a pseudonymous or anonymous mail-server. If a pseudonymous mail-server is outside jurisdictional reach, the originator will be effectively anonymous. Similar services are available for web-transactions. This is addressed at some length in Clarke (1995), and Clarke (1997d), and is not further discussed here.

This section has identified a significant number of difficulties that confront an investigator when conducting the simplest of all kinds of tasks, that of detecting traffic involving a party-of-interest. The following sections extend the analysis to the other key capabilities.

7.2 The Acquisition of Traffic Content

In order to acquire the content of messages, the following approaches are available:

If a powerful law enforcement agency wishes to conduct real-time monitoring all transactions on the Internet, it needs access either to an extremely large number of nodes, or to a smaller number of funnels or `choke-points' through which a great deal of traffic passes. Possibilities include the `routers' that connect all of each particular organisation's workstations and servers to the Internet, and intermediating nodes that connect one geographical area to others.

This is a technically difficult and expensive exercise, and virtually impossible to perform covertly. Whether such `broad-spectrum' monitoring is actually being performed is the subject of occasional press speculation. Monitoring of European telecommunications by U.S. intelligence agencies was recently the subject of consideration by a Committee of the European Parliament.

Of greater apparent relevance to Australian law enforcement is selective real-time monitoring of the communications of particular individuals or organisations. Telecommunications legislation in some countries stipulates that all communications infrastructure must embody technical means whereby law enforcement agencies are able to acquire data in unencrypted form, subject to legal authority.

Australia's pre-1997 legislation included such a requirement. The Barrett Report recommended that it be sustained in the new contexts that were emerging ( Greenleaf 1994a, 1994b). The requirement that installed telecommunications technology facilitate interception was subsequently built into the new Telecommunications Act 1997. See, for example, Gunning (1997) and Pinnock (1997).

Given that interception is technically feasible, the question of legal authority arises. In Australia, this is regulated under the Telecommunications (Interception) Act 1979.

In order to undertake selective monitoring, the investigator firstly needs to know the identities (i.e. the host-names or IP addresses) of at least one, preferably some, and desirably all, of the computers that a particular party-of-interest uses. It is then necessary to arrange for all transactions passing to and from those nodes to be intercepted.

One way of achieving this is to install a physical tap on each such node, or on the channel connecting each of them to the Internet. This assumes that the physical location of the node, and/or of the channel, can be ascertained, and that they are technically capable of being tapped in a non-obvious manner. Channels that use electromagnetic means rather than a physical medium such as a wire are less straightforward to intercept.

Alternatively, it is possible to insert software in each of the nodes with which each of the party-of-interest's nodes are connected, designed to monitor the traffic on that line. This would generally require legal authority, and the complicity, and the silence, of the managers of each such node, although in some circumstances it might be feasible to achieve it without the managers' knowledge.

Additional difficulties arise where the system manager in question has a direct interest in the matter, e.g. where they are employed by the company whose communications are being monitored.

Where taps are used in accordance with the law, and sparingly, system managers are likely to be sympathetic to covert operations, both because of the weight of the law, but also because of its apparent moral reasonableness. It is therefore likely that system managers would both facilitate the operation, and maintain secrecy.

To the extent that selective monitoring comes to be routinely applied, systems managers are likely to become more sceptical about the justification, less helpful, and less respective of secrecy.

7.3 Access to Traffic Content

The previous sections have addressed the questions of detecting traffic involving parties-of-interest, and acquiring the content of messages. This section now turns to the matter of accessing that content. It is equally applicable to content acquired from audit trails, from other computer-based records, and through real-time monitoring.

The content of messages may be `in clear' (i.e. directly human-readable), and recorded in a conventional character-set. The most common character-set is 7-bit ASCII. A range of additional 8-bit, 16-bit and 32-bit character-set standards exist. Generally, little difficulty should be encountered in displaying and printing such content in human-readable form. The possibility exists that a message might use a non-standard character-set, in which case further work might be required in order to gain access.

Two further potential difficulties confront the message-analyst. One is that the data may be compressed, and the other is that it may be encoded or encyphered.

The content of a message may be compressed, in order to reduce the time and cost involved in transmitting it. The recipient must use corresponding software to de-compress it. A variety of compression algorithms exist, some intended for textual material, and others designed for image-data. Generally, little difficulty should be created by data processed using standard compression routines, although proprietary schemes (whether created for the purpose of protecting the content from view, or otherwise) may create greater challenges.

The content of a message may also be encoded or encrypted. Encoding is a means whereby characters of text are replaced one-for-one. It is relatively easily `cracked', i.e. the means of decoding the encoded text back into the original or `clear' text is not difficult to discover, if appropriate techniques and computational resources are applied.

Encryption, on the other hand, involves the substitution of whole blocks of text, rather than just of individual characters, and this presents much greater difficulties for crackers. The mathematical science of cryptology / cryptography (the two terms are used in several, slightly different senses) is of very long standing, but considerable advances have been made during the last two decades.

Encryption techniques are continuing to run ahead of decryption techniques. The result is that, with sufficiently long encryption keys, a very large `search-space' is created, such that it is practical to encrypt messages that cannot be cracked (at least not using currently known techniques, and currently available computational resources). Authoritative information on cryptography is provided in Schneier (1996), and a more populist rendition in Clarke (1996a).

7.4 The Attribution of Message-Origin to a Particular Party

The previous sections have analysed the difficulties confronting an investigator in gathering information about communications between parties-of-interest. A further issue that needs to be considered is the confidence with which an association between the message and a legal person can be reliably established.

The evidentiary chain, and hence the credibility of prosecution, generally depends on linkages being reliably established between an individual, a user-account, a computer, a message, and a transmission. For investigative purposes, of course, lower standards of proof are acceptable.

One especial problem is that many of these linkages are `repudiable', by which is meant that a person can credibly deny an otherwise apparent linkage. The reason is that virtually all associations are `spoofable', i.e. someone other than the person concerned can generate a message that appears to come from that person.

A simple example of spoofability arises in relation to an email-message, in that the sender and reply-to addresses can be readily set to any value the sender wishes. This is because the SMTP protocol does not specify any form of verification of the From: field. A recent, all-too-successful spoof involved the attribution of a message to the Korean corporation Samsung.

More fundamentally, an IP-address is spoofable: "there is no guarantee that a packet was actually sent from the given source address. In theory, any host can transmit a packet with any source address. Although many operating systems control this field and ensure that it leaves with a correct value, you cannot rely on the validity of the source address, except under certain carefully controlled circumstances. Authentication, and security in general, must use mechanisms in higher layers of the protocol" (Cheswick & Bellovin, 1994, p.20).

A famous example of IP-spoofing was the attack by the subsequently convicted hacker Kevin Mitnick's on security expert Shimomura ( Shimomura & Markoff, 1995).

The relationship between a host-name and an IP-address can also be spoofed. The index that associates host-names to IP-addresses is maintained by a (large) set of Internet-connected devices using the Domain Name System (DNS). But "DNS was not designed to be a secure protocol. The protocol contains no means by which the information returned by a DNS query can be verified as correct or incorrect. Thus, if DNS tells you that a particular host has a particular IP address, there is no way that you can be certain if the information returned is correct" (Garfinkel & Spafford 1996, p. 473).

The most publicised case of widespread DNS spoofing occurred in July 1997, when Eugene Kashpureff redirected queries to InterNIC to his own site, which he dubbed AlterNIC.

Spoofing might be undertaken by any party that wants to produce incriminating evidence, including a law enforcement agency. The ease with which spoofing can be undertaken, and the considerable difficulty of disproving an assertion that it was undertaken, mean that any message transmitted over the Internet is likely to be readily repudiated in a court.

An exception to this arises where the parties have agreed to use particular security measures, as a means of mutual assurance. Such approaches are a feasible means of achieving high evidentiary value in commercial or civil cases among partnered organisations; but they seem unlikely to be relevant to criminal investigations except in quite unusual circumstances.

8. Developments in Internet Technology

Internet technology has been fairly stable for some years. During that time, a number of deficiencies have become apparent; for example:

In addition to these inadequacies, new shortfalls progressively become apparent as new requirements arise and attract priority. For example, the requirements for transmission of real-time signals for synchronised audio and video, multi-casting, and differentially charged transmissions, did not exist at the time that the current protocol versions were conceived, negotiated and designed.

New versions of some of the protocols have been developed in order to address such deficiencies. For example, the IP protocol that is implemented throughout the Internet is version 4.0, whereas the `current' version is 6.0. In addition, a less insecure version of DNS has been specified ( RFC2065), and implemented within a version of the Internet tool Bind (version 8, compared with the mainstream version 4). However, it has not yet been widely deployed.

Later versions of Internet protocols have in most cases only been implemented in laboratory-testing environments. A project is currently in train, commonly referred to as Internet II, whose purposes include "to promote experimentation with the next generation of communications technologies", including the field-testing and implementation of software supporting the new versions of the protocols.

A protracted time-lag is involved in revisions to protocols, because they need to be:

For example, the new version of IP (v6) is likely to take a decade from inception to implementation.

Moreover, the teams that developed the new versions of Internet protocols did not have the interests of law enforcement as a central concern, and it appears unlikely that extension of the preceding analysis to take account of the new versions will materially alter the conclusions reached.

The necessary inference is that, even if the Internet community as a whole were to demonstrate considerable sympathy with the needs of law enforcement agencies, it would be a very long time indeed before the Internet infrastructure would become more conducive to crime-prevention.

9. Conclusions
* The Scope for Internet Crime

An open, non-centralised, self-maintaining, adaptable, cross-jurisdictional network necessarily uses protocols that preclude certainty in associating network events with real-world entities and places. It therefore offers plenty of scope for people to hide their trails, to conduct their business in ways that place them outside conventional geographical jurisdictions, to use pseudonyms, to conduct transactions anonymously; and hence, in effect, to commit unprosecutable crimes.

The Internet has provided freedoms to people to perform socially desirable functions. Those same freedoms can be exploited for purposes that are socially undesirable, or downright criminal. It would be naive to expect other than that `organised crime' is exploiting the technology. Moreover, these freedoms facilitate casual criminal activity by large numbers of individuals and small enterprises.

* The Prevention of Internet Crime

Trailing the Cuckoo's Nest was difficult, but it worked; and Shimomura tracked down Mitnick. So it is tempting to think that techniques and tools can be developed by law enforcement agencies to keep net-criminals on the run, provided that they are supported by the best technology and the best technical people.

Outright prevention of criminal activity in the Internet context is, however, infeasible. Soft prevention techniques, including clear definition of what constitutes criminal behaviour, and awareness and education, are important. Of greatest significance, however, is the credibility of law enforcement agencies' capabilities to detect, investigate and prosecute.

The challenges confronting the Internet investigator are so great that, in a recent interview, an Interpol specialist on networked computer crimes was quoted as saying that "despite the serious problems being posed by the Internet to police everywhere, traditional, off-line evidence gathering and investigation will remain the primary tools of law enforcement" ( Ghosh 1997).

Notwithstanding such pessimistic assessments, law enforcement agencies need new skills and techniques, above and beyond those already necessary to deal with `computer crime'. This paper has provided a basis for the necessary understanding of Internet technology, and a first analysis of the challenges that confront detection and investigation of Internet crime.

It appears likely that at least some aspects of `standards of proof' and/or `onus of proof' in criminal cases will need to be adapted, such that the possibility of gaining convictions is enhanced, a balance between oppression and convictability sustained, and the morale and hence the morality within law enforcement agencies kept at reasonable levels.

Consistency between the laws of jurisdictions may also need to be substantially enhanced, and interactions between law enforcement agencies in different jurisdictions raised to a much higher level of efficiency than has generally existed to date.

* Working With Cyberculture

If direct, authoritarian policing is likely to be insufficiently effective in addressing the problem of Internet crime, then greater emphasis needs to be placed on `electronic community based policing'. This in turn demands an appreciation of `cyberculture', by which is meant the dynamics of the current and rapidly mutating electronic environment in which people are working and playing. See also Clarke (1997b).

Steps have already been taken by law enforcement agencies in both North America and Australia to harness the considerable public goodwill that is, and needs to be, afforded to their work, and to achieve appropriate forms of community participation in law enforcement in the context of the Internet.

To complement existing, pre-electronic-era mechanisms such as Neighbourhood Watch and Business Watch, there is a need for new forms of community interaction and reporting, whereby netizens can draw the attention of law enforcement agencies to actions which they reasonably suspect to be criminal. An example of such an extension is Crime-Stoppers.

More radical approaches may also be necessary. Particularly in the cross-, extra-, and supra-jurisdictional settings that are commonplace on the Internet, many actions that would otherwise be criminal are beyond the reach of any law enforcement agency. Greater emphasis on community self-policing, and on non-governmental law enforcement organisations, will therefore be essential. It may run against the grain for existing law enforcement agencies to do so, but they may need to assist and advise individuals and virtual organisations on how to regulate their own virtual spaces.


Cheswick, W. R. & Bellovin, S. M. (1994) `Firewalls and Internet Security: Repelling the Wily Hacker', Addison Wesley, 1994

Frisch (1995) `Essential System Administration', 2nd Edition, O'Reilly & Associates, 1995

Garfinkel, S. & G. Spafford (1996) `Practical Unix and Internet Security', 2nd Edition, O'Reilly & Associates, 1996

Greenleaf G.W. (1994a) `The Barrett Review: A blueprint for expanding Australian telecommunications interception' PLPR 1,9 (November 1994) 161, at

Greenleaf G.W. (1994b) `The Barrett Review - Pt II' PLPR 1,10 (December 1994 / January 1995) 185, at

Gunning P. (1997) `Evaluating Data Protection and Privacy for Internet Users and Service Providers: Opportunities and Liabilities' Proc. IIR Conf. Data Protection & Privacy, Sydney, 12 May 1997

Pinnock J. (1997) `Developments in Telecommunications and the Privacy Debate' Proc. IBC Australian Privacy Summit, Sydney, 21 October 1997

RFC1462 (1993) Krol E. and Hoffman E. `What is the Internet?', at

RFC2235 (1997) Zakon R. `Hobbes' Internet Timeline', at

Schneier B. (1996) 'Applied Cryptography' Wiley, 2nd Ed., 1996

Shimomura, T. & Markoff, J. (1995) `Takedown', Secker & Warburg, 1995 (see also as a supplement)

Stallings W. (1994) `Data and Computer Communications', 4th Edition, Macmillan, 1994

Stevens W.R. (1994) `TCP/IP Illustrated Vol 1', Addison-Wesley, 1994

Stevens W.R. (1996) `TCP/IP Illustrated Vol 3: TCP for Transactions, HTTP, NNTP and the Unix Domain Protocols', Addison-Wesley, 1996

Tanenbaum (1996) `Computer Networks', 3rd edition, Prentice-Hall, 1996

References to Works of the First-Named Author

Clarke R. (1988) 'Information Technology and Dataveillance' Comm. ACM 31,5 (May 1988) Re-published in C. Dunlop and R. Kling (Eds.), 'Controversies in Computing', Academic Press, 1991. Abstract and figures at

Clarke R. (1993) 'Asimov's Laws of Robotics: Implications for Information Technology' In two parts, in IEEE Computer 26,12 (December 1993) 53-61, and 27,1 (January 1994) 57-66, at

Clarke R. (1994a) `The Digital Persona and Its Application to Data Surveillance' The Information Society 10,2 (June 1994). At

Clarke R. (1994b) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Info. Technology & People 7,4 (December 1994). At

Clarke R. (1995) 'Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue', Proc. Conf. Computers, Freedom & Privacy, San Francisco, 31 March 1995. Revised versions published in Privacy Law & Policy Reporter 2, 5 (June/July 1995) 88-90, and in Proc. Conf. 'Smart Cards: The Issues', Sydney, 18 October 1996, at

Clarke R. (1996a) `Cryptography in Plain Text', published in Privacy Law & Policy Reporter 3, 4 (May 1996). At

Clarke R. (1996b) 'Crypto-Confusion: Mutual Non-Comprehension Threatens Exploitation of the GII' Privacy Law & Policy Reporter 3, 4 (May 1996). At

Clarke R. (1996c) 'Privacy Issues in Smart Card Applications in the Retail Financial Sector', in 'Smart Cards and the Future of Your Money', Australian Commission for the Future, June 1996, pp.157-184. At

Clarke R. (1997a) `Regulating Financial Services in the Marketspace: The Public's Interests ', Proc. Conf. 'Electronic Commerce: Regulating Financial Services in the Marketspace', Sydney, 4-5 February 1997, at

Clarke R. (1997b) 'Encouraging Cyberculture', CAUSE in Australasia '97, Melbourne (March 1997), at

Clarke R. (1997c) `The Monster from the Crypt: Impacts and Effects of Digital Money', versions published in Computers, Freedom & Privacy Conference (CFP'97), San Francisco, 12-14 March 1997, and Proc. QuestNet'97, Brisbane, 4 July 1997, at

Clarke R. (1997d) `Protecting Your Privacy On the Internet', Seminar on 'Consumer Protection on the Internet', The Policy Network, Mitchell Library, Sydney (April 1997), revised version presented at IBC 1997 Australian Privacy Forum, Sydney, 21-22 October 1997, at

Clarke R. (1998) `A Primer on Internet Technology', February 1998, at

Extract from American Reporter, 31 October 1997

Rishab Aiyer Ghosh

American Reporter Correspondent

New Delhi, India

NEW DELHI -- The impact of the Internet on crime-fighting may not be as great as some hope, Interpol's top expert on networked computer crimes has told the American Reporter. Hiroaki Takizawa says old-fashioned methods of seeking evidence and gathering information may remain the staple of crimefighters for a long time to come.

Takizawa talked to the American Reporter at the 66th annual General Assembly of the worldwide crime-fighting organization Interpol in New Delhi last week, where one of the key topics of the conference was the impact of the Internet on global crime and enforcement.

In an interview, the top Interpol expert on Internet and computer crimes, Hiroaki Takizawa, said despite the serious problems being posed by the Internet to police everywhere, traditional, off-line evidence gathering and investigation will remain the primary tools of law enforcement.

Takizawa admitted that strong cryptography and anonymous email make illicit transactions difficult to monitor or trace through the Internet. Interpol, he said, is concerned at the spread of cryptography, but does not advocate legislation banning it.

"What we concentrate on is the implementation of legislation, rather than legislation itself," said Takizawa, when asked if he favored a crypto ban. "Police need human and financial resources" to investigate crime using the Internet, feels Takizawa, more than unenforceable legislative bans.

Do police make use of intercepted messages much, on a global scale? "Yes, I think so, yeah," said Takizawa. However, "we don't, we haven't had many cases" that relied on undecipherable messages as evidence.

"I don't think the Interpol plays an important role so far as [legislation on] cryptography is concerned," says Takizawa. The Interpol cannot make binding treaties affecting national law -- "it is not really a policy developing organization," he said.

Instead, it makes resolutions "from the police point of view" -- and its members then go home to lobby with their governments. It does not intend to make any resolutions on cryptography, though. Instead "[Interpol] will focus on training and coordination" so that police forces around the world "can develop practical solutions." As for changing the law, "the OECD has started discussion" on cryptography -- and has come to the conclusion that crypto bans are not a good approach.

Interpol finds that an increasing amount of its work involves the Net or computers in one way or another, and has set up a team to figure out where police -- and the Interpol -- can have an effective role. Interpol divides digital crime into three areas: computer crime, which includes piracy, data-theft and time-theft (computer break-ins); computer-related crime, which is mainly bank fraud -- "what was a crime earlier with paper, but is now done with a computer," as Takizawa says, and pornography.

The third, most recent area that "everyone's talking about now," Takizawa said, is what Interpol calls "network crime": the use of the Internet for transactions that are already illegal -- child pornography -- or aid illegal activity -- often involving the drug trade, customs evasion and money laundering.

Takizawa finds that of these network crimes, child pornography and the use of the Internet as an accessory to child sex abuse -- on-line advertisements for Asian "sex tours" targeted at Westerners, for example -- is the easiest to tackle. Stopping the distribution of pornography itself is harder, though, thanks to the Internet -- "normally [pornography] was checked at the airport and confiscated by customs, now you just download it by computer" -- so Interpol doesn't even try, he says.

"Interception [is] impossible," said Takizawa bluntly.

Instead, Interpol uses the easily searched structure of the Net to trace material back to its off-line origins. Police aided by Interpol's global network locate brochures for sex tourism on the Net much more easily than if they were in print, and follow up with off-line investigations and arrests, he said.

The cross-jurisdictional nature of the Net -- and the fact that countries disagree on precisely what activities are criminal -- is less of a problem for child pornography than money-laundering. Takizawa describes a recent case involving Germany and Japan: "from Germany we received information [on child pornography found online] pointing to Japan. Through Interpol we [passed] it on to Japan," where authorities traced the originators and made arrests.

And what about money laundering? Doesn't the prospect of untraceable, anonymous global electronic commerce on the Internet scare Interpol?

"Well, my counter-question is, have there been so many cases of ... [monetary] transactions using [the] Internet?" asks Takizawa.

Perhaps not -- yet. But once you have some form of the digital currency required for any large-scale electronic commerce, what will Interpol do about money laundering?

"We don't know," he admits. When cyberpayments are common, Takizawa adds, "we cannot tell you what's going to happen. Everybody wants to know that. If you can predict it perhaps you [will] get the Nobel prize!"

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 2 November 1997 - Last Amended: 18 February 1998 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2013   -    Privacy Policy