~ Friday, September 15, 2017
Good morning and thank you to all of you for coming to the Third Annual Cybercrime Symposium. This is an event that our Computer Crime and Intellectual Property Section co-hosts each year and they never fail to put together a great agenda. This year is no exception. We are proud to be partnered with the University of Maryland’s Francis King Carey School of Law, to whom we owe a tremendous amount of gratitude for making this event possible. A special thank you to the Dean Tobin for your welcome as well as Professor Danielle Citron for all of your hard work.
Each year, this symposium provides an opportunity for us to think critically about a specific topic in cybercrime. It gives us an opportunity to connect with the larger community about how we fight cybercrime at the Department of Justice, and engage in a reasoned discussion about some of the hardest issues we face in protecting public safety in an online world. This annual symposium gives us an opportunity to ask, what do we need to focus on in cybercrime? Who else has equities affected by efforts to address the threat? What are their ideas? What can we do better, more efficiently, more effectively? How can we deliver better justice for the American people? These questions are not rhetorical; these questions are the reason we are here today.
The topic of this year’s symposium, When Cybercrime Turns Violent and Abusive, has unfortunately become a growth area for our casework and an area of increased focus for our computer crime team. The terms in this area can be confusing and some of them overlap, but for today’s purposes we are talking about the entire gamut - cyberbullying, cyber harassment, cyber threats, cyberstalking, sextortion, revenge porn, non-consensual pornography, swatting and doxing. We could spend the entire morning trying to define all of these terms, but I expect the discussions throughout the day will help us all understand each one better as well as what they have in common and how they may be different.
We recognize that many of these behaviors really are crimes against Americans’ cherished right to privacy – and the violations of privacy that happen through these forms of abuse have a tremendous and lasting harm upon victims. When a person has their intimate photos stolen and then is threatened with having them exposed to friends, family, employers, victims often are humiliated and feel powerless. In extreme cases they may be fired from jobs, forced to move or change schools and live in constant fear of sexual or other physical violence. In one case, victims of a serial sextortionist were so afraid they would not even leave their homes alone. One needed to be escorted whenever she walked outside after dark. Another had to sleep in her mother’s bed every night – a teenager, afraid to sleep in her own bed. Victims may contemplate suicide as a result of this terrifying fear. We are not talking about sensitive people taking offense at something they saw online – we are talking about targeted attacks designed to hurt people, violate privacy and do very real damage.
Even though I am sure many of you here recognize and accept the seriousness of the harms these acts can create, some of you may be wondering, why are the feds – me, the head of the Criminal Division is here discussing this topic. Why is the Department of Justice dedicating a whole day to talking about it? The Internet has changed the landscape of these crimes significantly.
While it is true that stalking, bullying and harassment have more commonly been dealt with by local law enforcement or outside the criminal justice system, the increased use of computers and mobile networks has turned many such crimes into multi-jurisdictional and even multinational crimes. A criminal in one state can easily disseminate graphic images and personally identifying information of his victim in another state to viewers around the world. He can store the images and information on servers in unfriendly foreign jurisdictions, using proxy technology to conceal his true location. He can threaten and extort the victim using end-to-end encrypted communication applications that store little or no information about subscribers. Without leaving his home, the perpetrator can commit an elaborate and hard-to-trace scheme using technology easily accessible to anyone. Worse, someone with no technical sophistication at all can hire someone to do the harassment for him from a dark market online.
The Internet has not only complicated these crimes, but it has magnified them as well. Stalking need not be from the bushes and harassment goes well beyond a momentary encounter in the streets. Threats and intimidation can be piped into victims’ bedrooms at any hour and the Internet never forgets.
Whether due to greater opportunity or less fear of being caught, the commission of these types of offenses is increasingly widespread. A study released in July 2017 by the Pew Research Center found that four in ten Americans have personally experienced online harassment and 62% consider it to be a major problem. Nearly 20% of survey respondents had experienced severe forms of harassment online, including physical threats, sustained harassment, stalking, or sexual harassment. We have prosecuted cases where one defendant victimized hundreds of people he had never met from half way around the world. Put simply, too many of our friends, family and neighbors are being hurt, and we need to find better ways to stop it.
The Internet has thrived with no one entity or person controlling its development – and similarly, no one entity or person can tame the horrific abuses happening through the Internet. Federal law enforcement has a role to play, but certainly cannot do this alone. This is why I am so encouraged by today’s symposium: in addition to our strong law enforcement presence, we also have many of the brightest academics, policy advocates, victim advocates, civil attorneys and major technology companies represented and engaged in these topics today.
For our part, we believe that, as violence and abuse moves online, experts in conducting online investigations must be there too. The U.S. Department of Justice has exactly that expertise and so we are uniquely able to help. We are proud of the successes we have had in fighting these crimes. In recent years, the Department’s prosecutors around the country have obtained convictions in numerous hard-fought cyberstalking, sextortion and swatting cases. I will highlight just a few of them.
Last year, federal prosecutors obtained a 57-month sentence against Michael Ford, a Department of State employee at the London embassy, for engaging in a widespread, international computer hacking, cyberstalking and sextortion campaign. Ford’s scheme had many steps, but it is worth explaining in some detail. He would start by sending emails to thousands of potential victims pretending to be from his targets’ email provider. His fake emails would warn that a victim’s online accounts would be deleted if she or he did not verify the passwords. If a victim was tricked into sending the passwords, Ford then hacked e-mail and social media accounts, thousands of them, where he searched for sexually explicit photographs. Once Ford located private photos, he continued to search for information about his victims, including their home and work addresses, school and employment information, and names and contact information of family members.
Ford then used the stolen photos and information to engage in an ongoing cyberstalking campaign, demanding additional sexually explicit material and personal information. Ford e-mailed his victims with their stolen photos attached and threatened to release those photos if they did not submit to his demands. When the victims refused to comply, threatened to go to the police, or begged Ford to leave them alone, Ford responded with additional threats. For example, Ford wrote in one e-mail “don’t worry, it’s not like I know where you live,” then sent another e-mail to the victim with her home address. He even described the victim’s home to her, stating “I like your red fire escape ladder, easy to climb.” He threatened to post her photographs to an escort website along with her phone number and home address. Ford followed through with his threats on several occasions, sending his victims’ sexually explicit photographs to family members and friends. The ability of one individual to terrorize so many victims and so intimately, is truly horrifying.
Cyberstalking cases can also turn deadly. Last year, federal prosecutors obtained three life sentences for defendants David Matusiewicz, his mother Lenore Matusiewicz and his sister Amy Gonzalez, in the first case to allege the federal stalking statute’s “resulting in death” enhancement. The defendants engaged in a prolonged campaign to surveil and harass David Matusiewicz’s ex-wife, Christine Belford, during a bitter child custody dispute over their three children that began in 2007. The interstate stalking and cyberstalking conduct took the form of a three-pronged campaign, which used the Internet, the mail and third parties, to vilify and torment Ms. Belford and her children. David Matusiewicz and his family created a webpage called “Grandmother’s Impossible Choice,” which was dedicated to casting Ms. Belford as a crazed, mentally unstable child molester. David Matusiewicz and his family also posted surreptitious videos of Ms. Belford and her children on YouTube, posted defamatory comments online and bombarded people in Ms. Belford’s life with emails and written letters repeating these same pernicious accusations. The Matusiewicz family sent written letters to the children’s school, Ms. Belford’s neighbors and her church where she taught Sunday school. In February 2013, the three defendants, along with David’s father, Thomas Matusiewicz, traveled to Delaware for a family court hearing where Thomas tragically shot and killed Ms. Belford, her friend Laura Mulford and himself, while also injuring two police officers.
Investigating these offenses involving complex electronic evidence spread around the globe is hard enough. But even when we find and apprehend perpetrators, prosecution can be challenging. The offenses we are discussing today come in a variety of types of conduct carried out by different types of offenders. Fact patterns vary widely. Yet, of the types of criminal conduct that I have described, only cyberstalking is directly proscribed in a dedicated section in the federal criminal code. The others do not have directly controlling federal statutes, although the behavior often violates more general federal statutes. For example, while there is no specific “sextortion” offense, such behavior may implicate the extortion, threats, or – depending on the ages of the victims – child exploitation statutes. When the basis for the extortion in the first place is stolen intimate photos taken from computers, the computer hacking statute comes into play as well. But fact patterns vary from case to case and a statute used to charge one case may not fit the facts in another.
Our first panel will discuss some of these challenges to holding offenders accountable. I am glad to see it will cover not only federal criminal prosecution, but also include what other approaches can accomplish, through civil law or maybe by updating our laws. Some lawmakers have started to try to find a way to address more specific fact patterns; several bills in the House of Representatives have been introduced aimed at criminalizing sextortion, swatting and doxing. I look forward to the First Amendment panel’s views on how legislation can strike the right balance in proscribing criminal conduct in this area without unduly impacting protected free expression.
I am also very excited for our lunchtime keynote address from Ann Marie Chiarini – a professor at a Maryland community college who found herself a victim of non-consensual pornography, and who has since then fought at every level for the rights of all victims. Her story is truly inspiring and I hope it will help encourage other victims in their fight.
There is no question that more must be done to stop the alarming rise of violence and abuse on the Internet, and as I stated earlier, it will truly take efforts and commitments from a wide variety of stakeholders – far beyond federal criminal investigators and prosecutors to accomplish this task. Today we will hear from private sector victim advocates, scholars, social media companies, privacy advocates and others with unique experiences and perspectives. We are very excited to hear how others are innovating to prevent, disrupt and mitigate such abusive activities online.
In particular we will hear from some of our largest Internet companies about their efforts to protect their users. I was interested to read in the Pew Study I mentioned earlier that nearly eight in ten Americans believe that online service providers have a duty to address harassment that occurs on their platforms. It is clear from the research and from publicly reported events that both the public’s and many providers’ views on the proper approaches to hate, abuse and violence on the Internet are evolving. We are encouraged by social media companies and others who have committed to enforcing their terms of service which can lead even to blocking and banning subscribers that use their services for violent and abusive behavior.
Our final panel today on anonymizing technologies will help shed a light on some of the darkest places of the Internet, which pose some of the most serious challenges to law enforcement in combatting violent cybercrime. We look forward to a vigorous discussion on the costs and benefits of the anonymizing technology known as TOR Hidden Services.
I want to conclude by noting that the subject matter of today’s symposium and the cases I described should be a signal to all that law enforcement serves an important role in protecting and defending against invasions of privacy and upholding this value for all Americans.
We are honored to have the opportunity to engage with the entire community of stakeholders on the topic of violent and abusive cybercrime today, and thank you all for coming to participate in today’s event.