<p>Online crime – The Conversation</p>
<h1>What are ‘mule addresses’? Criminologists explain how vacant properties serve as depots for illegal online purchases</h1>
<p>Published 2023-09-19T12:15:41Z</p>
<figure><img src="https://images.theconversation.com/files/547613/original/file-20230911-20491-xdqy4.jpg?ixlib=rb-1.1.0&rect=261%2C186%2C8044%2C4794&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Nobody's home, just as the sender intended.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/delivery-of-parcel-boxes-at-doorstep-royalty-free-image/1173054988?adppopup=true">AndreyPopov/ iStock via Getty Images Plus</a></span></figcaption></figure><p>Online shopping isn’t just a convenient way to buy batteries, diapers, computers and other stuff without going to a brick-and-mortar store.</p>
<p>Many Americans also use the internet to quietly acquire illegal, fake and <a href="https://www.linkedin.com/posts/evidence-based-cybersecurity_appleproducts-darkweb-applemacbookpro-activity-7103440509360099329-8xZh?utm_source=share&utm_medium=member_desktop">stolen items</a>. <a href="https://www.linkedin.com/posts/simon-botton-754952208_cybersecurity-digitalsafety-onlinesecurity-ugcPost-7103370581508587520-1gdL?utm_source=share&utm_medium=member_desktop">Guns</a>, prescription drugs no doctor has ordered and <a href="https://theconversation.com/heists-worth-billions-an-investigation-found-criminal-gangs-using-sham-bank-accounts-and-secret-online-marketplaces-to-steal-from-almost-anyone-and-little-being-done-to-combat-the-fraud-206893">checks</a> are on this long list, as well as <a href="https://www.investopedia.com/terms/c/cloning.asp">cloned credit cards</a>, counterfeit passports and phony <a href="https://www.cbp.gov/newsroom/local-media-release/2-shipments-containing-4420-counterfeit-driver-s-licenses-seized-cbp">driver’s licenses</a>. </p>
<p>Because buyers and sellers alike realize that the authorities can detect illegal online transactions, criminals and their customers prefer covert online platforms that protect user anonymity, such as <a href="https://www.torproject.org/">Tor</a>, or encrypted messaging applications like <a href="https://scholarworks.gsu.edu/ebcs_articles/20/">Telegram and WhatsApp</a>. Buyers and sellers also use <a href="https://www.cognyte.com/blog/digital-wallet-cybercrime/">digital wallets</a> and <a href="https://knowledgehub.transparency.org/helpdesk/cryptocurrencies-corruption-and-organised-crime-implications-of-the-growing-use-of-cryptocurrencies-in-enabling-illicit-finance-and-corruption">cryptocurrencies to further conceal</a> their identities. </p>
<p>As <a href="https://ebcs.gsu.edu/">scholars of</a> <a href="https://scholar.google.com/citations?user=GqggT9MAAAAJ&hl=en&oi=sra">high-tech crime</a>, <a href="https://ebcs.gsu.edu/profile/saba-aslanzadeh/">we were eager</a> to solve a riddle. Having these items shipped to the buyers’ homes or offices would make it easy for authorities to catch them. So how do people who buy these illegal items maintain their anonymity when they take possession of items they purchased on the <a href="https://theconversation.com/illuminating-the-dark-web-105542">dark web</a>?</p>
<p>They mostly use <a href="https://www.reddit.com/r/scambait/comments/163ssd0/report_package_mule_address/">vacant residential properties, called “mule addresses</a>” or “<a href="https://seon.io/resources/dictionary/drop-address">drop addresses</a>.” Once the illegal goods or phony documents get delivered – presumably without the owners’ knowledge – to the doorstep of the uninhabited home, the buyer or a middleman picks them up. This practice makes it very hard to trace these transactions.</p>
<h2>Penchant for sharing</h2>
<p>To discover where these items change hands, we took advantage of the inclination of some of the criminal vendors to share images on Telegram of the parcels they send, along with the illicit items.</p>
<p>They use this strategy to build their reputations, earn the trust of buyers and market their services.</p>
<p>Not all users of online underground markets do this, but we still spotted thousands of packages delivered this way over a period of two years.</p>
<p>In one case, we found a photo of a forged or stolen check alongside the mailed envelope used for its delivery on a Telegram channel dedicated to trading stolen and counterfeit checks.</p>
<p>The label on the envelope bears not only the shipping date but also the Wyoming address where it was sent. Armed with this information, anyone can retrieve related details by searching online. We found an apartment complex at that address with several units for rent.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/548411/original/file-20230914-25-s9wiwb.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A mailed envelope and a check with names obscured" src="https://images.theconversation.com/files/548411/original/file-20230914-25-s9wiwb.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/548411/original/file-20230914-25-s9wiwb.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=640&fit=crop&dpr=1 600w, https://images.theconversation.com/files/548411/original/file-20230914-25-s9wiwb.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=640&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/548411/original/file-20230914-25-s9wiwb.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=640&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/548411/original/file-20230914-25-s9wiwb.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=805&fit=crop&dpr=1 754w, https://images.theconversation.com/files/548411/original/file-20230914-25-s9wiwb.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=805&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/548411/original/file-20230914-25-s9wiwb.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=805&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">A forged or stolen check alongside the envelope used to mail it to the person who bought it on the dark web.</span>
<span class="attribution"><span class="source">Screen capture by David Maimon</span>, <a class="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">CC BY-NC-ND</a></span>
</figcaption>
</figure>
<h2>Guns, drugs and rentals</h2>
<p>We also found that criminal vendors use mule addresses as their sender address. In one example, we found a video, uploaded in April 2023, of an assault rifle shipped from an Arizona address. At the time, that property was for sale.</p>
<p>The video displays an assault rifle apparently shipped from that address after being purchased online on an underground gun market.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/548176/original/file-20230913-34250-eslwpf.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="An assault rifle and an address label" src="https://images.theconversation.com/files/548176/original/file-20230913-34250-eslwpf.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/548176/original/file-20230913-34250-eslwpf.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=339&fit=crop&dpr=1 600w, https://images.theconversation.com/files/548176/original/file-20230913-34250-eslwpf.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=339&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/548176/original/file-20230913-34250-eslwpf.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=339&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/548176/original/file-20230913-34250-eslwpf.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=425&fit=crop&dpr=1 754w, https://images.theconversation.com/files/548176/original/file-20230913-34250-eslwpf.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=425&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/548176/original/file-20230913-34250-eslwpf.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=425&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">An illegal firearm vendor uploaded a video of an assault rifle being shipped to a customer.</span>
<span class="attribution"><span class="source">Screen capture by David Maimon</span>, <a class="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">CC BY-NC-ND</a></span>
</figcaption>
</figure>
<p>We found a similar video documenting the punctual delivery of what we believe to be illegal drugs. Considering that the video has been circulating in illegal drugs markets that we monitor, it’s reasonable to assume that the package contains narcotics or prescription drugs.</p>
<p>The footage portrays a satisfied customer who has just gotten the drugs. We looked up the recipient’s address, which is discernible in the video.</p>
<p>It’s a property in North Las Vegas, Nevada, which was listed for sale at the time of delivery – although it seems to have later been sold. The anticipated delivery date, March 28, 2023, coincided with the day the package in the video was received. </p>
<p>One of the illegal digital marketplaces we identified is a hub for prescription sales of OxyContin, Viagra, Adderall and Valium. It’s linked to an administrator who presides over several Telegram channels. </p>
<p>The administrator has shared photos on those channels that allowed us to see tracking numbers associated with packages they’d mailed. By collating the tracking numbers from April 20 to May 23, 2023, we compiled a comprehensive database of those addresses and the statuses of those properties when the packages were delivered.</p>
<p>We found that 72% of the 650 deliveries in this database were to properties listed for sale, and the rest were to properties unoccupied for other reasons. The average time that elapsed between a property listing and an illicit package being delivered there was nine days.</p>
<h2>Be on guard</h2>
<p>We haven’t yet learned of any criminals who were convicted of using mule addresses to deliver illegal packages. </p>
<p>Because criminals take advantage of vacant residential properties listed for sale or rent by unsuspecting homeowners to protect their anonymity, we believe that it’s important for landlords and people who are selling or renting homes to protect themselves from these crimes of commerce.</p>
<p>Some of the same strategies that enhance safety in other regards can help, such as installing surveillance cameras and employing property managers.</p>
<p class="fine-print"><em><span>David Maimon receives funding from the Department of Homeland Security and other private organizations. </span></em></p><p class="fine-print"><em><span>Saba Aslanzadeh does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Buyers and sellers alike use this system to not get caught.</p>
<p>David Maimon, Professor of Criminal Justice and Criminology, Georgia State University; Saba Aslanzadeh, PhD Student in Computer Science, Georgia State University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Why are there so many data breaches? A growing industry of criminals is brokering in stolen data</h1>
<p>Published 2022-10-26T19:04:06Z</p>
<figure><img src="https://images.theconversation.com/files/491781/original/file-20221025-20571-letjy7.jpg?ixlib=rb-1.1.0&rect=53%2C485%2C5937%2C3296&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://unsplash.com/photos/HeyFNqApSLQ"> Fili Santillán/Unsplash</a></span></figcaption></figure><p>New details have emerged on <a href="https://www.abc.net.au/news/2022-10-26/medibank-hack-criminals-access-hack-data/101578438">the severity of the Medibank hack</a>, which has now affected all users. Optus, Medibank, Woolworths, and, last Friday, electricity provider Energy Australia are all now among the <a href="https://www.theguardian.com/australia-news/2022/oct/21/energyaustralia-latest-to-be-hit-by-cyber-attack-as-details-of-hundreds-of-customers-exposed">household names</a> that have fallen victim to a data breach.</p>
<p>If it seems like barely a week goes by without news of another incident like this, you would be right. Cybercrime is on the rise – <a href="https://www.news.com.au/technology/online/hacking/are-data-breaches-becoming-more-frequent-a-digital-security-expert-explains/news-story/dbc55d96ca3be3106c2ae4f903286568">seven major Australian businesses</a> were affected by data breaches in the past month alone. </p>
<p>But why now? And who is responsible for this latest wave of cyber attacks?</p>
<p>In large part, the increasing number of data breaches is being driven by the growth of a global illicit industry that trades in your data. In particular, hackers known as “initial access brokers” specialise in illegally gaining access to victim networks and then selling this access to other cyber criminals. </p>
<h2>The cyber crime ecosystem</h2>
<p>Hackers and initial access brokers are just one part of a complex and diversifying <a href="https://www.sciencedirect.com/science/article/pii/S026736491830308X?casa_token=VrhGRxbgQYUAAAAA:Jxgrxbk-cJiO4OzAKoZeNA7A3R6tTRZl9zdftuqRbKzlGYaUW0PKHJeqpVSLTbt9szPfRGCqBhg">cyber crime ecosystem</a>. This ecosystem contains various cyber criminal groups who increasingly specialise in one particular aspect of online crime and then work together to carry out the attacks. </p>
<p>For example, one of the fastest-growing and most damaging forms of cyber crime – ransomware attacks – involves malicious software that paralyses a victim’s device or system until a decryption key is provided following payment of a ransom.</p>
<p>Ransomware attacks are big business. In 2021 alone, they earned cyber criminals more than <a href="https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-ransomware/">US$600 million</a>. The huge amounts of money to be made in ransomware, and the rich abundance of targets from all around the world are fostering the development of a vast ransomware industry.</p>
<p>Ransomware attacks are complex, involving up to <a href="https://eprints.whiterose.ac.uk/180680/1/Published%20version%20-%20Final.pdf">nine different stages</a>. These include gaining access to a victim’s network, stealing data, encrypting a victim’s network, and issuing a ransom demand.</p>
<h2>Specialist criminals</h2>
<p>Increasingly, these attacks are carried out not by lone cyber criminal groups, but rather by networks of different cyber crime groups, each of which specialises in a different stage of the attack. </p>
<p>Initial access brokers will often carry out the first stage of a ransomware attack. Described by <a href="https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/">Google’s Threat Analysis Group</a> as “the opportunistic locksmiths of the security world”, it’s their job to gain access to a victim’s network.</p>
<p>Once they have compromised a victim’s network, they typically sell this access to other groups who will then steal data and deploy the ransomware that paralyses the victim’s computer systems.</p>
<p>There is a massive and growing underground market for this type of crime. Dozens of online marketplaces on both the dark web and <a href="https://www.kaspersky.com.au/blog/deep-web-dark-web-darknet-surface-web-difference/28852/">surface web</a> offer services from initial access brokers.</p>
<p>Their access to companies can be purchased for <a href="https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf">as little as US$10</a>, although more privileged, administrator-level access to larger companies often commands prices of <a href="https://www.digitalshadows.com/blog-and-research/initial-access-brokers-in-2021-an-ever-expanding-threat/">several thousands of dollars</a> or more. </p>
<h2>Responding to the growing cyber threat</h2>
<p>Over the past month, we have seen <a href="https://www.theguardian.com/technology/2022/oct/24/medibank-hack-started-with-theft-of-staff-members-credentials-investigation-suggests">several instances</a> of cyber criminals forgoing actual ransomware. Instead, they sought to directly extort companies by threatening to publicly release any data they have stolen.</p>
<p>While not as devastating as a ransomware attack, data breaches can cause serious financial and reputational damage to an organisation (just ask <a href="https://www.smh.com.au/culture/celebrity/brutal-reality-of-life-at-the-top-of-the-corporate-ladder-20220927-p5blb9.html">Optus chief executive Kelly Bayer Rosmarin</a>), not to mention major problems for any customers or clients who now have their private information released online.</p>
<p>In the final six months of 2021, <a href="https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2021">more than 460 data breaches</a> were reported to government authorities. Even more worryingly, this number is almost certainly an underestimate.</p>
<p>While companies with a turnover of more than AU$3 million are required by law to report data breaches involving personal information, most small businesses are not subject to mandatory reporting laws. Therefore, they have little incentive to report a data breach that could scare off customers and damage their brand. </p>
<h2>Taking action against cyber crime</h2>
<p>So what can we do about it? In the first instance, companies need to rethink their approach to data. Data should be treated not simply as an asset that can be freely held and traded in, but also as a liability that needs to be carefully protected.</p>
<p><a href="https://www.sbs.com.au/news/article/optus-faces-a-customer-exodus-calls-for-compensation-amid-anger-over-leaked-data/mw79n7avs">Some experts</a> are calling for Australia to follow the European Union’s approach and to introduce stricter corporate regulations that better protect consumer data. </p>
<p>This week the federal government also <a href="https://www.smh.com.au/politics/federal/companies-face-hundred-million-dollar-fines-for-privacy-breaches-20221021-p5brt7.html">introduced plans to fine companies</a> that do not maintain sufficient cyber security and suffer repeated data breaches.</p>
<p>Reforms like this could help, particularly in preventing relatively unsophisticated data breaches, like the one that <a href="https://thenewdaily.com.au/finance/finance-news/2022/09/27/optus-hack-childs-play/">recently affected Optus</a>.</p>
<p>On the other hand, punitive fines towards victims could further strengthen the hand of entrepreneurial cyber criminals – they could try to leverage these fines to further extort their victims.</p>
<p>There is no silver bullet to solving the threats posed by cyber criminals. At a minimum, both government and industry must continue to work together to improve our cyber defences and resilience. Through research, we must also work to better understand the global cyber crime ecosystem as it continues to evolve.</p>
<p class="fine-print"><em><span>James Martin receives funding from the Australian Institute of Criminology and the Cyber Security Cooperative Research Centre. </span></em></p><p class="fine-print"><em><span>Chad Whelan receives funding from sources for related work, including the Australian Institute of Criminology and the Cyber Security Cooperative Research Centre.</span></em></p>
<p>The cybercrime ecosystem is vast and complex – and increasingly littered with specialists who will cheaply sell your data.</p>
<p>James Martin, Senior Lecturer in Criminology, Deakin University; Chad Whelan, Professor of Criminology, Deakin University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Organized crime has infiltrated online dating with sophisticated ‘pig-butchering’ scams</h1>
<p>Published 2022-03-01T15:51:55Z</p>
<figure><img src="https://images.theconversation.com/files/449007/original/file-20220228-13-1tujvnd.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C6020%2C4010&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Scammers have stolen hundreds of millions of dollars from unsuspecting victims.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption></figure>
<p>While we have been focused on the COVID-19 pandemic, vaccine mandates and related protests for much of the past two years, a wave of financial fraud has spread rapidly across Canada and around the world.</p>
<p>While not a deadly respiratory virus, this new approach to scamming has affected <a href="https://www.cbsnews.com/news/crypto-dating-scam/">thousands of individuals globally</a>, with victims defrauded of a record <a href="https://time.com/nextadvisor/investing/cryptocurrency/common-crypto-scams/">US$14 billion in 2021</a>. The Canadian Anti-Fraud Centre reported <a href="https://www.antifraudcentre-centreantifraude.ca/features-vedette/2022/02/romance-rencontre-eng.htm">nearly $100 million stolen from victims in Canada alone in 2020 and 2021</a>.</p>
<h2>Emotional manipulation</h2>
<p>The <a href="https://www.scamadviser.com/scam-reports/scam-trends/4117/sha-zhu-pan-the-pig-butchering-scam">pig-butchering, or “sha zhu pan,”</a> scam is a highly sophisticated form of romance and cryptocurrency investment scam. Scammers — mainly working for Chinese organized crime gangs — pose as attractive professionals or entrepreneurs looking for true love. They use <a href="https://www.businessinsider.com/crypto-scammers-fake-romance-on-dating-apps-like-hinge-2022-2">dating apps</a>, including Tinder, Grindr and Hinge, as well as social media platforms like Facebook and Instagram to match with their potential victims. The scammers target single women and men, LGBTQ+ people, those over 50 years old and new immigrants.</p>
<p>Using a combination of savvy technological tools, fake social media profiles and psychological manipulation, the scammers trick victims into believing that they live close by and are willing to meet in person whenever COVID-19 restrictions are lifted. In reality, the scammers are located mainly in Southeast Asia. </p>
<p>They slowly gain victims’ trust by using their personal information on social media against them to play the role of their dream romantic partner. They also shower their victims with messages of love and affection day and night. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/KSVKOaZL2to?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">A victim of the pig-butchering scam describes how it worked on her.</span></figcaption>
</figure>
<p>According to the Global Anti-Scam Organization, this stage of the scam is referred to as <a href="https://www.globalantiscam.org/about">fattening or raising the pig</a> before slaughtering it. The “pig” here is the unsuspecting person, located in <a href="https://www.straitstimes.com/singapore/courts-crime/she-lost-240000-in-pig-butchering-cryptocurrency-scam-after-fraudster-courted-her-for-months">Asia</a>, North America or Europe who is looking for a genuine love match on dating apps.</p>
<p>Contrary to more traditional romance scams, scammers manage to convince their victims that they are not interested in their money or personal banking information. Instead, they want to build a bright economic future with their soulmate by investing in cryptocurrency together as a couple. </p>
<p>Once the victims’ guard is down, scammers convince them to invest increasing amounts of money. Victims have, in many cases, emptied out their bank accounts, spent their inheritances and life savings, taken out loans and mortgages, and sold their houses and cars to invest in fake crypto platforms. Victims realize they were scammed only after <a href="https://www.nytimes.com/2022/02/21/technology/crypto-scammers-new-target-dating-apps.html">being blocked from withdrawing</a> the thousands or millions of dollars they invested.</p>
<h2>Isolation and vulnerability</h2>
<p>My doctoral research examines how gay men across international borders navigate romantic relationships online. As such, I understand how unsuspecting people looking for love and companionship online during the COVID-19 pandemic can fall victim to these highly sophisticated romance-cryptocurrency investment scams.</p>
<p>The COVID-19 pandemic has disrupted everybody’s life. Its intense periods of isolation, fear and uncertainty have particularly affected <a href="https://www.nytimes.com/2022/02/21/technology/crypto-scammers-new-target-dating-apps.html">single people who don’t have emotional and social support systems in place</a>. And <a href="https://www.nytimes.com/2021/08/31/well/live/dating-during-coronavirus-pandemic.html">dating during the pandemic has been especially difficult</a>.</p>
<p>Limited to online dating and dating apps, singles have become <a href="https://toronto.ctvnews.ca/two-ontario-women-speak-out-after-losing-more-than-100-000-in-cryptocurrency-scams-1.5662694">the perfect prey for criminals</a>. Taking advantage of their <a href="https://time.com/5955250/single-during-covid-19-pandemic/">vulnerability, loneliness and desire for human connection</a>, organized criminals have feigned romantic interest to con them out of their money.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/449010/original/file-20220228-4438-1cnts55.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Composite photograph of a man on a laptop sitting across from another person on a laptop wearing a hoodie" src="https://images.theconversation.com/files/449010/original/file-20220228-4438-1cnts55.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/449010/original/file-20220228-4438-1cnts55.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=440&fit=crop&dpr=1 600w, https://images.theconversation.com/files/449010/original/file-20220228-4438-1cnts55.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=440&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/449010/original/file-20220228-4438-1cnts55.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=440&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/449010/original/file-20220228-4438-1cnts55.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=553&fit=crop&dpr=1 754w, https://images.theconversation.com/files/449010/original/file-20220228-4438-1cnts55.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=553&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/449010/original/file-20220228-4438-1cnts55.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=553&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Using sophisticated methods, scammers working for organized crime are able to defraud people of their life savings.</span>
<span class="attribution"><span class="source">(Shutterstock)</span></span>
</figcaption>
</figure>
<p>Previously, people may have thought they could outsmart being “catfished” — <a href="https://www.ageuk.org.uk/information-advice/money-legal/scams-fraud/how-to-spot-a-catfish/">misled by an individual scammer pretending to be someone else</a> — but most of the perpetrators of these new scams work in organized crime gangs. They appear to be made up of experts in psychological profiling who can hook their victims more efficiently using <a href="https://www.globalantiscam.org/post/tricking-english-translators-for-shazhupan-scripts">elaborate scripts</a> and algorithms, gradually making them fall in love with a good-looking and wealthy professional looking for a long-term relationship. At some point, they offer financial advice, particularly in investments, usually in cryptocurrency. </p>
<p>Often, the plan is for the scammer and the victim to invest together, getting even greater returns, only the victim’s money is real while the scammer’s isn’t. This has left victims with huge debts, <a href="https://www.theguardian.com/money/2021/apr/17/bank-transfer-scams-fraud-victims">while also dealing with post-traumatic stress disorder, shame, embarrassment and anger</a> after being scammed. </p>
<h2>Regulating online safety</h2>
<p>In the United Kingdom, a <a href="https://www.ft.com/content/99f727b1-b1b7-4a00-855a-e126a97188a9">landmark online safety bill has been proposed</a> that would compel online companies <a href="https://www.which.co.uk/news/2021/12/landmark-report-targets-new-laws-for-online-safety/">to proactively tackle fraudulent content and harmful advertising</a>. </p>
<p>If passed, the Online Safety Bill will allocate greater funds to police and anti-fraud departments, <a href="https://news.sky.com/story/online-safety-bill-ignoring-epidemic-of-scams-faced-by-the-uk-experts-warn-12298864">which are critically underfunded</a>.</p>
<p>In addition, <a href="https://www.cnbc.com/2021/07/27/elizabeth-warren-presses-yellen-financial-regulator-to-manage-crypto.html">senators in the United States</a> and <a href="https://indianexpress.com/article/technology/crypto/cryptocurrency-in-india-a-look-at-the-regulatory-journey-of-cryptocurrencies-7648767/">officials in India</a> have called for tighter government regulations of cryptocurrencies to protect people from fraud. </p>
<p>Given the devastating financial and emotional impact that scams have on victims, some banks and other financial institutions in <a href="https://news.bitcoin.com/8000-bitcoin-scam-victims-refunds/">the U.S.</a> and <a href="https://www.theguardian.com/money/2021/nov/11/victims-face-reimbursement-lottery-from-their-banks">the U.K.</a> have refunded their customers. </p>
<p>Canadian government, financial institutions and the media need to work toward preventing online fraud and helping victims recover. As we increasingly integrate the virtual world with our day-to-day living, more needs to be done to protect Canadians.</p>
<p class="fine-print"><em><span>Carlo Handy Charles receives funding from the Pierre Elliott Trudeau Foundation as well as the Social Sciences and the Humanities Research Council as a Vanier Scholar. He is a fellow at the Convergence Migrations Institute (Paris). He is an advisor on the Toronto Francophone Affairs Advisory Committee. </span></em></p>
Organized crime gangs in Southeast Asia use psychological profiling, elaborate scripts and algorithms to produce sophisticated scams. Using dating apps, they target vulnerable people looking for love.
Carlo Handy Charles, Ph.D. Candidate in Sociology/Geography and Research Fellow at Convergence Migrations Institute (Paris), McMaster University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/172403
2021-11-30T19:11:44Z
2021-11-30T19:11:44Z
Students who cheat don’t just have to worry about getting caught. They risk blackmail and extortion
<figure><img src="https://images.theconversation.com/files/434603/original/file-20211130-21-1jhv1xx.jpg?ixlib=rb-1.1.0&rect=8%2C0%2C5374%2C3575&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>When students use a commercial <a href="https://theconversation.com/universities-unite-against-the-academic-black-market-85232">contract cheating</a> service, getting caught by their lecturers is just one of many serious consequences that could damage them and those who trust them. They also expose themselves to blackmail and extortion. Despite these risks, one in ten students at Australian higher education institutions have used a commercial cheating service to complete an assessment, according to <a href="https://doi.org/10.1080/03075079.2021.1972093">survey findings</a> presented at the inaugural <a href="https://torrens.eventsair.com/aain-forum2021/">Australian Academic Integrity Network Forum 2021</a> (AAIN) hosted by Torrens University. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/1-in-10-uni-students-submit-assignments-written-by-someone-else-and-most-are-getting-away-with-it-166410">1 in 10 uni students submit assignments written by someone else — and most are getting away with it</a>
</strong>
</em>
</p>
<hr>
<p>With sophisticated <a href="https://theconversation.com/artificial-intelligence-is-getting-better-at-writing-and-universities-should-worry-about-plagiarism-160481">artificial intelligence</a> and indeed sinister forces coming into play, there is a growing urgency for higher education institutions to act on this increasing threat to academic integrity. The threat isn’t just to the reputation of institutions. It also places students at risk. </p>
<p>When students fill in their credit card number to complete a purchase from a contract cheating service, they are doing business with unscrupulous gremlins. They risk heading down a sinister black hole of <a href="https://www.teqsa.gov.au/sites/default/files/contract-cheating-blackmail.pdf?v=1591659442">extortion</a> and blackmail using the threat of exposure to their university or employer.</p>
<h2>Services have found a new income stream</h2>
<p>Extortion is the new name of the game. Contract-cheating gremlins have turned to <a href="https://www.tandfonline.com/doi/abs/10.1080/03075079.2020.1730313?journalCode=cshe20">blackmail</a> as an ongoing source of income from students. They threaten to tell the university the student has bought an assignment unless the student pays up. </p>
<p>Students can be blackmailed even after finishing their degrees when the gremlins threaten to expose their cheating behaviour to employers. </p>
<p>If the student refuses to pay up, then the gremlins get to work on destroying their credibility. The university can revoke the degree the student “earned”. The student loses their qualification and potentially their career and suffers reputational damage and financial loss.</p>
<p>Contract cheating starts off as a rational approach to getting an assignment done quickly and easily. As the student descends the morality ladder, the lines between right and wrong become blurred. The student who engages in academic misconduct is laying the foundations for unethical conduct in the workplace.</p>
<p>There is <a href="https://clutejournals.com/index.php/JDM/article/view/4977">strong evidence</a> that cheating as a student can lay the foundations for unethical behaviour in life and as members of society. </p>
<p>When the US audit watchdog <a href="https://www.theguardian.com/australia-news/2021/sep/15/us-watchdog-fines-kpmg-australia-over-widespread-cheating-on-online-training-tests">fined KPMG Australia</a> A$615,000 following major cheating in its workplace, it revealed the dangers of the normalisation of these practices in society. Similarly, <a href="https://asic.gov.au/">ASIC</a> is suing the <a href="https://www.msn.com/en-au/money/news/asic-is-suing-anz-over-its-introducer-program-alleging-unlicensed-parties-funnelled-borrowers-to-loans-they-could-not-afford/ar-AAR8BEw?ocid=entnewsntp&pc=U531">ANZ Bank</a> for breaching the Credit Act by allegedly paying commissions to unlicensed third parties who referred borrowers to the bank for loans. Bank representatives overlooked these actions in an attempt to achieve sales targets for bonuses.</p>
<p>Gremlins are smart. They advertise their services as assignment help and tutors 24/7, in an attempt to normalise the practice of cheating. </p>
<p>Students then unknowingly open themselves up to a raft of offences, including misrepresentation, fraud, forgery and financial advantage from crime. When a student submits a bought assignment and completes the cover sheet stating that it’s their own work, it could be considered fraud because they are making a false or misleading statement. The financial advantage from this action would be the avoidance of retaking a subject and saving on course fees. </p>
<p>It’s potentially an act of forgery when a student submits a fabricated assignment and the university considers it to be original work, legitimately created by the student. So far no students have been charged with fraud for submitting a contract-cheated assessment in Australia. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/artificial-intelligence-is-getting-better-at-writing-and-universities-should-worry-about-plagiarism-160481">Artificial intelligence is getting better at writing, and universities should worry about plagiarism</a>
</strong>
</em>
</p>
<hr>
<h2>What is being done about cheating?</h2>
<p>The Australian government’s introduction of anti-cheating <a href="https://www.news.com.au/lifestyle/parenting/school-life/new-laws-passed-could-see-cheaters-who-sell-services-to-university-students-jailed/news-story/599e268e4e5ff39e0766544688274092">laws</a> in 2020 offers some hope of reining in the gremlins. The first <a href="https://www.teqsa.gov.au/latest-news/articles/teqsa-successful-federal-court-action-block-access-cheating-website">successful prosecution</a> by the higher education regulator, the Tertiary Education Quality and Standards Agency (TEQSA), resulted in the blocking of two illegal cheating websites. </p>
<p>The new law also makes the promotion and selling of contract cheating services illegal. Penalties include up to two years’ jail and a fine of $110,000. </p>
<p>By their very nature, these services are not exemplars of integrity and ethical behaviour. They blackmail their customers and exploit the so-called “academic” writers they employ. They are now also recruiting students to on-sell their services, exposing them to the risk of a criminal record.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/universities-unite-against-the-academic-black-market-85232">Universities unite against the academic black market</a>
</strong>
</em>
</p>
<hr>
<p>Individuals make a significant investment in their education. But if they turn to cheating, their actions can have far-reaching consequences for their lives. They also harm those around them – their families, partners, employers and society in general.</p>
<p>While the AAIN Forum identified some strategies to encourage students to rethink cheating, it is critical that we create a robust culture of academic integrity across our institutions. Appreciating the true value of a well-earned degree will be just as important as the law in keeping the cheat gremlins at bay.</p>
<p>Let the student buyer beware!</p>
<p class="fine-print"><em><span>Kristina Nicholls does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
An estimated one in ten Australian tertiary students have paid a so-called contract cheating service to do their work for them. What most don’t think about is the risk of being blackmailed later.
Kristina Nicholls, Director, Academic Integrity, Torrens University Australia
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/162343
2021-06-08T07:36:08Z
2021-06-08T07:36:08Z
How an app to decrypt criminal messages was born ‘over a few beers’ with the FBI
<p>Australian and US law enforcement officials on Tuesday announced they’d sprung a trap three years in the making, catching major international crime figures using an encrypted app. </p>
<p>More than 200 underworld figures in Australia have been charged in what <a href="https://www.afp.gov.au/news-media/media-releases/afp-led-operation-ironside-smashes-organised-crime">Australian Federal Police</a> (AFP) say is their biggest-ever organised crime bust.</p>
<p>The operation, led by the US Federal Bureau of Investigation (FBI), spanned <a href="https://www.afp.gov.au/news-media/media-releases/afp-led-operation-ironside-smashes-organised-crime">Australia and 17 other countries</a>. In Australia alone, more than 4,000 police officers were involved.</p>
<p>At the heart of the sting, dubbed Operation Ironside, was a type of “<a href="https://www.kaspersky.com.au/resource-center/threats/trojans">trojan horse</a>” malware called AN0M, which was secretly incorporated into a messaging app. After criminals used the encrypted app, police decrypted their messages, which included plots to kill, mass drug trafficking and gun distribution. </p>
<figure class="align-center ">
<img alt="graphic of padlock and tech symbols" src="https://images.theconversation.com/files/405008/original/file-20210608-28372-fecede.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/405008/original/file-20210608-28372-fecede.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=366&fit=crop&dpr=1 600w, https://images.theconversation.com/files/405008/original/file-20210608-28372-fecede.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=366&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/405008/original/file-20210608-28372-fecede.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=366&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/405008/original/file-20210608-28372-fecede.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=460&fit=crop&dpr=1 754w, https://images.theconversation.com/files/405008/original/file-20210608-28372-fecede.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=460&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/405008/original/file-20210608-28372-fecede.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=460&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Police used an encrypted app used by underworld figures to bust the crime network.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<h2>Millions of messages unscrambled</h2>
<p>AFP Commissioner Reece Kershaw <a href="https://www.abc.net.au/news/2021-06-08/fbi-afp-underworld-crime-bust-an0m-cash-drugs-murder/100197246">said</a> the idea for AN0M emerged from informal discussions “over a few beers” between the AFP and FBI in 2018.</p>
<p>Platform developers had worked on the AN0M app, along with modified mobile devices, before law enforcement acquired it legally and adapted it for their use. The AFP say the developers weren’t aware of the intended use.</p>
<p>Once appropriated by law enforcement, AN0M was reportedly programmed with a secret “back door”, enabling them to access and decrypt messages in real time.</p>
<p>A “back door” is a software agent that circumvents normal access authentication. It allows remote access to private information in an application, without the “owner” of the information being aware. </p>
<p>So the users — in this case the crime figures — believed communication conducted via the app and smartphones was secure. Meanwhile, law enforcement could <a href="https://www.abc.net.au/news/2021-06-08/fbi-afp-underworld-crime-bust-an0m-cash-drugs-murder/100197246">reportedly</a> unscramble up to 25 million encrypted messages simultaneously. </p>
<p>But without this back door, strongly encrypted messages would be almost impossible to decrypt. That’s because decryption without the key generally requires a computer to run through trillions of possibilities before hitting on the right code to unscramble a message. Only the most powerful computers can do this within a reasonable time frame. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/cryptology-from-the-crypt-how-i-cracked-a-70-year-old-coded-message-from-beyond-the-grave-122465">Cryptology from the crypt: how I cracked a 70-year-old coded message from beyond the grave</a>
</strong>
</em>
</p>
<hr>
<figure class="align-center ">
<img alt="Scott Morrison and police official stand at lecterns" src="https://images.theconversation.com/files/405009/original/file-20210608-19-56gpeg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/405009/original/file-20210608-19-56gpeg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/405009/original/file-20210608-19-56gpeg.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/405009/original/file-20210608-19-56gpeg.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/405009/original/file-20210608-19-56gpeg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/405009/original/file-20210608-19-56gpeg.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/405009/original/file-20210608-19-56gpeg.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Police programmed a secret ‘back door’ into the app to carry out the sting.</span>
<span class="attribution"><span class="source">Dean Lewins/AAP</span></span>
</figcaption>
</figure>
<h2>Providers resist pressure for ‘back-door’ access</h2>
<p>In the mainstream world of encrypted communication, the installation of “back-door” access by law enforcement has been <a href="https://www.securitymagazine.com/articles/91402-facebook-refuses-to-give-law-enforcement-access-to-its-messaging-app-whatsapp">strenuously resisted</a> by app providers, including Facebook, which owns WhatsApp. </p>
<p>In January 2020, <a href="https://www.cnbc.com/2020/01/14/apple-refuses-barr-request-to-unlock-pensacola-shooters-iphones.html">Apple refused</a> law enforcement’s request to unlock the <a href="https://abcnews.go.com/US/suspect-pensacola-naval-base-shooting-wrote-countdown-started/story?id=67733495">Pensacola shooting</a> suspect’s iPhone, following a deadly 2019 Florida attack which killed three people. </p>
<p>Apple, like Facebook, has long <a href="https://time.com/4262480/tim-cook-apple-fbi-2/">refused to</a> allow back-door access, <a href="https://www.apple.com/customer-letter/">claiming</a> it would undermine customer confidence. Such incidents highlight the struggle of balancing competing demands for user privacy with the imperative of preventing crime for the greater good. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/facebook-is-merging-messenger-and-instagram-chat-features-its-for-zuckerbergs-benefit-not-yours-147261">Facebook is merging Messenger and Instagram chat features. It's for Zuckerberg's benefit, not yours</a>
</strong>
</em>
</p>
<hr>
<figure class="align-center ">
<img alt="phone showing Apple and Facebook apps" src="https://images.theconversation.com/files/405010/original/file-20210608-25-1k3h8jb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/405010/original/file-20210608-25-1k3h8jb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/405010/original/file-20210608-25-1k3h8jb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/405010/original/file-20210608-25-1k3h8jb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/405010/original/file-20210608-25-1k3h8jb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/405010/original/file-20210608-25-1k3h8jb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/405010/original/file-20210608-25-1k3h8jb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Apple and Facebook have refused to allow back-door access, claiming it would undermine customer confidence.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<h2>Getting criminals to use AN0M</h2>
<p>Once AN0M was developed and ready for use, law enforcement had to get it into the hands of criminal “underworld” figures. </p>
<p>To do so, <a href="https://www.abc.net.au/news/2021-06-08/fbi-afp-underworld-crime-bust-an0m-cash-drugs-murder/100197246">undercover agents</a> reportedly persuaded fugitive Australian drug trafficker Hakan Ayik to unwittingly champion the app to his associates. These associates were then sold mobile devices pre-loaded with AN0M on the black market. </p>
<p>Purchase was only possible if referred through an existing user of the app, or by a distributor who could vouch for the potential customer as not working for law enforcement. </p>
<p>The AN0M-loaded mobiles — likely Android-powered smartphones — came with reduced functionality. They could do just three things: send and receive messages, make distorted voice calls and record videos — all of which users presumed to be encrypted. </p>
<p>With time the AN0M phone increasingly became the device of choice for a significant number of criminal networks. </p>
<figure class="align-center ">
<img alt="Police official points to screen showing phones and monitor" src="https://images.theconversation.com/files/405012/original/file-20210608-135198-15ty3ry.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/405012/original/file-20210608-135198-15ty3ry.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/405012/original/file-20210608-135198-15ty3ry.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/405012/original/file-20210608-135198-15ty3ry.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/405012/original/file-20210608-135198-15ty3ry.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/405012/original/file-20210608-135198-15ty3ry.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/405012/original/file-20210608-135198-15ty3ry.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The AN0M-loaded devices were mobiles — likely Android-powered smartphones — but with reduced functionality.</span>
<span class="attribution"><span class="source">Dean Lewins/AAP</span></span>
</figcaption>
</figure>
<h2>Building up a network picture</h2>
<p>Since 2018, law enforcement agencies across 18 countries, including Australia, had been patiently listening to millions of conversations through their back-door control of the AN0M app. </p>
<p>Information was retrieved on all manner of illegal activities. This gradually enabled police to etch a detailed picture of various crime networks. Some of the footage and images retrieved have been <a href="https://www.afp.gov.au/news-media/media-releases/afp-led-operation-ironside-smashes-organised-crime">cleared for public release</a>.</p>
<p>One major challenge was for police to match overheard conversations with <a href="https://www.newshub.co.nz/home/new-zealand/2021/06/what-is-the-an0m-app-and-how-was-it-used-to-catch-kiwi-criminals.html">identities</a> — as the AN0M phone could be purchased anonymously and paid for with Bitcoin (which allows secure transactions that can’t be traced). This may help explain why it took three years before police openly identified alleged perpetrators. </p>
<p>It’s likely the evidence obtained will be used in prosecutions now that a multitude of arrests have been made. </p>
<h2>The future of encryption</h2>
<p>Encryption technology is improving fast. It needs to — because computing power is also growing rapidly.</p>
<p>This means hackers are becoming increasingly capable of breaking encryption. Moreover, when quantum computers become available this problem will be further exacerbated, since they are massively more powerful than conventional computers today.</p>
<p>These developments will likely weaken the security of encrypted messaging apps used by law-abiding people, including popular apps such as WhatsApp, LINE and Signal.</p>
<p>Strong encryption is an essential weapon in the cybersecurity arsenal and there are thousands of legitimate situations where it’s needed. It’s ironic then, that the technology intended by some to keep the public safe can also be leveraged by those with criminal intent. </p>
<p>Networks of organised crime have used these “legitimate” tools to conduct their business, secure in the knowledge that law enforcement can’t access their communications. Until AN0M, that is. </p>
<p>And while Operation Ironside may have sent a shiver through criminal subcultures operating around the world, these syndicates will likely develop their own countermeasures in this ongoing game of cat and mouse.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/seven-ways-the-government-can-make-australians-safer-without-compromising-online-privacy-111091">Seven ways the government can make Australians safer – without compromising online privacy</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>David Tuffley does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The AN0M app was programmed by law enforcement to allow ‘back-door’ access. This led to the retrieval of information that culminated in hundreds of search warrants.
David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/150953
2020-12-06T18:53:23Z
2020-12-06T18:53:23Z
Nothing like the mafia: cybercriminals are much like the everyday, poorly paid business worker
<figure><img src="https://images.theconversation.com/files/372996/original/file-20201204-21-w0rjs6.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">shutterstock</span> </figcaption></figure><p>New research is questioning the popular notion that cybercriminals can make millions of dollars from the comfort of home — and without much effort.</p>
<p>Our <a href="https://doi.org/10.1007/s12117-020-09397-5">paper</a>, published in the journal <a href="https://www.springer.com/journal/12117">Trends in Organised Crime</a>, suggests offenders who illegally sell cybercrime tools to other groups aren’t promised automatic success.</p>
<p>Indeed, the “<a href="https://www.sciencedirect.com/science/article/abs/pii/S1874548213000036">crimeware-as-a-service</a>” market is a highly competitive one. To succeed, providers have to work hard to attract clients and build up their criminal business. </p>
<p>They must combine their skills and employ business acumen to attract (and profit from) other cybercriminals wanting their “services”. And the tactics they use more closely resemble a business practice playbook than a classic Mafia operation.</p>
<h2>The online trade of DDoS stressers</h2>
<p>Using <a href="https://theconversation.com/prosecuting-within-complex-criminal-networks-is-hard-data-analysis-could-save-the-courts-precious-time-and-money-150087">social network analysis</a>, we studied crimeware-as-a-service payment patterns online. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/prosecuting-within-complex-criminal-networks-is-hard-data-analysis-could-save-the-courts-precious-time-and-money-150087">Prosecuting within complex criminal networks is hard. Data analysis could save the courts precious time and money</a>
</strong>
</em>
</p>
<hr>
<p>Specifically, we looked at a Distributed Denial of Service (DDoS) stresser. A “DDoS stresser”, also called an IP booter, is an online tool that offenders can rent to launch DDoS attacks against websites. </p>
<p>In such attacks, the targeted website is bombarded with numerous log-on attempts all at once. This clogs up the site’s traffic and leads to all users being denied access, effectively causing the site to crash. </p>
<h2>Buy your VIP cybercrime membership today</h2>
<p>The stresser we analysed was taken down by Dutch law enforcement after six months of operation. Since all the identities involved were anonymised, we’ve called it StressSquadZ. </p>
<p>We explored StressSquadZ’s service operations and payment systems to observe how its service provider interacted with customers. Contrary to the idea of organised cybercrime looking like a <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1155155">cyberpunk version of The Godfather</a>, their strategies seemed to come straight from a business playbook.</p>
<p>StressSquadZ’s provider offered clients a range of marketing and subscription plans. These started at an introductory trial price of US$1.99 for ten minutes of limited service, through to pricier options. Clients wanting a “full power” attack could buy a VIP bespoke service for US$250. </p>
<p>Clearly, StressSquadZ’s provider had a hankering to maximise profit. And just as we all appreciate a good bargain, their customers aimed to pay as little as possible. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/mygovs-ill-timed-meltdown-could-have-been-avoided-with-elastic-computing-134665">MyGov's ill-timed meltdown could have been avoided with 'elastic computing'</a>
</strong>
</em>
</p>
<hr>
<h2>(Cyber)crime doesn’t always pay</h2>
<p>The communication data we analysed, mapped below, indicated the clientele comprised three distinct groups of hackers: amateurs (red), professionals (green) and skilled non-professionals (yellow).</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/372961/original/file-20201204-21-1uk47kx.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/372961/original/file-20201204-21-1uk47kx.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/372961/original/file-20201204-21-1uk47kx.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=456&fit=crop&dpr=1 600w, https://images.theconversation.com/files/372961/original/file-20201204-21-1uk47kx.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=456&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/372961/original/file-20201204-21-1uk47kx.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=456&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/372961/original/file-20201204-21-1uk47kx.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=573&fit=crop&dpr=1 754w, https://images.theconversation.com/files/372961/original/file-20201204-21-1uk47kx.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=573&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/372961/original/file-20201204-21-1uk47kx.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=573&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Some users who started with buying trials later graduated to more expensive premium services, which were pathways into more powerful attacks. The lines in this figure represent payments for DDoS stresser services.</span>
</figcaption>
</figure>
<p>The low-impact trial plan was the most popular purchase. These users, who made up about 40% of the total customer pool, are very likely driven by the <a href="https://journals.sagepub.com/doi/abs/10.1177/1477370819887305?journalCode=euca">thrill of transgression</a> rather than pure criminal intent.</p>
<p>A smaller group had more serious intentions, as their more expensive subscription levels indicated. Having invested more, they’d need a higher return on their investment. </p>
<p>Notably, we found the average yield for those involved was low compared to the yield obtained in other cybercrime operations studied. In fact, StressSquadZ operated at a loss for most of its life.</p>
<p>Two things help explain this. First, the service was short-lived. By the time it started gaining traction, it was shut down. Also, it was competing in a large market, losing potential customers to other similar service providers. </p>
<h2>Complicit in the act</h2>
<p>While stressers can be used <a href="https://link.springer.com/article/10.1007/s12117-020-09397-5">legally</a> to test the resilience of security systems, we found the main intent in using StressSquadZ was as an attack vehicle against websites. </p>
<p>There was no attempt by the service provider to prevent clients from illegal use, thus making them a facilitator of the crime. This in itself is a crime under <a href="https://www.legislation.gov.au/Details/C2004A00937">computer misuse legislation</a> in most Australian jurisdictions.</p>
<p>That said, the group of criminals tapping into StressSquadZ was very different to a more archetypal and hierarchical criminal group, such as the Mafia. Without a “boss”, StressSquadZ was sometimes disorganised, and duties and benefits were more equally <a href="https://standinggroups.ecpr.eu/sgoc/dis-organised-crime-towards-a-distributed-model-of-the-organization-of-cybercrime/">distributed</a>.</p>
<h2>We now face fewer (but stronger) DDoS attacks</h2>
<p>The emergence of DDoS stressers over the past decade has actually led to an overall reduction in the number of DDoS attacks.</p>
<p>According to the <a href="https://gtr.ukri.org/projects?ref=EP%2FM020576%2F1">CRITiCaL project</a>, out of 10,000 cyberattacks between 2012 and 2019 – of which 800 were DDoS attacks – the number of attacks fell from 180 in 2012 to fewer than 50 last year.</p>
<p>This may be because individual attacks are now more powerful. Early DDoS attacks were weak and short in duration, so cyber security systems could overcome them. Attacks today carry out their purpose, which is to invalidate access to a system, for a longer duration. </p>
<p>There’s been a massive increase in the scope and intensity of attacks over the past decade. Damage once done on a megabyte scale has now become gigabytes and terabytes.</p>
<figure class="align-center ">
<img alt="This graph shows the increase in size of DDoS attacks, in megabytes, from 2007 to 2018." src="https://images.theconversation.com/files/372763/original/file-20201203-13-1ynsl7p.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/372763/original/file-20201203-13-1ynsl7p.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=173&fit=crop&dpr=1 600w, https://images.theconversation.com/files/372763/original/file-20201203-13-1ynsl7p.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=173&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/372763/original/file-20201203-13-1ynsl7p.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=173&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/372763/original/file-20201203-13-1ynsl7p.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=218&fit=crop&dpr=1 754w, https://images.theconversation.com/files/372763/original/file-20201203-13-1ynsl7p.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=218&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/372763/original/file-20201203-13-1ynsl7p.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=218&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">This graph shows the increase in size of DDoS attacks in megabytes from 2007 to 2018.</span>
<span class="attribution"><span class="source">Carlos Morales/Arbor Network</span></span>
</figcaption>
</figure>
<p>DDoS attacks can <a href="https://www.corero.com/blog/theft-and-ddos-attacks-go-hand-in-hand/">facilitate</a> data theft or <a href="https://www.techrepublic.com/article/ransomware-campaign-threatens-organizations-with-ddos-attacks/">increase</a> the intensity of ransomware attacks. </p>
<p>In February, they were used as a <a href="https://www.zdnet.com/article/australian-banks-targeted-by-ddos-extortionists/">persistent threat</a> to seek ransom payments from various Australian organisations, including <a href="https://www.zdnet.com/article/australian-banks-targeted-by-ddos-extortionists/">banks</a>.</p>
<p>Also in February we witnessed one of the most extreme DDoS attacks in recent memory. Amazon Web Services was <a href="https://thenextweb.com/syndication/2020/09/30/the-most-famous-ddos-attacks-in-history/">hit by a sustained attack</a> that lasted three days and reached up to 2.3 terabytes per second.</p>
<p>The threat from such assaults (and the networks sustaining them) is of huge concern — not least because DDoS attacks often come packaged with other crimes. </p>
<p>It’s helpful, however, to know stresser providers use a business model resembling any e-commerce website. Perhaps with this insight we can get down to business taking them down.</p>
<p class="fine-print"><em><span>David S. Wall receives funding from the EU (TAKEDOWN Project - Horizon 2020, Grant 700688) and the EPSRC CRITiCal project (EP/M020576/1).</span></em></p>
<p class="fine-print"><em><span>Roberto Musotto does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
We unpacked a large cybercrime business network and found a group relying on business 101 tactics: VIP memberships, cheap trial offers and a customer base reluctant to spend.
Roberto Musotto, Research fellow, Edith Cowan University
David S. Wall, Professor of Criminology, University of Leeds
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/147122
2020-09-29T15:06:06Z
2020-09-29T15:06:06Z
Reptiles: one in three species traded online – and 75% aren’t protected by international law
<p>Rhinos, tigers, pangolins – we’re used to hearing about the mammals that are snatched from the wild so that their body parts can be sold. But did you know that you can buy and sell 36% of all known reptile species over the internet? That’s more than one in three species, including the endangered <a href="http://speciesstatus.sanbi.org/assessment/last-assessment/43/">speckled tortoise</a> (the world’s smallest species of tortoise) and the <a href="http://reptile-database.reptarium.cz/species?genus=Archaius&species=tigris">Seychelles tiger chameleon</a>. </p>
<p>Reptiles are consistently overlooked by trade regulations. The Convention on International Trade in Endangered Species of Wild Fauna and Flora (CITES) is the world’s mechanism for protecting wildlife in global markets. This global agreement is supposed to regulate the trade of species to prevent them being overexploited, but <a href="https://www.nature.com/articles/s41467-020-18523-4">a new study</a> has revealed that more than 75% of reptiles traded online are species that are not covered by CITES. And as the online trade has grown, even reptiles protected by CITES are being taken from their natural habitats and sold to buyers around the world.</p>
<p>Reptiles are mostly traded for two reasons. In the fashion industry, their skins are made into leather. Reptile skins are what CITES mostly records, as this trade happens on a commercial scale. Thousands of skins of crocodiles, in particular, but lizards and snakes too, are shipped around the world to make boots, purses, and watch straps among other things. Much less well documented, according to the new study and as I have also found in my <a href="https://www.crimejusticejournal.com/article/view/1243/805">own research</a>, is the smaller-scale trade in individual reptiles for “personal” use, like the pet trade.</p>
<figure class="align-center ">
<img alt="A woman wearing a fur coat holds a brown crocodile skin handbag." src="https://images.theconversation.com/files/360536/original/file-20200929-18-oacw5i.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/360536/original/file-20200929-18-oacw5i.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/360536/original/file-20200929-18-oacw5i.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/360536/original/file-20200929-18-oacw5i.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/360536/original/file-20200929-18-oacw5i.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/360536/original/file-20200929-18-oacw5i.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/360536/original/file-20200929-18-oacw5i.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Reptile skin is commonly used in expensive luxury goods, like designer handbags.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/milan-february-21-woman-hermes-brown-1055313779">Andersphoto/Shutterstock</a></span>
</figcaption>
</figure>
<h2>Scaling back the trade</h2>
<p>At first, it may not seem that the sale of one reptile here and there presents a problem. But the wildlife trade is a global phenomenon. The tens, if not hundreds of thousands of individual sales of reptiles taking place around the world every year add up. The result is that small populations of reptiles – some of which only live in one particular place – are threatened with extinction. The demand for rare and unique companion animals helps fuel this.</p>
<p>Farming reptiles, or breeding them in captivity, is often touted as a solution, but this approach has its own problems. </p>
<p>Captive breeding has been a source of illegal activity in the past. Businesses that were supposedly breeding reptiles in large quantities to meet demand were found to likely have been taking them <a href="https://www.traffic.org/site/assets/files/6060/adding-up-the-numbers.pdf">from the wild instead</a>. This kind of laundering is difficult to control unless there are robust practices in place to trace reptiles all the way from source to final purchase.</p>
<p>Captive breeding in the reptile trade also has horrible consequences for animal welfare. As colleagues and I have <a href="https://www.crimejusticejournal.com/article/view/1243/805">argued</a>, the reptile leather industry is extraordinarily cruel. Animals are often kept in unhygienic conditions and slaughter is usually done while the reptile is conscious. That means many animals are skinned while still alive.</p>
<p>The pet industry is little better. Reptiles are crammed into small boxes and flown as cargo all over the world, enduring days without food and water and in fluctuating temperatures. There is no guarantee that they will be better kept once they arrive at their new home. </p>
<p>The biggest demand for pet reptiles is in Europe and North America. This is an important and often overlooked point: advertising the harm that the exotic pet trade causes could help reduce demand where it is greatest.</p>
<figure class="align-center ">
<img alt="Baby terrapins scramble over each other in a shallow tub." src="https://images.theconversation.com/files/360540/original/file-20200929-20-tuyjll.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/360540/original/file-20200929-20-tuyjll.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=338&fit=crop&dpr=1 600w, https://images.theconversation.com/files/360540/original/file-20200929-20-tuyjll.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=338&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/360540/original/file-20200929-20-tuyjll.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=338&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/360540/original/file-20200929-20-tuyjll.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=424&fit=crop&dpr=1 754w, https://images.theconversation.com/files/360540/original/file-20200929-20-tuyjll.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=424&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/360540/original/file-20200929-20-tuyjll.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=424&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Reptiles are flown thousands of miles to homes where they may be mistreated.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/small-tortoises-on-pet-market-above-1723341676">Dogora Sun/Shutterstock</a></span>
</figcaption>
</figure>
<p>The new research illuminates some of the areas where our understanding is most limited. We know that many reptiles are sold as ingredients in medicines, for example, but we know almost nothing about the scale of this trade. This requires investigation, as does the role of social media – including Facebook and WhatsApp – in supporting the buying and selling of reptiles and other wildlife. </p>
<p>The new study also raises an alternative to the way the wildlife trade is currently regulated. What if no trade was the default starting point? Trade would only take place if there was sufficient evidence to show that it would not harm the survival of the species. This precautionary approach would address the lack of data for many species and also potentially simplify customs checks. </p>
<p>It’s time to rethink how this trade is regulated, and our relationship to wildlife altogether.</p>
<p class="fine-print"><em><span>Tanya Wyatt receives funding from the Scottish Government. She has received funding in the past from the Arts and Humanities Research Council. </span></em></p>
Reptiles are consistently overlooked by regulators of the trade in wildlife, but many face extinction in the wild.
Tanya Wyatt, Professor of Criminology, Northumbria University, Newcastle
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/138911
2020-05-26T12:19:21Z
2020-05-26T12:19:21Z
The coronavirus pandemic moved life online – a surge in website defacing followed
<figure><img src="https://images.theconversation.com/files/337085/original/file-20200522-124860-1ui5x3h.jpg?ixlib=rb-1.1.0&rect=0%2C8%2C5991%2C3979&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Website defacing can shut down businesses that have moved online during the coronavirus pandemic.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/upset-asian-business-woman-with-computer-screen-royalty-free-image/1222373309?adppopup=true">Siriporn Kaenseeya/EyeEm via Getty Images</a></span></figcaption></figure>
<p>One consequence of the public’s compliance with social distancing and quarantines during the COVID-19 pandemic is <a href="https://www.policeforum.org/covidmay12">a sharp decline in most types of crime</a>. It looks like people staying home made communities less conducive to crime.</p>
<p>Unfortunately, the news isn’t as good as those numbers alone suggest. Other settings are seeing an increase in crime following the stay-at-home orders. One is the household, where domestic violence is <a href="https://fivethirtyeight.com/features/what-we-know-about-crises-and-domestic-violence-and-what-that-could-mean-for-covid-19/">likely to have increased</a> in the past two months. </p>
<p>As <a href="https://ebcs.gsu.edu/">researchers who study cybercrime</a>, we’re finding that criminal activity seems to be <a href="https://www.zdnet.com/article/fbi-says-cybercrime-reports-quadrupled-during-covid-19-pandemic/">on the rise in the online world</a>, as well. At the same time, many people are relying more heavily than before on online services for work, entertainment and shopping. This makes them <a href="http://www.unicri.it/news/article/covid19_cyber_crime">more likely to become the targets</a> of different types of online crimes. And the websites and online platforms that these internet users access become more attractive targets to motivated hackers who aim to take them over and deface them. </p>
<h2>Wave of website defacing</h2>
<p>Website defacement is the online equivalent of graffiti vandalism. It occurs when a hacker infiltrates a server on which a website is hosted and changes the content of the website with images and text of their own choosing.</p>
<p>Unlike more sophisticated forms of hacking, the act of website defacement does not require hackers to have highly sophisticated skills. In fact, several hacker typologies suggest that this form of online crime can be a <a href="http://dx.doi.org/10.1016/j.diin.2015.07.002">stepping stone to involvement in more sophisticated hacking</a>, as well as a way to gain a reputation in the hacking community. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/336428/original/file-20200520-152311-bz5xbm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/336428/original/file-20200520-152311-bz5xbm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=249&fit=crop&dpr=1 600w, https://images.theconversation.com/files/336428/original/file-20200520-152311-bz5xbm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=249&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/336428/original/file-20200520-152311-bz5xbm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=249&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/336428/original/file-20200520-152311-bz5xbm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=313&fit=crop&dpr=1 754w, https://images.theconversation.com/files/336428/original/file-20200520-152311-bz5xbm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=313&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/336428/original/file-20200520-152311-bz5xbm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=313&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">A website of a U.K.-based canoe and kayak club was recently defaced.</span>
<span class="attribution"><span class="source">screen grab by David Maimon</span></span>
</figcaption>
</figure>
<p>The harm suffered by victims of this online crime varies from loss of trust in the owner of the website to loss of revenue. When business websites are taken down by hackers, they can’t process transactions. During the coronavirus pandemic, many merchants have been forced to shift from face-to-face trade to e-commerce, which means it’s likely that <a href="https://www.techradar.com/news/the-covid-19-crisis-is-resulting-in-a-growing-wave-of-small-business-cybercrime">more businesses will become victims</a> of cybercrime. </p>
<p>Findings from a recent analysis we conducted, based on information about website defacement activities reported on the hacker information site <a href="http://www.zone-h.org">Zone-h</a>, suggest that the average daily number of website defacement attacks reported in April 2020 is 50% higher than the average daily number of attacks reported in April 2019. Moreover, the volume of website defacement attacks reported by mid-May 2020 has already surpassed the volume of attacks reported in May 2019 for the entire month. </p>
<p>This steady increase in the number of daily website defacement attacks started in late March 2020, while January and February stayed steady. This leads us to believe that the pervasive isolation imposed by governments around the globe has given hackers more time to spend online, which became the driving force behind this trend. </p>
<p><iframe id="V5GSj" class="tc-infographic-datawrapper" src="https://datawrapper.dwcdn.net/V5GSj/2/" height="400px" width="100%" style="border: none" frameborder="0"></iframe></p>
<h2>Smaller sites in the crosshairs</h2>
<p>Our investigation of the types of websites that are being targeted by hackers reveals that large corporations and government entities are less likely to be the victims. The average daily number of sophisticated defacements against government agency and large private business websites has increased from 17.75 attacks per day in February to 21.6 attacks per day in April.</p>
<p>However, the frequency of those attacks is substantially lower than the overall average daily number of website defacements reported by hackers during that period. It appears that websites of small businesses, social clubs and private individuals are being disproportionately targeted by hackers. </p>
<p>Website defacers prefer to attack extremely vulnerable websites because many of them are inexperienced hackers, often referred to as script kiddies. They lack the skills required to attack high-profile targets, but are motivated to gain status among their online peers.</p>
<p>Findings from our analysis suggest that the number of newbie hackers who experiment with website defacement has grown rapidly during the COVID-19 crisis. The average number of reports of defacements by first-time hackers in February was 3.41 per day. In April the number was 6.31 per day, a 77% increase in the number of first-time hackers. </p>
<p>With more new hackers attempting to establish a reputation by attacking vulnerable websites, it is imperative that small business owners and individuals <a href="https://www.techprevue.com/protect-your-website-from-hackers/">protect their websites from attacks</a>. Protection strategies should include keeping the software used to maintain websites up to date, using strong passwords to access the servers that host the websites, preventing website users from uploading files, allowing users to connect to websites via the secure internet protocol (HTTPS) and using website security tools. Fortunately, visitors to defaced websites are generally not at risk.</p>
<p class="fine-print"><em><span>David Maimon receives funding from the National Science Foundation and the Department of Homeland Security. </span></em></p>
<p class="fine-print"><em><span>Christian Jordan Howell does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Vulnerable websites are popping up as organizations move online during the coronavirus pandemic – and hackers have more time at home alone. The result is more websites falling victim to defacement.
David Maimon, Associate Professor of Criminal Justice and Criminology, Georgia State University
Christian Jordan Howell, Doctoral candidate in Criminology, University of South Florida
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/133610
2020-05-12T12:35:22Z
2020-05-12T12:35:22Z
Government cybersecurity commission calls for international cooperation, resilience and retaliation
<figure><img src="https://images.theconversation.com/files/333751/original/file-20200508-49579-1pe7uye.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C7065%2C4875&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Real-time cyberattacks on a display at the 175th Cyberspace Operations Group of the Maryland Air National Guard.</span> <span class="attribution"><a class="source" href="https://flickr.com/photos/airmanmagazine/40080902694/">U.S. Air Force photo by J.M. Eddins Jr.</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc/4.0/">CC BY-NC</a></span></figcaption></figure>
<p>The global commons are under assault in cyberspace. 
Ransomware attacks, including North Korea’s <a href="https://www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html">WannaCry</a> and Russia’s <a href="https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/">NotPetya</a>, have disrupted vital medical services and global transportation systems, costing billions of dollars. <a href="https://www.newyorker.com/tech/annals-of-technology/should-the-us-expect-an-iranian-cyberattack">Iran</a> and <a href="https://www.oxfordscholarship.com/view/10.1093/oso/9780190618094.001.0001/oso-9780190618094">China</a> have engaged in similar actions.</p>
<p>These cyberattacks are carried out by states and nonstate actors that seek to undermine global connectivity for their own interests. But like a pandemic, these attacks affect all of society. The world needs a new approach to combating how nations use cyberspace to advance their interests at the expense of people around the world. </p>
<p>The U.S. <a href="https://www.solarium.gov/">Cyberspace Solarium Commission</a> was formed by Congress in 2018 to develop a strategic approach to defending the United States in cyberspace. It provided a road map for establishing cooperation and accountability in cyberspace. The commission consisted of four federal legislators, the deputies of the Department of Homeland Security, Department of Defense, office of the Director of National Intelligence and Department of Justice, and six private-sector experts. One of us, <a href="https://scholar.google.com/citations?user=7sjhifoAAAAJ&hl=en">Benjamin Jensen</a>, served as the commission’s senior research director.</p>
<p>The commissioners and staff conducted more than 400 interviews with cybersecurity professionals, researchers and officials in the private sector, academia and foreign governments. The commission’s <a href="https://www.solarium.gov/report">final report</a>, released in March, lays out a comprehensive plan of action based on a new strategy: layered cyber deterrence. </p>
<h2>Layered cyber deterrence</h2>
<p>The proposed strategy breaks new ground in two ways. First, it asserts that contrary to <a href="https://www.fifthdomain.com/dod/2019/04/30/is-there-such-a-concept-as-cyber-deterrence/">conventional wisdom</a>, it is possible to deter cyberattacks. Second, the strategy calls for coordinating activities in three layers to secure cyberspace. This won’t eliminate all bad behavior in cyberspace any more than traditional law enforcement has completely banished crime in the physical world. But it will improve how the U.S. government and the private sector respond to cyberthreats. </p>
<p>The first layer calls for the U.S. government to shape behavior in cyberspace through diplomacy and establishing new norms. Too many states quietly condone hacking to steal, spy and threaten their rivals. These attacks rely on illicit marketplaces for malware. The key is promoting responsible behavior in cyberspace and assigning specific expectations for the roles and responsibilities of governments and the private sector.</p>
<p>The second layer calls for the U.S. government to make cyberattacks less effective by promoting national resilience. This approach requires securing critical networks in collaboration with the private sector. It also requires being able to conclusively identify the perpetrators of malicious actions in cyberspace. And it requires increasing the security of the cyber ecosystem. Actions in this layer include working to create more transparency in cyber insurance markets and ensuring economic continuity in the event of a catastrophic cyber incident. </p>
<p>The third layer calls for the U.S. government to impose proportional costs to malicious actions in cyberspace. This requires the U.S., in collaboration with allies, to maintain the capability and credibility needed to retaliate against nations and organizations that target the U.S. in and through cyberspace. The means to retaliate include legal, financial, diplomatic and cyber powers that, applied in combination, assure compelling and unavoidable consequences for transgressors. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/333752/original/file-20200508-49550-305kzd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/333752/original/file-20200508-49550-305kzd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=422&fit=crop&dpr=1 600w, https://images.theconversation.com/files/333752/original/file-20200508-49550-305kzd.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=422&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/333752/original/file-20200508-49550-305kzd.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=422&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/333752/original/file-20200508-49550-305kzd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=530&fit=crop&dpr=1 754w, https://images.theconversation.com/files/333752/original/file-20200508-49550-305kzd.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=530&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/333752/original/file-20200508-49550-305kzd.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=530&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Personnel at Fort George G. Meade, headquarters of the United States Cyber Command.</span>
<span class="attribution"><a class="source" href="https://flickr.com/photos/ftmeade/28008201637/">Fort George G. Meade Public Affairs Office/flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<h2>Early action with diverse responses</h2>
<p>The U.S. Department of Defense “defend forward” policy, laid out in its <a href="https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF">2018 strategy</a>, calls for detecting and responding to threats as early as possible. Early action increases effectiveness and minimizes disruption. The commission report calls for this emphasis on early detection and action to be extended to the use of all government powers. It also calls for collaborating with an international coalition that lends strength and legitimacy when responding to cyber attacks. </p>
<p>The three components of this proposed strategy are defined as layers because they need to be applied in combination rather than as separate remedies. In this manner the strategy brings together a diverse array of private and public capabilities, resources and authorities. </p>
<p>The commission’s report includes 80 recommendations for implementing the strategy. For the recommendations that require changes in law, the commission drafted legislative language to assist Congress. The recommendations set the stage for a series of public hearings and outreach to the public. Implementing the strategy will involve changes in procedure, authority, law and ultimately in the behavior of cyberspace stakeholders. </p>
<p>While the commission has transitioned its role to one of advocacy for the report’s recommendations, the work of transforming perceived costs and benefits in cyberspace lies ahead. It will require the work of governments, the private sector and citizens. If the strategy is implemented successfully, nations that contemplate aggression in cyberspace will get the message: if you want to beat one of us, you’ll have to deal with all of us.</p>
<p class="fine-print"><em><span>Benjamin Jensen holds a dual appointment as a Professor at the Marine Corps University and as a Scholar-in-Residence at American University. He is a senior fellow at the Atlantic Council and serves as an officer in the U.S. Army Reserves. He served as the Senior Research Director for the U.S. Cyberspace Solarium Commission. The views expressed are his own.</span></em></p>
<p class="fine-print"><em><span>Chris Inglis does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
In the murky world of cyber espionage and cyber warfare, effective deterrence has long been considered out of reach. A government report argues it’s time to change that.
Benjamin Jensen, Professor of Strategic Studies, Marine Corps University; Scholar-in-Residence, American University, American University School of International Service
Chris Inglis, Distinguished Visiting Professor in Cyber Security Studies, United States Naval Academy
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/134599
2020-03-26T14:02:26Z
2020-03-26T14:02:26Z
Working from home risks online security and privacy – how to stay protected
<figure><img src="https://images.theconversation.com/files/322916/original/file-20200325-168876-1vls1qj.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C7694%2C5132&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/pensive-female-freelancer-working-on-publication-1054751132">GaudiLab/Shutterstock</a></span></figcaption></figure><p>Remote working can be a blessing. More time with family, less commuting, and meetings from the comfort of your living room. But as millions across the world switch to working from home due to the <a href="https://www.who.int/emergencies/diseases/novel-coronavirus-2019">COVID-19 pandemic</a>, they may be putting the security and privacy of themselves, their families and their employers at risk. </p>
<p>Many will be using online collaboration tools, such as <a href="https://zoom.us/">Zoom</a>, <a href="https://slack.com/">Slack</a>, and <a href="https://houseparty.com/">HouseParty</a> to stay connected to colleagues and friends now that physical contact is restricted.</p>
<p>Zoom, the most popular of the video calling platforms, allows call hosts to <a href="https://www.eff.org/deeplinks/2020/03/what-you-should-know-about-online-tools-during-covid-19-crisis">track attendee attention</a>, and in particular, whether you are in the Zoom window (as opposed to checking email or playing a game, for instance). Zoom also <a href="https://www.eff.org/deeplinks/2020/03/what-you-should-know-about-online-tools-during-covid-19-crisis">collects a host of other personal information</a> such as each caller’s location data, operating system, IP address, and what kind of device they’re using, whether it’s an Apple Mac, iPhone, Android or Windows device. </p>
<p>Zoom has had its share of security problems. A now-fixed <a href="https://threatpost.com/zoom-fixed-flaw-opening-meetings-to-hackers/152266/">software bug</a> had allowed anyone to find and join a meeting. There <a href="https://www.theverge.com/2019/7/9/20688113/zoom-apple-mac-patch-vulnerability-emergency-fix-web-server-remove">was</a> also a problem <a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5">with its software</a> which could have resulted in any malicious website turning on your camera and watching you unawares. And <a href="https://techcrunch.com/2020/03/17/zoombombing/">Zoom Bombing</a> is now a thing. It involves trolls using Zoom’s screensharing feature to display vile content, including violent videos and shocking pornography.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/322920/original/file-20200325-168907-1igdjeb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/322920/original/file-20200325-168907-1igdjeb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/322920/original/file-20200325-168907-1igdjeb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/322920/original/file-20200325-168907-1igdjeb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/322920/original/file-20200325-168907-1igdjeb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/322920/original/file-20200325-168907-1igdjeb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/322920/original/file-20200325-168907-1igdjeb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Video conferencing apps give colleagues a glimpse into your living space. But who else might be watching?</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/woman-having-video-chat-colleagues-table-1390309433">New Africa/Shutterstock</a></span>
</figcaption>
</figure>
<p>Another popular tool is Slack, which, as <a href="https://slack.com/intl/en-gb/">it states</a>, “is the place for remote work”. A core feature of Slack is its channels. These are spaces to share messages and files with colleagues on particular topics and projects. While paid accounts have some control over how long their channel or private message data is kept by Slack, <a href="https://www.eff.org/deeplinks/2020/03/what-you-should-know-about-online-tools-during-covid-19-crisis">free accounts are much more limited</a>. This could mean that your messages (including direct messages complaining about your boss or a colleague) are accessible to others, even if they aren’t to you.</p>
<p>For many people, working remotely is a completely new experience. Some are celebrating the novelty by using the <a href="https://twitter.com/hashtag/WorkFromHome">#WorkFromHome</a> hashtag on social media, and sharing posts that include photos of home office setups, and friends and family members.</p>
<p>This may seem benign, but it can actually expose <a href="https://arxiv.org/pdf/1811.06624.pdf">a variety of sensitive personal information</a> about you and those around you. </p>
<p>For instance, posting photos of homeworking setups, which happen to include letters, post or Amazon packages, can publicise your home address. Sharing photos and names of family members or pets may <a href="https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security">provide hints about your passwords</a> or even expose <a href="https://www.cs.ox.ac.uk/files/6632/trustcom2012_CGNP.pdf">your location</a>. </p>
<p>The now popular practice of sharing <a href="https://blog.zoom.us/wordpress/2017/11/14/how-zoom-employees-use-zoom/">screenshots of Zoom work group chats</a> or <a href="https://www.forbes.com/sites/thomasbrewster/2020/03/23/houseparty-is-the-hit-coronavirus-lockdown-app-safe/">HouseParty</a> <a href="https://twitter.com/hashtag/HouseParty">video hangouts</a> also has its privacy risks, given that companies have been known to <a href="https://www.wired.com/story/clearview-ai-scraping-web/">indiscriminately gather the photos we share online</a> and use them without our permission. This means anyone could match offline photos of us directly to our online profiles on Twitter, Facebook or LinkedIn. Some companies have even been known to <a href="https://www.telegraph.co.uk/technology/2019/04/09/facebook-plans-pass-photographs-advertisers-make-users-stars/">use our photos in adverts</a>.</p>
<h2>Well-equipped cyber-criminals</h2>
<p>Large-scale remote working is <a href="https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/">a security nightmare for employers</a>. As remote access to corporate networks is rolled out, cyber-criminals have their pick of places to attack. </p>
<p>Cyber-criminals are well aware of this, and have already begun to launch targeted attacks. According to the <a href="https://www.actionfraud.police.uk/alert/coronavirus-related-fraud-reports-increase-by-400-in-march">latest statistics</a>, coronavirus-related fraud reports have increased by 400% in March alone. There have been scams for <a href="https://www.bbc.co.uk/news/technology-51838468">COVID-19 tax refunds</a> and others <a href="https://www.bbc.co.uk/news/technology-51838468">impersonating the Centre for Disease Control to request donations</a>. </p>
<p>Criminals have impersonated staff from the <a href="https://exchange.xforce.ibmcloud.com/collection/2f9a23ad901ad94a8668731932ab5826">World Health Organization (WHO)</a> and there have been <a href="https://nakedsecurity.sophos.com/2020/03/19/dirty-little-secret-extortion-email-threatens-to-give-your-family-coronavirus/">extortion emails</a> that threaten to infect recipients with coronavirus unless they pay up. Even coronavirus outbreak and infection-tracking maps are <a href="https://www.weforum.org/agenda/2020/03/hackers-are-using-coronavirus-maps-to-spread-malware/">being used to spread malware</a>. </p>
<p>These problems are made worse by the reality that many of us will be using personal, and potentially less secure, home devices, such as laptops, phones and USB drives, for work tasks. Most people aren’t accustomed to <a href="https://kar.kent.ac.uk/67511/1/csss2015_bada_et_al.pdf">maintaining workplace security practices</a> over long periods in their homes, with kids, distractions and other commitments.</p>
<h2>How to stay safe</h2>
<ul>
<li><p>Be careful what you post publicly. Check that there is no potentially sensitive information in it. Once it’s published online, it’s there, forever.</p></li>
<li><p>Check recent security and privacy reports about online collaboration tools before using them, and if in doubt, consult your employer. These tools can have access to details about your devices, your data and your video and audio conversations. The <a href="https://www.eff.org/deeplinks">Electronic Frontier Foundation</a> is a good source. </p></li>
<li><p>Protect your devices. Install anti-virus software, update systems and apps, <a href="https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa">implement multi-factor authentication</a> (so that multiple pieces of evidence are needed for someone to use your login, such as username and password and a text message), and be on the <a href="https://nakedsecurity.sophos.com/2020/02/05/coronavirus-safety-measures-email-is-a-phishing-scam/">lookout for phishing scams</a>. </p></li>
<li><p>Zoom Bombing and other forms of hijacking meetings can be prevented. Share meeting links with <a href="https://blog.zoom.us/wordpress/2020/03/20/keep-the-party-crashers-from-crashing-your-zoom-event/">only invited parties</a>. <a href="https://techcrunch.com/2020/03/17/zoombombing/">Configure Zoom</a> to only allow the host to share screen, as appropriate. And <a href="https://nakedsecurity.sophos.com/2020/03/20/trolls-zoombomb-work-from-home-videocall-with-filth/">disable file transfers</a> to stop trolls sharing viruses with all attendees.</p></li>
<li><p>More tips are available through the <a href="https://www.who.int/about/communications/cyber-security">WHO</a>, <a href="https://www.weforum.org/agenda/2020/03/covid-19-transition-to-remote-work/">WEF</a>, <a href="https://www.ncsc.gov.uk/guidance/home-working">NCSC</a>, <a href="https://www.enisa.europa.eu/news/executive-news/top-tips-for-cybersecurity-when-working-remotely">ENISA</a> and <a href="https://www.consumer.ftc.gov/blog/2020/03/online-security-tips-working-home">FTC</a>.</p></li>
</ul>
<p class="fine-print"><em><span>Jason Nurse receives funding from The Engineering and Physical Sciences Research Council (EPSRC). </span></em></p>
<p>Beware the #WorkFromHome selfie.</p>
<p>Jason R.C. Nurse, Assistant Professor in Cyber Security, University of Kent</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Dark web: Study reveals how new offenders get involved in online paedophile communities</h1>
<p>2020-03-02T14:52:57Z</p>
<figure><img src="https://images.theconversation.com/files/317801/original/file-20200228-24672-eqy00l.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/internet-crime-concept-hacker-working-on-591402104">Alexander Geiger/Shutterstock</a></span></figcaption></figure><p>The “<a href="https://theconversation.com/what-is-the-dark-web-and-how-does-it-work-63613">dark web</a>” – a collection of heavily encrypted websites, forums and social networks – notoriously provides spaces for illegal activities. It’s where child sexual offenders meet to support each other and <a href="https://www.nationalcrimeagency.gov.uk/news/337-arrested-after-takedown-of-horrific-dark-web-child-abuse-site-welcome-to-video">share indecent images</a> and advice on abuse techniques – with near-complete anonymity. This provides a resource for individuals to learn the “skills” to become more dangerous offenders.</p>
<p>In response, some law enforcement agencies <a href="https://www.theguardian.com/society/2017/oct/07/australian-police-sting-brings-down-paedophile-forum-on-dark-web">deploy undercover officers</a> to enter these spaces posing as offenders to gather intelligence. But we don’t hear much about these communities. When it comes to online child abuse, it is largely stories of <a href="https://www.telegraph.co.uk/news/2016/09/08/online-paedophiles-can-groom-a-child-in-less-than-20-minutes-stu/">online grooming</a> that dominate the press. As part of my recent PhD research, however, I offer an insight into dark web communities of sexual offenders <a href="https://publications.aston.ac.uk/id/eprint/39062/1/Chiang_E._2018_Redacted.pdf">by analysing their language</a>.</p>
<p>Interactions between offenders have a devastating impact on victims. We need to understand them better, especially if this helps police to disrupt offending communities. Given that the online activities are almost exclusively linguistic, a good way to do this is with language analysis. This can help us understand how an officer might “authentically” portray an offender online. </p>
<p>Abusive communities are governed by strict rules – for example, not giving out personal information – to preserve security. Invariably, they are made up of members with varying levels of offending experience and expertise. An interesting subgroup are those who identify as “newbies”, with little or no experience of abusing or interacting in dark web environments.</p>
<p>Understanding newbies can help determine offenders’ experience levels. It is the first step to tracking how offenders progress to become more experienced and prolific. It can also help undercover police to portray realistic identities. When interacting with offenders who are often extremely distrustful and keenly aware of possible police presence, posing as the newbie might in fact be the easiest way to enter an offending community. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/318041/original/file-20200302-18287-xfxi6r.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/318041/original/file-20200302-18287-xfxi6r.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=411&fit=crop&dpr=1 600w, https://images.theconversation.com/files/318041/original/file-20200302-18287-xfxi6r.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=411&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/318041/original/file-20200302-18287-xfxi6r.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=411&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/318041/original/file-20200302-18287-xfxi6r.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=517&fit=crop&dpr=1 754w, https://images.theconversation.com/files/318041/original/file-20200302-18287-xfxi6r.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=517&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/318041/original/file-20200302-18287-xfxi6r.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=517&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Police are targeting the dark web to catch sex offenders.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-illustration/hacker-over-screen-binary-code-251313145">adike</a></span>
</figcaption>
</figure>
<p>So how do self-identifying newbies approach and attempt to join established offending communities online? To answer this, I took a look at the rhetorical moves – chunks of text <a href="https://www.researchgate.net/publication/282600729_Genre_performances_John_Swales'_Genre_Analysis_and_rhetorical-linguistic_genre_studies">with distinct communicative functions</a> – in newbies’ initial forum posts.</p>
<p>Through a manual analysis of 71 posts from six child abuse forums, I found 12 different moves. Aside from typical features of instant messaging such as “greetings” and “sign offs”, some of the most common are listed below.</p>
<p><strong>1. Expressing motivations.</strong> Newbies state their reasons for wanting to join the community. This involves expressing interests in specific age groups or types of indecent imagery, or hopes of finding other likeminded people to talk to.</p>
<p><strong>2. Demonstrating alignment.</strong> Newbies highlight their existing alignment or affiliation with the community, its interests and ideals. This often involves stating a sexual interest in children and sharing experiences of abusing. A <a href="https://www.researchgate.net/publication/221184392_De-Lurking_in_Virtual_Communities_A_Social_Communication_Network_Approach_to_Measuring_the_Effects_of_Social_and_Cultural_Capital">common strategy is “de-lurking”</a>, whereby newbies reveal that they have been passively present in the community for a while but have now decided to participate. This allows them to demonstrate their prior exposure to the community, and their understanding of its rules and practices. </p>
<p><strong>3. Expressing appreciation.</strong> This group of offenders show their appreciation of individual members and the community as a whole. This is done through praise, compliments and expressions of gratitude.</p>
<p><strong>4. Demonstrating newness.</strong> Newbies openly refer to their newbie status. Aside from explicit statements about being new to the community, they often do this by stating that they lack offending experience. They therefore often request tolerance from the other members.</p>
<p><strong>5. Demonstrating value.</strong> Offenders also tend to demonstrate how they can benefit the community. For example, they may offer indecent imagery or demonstrations of specific skills or services. This may include drawing hyper-realistic indecent images. </p>
<p><strong>6. Stating limitations.</strong> Newbies explain how they might be unable to meet community expectations or requirements, often by stating a lack of specific skills or possession of indecent images – something they may be apologetic about.</p>
<p><strong>7. Seeking support.</strong> New offenders sometimes seek help or guidance about a particular problem regarding online or offline offending. Support often concerns accessing children, solving technical issues to do with sharing imagery online, and moral guidance. </p>
<p>Different combinations of moves suggest there’s no one “type” of newbie offender; they approach the community for a range of reasons and use different tactics in the process. A common general strategy is to assume a kind of hybrid role – the “competent newbie” – by being forthcoming about lacking offending experience and, at the same time, demonstrating an understanding of the community norms and the behaviours expected of its members. Even the self-imposed label “newbie” positions them not as outsiders looking in, but as already part of the community, albeit in a low-status role. </p>
<p>The anonymity afforded by the dark web naturally makes these communities difficult to police – but not impossible. Linguistic analysis of dark web spaces like this can further help unpack the communicative strategies of offenders, identify those more and less experienced and assist police in assuming offender roles online. </p>
<p>Online child sex abuse is diverse and complex, and linguistic insight has helped and will <a href="https://www.theatlantic.com/technology/archive/2018/07/tim-grant-forensic-linguistics-child-predators/564671/">continue to help police</a> identify and catch offenders.</p>
<p class="fine-print"><em><span>Emily Chiang does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Language analysis may help police catch offenders.</p>
<p>Emily Chiang, Research Associate, Aston Institute for Forensic Linguistics, Aston University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Facebook’s push for end-to-end encryption is good news for user privacy, as well as terrorists and paedophiles</h1>
<p>2019-12-16T05:24:02Z</p>
<figure><img src="https://images.theconversation.com/files/307065/original/file-20191216-124004-1zmrcu.jpg?ixlib=rb-1.1.0&rect=0%2C80%2C4270%2C2910&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Facebook's initiative places the company in a complicated situation, as increased user privacy, while positive, could come with potential impunity for offenders. </span> <span class="attribution"><span class="source">SHUTTERSTOCK</span></span></figcaption></figure><p>Facebook is <a href="https://thenextweb.com/facebook/2019/10/31/facebook-is-testing-end-to-end-encryption-for-secret-messenger-calls/">planning end-to-end encryption on all its messaging services</a> to increase privacy levels. </p>
<p>The tech giant started <a href="https://www.theverge.com/2019/1/25/18197222/facebook-messenger-instagram-end-to-end-encryption-feature-zuckerberg">experimenting</a> with this <a href="https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networking/10156700570096634/">earlier this year</a>. Soon, end-to-end encryption will be standard for every Facebook message. </p>
<p>But the Australian, British and United States governments and <a href="https://www.news18.com/news/tech/facebook-wants-to-expand-encryption-across-all-its-platforms-but-lawmakers-are-wary-2376161.html">lawmakers</a> aren’t <a href="https://www.smh.com.au/politics/federal/encryption-can-t-put-tech-giants-beyond-the-reach-of-the-law-minister-says-20191211-p53ize.html">happy about it</a>. They fear it will make it impossible to recover criminal conversations from Facebook’s platforms, thus offering impunity to offenders. </p>
<p>For instance, this was a major concern following <a href="https://www.independent.co.uk/news/uk/home-news/khalid-masood-whatsapp-westminster-london-attack-parliament-message-isis-terror-network-contacts-a7649206.html">the 2017 London terror attacks</a>. Attackers used WhatsApp (Facebook’s end-to-end encrypted platform), and this frustrated police investigations.</p>
<p>But does Facebook’s initiative place the company between a political rock and an ethical hard place?</p>
<h2>What is end-to-end encryption?</h2>
<p><a href="https://en.wikipedia.org/wiki/End-to-end_encryption">End-to-end encryption</a> is a method of communicating more securely, compared to non-encrypted communications. </p>
<p>It involves using encryption (via cryptographic keys) that excludes third parties from accessing content shared between communicating users. </p>
<p>When the sender wants to communicate with the receiver, they share a unique <a href="https://searchsecurity.techtarget.com/definition/encryption">algorithmic key to decrypt</a> the message. No one else can access it, not even the service provider.</p>
<h2>The real incentive</h2>
<p>Facebook’s plan to <a href="https://www.forbes.com/sites/zakdoffman/2019/10/06/is-facebooks-new-encryption-fight-hiding-a-ruthless-secret-agenda/#6ec67b3b5699">enact this change is paradoxical</a>, considering the company has a history of <a href="https://heinonline.org/HOL/Page?handle=hein.journals/jmjcila31&div=20&g_sent=1&casa_token=9vXpTPHtJw8AAAAA:B6FRTbg2DmAm5BkVzfidBoBgvSwEM6DcOepLuWUbEM-4ICx8U5kUPS7496BddNrArud0rRPh">harvesting user data</a> and <a href="https://www.businessinsider.com.au/why-you-should-delete-facebook-messenger-2018-4?r=US&IR=T">selling it to third parties</a>. </p>
<p>Now, it supposedly wants to protect the privacy of the same users.</p>
<p>One possible reason Facebook is pushing for this development is because it will solve many of <a href="https://www.forbes.com/sites/zakdoffman/2019/10/06/is-facebooks-new-encryption-fight-hiding-a-ruthless-secret-agenda/#6ec67b3b5699">its legal woes</a>. </p>
<p>With end-to-end encryption, the company will no longer have <a href="https://en.wikipedia.org/wiki/Backdoor_(computing)">backdoor</a> access to users’ messages. </p>
<p>Thus, it won’t be forced to comply with requests from law enforcement agencies to access data. And even if police were able to get hold of the data, they would still need the key required to read the messages. </p>
<p>Only users would have the ability to share the key (or messages) with law enforcement.</p>
<h2>Points in favour</h2>
<p>Implementing end-to-end encryption will positively impact Facebook users’ privacy, as their messages will be protected from eavesdropping. </p>
<p>This means Facebook, law enforcement agencies and hackers will find it harder to intercept any communication done through the platform. </p>
<p>And although end-to-end encryption is arguably not necessary for most everyday conversations, it does have <a href="https://www.usenix.org/system/files/conference/soups2016/way_2016_paper_vaziripour.pdf">advantages</a>, including: </p>
<p>1) protecting users’ personal and financial information, such as transactions on Facebook Marketplace </p>
<p>2) increasing trust and cooperation between users </p>
<p>3) preventing criminals eavesdropping on individuals to harvest their information, which can render them victim to <a href="https://www.thebalance.com/beware-of-these-11-facebook-scams-1947431">stalking, scamming and romance frauds</a></p>
<p>4) allowing those with sensitive medical, political or sexual information to be able to share it with others online</p>
<p>5) enabling journalists and intelligence agencies to communicate privately with sources.</p>
<h2>Not foolproof</h2>
<p>However, even though end-to-end encryption will increase users’ privacy in certain situations, it may still not be enough to make conversations completely safe.</p>
<p>This is because the biggest eavesdropping threat is the very act of using a device. </p>
<p>End-to-end encryption doesn’t <a href="https://medium.com/@BlackwaveLtd/end-to-end-encryption-is-not-secure-without-proper-authentication-67bfa3c8108">guarantee</a> the people we are talking to online are who they say they are. </p>
<p>Also, while cryptographic algorithms are hard to crack, third parties can still <a href="https://www.us-cert.gov/bsi/articles/knowledge/principles/securing-the-weakest-link">obtain the key to open the message</a>. For example, this can be done by using apps to <a href="https://recon.meddle.mobi/papers/panoptispy18pets.pdf">take screenshots</a> of a conversation, and sending them to third parties.</p>
<h2>A benefit for criminals</h2>
<p>When Facebook messages become end-to-end encrypted, it will be <a href="https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0150300#pone.0150300.ref009">harder to detect criminals</a>, including people who use the platform to commit <a href="http://milwaukeenns.org/2014/05/21/special-report-diploma-mill-scams-continue-to-plague-milwaukees-adult-students">scams</a> and launch <a href="https://www.helpnetsecurity.com/2014/05/27/instant-messaging-trojan-spreads-through-the-uk/">malware</a>.</p>
<p>Others use Facebook <a href="https://gulfnews.com/world/gulf/kuwait/kuwait-cracks-down-on-illegal-racket-on-selling-housemaids-using-app-1.1572855473783">for human</a> or sex trafficking, as well as <a href="https://www.justice.gov/usao-ednc/pr/jacksonville-man-sentenced-child-pornography-case">child grooming</a> and <a href="https://www.smh.com.au/politics/federal/facebook-must-pick-a-side-in-fight-against-online-child-sex-abuse-dutton-20191004-p52xnw.html">exploitation</a>.</p>
<p>Facebook Messenger can also help <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3005872">criminals organise themselves</a>, as well as plan and carry out crimes, including terror attacks and cyber-enabled fraud, extortion and hacks.</p>
<p>The unfortunate <a href="https://philpapers.org/rec/ORRRSA-2">trade-off</a> in <a href="https://books.google.com.au/books?hl=en&lr=&id=xpsA2Cq997wC&oi=fnd&pg=PP2&dq=increasing+privacy+surveillance+internet&ots=nSKCdoaLWu&sig=IIRuxqn5731sXp8A989Vyl9Ef00&redir_esc=y#v=onepage&q=increasing%20privacy%20surveillance%20internet&f=false">increasing user privacy</a> is reducing the capacity for surveillance and national security efforts. </p>
<p>End-to-end encryption on Facebook would also increase criminals’ feeling of <a href="https://www.sciencedirect.com/science/article/pii/S0747563217305812">security</a>. </p>
<p>However, although tech companies can’t deny the risk of having their technologies exploited for illegal purposes, they also don’t have a <a href="https://www.industry.gov.au/data-and-publications/australias-tech-future/cyber-security/what-is-the-government-doing-in-cyber-security">complete duty to keep a particular country’s cyberspace safe</a>. </p>
<h2>What to do?</h2>
<p>A potential solution to the dilemma can be found in various <a href="https://www.computerworld.com/article/3427019/the-snoopers-charter-everything-you-need-to-know-about-the-investigatory-powers-act.html">critiques</a> of the <a href="https://publications.parliament.uk/pa/bills/lbill/2016-2017/0066/17066.pdf">UK’s 2016 Investigatory Powers Act</a>. </p>
<p>It proposes that, on certain occasions, a communications service provider may be asked to remove encryption (where possible). </p>
<p>However, this power must come from an authority that <a href="https://cadmus.eui.eu/handle/1814/25714">can be held accountable</a> in court for its actions, and this should be used as a last resort. </p>
<p>In doing so, encryption will increase user privacy without allowing total privacy, which carries <a href="https://guardtime.com/blog/6-reasons-why-encryption-isnt-working">harmful consequences</a>. </p>
<p>So far, several governments have pushed back against Facebook’s encryption plans, fearing it will place <a href="https://www.smh.com.au/politics/federal/encryption-can-t-put-tech-giants-beyond-the-reach-of-the-law-minister-says-20191211-p53ize.html">the company and its users beyond their reach</a>, and make it more difficult to <a href="https://www.occrp.org/en/61-ccblog/8822-encryption-a-godsend-to-all-who-seek-privacy-even-criminals">catch criminals</a>. </p>
<p>End-to-end encryption is perceived as a bulwark against surveillance by third parties and governments, despite <a href="https://cs.stanford.edu/people/eroberts/cs181/projects/ethics-of-surveillance/tech_wiretapping.html">other ways of intercepting communications</a>.</p>
<p>Many also agree surveillance is not only <a href="https://www.alrc.gov.au/wp-content/uploads/2019/08/119_org_pirate_party_australia.pdf">invasive, but also prone to abuse</a> by governments and third parties. </p>
<p>Freedom from invasive surveillance also <a href="https://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx">facilitates freedom of expression</a>, opinion and privacy, as observed by the United Nations High Commissioner for Human Rights. </p>
<p>In a world where debate is polarised by social media, Facebook and similar platforms are caught amid the politics of security. </p>
<p>It’s hard to say how a perfect balance can be achieved in such a multifactorial dilemma. </p>
<p>Either way, the decision is a political one, and governments - as opposed to tech companies - should ultimately be responsible for such decisions.</p>
<p class="fine-print"><em><span>Roberto Musotto is affiliated with the Cyber Security Research Cooperative Centre (CSCRC).</span></em></p><p class="fine-print"><em><span>David S. Wall receives funding from the EPSRC (CRiTiCal & EMPHASIS Projects)</span></em></p>
<p>Facebook is planning to put end-to-end encryption on all its messaging services soon. But governments aren’t happy about it, as it could make it harder to catch criminals.</p>
<p>Roberto Musotto, Cyber Security Cooperative Research Centre Postdoctoral Fellow, Edith Cowan University</p>
<p>David S. Wall, Professor of Criminology, University of Leeds</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<p>tag:theconversation.com,2011:article/114911, 2019-04-04T10:03:34Z</p>
<h1>New livestreaming legislation fails to take into account how the internet actually works</h1>
<figure><img src="https://images.theconversation.com/files/267504/original/file-20190404-131404-ctpebk.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The new laws could mean internet service providers could end up being forced to surveil the activities of users. </span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/students-computer-classroom-learning-information-technology-1051929101">from www.shutterstock.com</a></span></figcaption></figure>
<p>In response to the <a href="https://www.abc.net.au/news/2019-03-15/christchurch-shooting-live-stream-think-twice-about-watching-it/10907258">live streamed terror attack in New Zealand</a> last month, <a href="https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=s1201">new laws have just been passed</a> by the Australian Parliament. </p>
<p>These laws amend the <a href="https://www.legislation.gov.au/Series/C2004A04868">Commonwealth Criminal Code</a>, adding two substantive new criminal offences.</p>
<p>Both are aimed not at terrorists but at technology companies. And how that’s done is where some of the new measures fall down. </p>
<p>The legislation was rushed through with <a href="https://www.abc.net.au/news/science/2019-04-04/facebook-youtube-social-media-laws-rushed-and-flawed-critics-say/10965812">neither consultation nor sufficient discussion</a>.</p>
<p>The laws focus on abhorrent violent material, capturing the terrorist incident in New Zealand, but also online content created by a person carrying out a murder, attempted murder, torture, rape or violent kidnapping.</p>
<p>The laws do not cover material captured by third parties who witness a crime, only content from an attacker, their accomplice, or someone who attempts to join the violence.</p>
<p>The aim is to prevent perpetrators of extreme violence from using the internet to glorify or publicise what they have done. This will reduce terrorists’ ability to spread panic and fear. It will reduce criminals’ ability to intimidate. This is about taking away the tools harmful actors use to damage society.</p>
<h2>What the legislation aims to do</h2>
<p>Section 474.33 of the Criminal Code makes it a criminal offence for any internet service provider, content service or hosting service to fail to notify the Australian Federal Police, within a reasonable time, once they become aware their service is being used to access abhorrent violent material that occurred or is occurring in Australia. Failing to comply can result in a fine of 800 penalty units (currently $128,952).</p>
<p>Section 474.34 makes it a criminal offence for a content service or hosting service, whether inside or outside Australia, to fail to expeditiously take down material made available through their service and accessible in Australia. </p>
<p>The criminal element of fault is not that the service provider deliberately makes the material available, but rather that they are reckless with regards to identifying such content or providing access to it. Reckless, however, has been given a rather special meaning.</p>
<h2>What we’ve got right</h2>
<p>There is a clear need for new laws. </p>
<p>Focusing on regulating technology services is the right approach. Back in 2010 when I <a href="http://oboler.com/papers/time_to_regulate.pdf">first raised this idea</a> it was considered radical; today <a href="https://theconversation.com/zuckerbergs-new-rules-for-the-internet-must-move-from-words-to-actions-114593">even Mark Zuckerberg supports government regulation</a>. </p>
<p>We’ve <a href="https://www.theguardian.com/technology/2018/mar/11/tim-berners-lee-tech-companies-regulations">moved away</a> from the idea of technology companies of all types being part of a safe harbour that keeps the internet unregulated. That’s to be welcomed.</p>
<p>Penalties for companies that behave recklessly – failing to build suitable mechanisms to find and remove abhorrent violent material – are also to be welcomed. Such systems should indeed be expanded to cover credible threats of violence and major interference in a country’s sovereignty, such as efforts to manipulate elections or cause mass panics through fake news. </p>
<p>Recklessness as it is ordinarily understood – that is, failing to take the steps a reasonable person in the same position would take – allows the standard to slowly rise as technology and systems for responding to such incidents improve.</p>
<p>Also to be welcomed is the new ability for the eSafety Commissioner to issue a notice to a company identifying an item of abhorrent violent material and to demand its removal. When the government is aware of such content, there must be a way to require rapid action. The law does this.</p>
<h2>Where we’ve fallen down</h2>
<p>One potential problem with the legislation is the requirement for internet service providers (ISPs) to notify the Australian Federal Police if they are aware their service can be used to access any particular abhorrent violent material. </p>
<p>As ISPs provide access for consumers to everything on the internet, this seeks to turn ISPs into a national surveillance network. It has the potential to move us from an already problematic <a href="https://theconversation.com/australians-accept-government-surveillance-for-now-110789">meta-data retention scheme</a> into an expectation for ISPs to apply deep packet inspection monitoring of everything that is said.</p>
<p>Content services (including social media platforms such as Facebook, YouTube and Twitter, and regular websites) and hosting services (provided by companies such as <a href="https://www.telstra.com.au/small-business/websites-and-ecommerce">Telstra</a>, <a href="https://azure.microsoft.com/en-au/">Microsoft</a> and <a href="https://aws.amazon.com/">Amazon</a> through to companies like <a href="https://www.serversaustralia.com.au/">Servers Australia</a> and <a href="https://synergywholesale.com/">Synergy Wholesale</a>) have a more serious problem. </p>
<p>Under the new laws, if content is online at the time a notice is issued by the eSafety Commissioner, the legal presumption will be that the company was behaving recklessly at that time. The notice is not a demand to respond, but rather a finding that the response is already too slow. The relevant section (s 474.35(5)) states (emphasis added) that if a notice has been correctly issued:</p>
<blockquote>
<p>…then, in that prosecution, it must be presumed that the person was reckless as to whether the content service could be used to access the specified material <em>at the time the notice was issued</em>…</p>
</blockquote>
<p>While the presumption can be rebutted, this is still quite different from what the <a href="https://www.attorneygeneral.gov.au/Media/Pages/Tough-New-Laws-to-protect-Australians-from-Live-Streaming-of-Violent-Crimes.aspx">Attorney General’s press release (dated 4 April 2019) claimed</a>:</p>
<blockquote>
<p>… the e-Safety Commissioner will have the power to issue notices that bring this type of material to the attention of social media companies. As soon as they receive a notice, they will be deemed to be aware of the material, meaning the clock starts ticking for the platform to remove the material or face extremely serious criminal penalties.</p>
</blockquote>
<p>As the law is written, the notice is more of a notification that the clock has already run out of time. It’s like arguing that the occurrence of a terrorist act means “it must be presumed” the government was reckless with regards to prevention. That’s not a fair standard. The idea of the notice starting the clock would in fact be much fairer. </p>
<p>Under this law, a content service provider can be found to have been reckless and to have failed to expeditiously remove content even if no notice was ever issued. In some cases that may be a good thing, but what was passed as law, and what they say they intended, don’t appear to match.</p>
<p>Hosting services have the worst of it. They provide the space on servers that allows content to appear on the internet. It’s a little like the arrangement between a landlord and a tenant. With hosting plans starting from around $50 a year, there’s no margin to cover monitoring and complaints management. </p>
<p>The new laws suggest hosting services will be acting recklessly if they don’t monitor their clients so they can take action before the eSafety Commissioner issues a notice. They just aren’t in a position to do that.</p>
<h2>A lot still needs to be done</h2>
<p>As it stands, only the expeditious removal of content or suspension of a client’s account can avoid the new offence. The legislation does not define what expeditious removal means. There is nothing to suggest the clock would start only after the service provider becomes aware of the content, and the notice from the eSafety Commissioner doesn’t start a clock but says a response is already overdue. </p>
<p>This law is designed to apply pressure on companies so they improve their response times and take preemptive action. </p>
<p>What’s missing too is a target with safe harbour protections, that is, a clear standard and a rule that says if companies can meet that standard they can enjoy an immunity from prosecution under this law. That would give companies both a goal and an incentive to reach it. </p>
<p>Also missing is a way to measure response times. If we can’t measure it, we can’t push for it to be continually improved.</p>
<p>Rapid removal should be required after a notice from the eSafety Commissioner, perhaps removal within an hour. Fast removal, for example within 24 hours, should be required when reports come from the public. </p>
<p>The exact time lines that are possible should be the subject of consultation with both industry and civil society. They need to be achievable, not merely aspirational.</p>
<p>Working together, government, industry and civil society can create systems to monitor and continually improve efforts to tackle online hate and extremism. </p>
<p>That includes the most serious content such as abhorrent violence and incitement to violent extremism. </p>
<p>Trust, consultation and goodwill are needed to keep people safe.</p>
<p class="fine-print"><em><span>Andre Oboler is CEO of the Online Hate Prevention Institute, a charity dedicated to tackling online hate and extremism. He is a member of the Australian Government's delegation to the International Holocaust Remembrance Alliance and has received grants to support travel associated with that work. He has received funding for research related to the use of open source intelligence by government agencies. </span></em></p>
<p>The Commonwealth Criminal Code now has two substantive new criminal offences aimed at limiting live streaming of crime. Both target technology companies, not terrorists.</p>
<p>Andre Oboler, Senior Lecturer, Master of Cyber-Security Program (Law), La Trobe University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<p>tag:theconversation.com,2011:article/105542, 2018-10-30T10:46:09Z</p>
<h1>Illuminating the ‘dark web’</h1>
<figure><img src="https://images.theconversation.com/files/242822/original/file-20181029-76402-1x7avti.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">It might sound scary, but the 'dark web' is not much different from the rest of the internet.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/pretty-scary-frightening-spider-web-halloween-151934447">Willequet Manuel/Shutterstock.com</a></span></figcaption></figure>
<p>In the wake of recent violent events in the U.S., many people are expressing concern about the tone and content of online communications, including talk of the “dark web.” Despite the sinister-sounding phrase, there is not just one “dark web.” The term is actually fairly technical in origin, and is often used to describe some of the lesser-known corners of the internet. 
As I discuss in my new book, “<a href="https://mitpress.mit.edu/books/weaving-dark-web">Weaving the Dark Web: Legitimacy on Freenet, Tor, and I2P</a>,” the online services that make up what has come to be called the “dark web” have been evolving since the early days of the commercial internet – but because of their technological differences, are not well understood by the public, policymakers or the media.</p>
<p>As a result, people often think of the dark web as a place where people sell drugs or exchange stolen information – or as some rare section of the internet Google can’t crawl. It’s both, and neither, and much more. </p>
<h2>Seeking anonymity and privacy</h2>
<p>In brief, dark websites are just like any other website, containing whatever information their owners want to provide, and built with standard web technologies, like hosting software, HTML and JavaScript. Dark websites can be viewed by a standard web browser like Firefox or Chrome. The difference is that they can only be accessed through special network-routing software, which is designed to provide anonymity for both visitors to websites and publishers of these sites.</p>
<p>Websites on the dark web don’t end in “.com” or “.org” or other more common web address endings; they more often include long strings of letters and numbers, ending in “.onion” or “.i2p.” Those are signals that tell software like <a href="https://freenetproject.org/">Freenet</a>, <a href="https://geti2p.net/en/">I2P</a> or <a href="https://www.torproject.org/">Tor</a> how to find dark websites while keeping users’ and hosts’ identities private. </p>
<p>Those programs got their start a couple of decades ago. In 1999, Irish computer scientist Ian Clarke started Freenet as a <a href="https://doi.org/10.1145/1831407.1831427">peer-to-peer system</a> for computers to distribute various types of data in a decentralized manner rather than through the more centralized structure of the mainstream internet. The structure of Freenet <a href="https://doi.org/10.1007/3-540-44702-4_4">separates the identity of the creator</a> of a file from its content, which made it attractive for people who wanted to host anonymous websites. </p>
<p>Not long after Freenet began, the <a href="https://www.torproject.org/">Tor Project</a> and the <a href="https://geti2p.net/en/">Invisible Internet Project</a> developed <a href="http://doi.org/10.1109/NSS.2010.47">their own distinct methods</a> for <a href="https://doi.org/10.1016/j.comcom.2013.04.009">anonymously hosting websites</a>.</p>
<p>Today, the more commonly used internet has billions of websites – but the dark web is tiny, with tens of thousands of sites at the most, at least according to the <a href="https://www.dailydot.com/layer8/best-deep-web-search-engines/">various indexes and search engines</a> that crawl these three networks.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/242816/original/file-20181029-76390-1uarw29.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/242816/original/file-20181029-76390-1uarw29.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/242816/original/file-20181029-76390-1uarw29.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=497&fit=crop&dpr=1 600w, https://images.theconversation.com/files/242816/original/file-20181029-76390-1uarw29.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=497&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/242816/original/file-20181029-76390-1uarw29.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=497&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/242816/original/file-20181029-76390-1uarw29.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=625&fit=crop&dpr=1 754w, https://images.theconversation.com/files/242816/original/file-20181029-76390-1uarw29.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=625&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/242816/original/file-20181029-76390-1uarw29.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=625&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">The Tor Project promotes and encourages online anonymity.</span>
<span class="attribution"><a class="source" href="https://www.torproject.org">Screenshot by The Conversation</a>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<h2>A more private web</h2>
<p>The most commonly used of the three anonymous systems is <a href="https://theconversation.com/securing-web-browsing-protecting-the-tor-network-56840">Tor</a> – which is so prominent that mainstream websites like Facebook, The New York Times and The Washington Post operate versions of their websites accessible <a href="https://theconversation.com/tor-upgrades-to-make-anonymous-publishing-safer-73641">on Tor’s network</a>. Obviously, those sites don’t seek to keep their identities secret, but they have piggybacked on Tor’s anonymizing web technology in order to allow users to connect privately and securely without governments knowing.</p>
<p>In addition, Tor’s system is set up to allow users to anonymously browse not only dark websites, but also regular websites. Using Tor to access the regular internet privately is much more <a href="https://www.wired.com/story/the-grand-tor/">common than using it to browse the dark web</a>.</p>
<h2>Moral aspects of ‘dark’ browsing</h2>
<p>Given the often sensationalized media coverage of the dark web, it’s understandable that people think the term “dark” is a moral judgment. Hitmen for hire, terrorist propaganda, child trafficking and exploitation, guns, drugs and stolen information markets do sound pretty dark.</p>
<p>Yet people commit crimes throughout the internet with some regularity – including trying to <a href="https://www.cnet.com/news/its-still-not-a-good-idea-to-hire-a-hitman-on-craigslist-powerpoint/">hire killers on Craigslist</a> and <a href="https://www.cnet.com/g00/news/how-to-get-caught-buying-drugs-on-venmo-this-twitter-bot/">using Venmo to pay for drug purchases</a>. One of the activities often associated with the dark web, terrorist propaganda, is <a href="https://doi.org/10.1080/00396338.2016.1142085">far more prevalent on the regular web</a>.</p>
<p>Defining the dark web only by the bad things that happen there ignores the <a href="https://ahmia.fi/">innovative search engines</a> and <a href="http://journals.sagepub.com/doi/10.1177/1461444814554900">privacy-conscious social networking</a> – as well as important <a href="https://thetinhat.com/blog/else/new-tin-hat-portal.html">blogging by political dissidents</a>.</p>
<p>Even complaining that dark web information isn’t indexed by search engines misses the crucial reality that search engines never see huge swaths of the regular internet either – such as email traffic, online gaming activity, streaming video services, documents shared within corporations or on data-sharing services like Dropbox, academic and news articles behind paywalls, interactive databases and even posts on social media sites. Ultimately, though, the <a href="https://theconversation.com/searching-deep-and-dark-building-a-google-for-the-less-visible-parts-of-the-web-58472">dark web is indeed searchable</a> as I explain in a chapter of my book.</p>
<p>Thus, as I suggest, a more accurate connotation of “dark” in “dark web” is found in the phrase “<a href="https://theconversation.com/real-security-requires-strong-encryption-even-if-investigators-get-blocked-84252">going dark</a>” – moving communications out of clear and public channels and into encrypted or more private ones.</p>
<h2>Managing anxieties</h2>
<p>Focusing all this fear and moral judgment on the dark web risks both needlessly scaring people about online safety and erroneously reassuring them about online safety. </p>
<p>For instance, the financial services company Experian sells services that purport to “<a href="https://www.ispot.tv/ad/w_5i/experian-dark-web-scan-protect-yourself-featuring-rudy-giuliani">monitor the dark web</a>” to alert customers when their personal data has been compromised by hackers and offered for sale online. Yet to sign up for that service, customers have to <a href="http://www.experian.com/blogs/ask-experian/what-is-the-dark-web/">give the company all sorts of personal information</a> – including their Social Security number and email address – the very data they’re seeking to protect. And they have to hope that Experian doesn’t get hacked, as <a href="https://money.cnn.com/2018/02/09/pf/equifax-hack-senate-disclosure/index.html">its competitor Equifax was</a>, compromising the personal data of <a href="https://www.zdnet.com/article/us-government-releases-post-mortem-report-on-equifax-hack/">nearly every adult in the U.S.</a></p>
<p>It’s inaccurate to assume that online crime is based on the dark web – or that the only activity on the dark web is dangerous and illegal. It’s also inaccurate to see the dark web as content beyond the reach of search engines. Acting on these incorrect assumptions would encourage governments and corporations to want to monitor and police online activity – and risk giving public support to privacy-invading efforts.</p>
<p>
<section class="inline-content">
<img src="https://images.theconversation.com/files/248895/original/file-20181204-133100-t34yqm.png?w=128&h=128">
<div>
<header>Robert Gehl is the author of:</header>
<p><a href="https://mitpress.mit.edu/books/weaving-dark-web">Weaving the Dark Web: Legitimacy on Freenet, Tor, and I2P</a></p>
<footer>MIT Press provides funding as a member of The Conversation US.</footer>
</div>
</section>
</p>
<p class="fine-print"><em><span>MIT Press provides funding as a member of The Conversation US.</span></em></p>
<p>Begun as part of efforts to preserve online anonymity and privacy, Freenet, Tor and the Invisible Internet Project are, like the rest of the web, home to both crime and free expression.</p>
<p>Robert W. Gehl, Associate Professor of Communication, University of Utah</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<p>tag:theconversation.com,2011:article/90972, 2018-02-01T11:13:05Z</p>
<h1>The virtual door to online child sexual grooming is wide open</h1>
<figure><img src="https://images.theconversation.com/files/204422/original/file-20180201-123826-1cimz24.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">Shutterstock.</span></span></figcaption></figure>
<p><a href="http://www.nationalcrimeagency.gov.uk/publications/670-emerging-new-threat-in-online-dating-initial-trends-in-internet-dating-initiated-serious-sexual-assaults/file">The nature of sexual offending has changed</a> with most interactions occurring online and involving younger victims. This change is seeing people taking more risks by virtually <a href="https://theconversation.com/stranger-danger-in-the-online-and-real-world-79517">opening their door to “strangers”</a>.</p>
<p>A harsh reality of “contact” sexual offending is that many offenders will use various <a href="http://onlinelibrary.wiley.com/doi/10.1111/cfs.12080/pdf">grooming techniques</a> to enable them to commit sexual offences. Whether this is an online conversation manipulated into a face-to-face meeting, or a chat in a cafe or bar resulting in a victim being led to a less crowded area, the reoccurring themes are coercion, control and trust.</p>
<p>A <a href="https://www.gov.uk/government/news/new-crackdown-on-child-groomers-comes-into-force">new offence</a> of sexual communication with a child was introduced in April 2017. Before this, police could not intervene until groomers attempted to meet victims face-to-face. </p>
<p>The latest figures reveal that a staggering <a href="http://www.bbc.co.uk/news/uk-42855172">1,316 offences</a> were recorded in the first six months of this law being introduced in England and Wales. There are now calls for social media sites to do more “grooming prevention” and consider the use of “<a href="https://www.nspcc.org.uk/what-we-do/news-opinion/more-than-1300-cases-sexual-communication-with-child-recorded-after-change-in-law/">anti-grooming alerts</a>” for potential victims. But there are some key issues that should be considered before furthering this idea. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/204272/original/file-20180131-157462-l9r83u.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/204272/original/file-20180131-157462-l9r83u.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=380&fit=crop&dpr=1 600w, https://images.theconversation.com/files/204272/original/file-20180131-157462-l9r83u.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=380&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/204272/original/file-20180131-157462-l9r83u.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=380&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/204272/original/file-20180131-157462-l9r83u.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=477&fit=crop&dpr=1 754w, https://images.theconversation.com/files/204272/original/file-20180131-157462-l9r83u.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=477&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/204272/original/file-20180131-157462-l9r83u.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=477&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The realities of sexual grooming online are only just being discovered.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/silhouette-girl-using-her-tablet-computer-265870769">Shutterstock/KylieWalls</a></span>
</figcaption>
</figure>
<h2>What is the true scale of online grooming?</h2>
<p>Crime figures released for 2015/16 indicate there were <a href="https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/compendium/focusonviolentcrimeandsexualoffences/yearendingmarch2016/overviewofviolentcrimeandsexualoffences#what-do-we-know-about-sexual-offences">37,778 child sexual offences</a> (including grooming) in England – that’s 36.3 sexual offences per 10,000 children under 16. Wales, Scotland and Northern Ireland recorded even higher rates.</p>
<p>Within these figures, the <a href="https://www.nspcc.org.uk/globalassets/documents/research-reports/how-safe-children-2017-report.pdf">NSPCC reported</a> that there were 11,230 child rape offences and 25,577 involving sexual assault/sexual activity against children. These figures are much higher than the reported grooming offences (<a href="http://www.bbc.co.uk/news/uk-42855172">1,316 over six months</a>). But why?</p>
<p>Crime data does not detail how many sexual offences also included grooming, or whether grooming offences are dropped when evidence of child sexual abuse is found. Undetected grooming offences can lead to horrific sexual abuse, such as in the much publicised <a href="https://www.theguardian.com/uk-news/2016/apr/08/rochdale-grooming-case-10-men-sentenced-to-up-to-25-years-in-jail">Rochdale grooming case</a> (where young girls were targeted by older men who plied them with alcohol) and in the <a href="http://www.tandfonline.com/doi/abs/10.1080/13552600.2014.927009">online</a> grooming world too. Child victims describe grooming as a <a href="http://onlinelibrary.wiley.com/doi/10.1111/cfs.12080/abstract">key feature</a> of their abuse. </p>
<p>Is it that the intelligence tools available are unable to identify interactions in time to stop contact sexual abuse occurring? There is no doubt that the <a href="http://www.college.police.uk/News/College-news/Documents/Demand%20Report%2023_1_15_noBleed.pdf">demand on police</a> is ever increasing, with this type of crime requiring specialist skills and expertise. </p>
<h2>Responsibility on social media companies</h2>
<p>Social media companies should do all they can to reduce illegal behaviour on their platforms. A key issue centres on the ability to accurately identify potential groomers. Various studies have reported good results in <a href="https://link.springer.com/chapter/10.1007/978-3-319-13734-6_30">identifying grooming behaviour</a>. But research has also noted that offenders are using <a href="http://www.tandfonline.com/doi/abs/10.1080/01639625.2014.944074">a wide variety of grooming processes</a> to snare their victims. </p>
<p>Evidence of differing functions within <a href="http://journals.sagepub.com/doi/abs/10.1177/1079063210384275">offender-victim interactions</a> has been observed, with some offenders restricting their sexual behaviour to online (fantasy-driven) and others using the internet to facilitate the abuse of children (contact-driven). Research has also shown that a <a href="http://www.internetbehavior.com/pdf/contact_and_cp_mcmanus.pdf">key part of the “offending pathway”</a> from online to contact abuse is grooming. </p>
<p>Consequently, many researchers agree that although the motivations behind interactions are sexually deviant, they may <a href="http://www.tandfonline.com/doi/abs/10.1080/13552600601069414">seem innocent</a> in nature when observed, making them <a href="http://www.tandfonline.com/doi/full/10.1080/01639625.2016.1197656">difficult to identify</a> before actual abuse occurs. This becomes more problematic if <a href="https://www.nspcc.org.uk/preventing-abuse/child-abuse-and-neglect/child-sexual-abuse/sexual-abuse-facts-statistics">young people</a> are the groomers, <a href="http://www.tandfonline.com/doi/full/10.1080/13552600701788608">displaying complex grooming behaviours</a>. Using multiple social media platforms, as well as online and offline methods, further reduces the ability to identify offenders.</p>
<p>There is also the controversial belief that some offenders find engaging in sexually deviant fantasies online <a href="https://link.springer.com/article/10.1023/B%3AASEB.0000029071.89455.53?no-access=true">reduces urges</a> to commit contact offences. A real fear is that social media warnings could push these offenders to interact offline.</p>
<p>But if the intention is for social media companies to give potential child victims “<a href="http://www.bbc.co.uk/news/uk-42855172">grooming alerts</a>”, this puts the onus on victims to acknowledge that they may be subject to grooming. The power a groomer has over a victim may override any considerations to stop interactions. </p>
<p>Those committing these offences are often highly skilled at <a href="http://www.tandfonline.com/doi/abs/10.1080/13552600601069414">identifying vulnerable</a> victims, and manipulating them by giving <a href="https://www.nspcc.org.uk/preventing-abuse/child-abuse-and-neglect/grooming/">compliments</a> and attention. </p>
<p>Developing grooming alerts may also inadvertently lead to parents/caregivers taking their eyes off the ball when it comes to their children’s social media accounts. Assumptions might be made that the technology is able to detect suspicious behaviour better than they can. Not enough is known about children’s online interactions, with reports only just highlighting this issue within <a href="http://www.nationalcrimeagency.gov.uk/publications/670-emerging-new-threat-in-online-dating-initial-trends-in-internet-dating-initiated-serious-sexual-assaults/file">adult populations</a>. </p>
<p>The new child grooming law was introduced to reduce the risk of contact sexual offences. However, it seems the ability to identify grooming behaviours before sexual abuse still falls short. There are issues here for social media companies, the police, teachers and parents. But the message is clear. The virtual door to strangers is wide open. More needs to be done to identify and respond to online sexual grooming.</p>
<p class="fine-print"><em><span>Michelle McManus receives funding from Lancashire Constabulary and Lancashire Police Crime Commissioner as part of a part-time secondment placement within Lancashire Constabulary's Evidence Based Policing Research Hub.</span></em></p><p class="fine-print"><em><span>Louise Almond does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The nature of sexual offending has changed, but can we better identify sexual groomers before abuse occurs?
Michelle McManus, Senior Lecturer in Policing, Forensic and Applied Sciences, University of Central Lancashire
Louise Almond, Senior lecturer in Investigative and Forensic Psychology, University of Liverpool
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/87566
2018-01-04T04:33:37Z
Trust in digital technology will be the internet’s next frontier, for 2018 and beyond
<figure><img src="https://images.theconversation.com/files/199508/original/file-20171215-17857-cns8cs.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Trust in online systems varies around the world.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/technologies-connect-people-mixed-media-588071525">Sergey Nivens/Shutterstock.com</a></span></figcaption></figure><p>After decades of unbridled enthusiasm – bordering on <a href="https://www.npr.org/sections/health-shots/2017/05/18/527799301/is-internet-addiction-real">addiction</a> – about all things digital, the public may be <a href="https://www.nytimes.com/2017/10/11/insider/tech-column-dread.html">losing trust in technology</a>. 
<a href="https://www.washingtonpost.com/news/theworldpost/wp/2017/10/09/pierre-omidyar-6-ways-social-media-has-become-a-direct-threat-to-democracy/">Online information isn’t reliable</a>, whether it appears in the form of news, search results or user reviews. Social media, in particular, is <a href="https://www.pbs.org/newshour/show/social-media-giants-are-vulnerable-to-foreign-propaganda-what-can-they-do-to-change">vulnerable to manipulation</a> by hackers or foreign powers. Personal data <a href="https://hbr.org/2017/12/what-would-you-pay-to-keep-your-digital-footprint-100-private">isn’t necessarily private</a>. And people are increasingly worried about automation and artificial intelligence <a href="https://www.nytimes.com/2017/11/30/technology/ai-will-transform-the-economy-but-how-much-and-how-soon.html">taking humans’ jobs</a>.</p>
<p>Yet, around the world, people are both increasingly dependent on, and distrustful of, digital technology. They don’t behave as if they mistrust technology. Instead, people are using technological tools more intensively in all aspects of daily life. In recent research on <a href="https://sites.tufts.edu/digitalplanet/executive-summary/">digital trust in 42 countries</a> (a collaboration between Tufts University’s Fletcher School of Law and Diplomacy, where I work, and Mastercard), my colleagues and I found that this paradox is a global phenomenon. </p>
<p>If today’s technology giants don’t do anything to address this unease in an environment of growing dependence, people might start looking for more trustworthy companies and systems to use. Then Silicon Valley’s powerhouses could see their business boom go bust.</p>
<h2>Economic power</h2>
<p>Some of the concerns have to do with how big a role the technology companies and their products play in people’s lives. <a href="http://www.cnn.com/2016/06/30/health/americans-screen-time-nielsen/index.html">U.S. residents already spend 10 hours a day</a> in front of a screen of some kind. One in 5 Americans say they are online “<a href="http://www.pewresearch.org/fact-tank/2015/12/08/one-fifth-of-americans-report-going-online-almost-constantly/">almost constantly</a>.” The tech companies have enormous reach and power. <a href="http://money.cnn.com/2017/06/27/technology/facebook-2-billion-users/index.html">More than 2 billion people</a> use Facebook every month.</p>
<p><a href="http://gs.statcounter.com/search-engine-market-share">Ninety percent of search queries worldwide</a> go through Google. Chinese e-retailer Alibaba organizes the biggest shopping event worldwide every year on Nov. 11, which this year brought in <a href="http://www.businessinsider.com/alibabas-singles-day-bigger-than-black-friday-cyber-monday-combined-2017-11">US$25.3 billion in revenue</a>, more than twice what U.S. retailers sold between Thanksgiving and Cyber Monday last year. </p>
<p>This results in enormous wealth. All six companies in the world <a href="https://www.bloomberg.com/news/articles/2017-11-21/tencent-s-292-billion-rally-ousts-facebook-from-global-top-five">worth more than $500 billion</a> are tech firms. The <a href="https://business.linkedin.com/talent-solutions/blog/employer-brand/2017/revealing-the-25-most-sought-after-employers-globally">top six most sought-after companies to work for</a> are also in tech. Tech <a href="https://www.wsj.com/articles/tech-boom-creates-new-order-for-world-markets-1511260200">stocks are booming</a>, in ways reminiscent of the giddy days of the <a href="http://www.businessinsider.com/heres-why-the-dot-com-bubble-began-and-why-it-popped-2010-12">dot-com bubble</a> of 1997 to 2001. With emerging technologies, including the “<a href="https://www.fool.com/investing/2017/12/13/2-tech-giants-are-teaming-up-for-the-internet-of-t.aspx">internet of things</a>,” <a href="http://www.sciencemag.org/news/2017/12/are-we-going-too-fast-driverless-cars">self-driving cars</a>, <a href="https://www.wired.com/story/future-of-bitcoin-blockchain-2018/">blockchain</a> systems and <a href="https://economictimes.indiatimes.com/jobs/by-2020-artificial-intelligence-will-create-more-jobs-than-it-eliminates-gartner/articleshow/62053363.cms">artificial intelligence</a>, tempting investors and entrepreneurs, the reach and power of the industry are only likely to grow. </p>
<p>This is particularly true because <a href="https://www.cisco.com/c/en/us/solutions/service-provider/vni-network-traffic-forecast/infographic.html">half the world’s population</a> is still not online. But networking giant Cisco projects that <a href="https://www.cisco.com/c/en/us/solutions/service-provider/vni-network-traffic-forecast/infographic.html">58 percent of the world</a> will be online by 2021, and the volume of internet traffic per month per user will grow 150 percent from 2016 to 2021.</p>
<p>All these users will be deciding on how much to trust digital technologies.</p>
<h2>Data, democracy and the day job</h2>
<p>Even now, the reasons for collective unease about technology are piling up. Consumers are learning to be worried about the security of their personal information: News about a data breach involving <a href="https://www.ft.com/content/6943d9ab-c91b-3718-928e-67a802a9c463">57 million</a> Uber accounts follows on top of reports of a breach of <a href="https://www.nytimes.com/2017/10/02/business/equifax-breach.html">the 145.5 million consumer data records</a> on Equifax and every Yahoo account – <a href="http://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html">3 billion</a> in all. </p>
<p><a href="https://www.nytimes.com/2017/10/31/us/politics/facebook-twitter-google-hearings-congress.html">Russia was able to meddle</a> with Facebook, Google and Twitter during the 2016 election campaign. That has raised concerns about whether the openness and reach of digital media is a threat to the functioning of democracies.</p>
<p>Another technological threat to society comes from workplace automation. The management consulting firm McKinsey estimates that it could <a href="https://www.mckinsey.com/global-themes/future-of-organizations-and-work/what-the-future-of-work-will-mean-for-jobs-skills-and-wages">displace one-third of the U.S. workforce</a> by 2030, even if a different set of technologies creates new <a href="https://www.mckinsey.com/global-themes/future-of-organizations-and-work/the-digital-future-of-work-is-the-9-to-5-job-going-the-way-of-the-dinosaur">“gig” opportunities</a>.</p>
<p>The challenge for tech companies is that they operate in global markets and the extent to which these concerns affect behaviors online varies significantly around the world. </p>
<h2>Mature markets differ from emerging ones</h2>
<p><a href="https://sites.tufts.edu/digitalplanet/executive-summary/">Our research</a> uncovers some interesting differences in behaviors across geographies. In areas of the world with smaller digital economies and where technology use is still growing rapidly, users tend to exhibit more trusting behaviors online. These users are more likely to stick with a website even if it loads slowly, is hard to use or requires many steps for making an online purchase. This could be because the experience is still novel and there are fewer convenient alternatives either online or offline.</p>
<p>In the mature digital markets of Western Europe, North America, Japan and South Korea, however, people have been using the internet, mobile phones, social media and smartphone apps for many years. Users in those locations are less trusting, prone to switching away from sites that don’t load rapidly or are hard to use, and abandoning online shopping carts if the purchase process is too complex.</p>
<p>Because people in more mature markets have less trust, I would expect tech companies to invest in trust-building in more mature digital markets. For instance, they might speed up and streamline processing of e-commerce transactions and payments, or more clearly label the sources of information presented on social media sites, as the <a href="https://www.scu.edu/ethics/focus-areas/journalism-ethics/programs/the-trust-project/">Trust Project</a> is doing, helping to identify authenticated and reliable news sources.</p>
<p>Consider Facebook’s situation. In response to criticism for allowing fake Russian accounts to distribute fake news on its site, CEO Mark Zuckerberg boldly <a href="https://www.cnbc.com/2017/11/01/facebook-says-costs-will-rise-to-go-after-fake-news.html">declared that</a>, “Protecting our community is more important than maximizing our profits.” However, according to the company’s chief financial officer, Facebook’s 2018 operating expenses could increase by <a href="https://www.cnbc.com/2017/11/01/facebook-says-costs-will-rise-to-go-after-fake-news.html">45 to 60 percent</a> if it were to invest significantly in building trust, such as <a href="https://www.popsci.com/Facebook-hiring-3000-content-monitors">hiring more humans to review posts</a> and <a href="https://thenextweb.com/facebook/2017/08/03/facebook-enlists-ai-in-war-on-fake-news/">developing artificial intelligence systems</a> to help them. Those costs would lower Facebook’s profits.</p>
<p>To strike a balance between profitability and trustworthiness, Facebook will have to set priorities and deploy advanced trust-building technologies (e.g. vetting locally generated news and ads) in only some geographic markets.</p>
<h2>The future of digital distrust</h2>
<p>As the boundaries of the digital world expand, and more people become familiar with internet technologies and systems, their distrust will grow. As a result, companies seeking to enjoy consumer trust will need to invest in becoming more trustworthy more widely around the globe. Those that do will likely see a competitive advantage, winning more loyalty from customers.</p>
<p>This risks creating a new type of digital divide. Even as one global inequality disappears – more people have an opportunity to go online – some countries or regions may have significantly more trustworthy online communities than others. Especially in the less-trustworthy regions, users will need governments to enact strong digital policies to protect people from fake news and fraudulent scams, as well as regulatory oversight to protect consumers’ data privacy and human rights.</p>
<p>All consumers will need to remain on guard against overreach by heavy-handed authorities or autocratic governments, particularly in parts of the world where consumers are new to using technology and, therefore, more trusting. And they’ll need to keep an eye on companies, to make sure they invest in trust-building more evenly around the world, even in less mature markets. Fortunately, digital technology makes watchdogs’ work easier, and also can serve as a megaphone – such as on social media – to issue alerts, warnings or praise.</p>
<p class="fine-print"><em><span>Bhaskar Chakravorti directs the Institute for Business in the Global Context that receives funding from Mastercard, Microsoft and the Gates Foundation. </span></em></p>
Around the world, people are both increasingly dependent on, and distrustful of, digital technology. New research suggests ways this conflict could unfold.
Bhaskar Chakravorti, Senior Associate Dean, International Business & Finance, Tufts University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/86295
2017-10-25T22:48:27Z
Ransomware like Bad Rabbit is big business
<p>October is <a href="https://www.getcybersafe.gc.ca/index-en.aspx">Cybersecurity Awareness month</a>, which is being observed in the <a href="https://www.fbi.gov/news/stories/national-cyber-security-awareness-month-2017">United States</a>, <a href="https://cybersecuritymonth.eu/about-ecsm/whats-ecsm">Europe</a>, and elsewhere around the world. Ironically, it began with updates about a large-scale hack, and is ending with a large-scale ransomware outbreak.</p>
<p>Internet firm Yahoo kicked things off on Oct. 3 when it admitted that hackers in 2013 had accessed information about <a href="http://www.cbc.ca/news/technology/yahoo-breach-three-billion-1.4322100">all three billion of its user accounts</a>, not “just” the one billion first reported.</p>
<p>Ransomware “<a href="https://www.theguardian.com/technology/2017/oct/25/bad-rabbit-game-of-thrones-ransomware-europe-notpetya-bitcoin-decryption-key">Bad Rabbit</a>” is providing the finale with attacks that began Oct. 24. So far, the outbreak is mostly affecting business computers in Russia.</p>
<p>Both stories are fitting, in a way. The FBI considers computer break-ins and data ransoming the <a href="https://www.fbi.gov/investigate/cyber">top two cyber threats</a> we face. But while the former is old-fashioned e-crime, ransomware is much trendier. Much like <a href="https://theconversation.com/tailoring-the-customer-experience-boosts-online-sales-84941">online retailing</a>, <a href="https://theconversation.com/online-shopping-retailers-seek-visibility-in-face-of-google-control-80129">online advertising</a>, and <a href="https://theconversation.com/by-concealing-identities-cryptocurrencies-fuel-cybercrime-82282">online currencies</a>, ransomware is soaring.</p>
<h2>Your money or your data</h2>
<p>Traditional criminal hackers obtain their ill-gotten gains by stealing valuable data such as credit card numbers or passwords. They then look for customers, such as other criminals, to buy that data.</p>
<p>In contrast, ransomware hackers sell data back to the owners. If ransomware infects your computer, it encrypts your files to render them inaccessible until you pay a ransom. This simplifies cybercrime by replacing theft with extortion.</p>
<p>For example, in summer 2016, ransomware locked down the University of Calgary email system. <a href="http://www.cbc.ca/news/canada/calgary/university-calgary-ransomware-cyberattack-1.3620979">The university paid $20,000</a> to unlock it.</p>
<p>Today, that looks cheap. In July, a <a href="https://www.itworldcanada.com/article/canadian-firm-pays-425000-to-recover-from-ransomware-attack/394844">Canadian company reportedly paid $425,000</a> to regain its data. The month before, South Korean firm <a href="http://www.foxnews.com/tech/2017/06/21/ransomware-attack-costs-south-korean-company-1m-largest-payment-ever.html">Nayana paid $1 million</a>, the highest ransom publicly admitted so far.</p>
<h2>Growing scale and sophistication</h2>
<p>Much like legitimate firms, some ransomware charges lower “prices” but targets larger volumes. Bad Rabbit demands only a few hundred dollars to decrypt each computer. But it is affecting machines across Russia.</p>
<p>Similarly, the <a href="https://theconversation.com/how-wannacry-caused-global-panic-but-failed-to-turn-much-of-a-profit-77740">Wannacry ransomware attack</a> in May affected computers in about 100 countries. It forced many <a href="http://www.cbc.ca/news/canada/ottawa/cgi-cybersecurity-wannacry-ransomware-small-business-at-risk-1.4116429">British hospitals</a> to cancel surgeries.</p>
<p>An <a href="https://www-03.ibm.com/press/us/en/pressrelease/51230.wss">IBM survey</a> found that almost half of businesses suffered ransomware attacks in 2016. Some 70 per cent of those paid a ransom to regain their data.</p>
<p>The survey also indicates small businesses are particularly vulnerable. They often lack the computer expertise to defend themselves. Only 30 per cent provided cybersecurity training to employees, compared to 58 per cent within larger companies.</p>
<p>Ransomware’s sophistication is growing too. Ransomware “worms” like <a href="http://www.securityweek.com/zcryptor-ransomware-spreads-removable-drives">ZCryptor</a> spread themselves across networks, rather than riding on infected emails.</p>
<p>Some ransomware specialists are selling their services to organized crime. This crime-as-a-service business model allows criminals to outsource their technology needs. User-friendly <a href="https://www.pcworld.com/article/3190852/security/at-175-this-ransomware-service-is-a-boon-to-cybercriminals.html">ransomware “kits” can be purchased for $175</a>.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=368&fit=crop&dpr=1 600w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=368&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=368&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=462&fit=crop&dpr=1 754w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=462&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=462&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">A specialist works at the U.S. National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va. in Sept. 2014.</span>
<span class="attribution"><a class="source" href="http://www.cpimages.com/fotoweb/cpimages_details.pop.fwx?position=22&archiveType=ImageFolder&sorting=ModifiedTimeAsc&search=cybersecurity&fileId=7ED4E565C8CEED276553137C3F07278F0211563F5E7047DF3AAB663AE59BB0CF1642B0B80D34257E6710EC2568FB7698B59B4D70A14C35A5085499F7776FCE74F2B7765E8750034730859FC82D50AED936F94C876BDCF9BEC438833511658A5442F841C1FF39A6F82A1B1FF576DC98DFDEBAE60A57D8B1868787E68E4DB65177C56CA13FE83A463BAFB139FF949304109FA1D488C8D1A475">(AP Photo/Manuel Balce Ceneta)</a></span>
</figcaption>
</figure>
<h2>Future possibilities</h2>
<p>What might come next? Imagine state-sponsored hackers using ransomware. Host countries might give — or even sell — permission for local hackers to attack rival countries’ computers.</p>
<p>These cyber-<a href="https://www.britannica.com/topic/privateer">privateers</a> could plunder commerce abroad, without the host country’s direct involvement or accountability. Think of regional rivals like North and South Korea, or major powers like the U.S., Russia and China.</p>
<p>Sound far-fetched? Russian security services have already been accused of <a href="https://www.ft.com/content/21be48ec-0a48-11e7-97d1-5e720a26771b">working with organized crime</a> on cyberattacks. The Russian government denies any involvement. But its president, Vladimir Putin, did suggest independent “<a href="http://www.cnn.com/2017/06/01/politics/russia-putin-hackers-election/index.html">patriotic hackers</a>” may have tampered with the U.S. election process.</p>
<p>How about virtual protection rackets? Instead of one-time payments for decryption, users might be “convinced” to pay ongoing fees for the “service” of avoiding encryption.</p>
<p>Or instead of hiding virtual data, ransomware could shut down physical objects. The <a href="https://www.wired.com/2013/05/internet-of-things-2/">Internet of Things</a> is exposing new targets. Control systems for factories, utilities and our homes are increasingly online.</p>
<p>What if ransomware turned them off? Businesses begrudgingly pay thousands to recover emails. Imagine what they’d pay to restart assembly lines.</p>
<h2>Precautions to take</h2>
<p>To defend themselves, computer users need to do the basics. Run antivirus programs to detect threats. Think before clicking on unexpected email attachments. Keep application software and operating systems updated. (Surely you’re not <a href="https://www.wired.com/2017/05/still-use-windows-xp-prepare-worst/">still running Windows XP</a>?)</p>
<p>Users should also back up files regularly. If ransomware strikes, backups allow ransom-free recovery. But keep them on removable drives to prevent their infection.</p>
<p>Infected users can also try decrypting files with tools from sites like <a href="https://www.nomoreransom.org/en/index.html">NoMoreRansom.org</a>. But these might work only on simple cases.</p>
<h2>Corporate and government action</h2>
<p>Software makers should do more to facilitate safe computing practices. For example, it’s great that Windows now has self-updating antivirus protection. Unfortunately, it’s still awkward to back up data onto removable drives.</p>
<p>Business insurers could also play a role. They might require corporate computers to be updated and backed up to qualify for coverage.</p>
<p>Co-operation among independent agencies is needed to fight ransomware’s breadth. Canada’s <a href="http://www.cbc.ca/news/canada/cse-what-do-we-know-about-canada-s-eavesdropping-agency-1.1400396">Communications Security Establishment</a> set a good example two weeks ago when it made its <a href="http://www.cbc.ca/news/technology/cse-canada-cyber-spy-malware-assemblyline-open-source-1.4361728">Assemblyline malware analysis software</a> publicly available to tech professionals.</p>
<p>In contrast, the U.S. National Security Agency sets a bad example: It <a href="https://theconversation.com/should-spies-use-secret-software-vulnerabilities-77770">had known about a weakness in Windows</a> for years, but didn’t tell Microsoft until early 2017.</p>
<p>Law enforcement likewise needs to cooperate across jurisdictions. September’s <a href="https://www.interpol.int/News-and-media/Events/2017/5th-Europol-INTERPOL-Cybercrime-Conference/5th-Europol-INTERPOL-Cybercrime-Conference">Interpol-Europol Cybercrime Conference</a> was a good step in this direction.</p>
<p>As foreign hackers increasingly “tax” domestic businesses, ransomware becomes a national security issue. Governments may need to negotiate agreements like those covering <a href="http://www.un.org/depts/los/piracy/piracy.htm">seaborne piracy</a>.</p>
<p>Finally, firms might consider keeping key systems disconnected from the internet, as some military computers have always been. Just because anything can be online, it doesn’t mean everything should be.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Like legitimate e-commerce, ransomware e-crime is increasing in scale, value and sophistication.
Michael J. Armstrong, Associate professor of operations research, Brock University
Teju Herath, Associate Professor of Information Systems, Brock University
Licensed as Creative Commons – attribution, no derivatives.