Tuesday, March 20, 2007

Identities For Sale

Well, here's a way we can solve the trade imbalance between China and the U. S. According to Symantec, the computer-security company, the U. S. harbors more than half of the world's "underground economy servers"—computers that are used for criminal activities, including the control of other computers called "bots" without the knowledge or consent of their owners. And it turns out that about a fourth of all bots are in China. So we're using China's computers to steal money, data, and identities from around the world. And it's even tax-free, if the criminals who organize this sort of thing play their cards right. This market is running so well that you can buy a new electronic identity, complete with Social Security number, credit cards, and a bank account, for less than twenty bucks. Don't like who you are? Become someone else!

Lest anyone take me seriously, the above was written in the spirit of Jonathan Swift's "modest proposal" of 1729 to alleviate poverty in Ireland by encouraging families to sell their babies to be eaten. I do not think it is a good thing that we lead the world in the number of servers devoted to criminal ends. But it's a fact worth pondering, and one question in particular intrigues me: why is computer crime so organized and, well, successful in this country?

Part of the answer has to do with the extraordinary freedom we enjoy compared to many other countries, both in the economic and political realms. While businesspeople complain about Sarbanes-Oxley and other burdensome regulations here, they should compare these relatively mild restrictions with those in China or many countries in Europe, where red tape and bureaucracy, not to mention the occasional corrupt official, can bog down business deals and keep foreign firms away.

Another part of the answer has to do with the relative ease of committing computer crime, and the relative difficulty law enforcement officials have in catching bit-wise criminals. According to the Symantec report, which was summarized in an article on the San Jose Mercury News website, much of the code needed for criminal work was done in regular nine-to-five shifts. This indicates the era of the late-night amateur hacker is giving way to the white-collar criminal who either does his work under the radar of a legitimate business, or simply sets up shop as a company whose activities are purposely vague to outsiders. And nothing could be more in keeping with modern U. S. business practices. It's easy to tell what goes on at a steel mill: there's smoke, flames, and railroad cars full of steel coming in and out. But you can walk into numberless establishments in office parks around this country, look around, even watch over somebody's shoulder, and you'll still have trouble figuring out what many of these outfits actually do.

And that's maybe a third reason the U. S. is so hospitable to computer crime: the ease with which you can hide behind anonymity here. In more traditional cultures, the loner is a rarity, and most people are tied to friends and relatives by networks of interdependent connections, obligations, and moral strictures. But here no one thinks badly of a person who lives alone in an apartment, works at a company called something like United Associated Global Enterprises, and keeps to himself. The fact that he is trading in millions of dollars' worth of stolen identities every week is known only to him and perhaps a few associates who could be scattered around the country or the world. Maybe the lack of distinctive identity that such bland, interchangeable surroundings impose on people who live and work in them makes it perversely attractive to deal in other peoples' identities, even for nefarious purposes.

Computer networks were designed in the early years by people who were, if not saints, at least folks who were very good at legitimate uses of computer technology, and they were dealing at first only with other people like themselves. There is a strong streak of idealism in many computer types, and that is one reason that many of them worked so hard to realize their ideal of a world community joining together on the Internet. But few of them had extensive experience with criminality, and so the possibility that someone might actually abuse this wonderful new system was not considered very seriously, in some ways. I speak as an amateur here, not as an expert. But the radically egalitarian structure of the Internet embodies a philosophy as much as it embodies a technical system.

There is no use crying over spilt idealism, and we have to deal with the way the Internet and computers are today, not the way they might have been if the founders had taken a more sanguine view of human nature when they set up the early protocols. I understand that sooner or later the Internet and its basic protocols will have to be overhauled in a far-reaching way. Maybe then we can put in some more sophisticated ways of tracking bad guys down, and of preventing the kinds of attacks that come without warning and shut down whole net-based businesses. But technology can take us only so far. As long as there are people using the Internet and not just machines, some of them are going to try to con, cheat, lie, and steal. The more that future systems are designed with that in mind, the better.

Sources: The Symantec report was summarized by Ryan Blitstein of the San Jose Mercury News on Mar. 19, 2007 at http://www.siliconvalley.com/mld/siliconvalley/16933863.htm. Jonathan Swift's "Modest Proposal," the heavy irony of which was completely missed by some of its first readers, is available complete at http://www.uoregon.edu/~rbear/modest.html.

1 comment:

  1. I would present majority of the thieves are from other countries.

    The bot problem is very large as detailed in this article: http://redtape.msnbc.com/2007/03/bots_story.html#posts

    I find fault with the San Jose Mercury News article that clearly states “Slightly more than half of all underground economy servers known to Symantec were based in the United States” Symantec estimates there are 6 million bots, however the article linked above from The Red Tape Chronicles details a high estimate of 30 million. I believe Symantec’s estimate is grossly incorrect due to the following from The Red Tape Chronicles article – “Since all bots are not active at any given time, the number of infected computers is likely much higher.” How can they reasonably state most are from the United States?

    A recent Dateline show attempted to follow the trail of ID thieves and found most were located in other countries, but used a middle man in the United States to pick up the packages and resend them to the thief: