Author Interviews
10:56 am
Tue August 20, 2013

Wild, Wild Web: Policing An Early, Lawless Internet

Originally published on Tue August 20, 2013 11:36 am

Today's Internet users have become accustomed to stories of hacking, identity theft and cyberattacks, but there was a time when the freedom and anonymity of the Web were new, and no one was sure what rules — if any — applied to its use. Many thought the Internet was beyond government regulation, its very chaos a source of creativity and strength.

Those early days are the focus of technology writer Nate Anderson's new book, The Internet Police: How Crime Went Online, and the Cops Followed. In it, Anderson recounts how the opportunities the Web offered to snoops, scam artists, spammers and pornographers inevitably drew the attention of law enforcement, which had to try to master technology to find and catch its targets.

Anderson joins Fresh Air's Dave Davies to discuss the history of Internet havens and how law enforcement responded to the lawlessness of the Net.


Interview Highlights

On the beginning of unrestricted Internet havens

"Back in the 1990s and the early years of the 2000s, one of the great dreams [that] people associated with the Internet was this idea that this new invention, these new technologies that were now global, had basically done away with the old national/political boundaries.

"You see this, most remarkably, with the case of Sealand — which was this rusting fort in the North Sea a few miles off the coast of the United Kingdom — in which some Americans went over there, brought some computers, got an Internet link established from out there in the water on this platform and decided to offer hosting services to anyone in the world. So if your country said pornography was illegal, if your country said gambling was illegal, if your country said certain kinds of political speech was illegal, no problem. Come to us. We'll host it. And the idea was that no one could do anything about this. ... This was an attempt to evade national law."

The plan for Sealand's offshore Internet haven, known as HavenCo

"The vision was fairly grandiose. It was going to be [that] the legs of this tower were going to be filled with computer servers; they were going to be filled with an unbreathable gas, making it very difficult for saboteurs or anyone else to enter the tower. Your data would be totally safe. It was supposed to have high-speed Internet links back to the U.K. and other points on the European Continent. These guys had guns; they had a security force in case anyone came knocking on the door. It was really designed as a fortress bunker out there in the sea that would simply be resistant to any attempt to take down your content."

On how law enforcement uses hacking techniques to shut down cybercrime

"When they bust somebody, they can get most of these guys to plead guilty. In [one child pornography] bust, despite how large it was, only one guy went to trial. Everyone else [pleaded] guilty. And as part of those details, often what the government requested was that they turned over their passwords in these communities, and usernames, and federal agents assumed those identities. And to the outsiders, there's almost no way to tell that you're now dealing with a fed. That encouraged a lot of paranoia and suspicion within these communities, especially when somebody would be gone for a few days, or maybe their tone or choice of words change after a while. 'Well,' you think to yourself, 'is that just normal or have we been infiltrated? Am I dealing with a cop?' "

On accessing other people's files, photos and live conversations

"You do not have to be a hacker to do this anymore. In some research I did after writing the book, I spent some time in an entire Web community that exists around this practice, which they call RAT-ing, Remote Administration Tool. These are basically pieces of software that once you can get them on someone else's computer provides you total access to their machine, but surreptitiously. They don't know it's there; they don't know it's running."

On how software can be installed without your knowing

"You can do it [by opening an email]; you can approach them on instant messaging pretending to be a friend of theirs; you can put fake songs out there of pop music on peer-to-peer file sharing that people download thinking they're getting a song, turns out to be one of these files. One of the things these guys do is spend a lot of time sharing their techniques for how they spread this stuff."

On new NSA regulations that are being discussed

"The [regulations will] open people's eyes to just how dramatic this sort of surveillance looks like in practice. It's one thing to talk about electronic surveillance; it's another to really understand just how wide-ranging the net can be when you have computers scooping up data from fiber-optic taps, when you get every phone call made by everyone in the U.S.

"The NSA is going to look a lot more like some of these hackers in the book who are operating without many rules. I think that has already made people uncomfortable. My sense is we're going to see some rule changes intended to promote greater comfort in this. ... Whether that is going to satisfy the critics of what has been going on, I think it will really depend on the strength of the public reaction to mobilize a bipartisan agreement in Congress."

Copyright 2013 NPR. To see more, visit http://www.npr.org/.

Transcript

DAVE DAVIES, HOST:

This is FRESH AIR. I'm Dave Davies in for Terry Gross, who's off this week. Computers, smartphones and Internet use are part of our lives now, and we've become accustomed to stories of hacking, identity theft and cyber attacks. In his new book, our guest, technology writer Nate Anderson, takes us back to the early days of the Internet, when the freedom and anonymity the Web offered were new and we weren't sure what rules, if any, would apply to its use.

Many thought the Internet was beyond government regulation and that its very chaos was a source of creativity and strength. Anderson's book shows how the opportunities the Web offered to snoops, scam artists, spammers and pornographers inevitably drew the attention of law enforcement, which had to try and master Internet technology to find and catch their targets.

Nate Anderson is a senior editor at Ars Technica. His work has also been published in The Economist and Foreign Policy. His new book is called "The Internet Police: How Crime Went Online and the Cops Followed." Well, Nate Anderson, welcome to FRESH AIR. Early in this book, you describe an attempt to establish an Internet haven.

Back in the earlier days of the Internet, when a company wanted to be able to offer Internet services to anybody for any purpose pretty much, free of any government restriction - there's a fellow named Ryan Lackey. He picks a remarkable place to actually site the business. Do you want to tell us about this?

NATE ANDERSON: So back in the 1990s and the early years of the 2000s, one of the great dreams of people associated with the Internet was this idea that this new invention, these new technologies that were now global, had basically done away with the old national political boundaries. And you see this most remarkably with the case of Sealand, which was this rusting fort in the North Sea a few miles off the coast of the United Kingdom in which some Americans went over there, brought some computers, got an Internet link established from out there, you know, in the water on this platform, and decided to offer hosting services to anyone in the world.

So if your country said pornography was illegal, if your country said gambling was illegal, if your country said certain kinds of political speech was illegal, no problem. Come to us, we'll host it. And the idea was that no one could do anything about this, right? Anybody can access anything on the Internet. Once it's on there, you know, there is no possibility of control.

And so this was an attempt to evade national law, and a lot of people believed at the time that these kinds of attempts could succeed. And it turns out they were wrong.

DAVIES: Now, I want you to describe this. I mean people don't picture a fort being out in the middle of the ocean. Describe this place. It was called Fort Roughs, right, built, what, for World War II?

ANDERSON: Roughs Tower, yes, it was built in World War II as a gunnery platform that was trying to take out Luftwaffe bombers coming in during the battle of Britain. And it was essentially a giant platform that stood out of the water on huge legs. Up on top the guns would go. There was a small sort of office, house place. But the men lived in the legs themselves, which were hollowed out, and as you can imagine were windowless and sometimes below the water line.

So it could be a very creepy, claustrophobic place to be, and that's where these guys decided to try to set up this data haven that could basically write its own laws, even as it dumped this traffic on the global Internet.

DAVIES: Right, so these guys would be, if this worked, would be living inside this 25-foot-wide concrete cylinder into the ocean with no windows, as you say. What were conditions in there like, you know, decades after it had been abandoned as a military use?

ANDERSON: So it was heavily rusted. The tower had been - had a crazy history. It had been sort of taken over several times by pirate radio operators in the U.K. And the current family, who still controls it, had taken it several decades ago and managed to hang on to it.

The reason that this place was chosen was because at the time it was taken, it was outside U.K. territorial waters, and so the claim has always been that it is essentially its own country and not under U.K. jurisdiction, even though it's just a few miles offshore, and you can easily get your supplies and things from the U.K.

DAVIES: Alright, so this guy Ryan Lackey establishes this company. Was it HavenCo? Was that what it's called?

ANDERSON: HavenCo, that's right.

DAVIES: And there was this piece, I think in Wired magazine, in which the vision was laid out of what it was going to look like. Kind of describe a little bit what the plan was.

ANDERSON: Well, the vision was fairly grandiose. It was going to be - you know, the legs of this tower were going to be filled with computer servers. They were going to be filled with an unbreathable gas, making it very difficult for saboteurs or anyone else to enter the tower. Your data would be totally safe.

It was supposed to have high-speed Internet links, you know, back to the U.K. and to other points on the European continent. It was - you know, these guys had guns, they had a security force in case, you know, anybody came knocking on the door. It was really designed as kind of a fortress bunker out there in the sea that would simply be resistant to any attempt to take down, you know, your content.

DAVIES: So Ryan Lackey, the guy with this vision to establish this Internet service physically free of any government regulation, he gets this platform, which was run by this fellow Roy Bates, who had been a pirate radio operator, had taken it by force. And there's this vision for, you know, nitrogen-filled chambers that hold all these servers and provide services to all kinds of people. What was the experience? What actually happened?

ANDERSON: Well, the vision that they had was one of total freedom. And they found themselves - they thought they had a place that was not bound by law. They quickly learned, within a couple of years of attempting this experiment, that they actually wanted law because they got into a dispute with the Bates family, who controlled this tower. And in the end there was nothing they can do about it.

I mean the flipside of going to a place without courts, without police, without the jurisdiction of a regular nation-state, is that there's no one to enforce this contract that you thought you had. And so the whole thing ended in acrimony, with Lackey and - leaving the tower, the Bates family taking control of what was there, and it also came out, you know, Lackey admitted that much of what had been said, especially in this Wired magazine article, was - I guess optimistic would be the nicest way to put it - it was done for PR purposes. It was done with a hope to this is where they could get someday. It was never a flourishing operation. It was always fairly small-scale. They tended to host a few online gambling sites, especially those that wanted to reach the lucrative U.S. market, where online gambling was illegal, and for a while they also hosted the government of Tibet's website, which had angered the Chinese.

DAVIES: A lot of what your book tells us is that the reality is there is all kinds of illegal and harmful activity on the Internet, and thus law enforcement recognized that and took to fighting it on the Internet. You tell the story of some interesting investigations into child pornography rings, and one of them begins with videos in Australia. Tell us how that story started.

ANDERSON: So one of the lessons that law enforcement learned was, you know, they weren't just going to throw up their hands and say, hey, that's right, you know, law is basically - doesn't apply anymore. And so it took them a while, but they did begin to learn how to do things on the Internet.

One of the things they learned was the power of international cooperation over this new international medium. So this case that I profiled was, at the time of its takedown in 2009, was the largest such takedown the U.S. had ever conducted. It began back in Australia, where some police, during a raid, found a video depicting child pornography. They were able through the accents of the people involved, who were speaking in the video, to understand that it was Flemish or Belgian in some way, and they passed it to the Belgian police.

From there it spawned something called Operation Koala, which became a massive, European-wide, you know, manhunt for people. They actually identified the person who was being abused. It was a father who was abusing his two children by taking them to a studio in the Ukraine, which had been set up for these kinds of activities.

So they got the guy involved. They managed to get his email list of people who are interested in these kinds of videos he was producing. They kept all the European addresses and staged a massive raid over 20 countries, and they passed all the U.S. addresses to their counterparts here, where a wide variety of agencies got together to track these guys down, generating hundreds and hundreds of leads, and eventually a massive bust of people that showed them whole new chat rooms, whole new places where these kind of people hung out.

DAVIES: In the book you describe this child pornography investigation and how it ended up resulting in the arrest of a lot of people. You describe one interesting character in Baltimore, a guy who'd run for mayor once before, and the arrest there. One of the things that you describe that authorities used in this investigation of Internet child pornography was that when arrests were made, they wouldn't just box up the computers and take them away, but while the suspect was there, would sometimes have the technicians going through the computers right then and there. The phrase was on-scene computer triage. Explain what that is. What was the point?

ANDERSON: Right. Well, so the old technique was to go in and treat this as a normal crime scene, right. Don't contaminate the evidence. Be very careful. You know, unplug everything, shut it down, bag it up, tag it. Take it back to the lab. Go through it slowly, carefully, methodically to build your court case. And that works, but you lose a lot by doing it.

For instance, when police might enter a house looking for somebody, that person might be on their computer and logged in to certain chat rooms or websites or communities right then, and if you shut down the computer, you might need passwords to boot it up again or to enter these communities again.

So what they began doing - and this investigation was one of the first times this was widely deployed - was starting to look, right there - they would still box it all up and take it back to the forensic lab later. But you could learn things right away by spending an hour with the running computer right there, and especially if you could convince the person that you had just busted to give you passwords or to tell you things.

And they would do this all the time. They would sometimes convince people that, hey, you know, we're going to break this one way or the other. You might as well just tell us. Maybe things will actually go easier for you when it comes to sentencing, et cetera. There were all sorts of techniques for getting information out of people.

And it was remarkably successful. They would find new communities they didn't know existed. And if they had waited a month, those kind of communities would often get suspicious at a member's absence and shut them out. So it opened all sorts of new doors to new communities of child pornography, to immediately finding out these guys' friends and their connections with the outside world, and preserving evidence that might have been erased if they had shut down the computers.

DAVIES: One of the interesting things about the description of this child pornography investigation is that, you know, one of the things that makes the Internet safe for this kind of criminal activity is its anonymity. I mean, people - you log on, you get this horrible stuff, but nobody knows who you are. But once the investigators get - nail somebody, then if they can get that person to give them their password, suddenly, the police enter the networks, taking advantage of the anonymity, and the other child pornographers think they're dealing with somebody they trust. In fact, they're dealing with a cop. It's a fascinating kind of reversal of anonymity working in favor of the criminals.

ANDERSON: Yeah. It can be very difficult to know who you're dealing with online in any sort of real firm sense. And so - especially in these communities that don't want others to know that. They tend to operate just simply on these usernames. You know nothing about someone beyond this name you see on the screen.

And so what police did in this case - and have continued to do in many other cases since - is when they bust somebody, they could get most of these guys to plead guilty. In this particular bust, despite how large it was, only one guy went to trial. Everyone else plead guilty. And as part of those deals, often what the government requested was that they turned over their passwords in these communities and their usernames, and then federal agents assumed those identities.

And to the outsiders, you know, there's almost no way to tell that you're now dealing with a fed. So that encouraged a lot of paranoia and suspicion within these communities, especially when somebody would be gone for a few days, or maybe their tone or choice of words change after a while.

Well, you think to yourself: Is that just normal, or am I suddenly - have we been infiltrated? Am I dealing with a cop?

DAVIES: Right. So when this investigation ran its course, how big of a child pornography operation did it expose?

ANDERSON: It varied over time. I believe when they finally shut down - this place was called the Cache, and when they finally shut down the Cache, I believe there were 500 people or so involved. But there had been a couple thousand a year or two earlier. They had - they had been spooked, in fact, by some action that the feds had taken, and many people had left. But I guess enough people didn't get the message and continued.

And so there were mass arrests. Most people plead guilty, as I said. This one guy went to trial, and that meant that all of this information about how the government had, you know, infiltrated and exposed these guys came out then at trial and provided, you know, most of my data for reconstructing this really fascinating narrative about what had happened and how.

DAVIES: We're speaking with Nate Anderson. He is a deputy editor of Ars Technica. His new book is called "The Internet Police: How Crime Went Online, and the Cops Followed." We'll talk some more after a short break. This is FRESH AIR.

(SOUNDBITE OF MUSIC)

DAVIES: This is FRESH AIR. And if you're just joining us, our guest is Nate Anderson. He's a deputy editor for Ars Technica. He's written a new book about crime on the Internet and how police have gotten more active pursuing it. It's called "The Internet Police."

You have some interesting cases that you describe where folks were targeted, essentially spied upon, using their home computers. Do you want to give us an example on what, you know, what the impact was on these folks?

ANDERSON: Yeah. So maybe I could talk about two different cases, because one of the key points that my book is making is that you really can't differentiate between good and bad techniques on the Internet. What you get are techniques, and they can be used by anyone, for any purpose.

So one of the stories that I cover in the book involves a substitute teacher in Ohio who had purchased a stolen laptop from a student at her school. She claims she didn't know it was stolen. The police knock on her door a few days later, and they have in their hand pictures of her topless chats with her boyfriend at the time that they have printed out on sheets of paper.

She is amazed. It turns out that the computers - which had been owned by the school district - had tracking software on them, and were accessed by an investigator who was looking for this one and happened to grab screenshots of what this woman was doing on her computer at the time, and he passed them to the local police, who showed up at her door, knocking on it, holding these things.

And the whole experience really - at least in her telling in the court documents - really devastated her. It made her almost borderline paranoid about surveillance, about clicks on her phone, about - I mean, if people could do that, they could do almost anything, it seemed like.

DAVIES: And, in this case, it was the police. The tracking software was there to help the school district recover stolen computers. This actually happened in a school district around Philadelphia recently. But why did the police then use that, rather than simply going and getting the stolen computer? Why would they then barge in and confront her with these embarrassing, though legal, pictures, and then they arrested her?

ANDERSON: Well, that's a good question. And she sued the police department over this case, and it was settled privately. She was arrested for receiving stolen goods, but the prosecutor declined to move forward with the case. So my sense is that the police there knew they had overreached and tried to make this situation go away.

You know, but what you see also is that hackers do the same thing. I mean, this technique has been around for years in hacking circles. And so I cover another story in the book of this guy out in California who turns out to be a disabled immigrant. He's in a wheelchair. He knows computers. He's been to some local community college classes and programming things. He becomes something of a hacker.

He starts hacking into computers of young women all around California, and more broadly. By the end of - you know, by the time police arrest him, he has gotten his software installed on the machines of several hundred young women. He was able to watch the webcams on their computer. He was able to turn on the microphones in their computer, listen to what was happening in the rooms where these computers were.

He was able to see what they were doing on their screens, on their computer, what websites they were visiting. And he could see every file on their computer, and he delighted in finding nude pictures that many of them kept on their machines. And he would then toy with his victims.

He would show up on instant messaging networks knowing all sorts of things about them, having these pictures, and being able to tell them about conversations they thought they had had privately inside a room, that suddenly this random guy on the Internet knows about. It was absolutely unnerving to these young women, you know, this terrifying experience.

But it's now the same kind of thing that the police do, that private organizations do. We know the FBI has this capability. A major scandal erupted a year or two ago in Germany, when it became clear that the German government was using this sort of technology.

So, you know, you have this technique, and once it's out there, it can really be used for just about anything. And there's almost no way to say, you know, this is going to be used for good, and not for bad. It is kind of a free-for-all.

DAVIES: Nate Anderson's book is "The Internet Police: How Crime Went Online, and the Cops Followed." He'll be back in the second half of the show. I'm Dave Davies, and this is FRESH AIR.

(SOUNDBITE OF MUSIC)

DAVIES: This is FRESH AIR. I'm Dave Davies, in for Terry Gross, who's off this week. We're speaking with technology writer Nate Anderson, whose new book traces the growth of crime on the Internet and the increasingly sophisticated techniques law enforcement employs to fight it. Anderson is a senior editor at Ars Technica. His new book is called "The Internet Police: How Crime Went Online, and the Cops Followed."

Before the break, Anderson described some cases where hackers tapped into the home computers of women, using their webcams to spy on them and rifling their computer files for personal information and intimate photos.

You describe how emotionally shattering it was for women to suddenly be confronted with these things they thought were private. But tell us a little bit about how that worked. I mean, is there technology that someone can easily get that will allow them to get inside and control somebody else's computer?

ANDERSON: Absolutely. I mean, you do not have to be a quote-unquote "hacker" to do this anymore. In some research I did after writing the book, I spent some time in an entire Web community that exists around this practice, which they call ratting - R-A-T, remote administration tool. These are basically pieces of software that, once you can get them on someone else's computer, provides you total access to their machine, but surreptitiously. They don't know it's there. They don't know it's running. And...

DAVIES: And you get them to install the software by what - enticing them to open an email or something?

ANDERSON: You can do that. You can approach them on instant messaging, pretending to be a friend of theirs. You can put fake, you know, songs out there to pop music on peer-to-peer file sharing networks that then people download thinking they're getting a song, turns out to be one of these files. One of the things these guys do is spend a lot of time sharing their techniques for how they spread this stuff widely, how you pick up quote-unquote "slaves," which is what they refer to the people who install their software.

DAVIES: This is just so creepy. I mean, if you have, you know, one of these major antiviral, you know, protection systems for your computer, are you protected against things like this?

ANDERSON: All of the major antivirus, anti-malware systems now do look for these sorts of toolkits - these remote administration tools. But, you know, they're tweaked all the time for the purpose of avoiding these things. So it's hard to say for certain that any given implementation of one of these is going to be caught by, you know, any given tool that you might have, especially if your antivirus software is out of date or a bit older.

DAVIES: You know, in the cases in the book, where you describe these women being targeted by someone who had taken control of their computer, and then looked through their photos and watched them through the webcam, you know, the police - we know about this because the police investigated and found some of the people that were engaged in this activity. Are they doing a lot of that, and should we feel good about that? It's sort of puzzling, because you don't want the police spying on you, and yet, on the other hand, you want the police protecting us, you know, from people peering into our lives.

ANDERSON: Yeah. The FBI has essentially coined a term related to this activity that they call sextortion, because most of these cases turn out to involve these guys will watch usually women, but I have seen a couple of cases involving men or even boys. And once you either get access to their computers, you can get them to give you nude photos and things, and then you can start blackmailing them and get them to do more and more things for you. And, yeah, it's kind of depressingly common, and it's now - you see busts related to this activity with some frequency. I wouldn't say it's an epidemic, but, you know, if you visit some of these communities and you see people just sharing images of these people that they're spying on from all over the world, no idea they're being watched, you know, it's deeply creepy. And, you know, I just think it's worth knowing that this is a possibility on your machine. I mean, many people are not aware that something like that is even possible. But it's hard to quantify just how much something like that happens.

DAVIES: And before we leave this subject, is there any way you can protect yourselves? I mean, should you turn off your computer? Should you - I don't know, anything you can do?

ANDERSON: Yeah. There's a couple of things. Running a good anti-malware, antivirus program will help catch many of these. You know, don't download dodgy files on peer-to-peer networks. Don't accept, you know, files from people you don't know over instant messaging. And get a computer that has a light, you know, hardwired to your webcam. Many computers do now. And if the webcam is ever activated, a small light next to it will go on. That usually cannot be bypassed. So those kinds of techniques can at least let you know, you know, when it's happening.

DAVIES: You know, a lot of your book deals with serious and troubling stuff like, you know, kiddy porn and extortion and identity theft. You also write about spam, which kind of most of us think of as, you know, a nuisance. Why is spam serious enough for the FBI to get involved in?

ANDERSON: Well, it's more than just a nuisance, because most of the spam you get, you may not want it, but the products that it's selling are often or even usually are fraudulent, as well. So in addition to being unwanted, you're often dealing with a fraudulent situation. So you will find that the kingpins behind spam can often be making substantial incomes from this activity. I mean, you might find it hard to believe that anyone would click on one of these emails and give their credit card information to the website that comes up, but it happens all the time. Because spam is so prevalent, you need such a small success rate - I mean, in the .1 percent or less - and you can still make real money.

DAVIES: You do write about a fascinating case involving one, you know, mega-spammer, a guy who the FBI nailed when he went to a conference in Las Vegas. Tell us about him and how big his operation was.

ANDERSON: So this case is fascinating, because it shows another one of the key ways that cops have learned to operate online. You know, a lot of spam and some of these other online ills originates now from Eastern Europe and Russia. And Russia famously does not extradite its citizens. It doesn't matter why. And they often show less interest in prosecuting some of these cases, as well. So one of the lessons that the U.S. has learned is if we find somebody who appears to be a kingpin, they appear to be in Russia, what are we going to do? We are going to wait. Eventually, they're going to come to a friendly country. They're going to fly through a friendly country or they're going to come to the U.S. for some reason, and when they do, we're going to grab them.

So, in this case, this is a guy, Oleg Nikolaenko. He's 23, 24, a young Russian guy, had started becoming a major spammer. He had a botnet, which essentially means he controlled hundreds of thousands of people's private computers around the world by installing small software on them that could then send out spam from their machines, making it hard to block, because it came from, you know, 200,000 different places, not one.

DAVIES: Whose owners had no idea they were part of a spam network.

ANDERSON: No idea their computer is in the background sending out these messages for this guy in Russia. So he runs this botnet, spammers pay him to deliver their message. He's a distributor. He doesn't write the spam. He doesn't send out the herbal supplements. You know, he just distributes messages, makes a ton of money. He also loves cars. So the FBI out of Milwaukee is investigating this guy, and they wait until he comes to the U.S. to visit an auto show in Las Vegas. And as soon as he crosses, you know, U.S. Passport Control - I believe he touched down on JFK on his way there - they know about it. They find out where he's staying. They call the FBI team in Las Vegas, and they arrest the guy in his hotel room. So he thinks he's coming to the U.S. for, like, this three-day, you know, car show, from Russia. He ends up, like, two days later sitting in a jail cell in Milwaukee, where he stays for more than a year.

DAVIES: And how big was his operation, and how much money was he making?

ANDERSON: So, at his height, this guy was estimated to be controlling more than 500,000 machines, which he would use to send his spam. This was, you know, at its height, probably the largest botnet in the world for a while. It may have accounted for up to 30 percent or so of all the spam in the world. And we know from the records of this investigation that eventually came out that he made $464,000 in 2007, and that was just in six months. And that was apparently just from one client, and he had multiple clients. So this guy, who is like 23, 24, is making serious, serious money.

DAVIES: Nate Anderson's book is called "The Internet Police." We'll talk more after a short break. This is FRESH AIR.

(SOUNDBITE OF MUSIC)

DAVIES: This is FRESH AIR. And if you're just joining us, we're speaking with writer Nate Anderson. His new book is called "The Internet Police: How Crime Went Online, and the Cops Followed."

You also write about how easy it was for you to buy heroin or ecstasy over the Internet at a site that was called Silk Road. And what's interesting about this was that you said that they were able to do this with impunity because of a multilevel encryption system - if I have this right - that was essentially developed by the U.S. government? Is that right?

ANDERSON: That's right. The basic technology that protects this site and other sites like it is called Tor. It used to stand for The Onion Router. Now it's just a word on its own. But it essentially involves a system which, you know, your traffic is passed through layers of different computers, passed from one to the next to the next to the next to the next, until finally, the last computer in the chain dumps it back onto the public Internet. And by that time, it is supposed to be essentially untraceable, mixed in with all this other traffic passing through the Tor network, and there should be, you know, no way to trace it back to you.

Now, this is really useful if, for instance, you know, you are a diplomat or, you know, a military officer or something stationed in a foreign country, and you need secure communications back to the U.S., or if you're an FBI or a DEA agent here in the U.S. and you need to, you know, pretend to be a drug dealer or something online, you need to disguise where your computer is, where you're coming from. So this tool had all sorts of uses. But it is now developed privately, and while it's still used by the military and by others, it is also used by plenty of people to host child photography, is one popular one. But then the new thing is these drug markets. Silk Road is the best-known. It's still around. It's been operating for a couple of years with apparently almost total impunity. And it enables - it's like Amazon, but for drugs. You can find hundreds of sellers from all over the world who will mail you just about anything. And you can leave feedback on them, how their product was, how their service was. It's quite a remarkable thing. And the guy who runs it has some of these - you know, he's a libertarian, with strong ideas about freedom, who goes by the name Dread Pirate Roberts. And we know the government is after him, but, I mean, in a testament to how well the software works, they haven't caught him yet.

DAVIES: OK. But if this was developed by the government, how does it get into the hands of all these other folks?

ANDERSON: So the U.S. government - the Navy, actually, did the preliminary research on what is known as Onion Routing, the basic technique that is used here. But the actual software is developed now by a foundation, the Tor Project. And they receive money from all sorts of governments, government agencies, even some Christian groups. Because the thing about these tools, as I've said before, is you can never limit them to certain uses you think are good or that you think are bad. And so this tool in particular provides, you know, an incredible encryption for people who need to bypass surveillance. Well, that can mean criminals, but it can also mean political dissidents. It can mean religious, you know, dissidents in countries where, you know, freedom of religion is not accepted. It can mean all sorts of uses that one branch of the government - say, the State Department - might say are good, but another branch might - like the FBI - might see things being used in it that are bad. But they don't - but nobody wants it shut down.

DAVIES: Yeah. You make the point that, you know, the State Department, I think Hillary Clinton and some others have said that you need this kind of technology for secure, anonymous communication. I mean, people in Mexico who want to be able to communicate without being discovered by, you know, drug cartels, political dissidents. And so, in some respects, it's government policy to permit this kind of communication, to encourage and enable it.

ANDERSON: Right. And I think it shows you that, you know, speaking of the government is often not a helpful thing to do when it's that, you know, as broad as the U.S. government. There are so many competing interests. So, yes, State has been a huge backer of these programs. They've traveled, especially in Eastern Europe, they've stirred up quite a bit of controversy by going over there and teaching activists and dissidents how to use tools like Tor to avoid state surveillance. But those exact same tools can avoid state surveillance here in the U.S., whether it's by the FBI looking for drug dealers or child pornographers, whether it's the NSA looking for terrorists, you know, there's just no way to limit the sort of technology in the way the government would prefer to do. And so what you have in this very strange situation where some aspects of the government are encouraging the same sorts of tools that other aspects of the government aren't very happy about.

DAVIES: Is - you know, I guess this is what we have an Executive Branch for, to kind of look at these conflicting policy goals and methods and make some wise decisions about, you know, what we want to do. Is there any attempt to sort of, I don't know, mediate and get an overall policy that makes sense?

ANDERSON: Well, I think U.S. policy on this is very widely - back in the 1990s we famously tried to control encryption and anybody exporting strong crypto, as it was called, was under all sorts of restrictions. They couldn't send it to all sorts of different countries. And eventually, we realized that wasn't going to work. I mean, these guys who dreamed about the Internet being global and breaking down geographic barriers, you know, may have had a limited vision but they weren't totally wrong either.

And so what the U.S. found was we were essentially just putting ourselves at a disadvantage because other companies on Earth weren't abiding by these rules. They were selling products with strong crypto. So what customers around the world said was, hey, why are we going to buy from the U.S.? And I think it's the same sort of backlash you're already seeing around some of this - the NSA revelations.

Countries are - and companies around the world and even individuals are saying, you know, hey, I don't know that we trust these U.S. Internet companies anymore. And in the '90s the NSA actually backed down from this position and we kind of gave up on trying to control encryption. And I think things have maybe swung back the other way since then.

DAVIES: You know, you mentioned the National Security Administration revelations recently, and I guess a lot of that broke after you'd probably finished the book. What's your take on all of these revelations about, you know, the surveillance of both, you know, telephone or other electronic communication? Do we need reforms? Does this tell us - what does it tell us?

ANDERSON: Well, I think it tells us a couple of things. One, is it tells us exactly what electronic surveillance in the Internet age looks like when the gloves come off. I mean, the NSA operates under certain restrictions, clearly. It is not totally indiscriminate surveillance. But, you know, the rules are far, far different and much, much looser than anything that is legally allowed to happen domestically.

So my book basically looks at how local police, how the FBI and how international policing, you know, handle these things. But they operate under a very different framework. And what you see with these NSA revelations is just how incredible are the data trails we leave. How, with relative ease, they can be scooped up, put back together, dumped into massive databases.

And I think the lesson is that the Internet, which was supposed to be this tool of incredible freedom, of anonymous communication, providing a publishing platform to everyone, has sort of at the same time provided one of the most amazing electronic surveillance platforms the world has ever known.

DAVIES: There's a lot of discussion now about new regulations on the NSA, about changes in the FISA court, about independent review of what these government agencies do. I mean, what's your take? Is that needed? Do you have a view on it?

ANDERSON: I think one of the things that the NSA revelations are going to finally do is open people's eyes to just how dramatic this sort of surveillance looks like in practice. It's one thing to talk about electronic surveillance and it's another thing to really understand just how wide-ranging the Net can be when you have computers scooping up data from fiber optics taps, when you get every phone call made by everyone in the U.S.

You know, we're going - the NSA is going to look a lot more like some of these hackers in the book who are operating without many rules. And I think that has already made people uncomfortable. So my sense is we're going to see some rule changes intended to promote greater comfort in this. Even President Obama has indicated those are in progress.

You know, whether that is going to satisfy the critics of what's been going on, I think will really depend on the strength of the public reaction, you know, to mobilize a bipartisan agreement in Congress.

DAVIES: Well, Nate Anderson, it's been really interesting. Thanks so much for spending some time with us.

ANDERSON: Thanks for having me.

DAVIES: Nate Anderson's new book is "The Internet Police: How Crime Went Online and the Cops Followed." Coming up, jazz critic Kevin Whitehead reviews some recordings of the English saxophone trio S.O.S. This is FRESH AIR. Transcript provided by NPR, Copyright NPR.
