2008-10-01
Abstract
'We are left with the alarming question as to whether privacy should be put before global security.’ Abhilash Sonwane, Cyberoam.
Copyright © 2008 Virus Bulletin
Minutes before the deadly bomb blasts that took place in Ahmedabad, India on 26 July 2008, an email claiming responsibility for the attacks was received by Indian authorities. The anonymous email was traced to the IP address of an American national living in Mumbai. The authorities now believe that the American’s unsecured wi-fi network was used by the terrorists to send the email. The American citizen became a suspect just because he unintentionally left his wi-fi network open and unsecured.
In August, another email about the blasts was received. Investigations revealed that a proxy server was used to send the email. With some help from the service provider that hosted the server, investigators were able to determine that the email originated from an educational institute in the city of Vadodara. Analysis of the logs of the institute’s unified threat management appliance enabled the investigators to trace the email to an internal IP address belonging to the institute’s computer lab. Innocent students and faculty members were questioned as suspected terrorists.
More recently, Internet activist group ‘Anonymous’ was responsible for hacking into the Yahoo! email account of These days, a large number of public places (airports, restaurants, cafes, hospitals and so on) offer free wireless networks. Home networks are often left open and unsecured by their users, because the average home user doesn’t understand the technology and either leaves the wi-fi device in its default configuration or else does not configure it securely.
Criminals can simply sit in their cars outside a house, an office or a hotspot, and use the unprotected wireless network to carry out their sinister activities anonymously. The online activities of ‘war-driving’ criminals can be traced only to the IP address of the house, office or hotspot, putting the innocent home owner/office/hotspot manager under suspicion because of an insecure network configuration.
In the past, intelligence agencies could catch criminals based on the IP addresses of the emails they sent. The hard drives of the computers suspected of having been used for illegal activities provided the physical evidence needed to link the action to the criminal. However, new technologies are making it difficult to gather evidence.
Anonymous proxies enable criminals to conduct their online activities without revealing their real IP addresses. If the authorities want to trace the IP address of someone who has used the anonymous proxy they need the logs of the proxy server. The jurisdiction in which the proxy server is physically located plays an important role here. If it is located outside the jurisdiction of the investigating authorities, they have to rely on the cooperation of the local authorities at the other end, which can result in a dead end for the investigation.
Privacy is a basic human need and should be respected for every Internet user. However, as the movement for online privacy gathers pace, we are left with the alarming question as to whether privacy should be put before global security. The abuse of anonymity on the Internet is affecting many innocent lives, and victimizing Internet users.
Technology and the law need to keep pace with one another and with the changing times. The need of the hour is to engineer better technologies and frame better laws that allow users to enjoy their privacy while at the same time enabling authorities to trace criminal activities. But until that happens, there are several measures that can be taken by responsible citizens and corporations. For example, the hospitality industry should desist from providing Internet access without valid identity checks (mechanisms are available that allow this). The ISPs and vendors should undertake campaigns to educate home users as to how to configure wi-fi access points securely.
Cyberspace will continue to evolve and criminals will continue to look for new ways to abuse the loopholes left by technology and the law. However, proactive and responsible engineering and legislation can help prevent the misuse of technology.
