The mobile computing technology explosion has brought out seriously organized, international and profit-driven cybercriminals.
That was just one of the key points made today by the US Department of Justice Deputy Assistant Attorney General Jason Weinstein to a Senate Judiciary Subcommittee on Privacy, Technology and the Law hearing.
"Every day, criminals hunt for our personal and financial data so that they can use it to commit fraud or sell it to other criminals. The technology revolution has facilitated these activities, making available a wide array of new methods that identity thieves can use to access and exploit the personal information of others. Skilled hackers have perpetrated large-scale data breaches that left hundreds of thousands -- and in many cases, tens of millions -- of individuals at risk of identity theft," Weinstein said. "As Americans accomplish more and more of their day-to-day tasks using smart phones and other mobile devices, criminals will increasingly target these platforms."
He went on to say: "Foreign and domestic actors of all types, including cyber criminals, routinely and unlawfully access data that most people would regard as highly personal and private. Unlike the government -- which must comply with the Constitution and laws of the United States and is accountable to Congress, courts, and ultimately the people -- malicious cyber actors do not respect our laws or our privacy. The government has an obligation to prevent, disrupt, and deter such intrusions. The kinds of criminals we are up against are organized, international, and profit-driven."
How will the DOJ combat these problems? Weinstein said the department's 2012 budget includes a request for funding six Department of Justice attache positions that would emphasize the investigation and prosecution of laws prohibiting international computer hacking and protecting intellectual property rights at embassies around the world. The program would establish department representatives at hot spots for computer and intellectual property crime around the world, and would help ensure that we can continue to protect American citizens' privacy, both at home and abroad.
Weinstein also repeated his call for improved mobile data retention and forensics.
"One particular area of concern for the Department in collecting digital evidence is ensuring that law enforcement can successfully track criminals who use their smart phones to aid the commission of crimes. When connecting to the Internet, smart phones, like computers, are assigned Internet Protocol (IP) addresses. When a criminal uses a computer to commit crimes, law enforcement may be able, through lawful legal process, to identify the computer or subscriber account based on its IP address. This information is essential to identifying offenders, locating fugitives, thwarting cyber intrusions, protecting children from sexual exploitation and neutralizing terrorist threats -- but only if the data is still in existence by the time law enforcement gets there."
Weinstein noted that in his January testimony before the House Judiciary Subcommittee on Crime, Terrorism, and Homeland Security, he outlined some of the serious challenges faced by law enforcement in this area in the more traditional computer context.
"ISPs may choose not to store IP records, may adopt a network architecture that frustrates their ability to track IP assignments and network transactions back to a specific account or device, or may store records for only a very short period of time. In many cases, these records are the only evidence that allows us to investigate and assign culpability for crimes committed on the Internet," he said. "These challenges are equally serious in the context of smart phones and mobile devices. As the capabilities of smart phones expand, law enforcement increasingly encounters suspects who use their smart phones as they would a computer. For example, criminals use them to communicate with confederates and take other actions that would ordinarily provide pivotal evidence for criminal investigations. Just as some ISPs may not maintain IP address records, many wireless providers do not retain records that would enable law enforcement to identify a suspect's smart phone based on the IP addresses collected by websites that the suspect visited. When this information is not stored, it may be impossible for law enforcement to collect essential evidence."
Of course collecting data from mobile devices and that data is stored, protected and used is a hot button.
At the same hearing, the Federal Trade Commission's Deputy Director of Consumer Protection Jessica Rich said the agency has taken law enforcement actions against companies that fail to protect the privacy and security of consumer information. She noted a few cases of interest in the privacy realm:
• The FTC's case against Google alleges that the company deceived consumers by using information collected from Gmail users to generate and populate a new social network, Google Buzz, without users' consent. As part of the proposed settlement order, Google must protect the privacy of all of its customers -- including mobile users.
• In an FTC case against social networking service Twitter, the FTC charged that serious lapses in the company's data security allowed hackers to obtain access to private "tweets" and non-public data, and hijack user accounts, including then-President-elect Obama's account, the testimony states.
• In August 2010, the FTC charged Reverb Communications Inc., a public relations agency hired to promote video games, with deceptively endorsing mobile gaming applications in the iTunes store. And earlier this year, the FTC filed a complaint alleging that a spammer named Philip Flora used 32 prepaid cellphones to send more than 5 million unsolicited text messages -- almost a million a week -- to the mobile phones of U.S. consumers. The commission charged that Flora violated the law by sending unsolicited text messages, the testimony states.
"The rapid growth of mobile technologies has led to the development of many new business models involving mobile services." The innovations offer benefits to both businesses and consumers. "On the other hand, they facilitate unprecedented levels of data collection, which are often invisible to consumers."