The week of December 7, 2014

Me IRL: Nate Anderson

By Eric Geller

The rise of the surveillance state has fueled the legal and technological empowerment of police officers in departments across the country. When Americans think of electronic wiretaps, they likely picture the FBI or the NSA, but increasingly, local police departments are following their federal colleagues and branching out in their digital investigations. In the process, police run into the same privacy objections and technological complications that frustrate federal law enforcement agents.

Few journalists better understand the challenges facing police in the Internet age than Nate Anderson, deputy editor at Ars Technica and the author of The Internet Police: How Crime Went Online, and the Cops Followed (W. W. Norton, 2014). Anderson reports on tech policy and has covered everything from police entrapment to child pornography busts. His beat at Ars covers more than just digital police work, but his book traces the evolution of local law enforcement’s responsibilities and procedures.

“There’s always a necessary tension between the state’s need to invade privacy to solve crimes and the citizen’s desire to maintain that privacy, but one of the best approaches to finding a balance is an old one: the robust use of warrants, overseen by a fully informed and fully independent judiciary,” Anderson notes. “In the real world, these conditions for intruding on privacy aren’t met as often as they should be.”

To understand American policing in the 21st century, one must first understand the new pressures that police face, the new fears that citizens hold, and the growing movement on both sides to restrict what the other side can do. The Kernel spoke to Anderson about cybercrime, the FBI’s war on Apple, and the privacy implications of cops patrolling the digital beat.

“The Internet is a phenomenal surveillance machine, but just because we can do something doesn’t always mean we should.”

What is your earliest memory of the Internet?

I had used email and Gopher, but on text-based Unix systems, so the moment that really showed me something amazing was when I fired up the NCSA Mosaic browser at a college computer lab and was blown away by the almost completely noncommercial World Wide Web of 1994. It all looked absolutely hideous—but all that information!

“Jif” or “gif”?

Jif, because it clearly sounds better!

How did you get started covering surveillance, law enforcement, and online privacy?

I started with much more of a focus on copyrights in 2006 or so, back when the recording industry was suing thousands of Americans for file-sharing. But as that issue died down after years of public battles, police had quietly found their footing online, and many of the most interesting disputes to me involved crime and privacy. So I started to take a much closer look at all the cases and court transcripts I could get my hands on to tell the story of how cops went from fearing the total lawlessness and chaos of the Internet in the 1990s to using it as a key investigative tool—and what that meant for all of us.

Do you have any good stories of run-ins with the cops in your youth (or perhaps more recently)?

Sorry to disappoint, but I spent too much time in my youth writing computer games to run on my Apple II to get into the sort of trouble that might involve police.

Have you had any truly scary experiences reporting on the police or their black-market targets?

Meeting with sources on the run from the law is always a bit unnerving, though it can be a necessary part of good reporting. I met a hacker in Canada who had jumped bail and crossed the border; when I showed up, I certainly wondered whether I might not be leading police right to him. Were those garbage men loitering at the edge of the park actually RCMPs who were going to be sprinting towards us momentarily? But in the end, these sorts of interactions have never resulted in problems.

Have you changed the way you use the Internet as a result of what you’ve learned doing this reporting?

Absolutely. It’s hard not to report extensively on webcam spying, for instance, and not get at least a bit paranoid about whether someone’s watching you through your own computer. It’s hard not to tighten up your passwords after spending a few days cracking them. But as I’ve learned from security professionals, it’s also not a great idea to talk too much about your own security setup or you risk putting a target on your back.

What did people who don’t follow the world of cybercrime think when you told them what you were writing a book about?

When I started the book, I think there was some skepticism from non-technical people about just how much policing was really done over the Internet. The Stuxnet virus that went after Iran’s centrifuges and the Edward Snowden NSA revelations really brought home even to people not paying attention to it just how interested the state really was in surveilling and exploiting the ‘Net. So there’s more interest today in learning about how non-spooks—and even one’s local police force—use the Internet on a daily basis.

As I’ve learned from security professionals, it’s also not a great idea to talk too much about your own security setup or you risk putting a target on your back.

The FBI is mad at Apple for eliminating its own ability to decrypt its customers’ iOS devices. The feds want to be able to serve Apple, not its customers, with search warrants. When and how did law enforcement get so lazy?

I’m not sure it’s “laziness.” Police have always gone to third parties (think: bank records) when possible to get information for several reasons, but the main one is that it doesn’t automatically tip off the subject of an investigation. Sure, the FBI could execute a search warrant on a mafia financier to look for bank records, but then you’ve tipped your hand and the rest of the evidence might disappear. So they go to the bank instead. This was useful in the past because you could go to hotels, casinos, and even the U.S. postal service to get limited kinds of information on a suspect. But imagine how useful such a technique is today! Cops today can blast out subpoenas to Twitter, Facebook, Google, email providers, cellphone companies, etc, even for local, petty crimes, and in return they have a suspect’s whole life handed to them on a platter—location, correspondence, social network, and much more.

Now, that can be kind of terrifying. And I think the sometimes intense public reaction to this is because, unlike 30 years ago, these digital accounts reveal information from far more facets of our lives—and in much more depth.

The Internet moves faster than any bank robber or car thief, and it’s also more nebulous: An IP address isn’t a person; a privacy app isn’t probable cause. How do these unique pressures combine to shape the way cyber-cops operate?

It depends on the type of investigation, but the pressures you’ve mentioned are certainly behind the routine push to subpoena huge mounds of data from third-party cloud providers and to make it easier for the government to do digital investigations even when it doesn’t know where the device in question is located.

Can you identify a tipping point when clashes between police and online privacy advocates came to a head? Or has it been a gradual buildup?

The sorts of controversies that spawn these disputes tend be cyclical because the underlying issues are complex. For instance, the FBI director has recently made a lot of noise about the encryption now built into (and enabled by default on) Apple’s and Google’s smartphones, and he wants backdoors to make sure the FBI can get at the data on those devices. But this isn’t new; it’s a rehash of a similar battle of encryption fought in the 1990s around the “Clipper chip” that would have provided something similar to law enforcement. Old issues keep playing out in new contexts.

Are our laws up to the task of protecting citizens’ rights and equipping police to catch real bad guys? How would you change federal law in this area if you had a magic wand?

Many of these questions are actually not about “law” in the sense of having Congress pass a new bill but about police policy and court decisions. And still more are about a basic sense of proportionality—where is how I’d deploy my magic wand. I mean, does the mayor of Peoria, Ill., really need to involve the local cops when someone impersonates and mocks him on Twitter? And do the cops need to subpoena Comcast, Google, and Twitter for something this petty? And do they need to send a team of police to this kid’s door and search the whole house, haul a bunch of people down to the local police station for hours, and then bust an unrelated house member on marijuana charges, causing him to lose his job and face possible jail time? And do judges really need to sign off on this without asking some tough questions? (To add to the farce, the whole Twitter case was later dropped.)

The Internet is a phenomenal surveillance machine, but just because we can do something doesn’t always mean we should.

Illustration by J. Longo