Sextortion and the going dark debate

This post originally appeared on the Lawfare blog.

One interesting feature of the sextortion research we released this week—a feature we did not discuss in the papers themselves—is the interaction between this issue and the “going dark” debate. We left this matter out of the papers themselves because the papers were about sextortion as a phenomenon and possible solutions to the problems it poses. But a relatively large group of cases involving both large numbers of text messages (sent by various means on different services) and huge volumes of stored communications and images offers an interesting set of opportunities to look at how “dark” law enforcement really is going.

The answer? At least in the cases we examined, I see no evidence of a problem so far. For reasons I will explain, however, this does not mean the FBI is blowing smoke. And the cases do point to a subtle but potentially serious problem down the road.

Let’s unpack this.

First off, the sample we studied is inherently biased, because the cases we looked at are those cases in which investigation was successful enough for some law enforcement agency to bring a criminal case. So it’s not going to include those cases in which the going dark problem would be most acute: Cases in which you can’t make an arrest because the perp admits nothing and his computer is encrypted, cases in which end-to-end encryption frustrates the ability to read chat logs reflecting horrible abuse, cases in which law enforcement agencies don’t even try to investigate because they suspect—rightly or wrongly—that the forensics may be too hard.

That caveat acknowledged, it would be intellectually dishonest of me not to note that in none of the 78 cases we included in our sample did going dark present a serious problem. This was, frankly, a surprise to me. I expected to see more “going dark” than we did. And while I don’t know whether the comparative brightness of the investigative landscape here is partly a function of selection bias in the cases, I do know there are a few other reasons for it, some of which themselves surprising.

The non-surprising reason is that nearly all of these cases developed because some victim came forward. When that happens, it perforce means that the investigating agency will have at least one phone or device reflecting the abuse; that is, it will have access to the communications consensually from one side of those communications. This is profoundly different from a terrorist case, where both sides of the communication are keen to protect it. And it’s different as well from a child porn ring where lots of perps are swapping data, all of whom want to protect that data. In this setting, even if the communications are encrypted, if one side gives you access to them, the going dark problem becomes a non-factor.

Another factor here that mitigates the “going dark” problem is that to prey on kids and young adults, you have to go where they are. And most of them aren’t consciously using end-to-end encrypted communications, at least not yet. So once one victim complains, law enforcement can approach the relevant service provider in an effort both to find out what the offending account’s other communications may have been and also to identify and locate the perp. When that happens, many service providers still have non-encrypted logs to provide.

There’s another—more surprising—reason going dark does not appear to be a problem in these cases: the perps tend to cooperate. You’d need to be a clinical psychologist to evaluate why they do this, but a rather large number of perps talk frankly to law enforcement about what they have been doing and even seem to consent to searches of their machines. This, for obvious reasons, ameliorates the encryption problem with respect to devices with full-device encryption.

There are cases, to be sure, in which the perpetrator does not just roll over, confess, and reveal all. But here another factor kicks in: Most perps are not taking the kinds of cybersecurity precautions you would think sextortionists would take to protect their material. Even some of the ones who boast to their victims that they are master hackers are, in fact, pretty lax in their own practices. So law enforcement sometimes finds Dropbox accounts and hard disks full of unencrypted sextorted material.

Again, I want to stress that the fact that these cases show no evidence of a problem does not mean there is not a problem. It could be that there are dozens or hundreds of unprosecuted cases where perps behaved more self-protectively in their interactions with law enforcement and in their basic cybersecurity hygiene—and that those perps are still walking free. That said, I feel obliged, as someone who has argued for taking the FBI’s going dark concerns seriously, to acknowledge that there is no case I reviewed in our sextortion research that jumped out at me as an example of the going dark problem impairing a major sextortion investigation.

The cases do, however, point to a more subtle problem I think we can expect to develop in the future as more and more perps are using devices and services in which material is encrypted by default—and as more and more service providers move towards default end-to-end encryption. While the kids may not be seeking out encryption, after all, encryption is seeking out the kids.

Here’s how I think the problem would develop and the way it could potentially impair these investigations in the future.

Imagine a world in which many more devices are encrypted and more text-messaging services are encrypted end-to-end as well. Now imagine a perp who does not confess all the moment an FBI agent shows up at his door.

That FBI agent already has in hand a complaint from one victim. And he has the cooperation of the service provider, who has given him a lot of material suggesting that this individual is the person on the other end of the criminal communication with that one complaining victim. But remember: sextortionists tend to be prolific repeat players. They routinely have dozens, sometimes even hundreds, of victims. Right now, our investigator has identified one victim and linked that victim to our perp. In nearly all of these cases I have seen, the forensics associated with the perp’s devices and accounts are key to identifying other victims. So if this person doesn’t talk and doesn’t grant access to his material, we may have no way of identifying the many other people our perpetrator may be victimizing.  

To some extent, metadata can help here: The service provider may still be able to tell you whom else the perpetrator has been in contact with. But let’s be blunt: These cases are all about the contents of communications. Indeed, the crime is the contents. Without the ability to access those contents for large numbers of victims, authorities could end up prosecuting only the one case, not looking at the perpetrator’s computer and identifying the universe of people he is hurting.

Are there such cases now? I suspect not, but I’m not sure. There are many cases in our sample in which you get the feeling there are many more victims than are showing up in the court papers. How much, if any, of that is driven by encryption is not apparent. But I think there would probably be visible signs that are not present if that’s what were happening.

I do think it’s reasonable to expect, and worry about, such cases in the future. They will, I suspect, have one or two tell-tale signs:

• The investigative affidavit will declare that investigators believe there are more victims but are only able to identify the complaining victim because the chat logs are encrypted and the perpetrator will not decrypt his computer; or
• The investigative affidavit will declare that additional victims were located and identified using metadata provided by the service providers and that the chat logs were provided by those other victims after their having been contacted by investigators who already suspected they might be targets of abuse.

This latter possibility might suggest a possibly-manageable work-around, but it would be a hugely labor-intensive work-around in cases involving large numbers of victims. Even sextortionists, after all, communicate with people other than their victims. So the FBI would spend a huge amount of time verifying that pizza delivery guys and other routine contacts were not being sextorted.

Here’s my bottom line on sextortion and going dark: I see no evidence—yet—that it is a serious problem in this area, and because victims are willing to share their communications with investigators, it may never become a debilitating problem in sextortion investigations. That said, we should expect both encryption of data at rest and default encryption of data in motion to inhibit the ability of investigators to identify non-complaining victims and build cases based on abuse of those people. That may be already happening, though our data does not show it. It certainly seems likely in the future given the common modalities of these cases and their investigation.

You can read the full report on sextortion here.