Occasionally there is a major intersection of several topics that are of interest to me, which makes that combination fascinating. Such is the case when true crime fanaticism, the law, ethical hacking, and cybersecurity meet in a collision known as vigilante hacking.
Crowdsourcing and Ethical Hacking to Support Law Enforcement
I am quite sure you are aware, at least from a distance, of the true crime craze in which podcasters, bloggers, and social media forums follow a specific case (usually unsolved and often a violent or victim-based crime) in hopes that crowdsourcing and collective interest will help bring justice for the victim. This is a very noble cause, and sometimes it has actually helped identify a valid suspect. However, without intelligence that is not known to the general public or obtainable through open sources, the quest for relevant information can often be misguided or worse (such as when an innocent person is defamed and shamed over the internet). This raises the question: is that all that can be done?
Before I get into specifics, it is important to lay the groundwork for the law in the matter. The general rule is that evidence obtained from a private search, illegal or not, is admissible as long as the searcher was not working as an agent of the government. In other words, evidence obtained by hacking into a prime suspect’s computer without probable cause at the direction of the FBI would not be admissible. So what are some real-world examples of hacker vigilantism that withstood the scrutiny of the court and resulted in a conviction?
- Planting Trojan viruses on images on websites to attract pedophiles. Once the files were opened, the hacker could access the user’s computer and monitor activities.
- Baiting an internet scammer into giving their credentials to the hacker, who in turn monitors, disrupts, and gathers evidence on the illegal behavior.
- Using fake online personas on the dark web to identify and shut down human traffickers.
Vigilante Joe Brings About Justice
Imagine the following scenario: Vigilante Joe is highly interested in an unsolved murder case and joins several user groups on social media. Through OSINT, the rabid amateur investigators identify a suspect and publicly refer to him in online discussions. Vigilante Joe then phishes the suspect and inserts malware into the suspect’s computer, allowing him to search it, where he finds images and what looks like digital stalking of the victim. Vigilante Joe looks further and locates online orders for a weapon that matches the one used in the murder. He then anonymously sends the information to law enforcement, who make the arrest. Sounds cool, right? Something out of the television series Mr. Robot? However, there are many pitfalls for all involved.
- Unless the suspect confesses, who forensically captures the evidence and establishes the chain of custody if the hacker remains anonymous?
- If the hacker is tracked down, then by the letter of the law he has still committed a crime, and any leniency shown could be a motivation for other vigilantes.
- If the evidence turns out to be false and Vigilante Joe’s identity is revealed, he and everyone else on the social media site could be liable for defamation and potentially charged criminally with doxing, if such a law exists in that jurisdiction.
Intrusive or Deceptive Acts Are Not OSINT
There are other scenarios where the above ethical and legal possibilities could come into play. A company could initiate a hack-back type of counteroffensive to find a perpetrator and turn them in. This is a hot area of cyber law now, where some jurisdictions are trying to come up with real guidance or policy. Then there are the hacktivist groups, like WikiLeaks and Anonymous, who by exposing wrongdoing may have uncovered criminal behavior. By all accounts, the evidence, while maybe not credible or preserved correctly, still could be admissible as part of the investigation of a criminal matter.
To be clear, things such as geolocating images on social media through highly sophisticated software, finding hidden metadata in various other media, and piecing together behaviors associated with a crime by scouring everything about a suspect on the internet or dark net are Open Source Intelligence gathering, which can be very productive and a genuine help to law enforcement. Be careful, however, of crossing that line into intrusive or deceptive acts that may make things worse, for both you and the people who are paid to seek and administer justice.