Silencing cyber-slander

Best be sure your reputation isn't trashed online - because in SA, there's very little you can do about it.

By Lezette Engelbrecht, ITWeb online features editor
Johannesburg, 14 Sept 2011

In the business world, reputation is everything. All the money companies pour into marketing campaigns and CRM systems can be undone with a single bad word from a friend, fiend - or a complete stranger.

The Internet's reach means word-of-mouth can quickly spread across continents, damaging both corporate and personal brands in the time it takes to click 'send'. While increased openness can alert companies to problems and provide insight into what customers really think, it also has a downside; how do businesses protect themselves when slander comes from an untraceable e-mail account somewhere in cyber space?

This was the dilemma facing Renier Lategan, IT professional at the South African Medical Association, when insulting e-mails began making the rounds at work.

“It happened three times over the period of roughly one year. The first incident was aimed at certain staff members. It contained an abundance of bad-mouthing, finger-pointing, and just plain character defamation,” says Lategan.

The second incident occurred about three months ago, in the form of an e-mail containing similar insults and verbal attacks, but this time sent to board members and national councillors.

The third incident, about one month ago, contained not only the usual defamatory remarks but also blackmail, says Lategan. “We were warned that if we do not comply with certain demands, action would be taken and some of our data would be made publicly available. A list of e-mail addresses and contact numbers was attached to the e-mail. This e-mail was only sent to targeted staff members, but we were warned that it could be sent to all our members.”

After the initial e-mail, the IT team went about gathering information to try and pinpoint the sender, but soon hit a brick wall when it came to acquiring the personal details of the account-holder, explains Lategan.

The more a company tries to protect the information, the more exposure it gets.

Paul Jacobson, Jacobson Attorneys

“After the first incident, we searched all network data as well as log files that contained anything linked to the keywords in the e-mail and retrieved e-mail headers. We tried to get any information from the service provider which was linked to the IP address contained in the e-mail header. However, we couldn't get any information from the service provider unless we presented them with a subpoena.”

Trying to explain to South African police that you want to apply for a 205 subpoena, says Lategan, is a whole other ball game. A 205 subpoena refers to section 205 of the Criminal Procedure Act, which compels someone to disclose information or hand over documents relating to a suspected crime.

“The legal department set out on a quest to the police department to obtain a certain subpoena. They arrive at the police station and explain the situation but no one can assist them because nine times out of 10, they don't have a clue what you're talking about. Unless someone was killed or maimed during the incident, how on earth can we lay a charge against someone invisible that sent an e-mail to someone else?

“Not that I blame the police, I blame the system,” adds Lategan, noting that not all police departments are sufficiently trained in dealing with crimes like electronic fraud and espionage.

If the legal team fails to obtain a subpoena, then the IT department cannot go to Google with the necessary legal documents to get information such as account names and aliases, he explains.

“If the efforts at acquiring the subpoena fail, then the whole investigation is out the window and all the previous work and effort was done in vain. Why do you have to know someone at a police station in order to be able to file for a 205 subpoena?”

Web and digital media lawyer Paul Jacobson notes that while companies could potentially approach the court to get an order compelling Google to disclose the account-holder's details, they'd also have to give notice to the account-holder, to give them an opportunity to file a response.

This approach could do more harm than good, adds Jacobson, as the sender could try and change their details so as not to be traced, or the company could come under even more scrutiny. “The employer does have rights, but if they draw attention to the issue and the information goes public, it could result in further risks.

“It's like the Streisand Effect; the more a company tries to protect the information, the more exposure it gets.” The other complication is that there's no guarantee the details the person provided for the Google or Yahoo account are valid.

“Some companies bring in crisis management people because the legal approach isn't always the best first approach,” says Jacobson. “Ideally, you'd want both a crisis management team and a legal team working together on a strategy, so they can take into account the facts of the specific situation.”

Identity crisis

Danny Myburgh, MD of computer forensic lab Cyanre, says the anonymity offered by the Internet is a major problem in the security realm. “We probably get three to five e-mail cases a week where something similar happens, whether it's sexual harassment, personal threats, other forms of harassment or even threats of violence or extorting money.”

In cases of defamation, it all comes down to who says what to whom. “It creates huge problems in terms of tracing, because to get a subpoena 205, the action first needs to constitute a criminal offence,” says Myburgh.

“So if you just send an SMS to someone telling them how bad they are, it doesn't count as defamation because the message is just between the two of you. But as soon as the perpetrator sends it to others, it can damage your reputation.”

However, until someone actually lays out what they're going to do, it's difficult to investigate, says Myburgh. He notes that while there are ways to trace a person's IP address, there's a very thin line in terms of the right to access of information. “Without a court order it's a definite no-no, and very difficult to do.”

He adds that defamation cases aren't likely to be a high priority for police.

Lategan would like to see South African police stations made aware of potential electronic espionage investigations and what to do if someone wants to open a case like this. “They must be able to assist the public and inform them of what they will need. Not the other way around.”

Myburgh normally advises clients to secure the e-mail address, as they'll need it to prove their case in court. “Also look at the wording of the e-mail, and try to determine whether it could be someone inside or outside the organisation.”

In the case that the person's Gmail details aren't real, Myburgh says police can set a trap for the person, called a 'honey pot'. “You can reply to the e-mail saying something like 'we need more time to deal with the situation', or asking them for more information. Then you can track in real-time when they reply, and check the company's records to see who was accessing Gmail or Yahoo at the time when the message was sent.”

In most cases, says Myburgh, existing clients see Cyanre as their first port of call when something goes wrong. “Because we have a standing relationship, they come here instead of first going to the police. Sometimes, if they've got really a serious threat, we'll ask them about possible contingency plans should it get out to the media, or about protecting someone who is being physically threatened.”

In cases where they co-operate with police there's usually a very good success rate, depending on how persistent and serious the perpetrator is, says Myburgh. “We were involved with one case where it cost the client literally millions to manage the situation because the person reported falsehoods to important stakeholders. In the end, to clear its name, the company had to appoint audit firms to review its finances and prove there was no wrongdoing, all because someone spread a rumour.”

“If something like this is not addressed in SA particularly, I fear we will always have situations where people can abuse systems and the law and get away with it,” says Lategan.

Easy target

Another major cyber security threat on Myburgh's radar is spyware on mobiles. He says Cyanre installed spyware on test cellphones to see how effective it was. “It's really scary. If you take a photo with the cellphone, within five seconds you [the 'criminal'] will get a mail in your inbox. It even tells you the person's location.

“In the past, syndicates needed access to the computer, but nowadays with mobiles picking up they're focusing on the mobile environment more than the PC,” says Myburgh.

In companies where mobile phones are synched with computers, it's even riskier, as RVN numbers, log-ins and notifications are all sent to the cellphone and can be accessed in real-time, he adds.

“Online banking fraud has now gotten so sophisticated that syndicates can change the code of a program and tell it to keep reinstalling, while changing its name and fingerprint, so libraries of spyware programs can't keep up.”

In terms of EFT fraud, there are a few things companies can do, says Myburgh. “Access to financial records should be given to only one person, anti-virus needs to be updated and active, and there must be proper password control.”

He adds that most companies don't cover mobile devices in their security programmes, which is imperative if employees are allowed to access company data on their phone. The education of users is also pivotal. “You need to inform people what syndicates are doing and what to look out for.”

Catching up

In January, the Department of Communications (DOC) released the Draft Cyber Security Policy, which has yet to be finalised.

The policy acknowledges that SA doesn't have a coordinated approach in dealing with cyber security, and that greater collaboration between business, government and society is needed to address the problem holistically.

It includes plans for mechanisms such as Computer Security Incident Response Teams, which would be responsible for analysing, containing and dealing with cyber threats and information. It also aims to bridge the technology and legal divide, which it highlights as a “fundamental challenge”, to ensure legal provisions can effectively deal with emerging cyber security issues.

The draft policy also calls for the development of cyber security protocols and standards, which SA is lagging behind in globally, as well as the establishment of a National Cyber Security Advisory Council. This body would coordinate cyber security initiatives at various strategic and operational levels, advising the communications minister on policy, promoting public-private partnerships, and providing oversight. The DOC adds that the implementation of a cyber security policy goes beyond its mandate, and emphasises the need for collective efforts from all relevant government departments.

Tackling cyber crime was also outlined as one of the police department's strategic priorities in its Annual Performance Plan for 2010/2011. It says the department will focus on various “national priority crimes”, including commercial crime, cyber crime and corruption, as well as developing a cyber crime policy.

According to SAPS spokesperson McIntosh Polela, an Electronic Crime Unit (ECU) has been established to deal with instances of cyber crime, and falls within the Directorate for Priority Crime Investigation's commercial crime division.

The unit was officially introduced on 1 September, although it's been operational from 2004, says Polela. It has a broad mandate, including any unlawful activity relating to an electronic medium.

“The South African Police Service views the impact of cyber crime as a potential threat and has thus created a specialised capacity to deal with matters in relation to electronic crime,” he says.

At an Internet Security Group Africa chapter meeting last month, chairman Craig Rosewarne noted that over the past three years, more than R1 billion is estimated to have been lost in SA due to cyber crime. He added that the true extent of the situation in SA is uncertain, because no law or regulation forces companies to report cyber crimes. “If people aren't reporting cyber crime incidents, the problem is worse than we realise.”

He believes individuals or enterprises falling victim to cyber crime have largely had to deal with the matter themselves - something Lategan can attest to.

Polela advises companies to report matters to the commercial crime offices within the provinces, which will in turn liaise directly with the ECU. (See SAPS for more information on commercial crime units and contact details for the respective provincial heads).

While the ECU and forthcoming cyber security policy may make headway eventually, the fight against cyber crime is likely to be long and hard given the speedy advances in criminals' tools and methods. Add an overburdened justice system and limited training, and it could be years until businesses and individuals are able to put a stop to anonymous agents dragging their name through the mud.
