Occasionally several topics that interest me overlap, and the combination is fascinating. That is the case when true crime fanaticism, the law, ethical hacking, and cybersecurity collide in what is known as vigilante hacking.
Crowdsourcing and Ethical Hacking in Support of Law Enforcement
I’m pretty sure you know, at least from a distance, the true crime craze in which podcasters, bloggers, and social media forums chase a particular case (usually unsolved, and often a violent crime or one with an identifiable victim) in the hope that crowdsourcing and collective interest will help find justice for the victim. This is a very noble thing, and at times it has even helped identify a valid suspect. However, without information that is unknown to the general public or unavailable through open sources, the search for relevant information can often be misdirected or worse (e.g., when an innocent person is defamed and shamed over the internet). This raises the question: is that all that can be done?
Before I go into detail, it is important to lay the legal foundations. As a general rule, evidence obtained from a private search, whether illegal or not, is admissible as long as the searcher was not acting as a government official. In other words, hacking into a prime suspect’s computer without probable cause at the direction of the FBI would not produce admissible evidence. So what are some real-world examples of vigilante hacking that stood up to court scrutiny and resulted in a conviction?
- Planting Trojan horse viruses on images on websites to attract pedophiles. Once the files were opened, the hacker was able to access the user’s computer and monitor the activities.
- Getting an internet fraudster to hand over his login credentials to the hacker, who in turn monitors and disrupts the illegal behavior and collects evidence.
- Using fake online personas on the dark web to identify and eliminate human traffickers.
Vigilante Joe brings justice
Imagine the following scenario: Vigilante Joe has a keen interest in an unsolved murder case and joins several user groups on social media. The rabid lay investigators use OSINT to identify a suspect and publicly name him in online discussions. Vigilante Joe then phishes the suspect and plants malware on the suspect’s computer so he can search it, where he finds pictures of the victim and evidence of digital stalking of the victim. Vigilante Joe keeps searching and finds online orders for a weapon that matches the one used in the murder. He then anonymously sends the information to law enforcement officers, who make the arrest. Sounds cool, right? Something from the TV series Mr. Robot? However, there are many pitfalls for everyone involved.
- Unless the suspect makes a confession, who will forensically capture the evidence and establish the chain of custody if the hacker remains anonymous?
- If the hacker is tracked down and dealt with according to the law, he has still committed a crime, and any sign of leniency could motivate other vigilante groups.
- If the evidence turns out to be false and Vigilante Joe’s identity is revealed, he and everyone else on the social media site could be held liable for defamation and possibly prosecuted for doxing, if such a law exists in that jurisdiction.
Intrusive or misleading acts are not OSINT
There are other scenarios where the ethical and legal issues above could come into play. A company could launch a hack-back counter-offensive to find and report a culprit. This is a hot area of cyber law right now, with some jurisdictions trying to come up with real guidance. Then there are hacktivist groups like WikiLeaks and Anonymous who, by exposing misconduct, may have exposed criminal behavior. It would appear that the evidence, although it may not have been handled credibly or correctly, may be admissible in the context of a criminal investigation.
To be clear, things like geolocating images on social media through sophisticated software, finding hidden metadata in various other media, and piecing together behavior related to a crime by searching everything about it on the internet or darknet are open source intelligence gathering that can be very productive and a real help to law enforcement. However, be careful not to cross the line into intrusive or fraudulent acts that can make things worse for you as well as for the people who are paid to seek and administer justice.