How fear of ‘jackbooted brownshirts’ complicates cyber risk management

Managing the risk posed by the “dark web” is made all the more difficult by some people’s mistrust of police, a former top Royal Canadian Mounted Police officer suggested Thursday.

“Cyber crime requires a different approach than just the preventative hardening of cyber security systems,” former RCMP Commissioner Bob Paulson told Payments Canada Summit attendees Thursday. He added cyber crime is “complicated” by several factors, including privacy concerns.

Internet users can easily conceal illegal activity from police in Canada, Paulson argued during his presentation, Framing an Approach to Cyber Crime, at the Payments Canada Summit.

On the so-called “dark web,” criminals can “transact pretty well anything,” including buying information that enables identity theft and trading in illicit drugs, Paulson noted. Managing general agent CFC Underwriting warned earlier the dark web is also used to trade ransomware (with which criminals encrypt victim’s files and demand money), a loss covered by some cyber insurance policies.

The Internet “is a neighbourhood that is artificial,” Paulson said Thursday during his Payments Canada Summit presentation. The dark web is like a neighbourhood where “if you want to wear a mask when you transact whatever you are transacting, please do,” Paulson said. “You are encouraged to have fake names. You can drive around in a car that has no licence plate. You can live in a house that has no address on a street that has no name.”

In the Canadian criminal justice system, police are supposed to be allowed to gather evidence if they establish “reasonable grounds,” Paulson noted. “That is really a challenge here in Canada because governments come up against this misplaced distrust of police,” he said.

In a 2014 ruling, R. v. Spencer, the Supreme Court of Canada ruled that Internet users have a “reasonable expectation” of privacy when it comes to the name and address associated with the Internet Protocol (IP) address of their computers. Matthew Spencer was convicted of possession of child pornography. A Saskatoon police sergeant used publicly available software to search the web for people sharing child pornography. The police officer got the name and address associated with an IP address from the Internet Service provider without a search warrant.

Ultimately the Supreme Court of Canada upheld Spencer’s conviction of possession of child pornography but rejected several of the crown attorney’s arguments. For one, the Supreme Court of Canada ruled that in obtaining Spencer’s name and address from his ISP, police conducted an unlawful search. The crown argued that one’s name and address is “largely innocuous” and is a fact known to other parties such as employers, schools and neighbours.

One challenge of criminal investigations is being able to match an IP address to a physical location, Paulson said Thursday during the Canadian Payment Summit, commenting in general and not on the Spencer ruling.

Canadians have “much more fear” of police than of private for-profit corporations, suggested Paulson. “It’s fascinating that (Facebook CEO) Mark Zuckerberg can say ‘Well maybe it is time that we look at regulating some aspects of the Internet,’” Paulson said. “But if you get a cop or an ex-cop to get up and say, ‘Hey, maybe we have to look a regulating some aspects of the Internet,’” you get ‘Shut up, you jackbooted brownshirt.'”