Extreme online risks

An article in the Guardian, and a more detailed story in PC Pro, give the background to Operation Ore. In this operation, hundreds (and possibly thousands) of innocent men were raided by the police on suspicion of downloading child pornography, when in fact they had simply been victims of credit card fraud. The police appear to have completely misunderstood the forensic evidence; once the light began to dawn, it seems that they closed ranks and covered up. These stories follow an earlier piece in PC Pro which first brought the problem to public attention in 2005.

Recently we were asked by the Lords Science and Technology Committee whether failures of online security caused real problems, or were exaggerated. While there is no doubt that many people talk up the threats, here is a real case in which online fraud has done much worse harm than simply emptying bank accounts. Having the police turn up at six in the morning, search your house, tell your wife that you’re a suspected pedophile, and with social workers in tow to interview your children, must be a horrific experience. Over thirty men have killed themselves. At least one appears to have been innocent. As this story develops, I believe it will come to be seen as the worst policing scandal in the UK for many years.

I remarked recently that it was a bad idea for the police to depend on the banks for expertise on card fraud, and to accept their money to fund such investigations as the banks wanted carried out. Although Home Office and DTI ministers say they’re happy with these arrangements, the tragic events of Operation Ore show that the police should not compromise their independence and their technical capability for short-term political or financial convenience. The results can simply be tragic.

24 thoughts on “Extreme online risks”

  1. On Saturday the story about the Tamil Tigers finally broke in the mainstream media. Anyway, here’s an interview I did with John Pienaar for Radio Five Live. If you search the BBC website for ‘card fraud petrol’ you can find dozens of articles going back years…

  2. A friend of a friend of mine was hit by the same ‘sting’ operation that the police did a couple of years ago. The injustice is simply unbelievable:

    The only evidence the police had was a single credit card transaction, and yet:

    He lost his job with a major electronics retailer, who didn’t believe in ‘innocent until proven guilty’.

    His wife (a teacher I believe) also lost her job and can basically never work again.

    Furthermore, the local paper took it upon themselves to report the story, and therefore the local community drove him out of his own home.

    When your entire life has been destroyed so the police can claim to be ‘getting results’, it is hardly surprising that many simply kill themselves.

  3. Asking the banks to provide information on fraud in their own system is fraught with problems. There may be people who know very well, but the vast majority of banking insiders are trained to parrot the corporate line. This is not helped by security models being kept secret, as it allows myths of security to grow within, unchecked.

    Also, their models are generally based on risk models, not security needs. The risks are always analysed to the benefit of the banks, and not the customers. A loss to the bank is totally acceptable because they already built in the coverage, and can pay for it; that same loss to the user can cause hundreds of hours of loss, or worse, and that is not covered in the risk model.

    The continental banks seem much better at this.

  4. The Register has a description of the new Barclays PINsentry. Do I correctly understand that the same class of eight digit code is used for an initial login and to authorize a new third party? So all the man-in-the-middle has to do is simulate a dropped session and request a new login?

  5. I would like to send you some links to publications about my criminal
    case. I was forced to confess to the
    possession of internet digital pictures of porn in deleted clusters of
    my computer hard drive. My browser was hijacked while I was browsing
    the web. I was redirected to illegal sites against my will. Some
    illegal pictures were found on my hard drive, recovering in
    unallocated clusters, without dates of file creation/download.

    I do not know how courts can widely press these charges on people to
    convict them, while the whole Internet is a mess.

    This is my story in inquisition21.com. There is all
    information about case written by Irish writer Brian
    Rothery. You can see a lot of violations of law by police

    http://www.inquisition21.com/article~view~7~page_num~3.html

    This is publication in Wired news

    http://www.wired.com/news/infostructure/0,1377,63391,00.html

    This is publication in The Register

    http://www.theregister.co.uk/2004/05/13/browser_hijacking_risks/

    Article in Globe and Mail newspaper
    http://ctv.globetechnology.com/servlet/story/RTGAM.20040617.gttwhijac17/tech/Technology/techBN/ctv-technology

    Article in ZDnet
    http://zdnet.com.com/2100-1105_2-5344831.html

    This is article in Washington Times, May 22, 2004
    There is information about my case.

    http://www.cato.org/cgi-bin/scripts/printtech.cgi/dailys/05-30-04.html

    Article in Crime research center:

    http://www.crime-research.org/news/07.22.2004/506/

    Article in Dallas, TX Newspaper

    http://www.crime-research.org/news/24.12.2004/862/

    Child porn law was declared unconstitutional in Hennepin County, Minnesota, USA
    http://xbiz.com/news_piece.php?id=11750

    “I came here to the US as political refugee from the former Soviet
    Union, and, now like many other people in the US, I feel shame that
    all of this can happen in the US – supposed to be the greatest
    democracy in the world.”

  6. Question: When the police in the UK get caught covering up misdeeds, destroying evidence, lying, etc., do they get punished? In the US, it seems like this sort of thing sometimes costs a policeman his job, but almost never leads to prosecution, and often has no consequences at all.

  7. What do you do if you can prove that it was all a lie but after the fact? And your life was destroyed in the process? I know because I am an Ore wife.

    TC

  8. What do you do? Consider the following options:

    (1) You sit on your butt and feel miserable

    (2) the Braveheart option. You visit the evildoers and indulge in some antisocial behaviour

    (3) You tell everyone you know. You talk to journalists. You organise. You demonstrate. You go to the IPCC and the CCRC. You talk to MPs; you lobby for the current Science and Technology Committee hearings (which were only marginally relevant) to be followed by Home Affairs Committee hearings. You organise a mass lobby of Gordon Brown in his constituency; ditto David Cameron, demanding the resignation of Lord Goldsmith for withholding evidence contrary to law. You write to all the law lords on that topic. You bring a European law case. You do secondary targeting – for example against the banks and the FSA for lying about card fraud, and the Daily Mail’s advertisers. You get together with the hundreds of other victims and you do hundreds of things like that. Most of them won’t work but eventually one will catch the public eye and your campaign will motor.

    Now tell me – which of these strategies do you think will worry the perpetrators the most?

    The Governor of California may have conditioned you to think of option 2. But come off it – when it comes to dealing with corrupt cops, the tool to use isn’t a claymore. It’s sunlight. The war you have to fight is an information war.

    The choice isn’t between ‘dying on your feet and living on your knees’. The third option is to win – to get the hundreds of miscarriages of justice overturned, and to get the responsible senior policemen and prosecutors tried and imprisoned. It’s to get Operation Ore remembered as the worst UK police disaster of recent years – and the second most catastrophic failure of Blair’s premiership after the Iraq war. That’s Duncan’s campaign. Do you support it?

  9. Despite the claims of the author, the article in the Guardian does not give the background to Operation Ore! Neither does the article in PC Pro.

    The article in the Guardian appears to me to be a largely fictional piece of work written by a journalist who is clearly more concerned with selling a story than reporting any facts (it’s just the press, people, they can write what they like). Is it me, or didn’t Pete Townshend admit to buying access to a website containing child porn? How does that fit in?

    The short piece written by Ross Anderson appears to me to be just an attempt to say something shocking, rather than present any sort of informed opinion. He hasn’t even done his own research. “the worst policing scandal”, based on what? A five minute read of the Guardian, how informed is that?

  10. Well, ‘Jim’, you appear to have sent that email from someone else’s IP address. Are you by chance an employee of SOCA engaged in their campaign of disinformation against people who raise the Ore issue? I thought it was disgraceful that SOCA’s PR flacks smeared the http://www.ore-exposed.co.uk website as a ‘pedophile’ site. That’s not how I expect my tax money to be spent. If you are a cop or a civil servant, ‘Jim’, you should maybe read the Computer Misuse Act.

    As it happens I’ve advised on Ore cases more than once, providing expertise on card fraud – which was so blatant that in my view the police and their experts were grossly negligent in not seeing it. Now we are seeing a series of acquittals, and of civil actions for damages brought against Chief Constables. Press interest is growing. The IPCC are involved and the CCRC will be. The law will take its course. If you think you can stop that by anonymous blog posts, you’ve just lost it.

  11. If “Jim” would like to point out which parts of the Guardian article are “fiction” I’d be very interested to hear it.

    Yes, Jim, it *is* you on the detail about Pete Townshend. He didn’t buy access to a child porn site. He has written at length on his own site about what did transpire; I suggest you take a look.

    Case for Ross to publish the IP address for Jim, surely. Shine some more light on everything around this case.

  12. Ross,

    There is a fourth option, which can be more effective than three and almost as satisfying as two,

    The Police like most people paid from the public purse have a herd instinct (“canteen mentality” or “for us or against us” attitudes) that makes them clump together for self protection and view the rest of the world as being full of “scrotes”.

    When an individual is split out from the herd the herd generally turns against them (for its own protection) effectively “throwing them to the wolves”.

    What choice does that cast out and isolated individual have when they no longer have herd protection?

    In some very very rare cases they consider killing themselves, in others they turn against the herd and spill their guts to pass the blame back onto their ex-superiors. The result is often that a lot of interesting information comes out that has otherwise been kept from public view.

    Therefore option four,

    Find a person within Ore who is vulnerable (ie you can hang something on), then with single minded determination attack them with every legal manoeuvre you can, until the herd either turns on them or (unlikely) admits its wrongs.

    [I know of one person who Ore cast their eye on who had two advantages, the first they could prove they were on an aircraft when their credit card details were used. Secondly they were pointed at legal representation who went for individual police officers’ throats. As was pointed out to me by the person concerned the police were quite happy to ignore the fact that he was on an aircraft and indicated that they were going to tell everybody they could that he was a “nonce” unless he immediately confessed. It was only when individual police officers and their superiors became the recipients of the first stages of legal action that they suddenly “saw the light” and dropped their activities against him.]

    If several people do it then the rest of the herd will start to worry about when it will be their turn to be “thrown to the wolves” the result is that the herd will fairly quickly and often publicly become so dysfunctional that information will start to leak very publicly and the “boil” will effectively burst under the pressure of trying to keep it covered up.

    In other cases the resulting publicity will force their political masters to act, in which case you press on with your option three (not that Mr John Reid who has a very public reputation for thuggish mentality is likely to back down).

    So if the Police have ignored credible evidence that individuals are innocent and have under oath denied such evidence then there is a high probability that they have committed perjury and people should press for prosecution of the individuals concerned.

    It was pointed out to me at an early age that “respect has to be earned and once lost no amount of gold will buy it back”, also that the life of innocent individuals is too high a price to be paid by any acceptable society which is the primary reason we no longer have capital punishment.

    Therefore there must be proper atonement from those responsible right up to and including the biblical “eye for an eye” and it needs to be paid by those in charge to act as a lesson to all others who think that their position is too senior to take responsibility or blame (unlike the current climate where failure is rewarded with promotion).

  13. Britain: Hate it and leave it. We don’t have to put up with this type of witchhunt in Japan.

  14. Clive, I was that person on the aeroplane at the time someone subscribed me to Landslide.
    I have gone public via my local paper, ITV’s Tonight with Trevor MacDonald, Sky News and BBC Radio 4.
    However, the mental anguish caused by the false allegations and the emotive subject matter causes many people to withdraw from the public spotlight. The opposite should be the case.
    My wife and I have been struggling with this for 3 years now.
    It is my intention to expose this witch-hunt, or be killed trying – and I am not a “David Kelly”.
    I would rather live one day as a lion than a lifetime as a sheep.
    Andrew, I have chosen to live in South Africa. I won’t live in a Britain ruled by Brown – but that is my choice, and it may cost me my marriage.
    But why should I be forced to leave the Country of my birth? The answer is I should not. So I will fight the unbeatable foe until I consider justice is done.
    And if any Police Officer, SOCA Agent, CPS Manager or Prosecution Expert witness wants to meet and speak to me about the plans I have for them, they all know where I live. Andover in Hampshire or Durbanville, Cape Town, South Africa. I welcome any contact. But they cannot expect to get away with this and live fat and happy on their pensions, at our expense.
    I can be reached on 07967109545 or via scbunce@gmail.com and I would be interested in any comments you all have.
    Regards
    Simon Bunce

  15. Good news coverage today in the Standard and on the BBC, announcing a programme at 8 tonight on Radio 4. It’s interesting to see the police repeat a claim made to a Lords Select Committee on 10th January by Jim Gamble, the head of Operation Ore, that no-one was prosecuted who was simply a victim of credit card fraud. That is simply untrue and I look forward to reading the Committee’s findings in due course.

  16. More on the BBC website after the programme. The programme raised for the first time the issue that a significant number of innocent people accepted a caution and went on the sex offenders’ register, rather than face a trial that would severely stigmatise them and their families, and which their lawyers advised them they’d lose (as evidence vital to the defence was for years withheld by the police and the CPS). Our plea-bargaining system is just broken when it comes to crimes like this.

  17. More in The Register. If out of about 7000 suspects 4000 were raided and 2000 convicted, that makes about 2000 innocent people who were put through the mill reported by Simon Bunce – which could have been prevented had the police forensic people been even remotely competent and understood the signs of credit card fraud at the start. If of the 2000 who were convicted, 600 accepted cautions on legal advice because defence evidence was withheld, and say 400 were innocent (as more than half the transactions I’ve seen were fraudulent), that’s a scandal for which both senior policemen and senior prosecutors should go to jail.

    Hopefully with the end of the Blair era we will see less media-driven policing – and we’ll see evidence-based policy rather than policy-based evidence.

  18. It is I’m afraid rather worse than you suggest.

    As well as the evident CC fraud, the police and CPS persisted until very recently in using an evidence pack distributed by Jim Gamble’s NCIS unit. The centrepiece of this evidence was a banner proclaiming ‘Click here for Child porn’ which it was claimed had been the entry route in to the Landslide Keyz sites, all of which contained child pornography. Duncan Campbell in his original PCPro article has shown this, not only to be false, but that the US police had done a cut and paste job on the banner to make it appear much more prominent than on the original page.

    The truth was very, very different. Only 12 of the 300+ (Jim Bates says over 1000) Landslide Keyz sites had been proven to contain child pornography. The contents of the remainder were guessed at by the police and a later NCIS internal review confirmed that at worst only a 100 or so of the sites were likely to contain illegal images on the basis of site name or banner ads etc. Although many of the Keyz sites were fraudulent, there were a couple of very popular legal adult porn sites. One of these, though suspiciously called “Lolitasex” contained only verifiably adult porn – the police never checked and assumed that this contained child pornography. I would guess that this accounted for quite a number of legitimate sign-ups to Keyz sites.

    In fact almost none of those accused would ever have seen the ‘Click here banner’, even those who HAD purchased child pornography. It was not on the main Landslide site as claimed and at the bottom of a long page connected with the Landslide AVS gold service, nothing whatever to do with Keyz.

    This misinformation was given to local forces, solicitors, CPS, social services, professional bodies like the GMC (to assess risk to kids) all prior to trial. It was repeated very publicly by Jim Gamble and others and in high profile documentaries.

    This would have a very profound effect on anyone facing these accusations and their legal advisors. The police denied any possibility of CC fraud, claimed that signing up to a Keyz site, meant definitely signing up to child pornography and they could show the jury the exact mechanism ‘Click here for Child porn’ to demonstrate that the accused knew exactly what he was getting. Each one of these statements was false, but it was made to all of the agencies noted above, with obvious consequences.

    Worse still if the police found a few illegal thumbnails, banners or pop-ups that might have appeared on your system due to an injudicious click, pop-up activity or bulk newsgroup downloading, and coupled with the supposedly watertight Landslide evidence, they appeared to have an unimpeachable case. Jim Gamble appeared on TV and radio to claim that ‘you cannot get these images by accident’ – strange then that the IWF seems to get tens of thousands of such reports every year from members of the public who claim to have done so.

    I suspect that within the numbers of those convicted, there are substantial numbers who had a handful of images on their PCs and whilst they may in Gamble’s terms be guilty of an offence are actually victims of a very badly applied law (having not knowingly sought out indecent images), which, at least in the context of Ore has caused far, far more harm to children than it has saved.

    On that note it might be worth further enquiry as to how only 109 children were saved, when the Met’s own pre-Ore pickup rates of actual abuse in child porn investigations were double that, and the NCIS prediction was that 33% of those arrested would be actual abusers – the actual figure in Ore was 3%. This can only be an estimate because NCIS claimed not to know the figures when asked in an FOI, although Gamble had loudly claimed on Radio 4 just weeks before, that “we know who they all are”.

    There should, according to NCIS at the outset, have been thousands saved and nearly 2000 accused of hands-on abuse. By their own standards or even by those of previous investigations, Ore was a child protection disaster, hopelessly mis-targeted and tying up valuable technical and social work personnel for very long periods, never mind the disasters visited upon many innocent families.

    And now, just around the corner we have the same people agitating to include violent pornography and cartoon pornography within their ‘successful’ remit….

    Lessons have not been learned.

  19. I listened to the Radio 4 broadcast with astonishment and I’m completely amazed, but somehow cynically not surprised, that the police may have got it so wrong which resulted in 39 unnecessary deaths especially that of Commander White. And what angers me even more were the comments from Jim Gamble. However, now that the full Landslide data base is available what does this mean for those who were wrongly accused, will they be expecting another 6am wake-up call because the police can trace their IP address etc etc?

    Whilst paedophilia is a truly abhorrent behaviour for the untold damage it does to young, impressionable lives I feel some sympathy to those wretched individuals who have had to experience injustice at its very best not only from the nations police forces but from society as well. To those who did it well (colourful language follows)

  20. Ross,

    The real scary part is the last paragraph that says,

    “The forum will allow a company that believes a particular credit card is being used fraudulently to enter its details into a secure website. Other companies that sign up for the service will be able to view the entries and ensure that the same card and personal details are not used to buy their products or services”

    So any old idiot could enter your CC details and then you would get refused credit without reason or cause, and more than likely it would take you a very long time to find out why….

  21. Those resident in the UK might like to watch BBC1 at 21:00 (9pm “in old money”).

    It is about ID theft and Simon Bunce’s case will be discussed.

  22. Simon Bunce was cleared in September 2004 so why is the impression given that he is fighting to clear his name in 2007?
