28 July 2016

Fraud prevention: tell me “where” this email came from

Online fraud is a major problem. Many of these frauds cross international borders. Criminals “over there” steal money from victims “over here”. But there’s a relatively simple change that email software and service providers could make that could have a significant impact on this type of fraud: let’s tell end users when an email was transmitted from a foreign mail server.

Last week, the UK Office of National Statistics released its first-ever estimates of fraud and computer crime. The numbers are sobering. In the 12-month period ending March 2016, the ONS estimates that 2 million computer crimes and 3.8 million frauds were perpetrated on victims in England and Wales. A staff member at ONS familiar with the survey expressed the (informal) view that approximately one half of these frauds were conducted using some form of online communication while the remainder used other methods such as telephone or traditional post.

The police face enormous challenges trying to enforce the law against criminals who commit fraud at a distance. Keeping in mind that more than 90% of these frauds produce a financial loss of less than £1,000 (67% produce losses of less than £100), there are limited circumstances in which a full investigation is practical.

Even when an official investigation can be justified, many of these investigations quickly encounter a barrier: an international border. Many fraud attempts directed to UK-resident victims originate from criminals who appear to be located outside of the UK.
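One way an email client or mail service could implement the proposal made above (flagging messages that arrived from a foreign mail server) is shown below. This is an added example, not code from the original post: it reads the Received headers, trusts only the hop written by our own mail server (every Received line below it was supplied by the sender and may be forged), and maps the IP of the host that connected to us onto a country. The host names, the sample messages and the small CIDR-to-country table are all constructed for the example; a real deployment would replace the table with a GeoIP database.

```python
"""Flag email handed to our mail server by a host outside the home country.

Added example. Assumptions: OUR_HOSTS are MTAs we operate; GEO_TABLE is a
constructed stand-in for a real GeoIP database; the sample messages are made up.
"""
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

OUR_HOSTS = {"mail.example.net"}        # MTAs we run; only their Received line is trusted
HOME_COUNTRY = "GB"

# Constructed geolocation table using documentation prefixes (countries are invented).
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "NL"),
    (ip_network("198.51.100.0/24"), "GB"),
    (ip_network("192.0.2.0/24"), "US"),
]

# Addresses that can never be a public peer. Python's is_private flag also covers the
# documentation prefixes used in the samples, so an explicit list is used instead.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                  "fc00::/7", "::1/128")]

# Constructed sample messages. Received headers are prepended by each hop, newest first.
SAMPLE_FOREIGN = """\
Received: from mx-out.example.com (mx-out.example.com [203.0.113.10])
    by mail.example.net with ESMTP id k7Q9aBc0; Thu, 28 Jul 2016 09:00:01 +0000
Received: from [10.0.0.5] (helo=laptop) by mx-out.example.com with ESMTPA;
    Thu, 28 Jul 2016 08:59:50 +0000
From: Alice <alice@example.com>
To: bob@example.net
Subject: Invoice attached

Please see attached.
"""

SAMPLE_DOMESTIC = """\
Received: from smtp.example.co.uk (smtp.example.co.uk [198.51.100.7])
    by mail.example.net with ESMTP id p2X4yZq1; Thu, 28 Jul 2016 10:15:00 +0000
From: carol@example.co.uk
To: bob@example.net
Subject: Lunch

Friday?
"""

# No Received line written by one of our own hosts: nothing can be vouched for.
SAMPLE_UNTRUSTED = """\
Received: from somewhere.example.org (somewhere.example.org [192.0.2.9])
    by relay.example.org with ESMTP id zz; Thu, 28 Jul 2016 11:00:00 +0000
From: dave@example.org
To: bob@example.net
Subject: Hello

Hi.
"""

_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
_BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def peer_ip(received):
    """Return the connecting peer's IP recorded in one Received header, or None."""
    m = _BRACKET_IP.search(received)
    if not m:
        return None
    try:
        return ip_address(m.group(1))
    except ValueError:
        return None


def trusted_entry_hop(raw_message, our_hosts=OUR_HOSTS):
    """IP of the host that handed the message to one of our own MTAs.

    The first Received header written by a host we operate is the outermost hop we
    can vouch for: our MTA saw that TCP peer itself. A forged "by <our host>" line
    injected by the sender sits below the genuine one and is never reached.
    """
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        m = _BY_HOST.search(received)
        if m and m.group(1).lower() in our_hosts:
            return peer_ip(received)
    return None


def country_of(ip, table=GEO_TABLE):
    """Country code for a public peer address, or None when unknown or internal."""
    if ip is None or any(ip in net for net in INTERNAL_NETS):
        return None
    for net, cc in table:
        if ip in net:
            return cc
    return None


def classify_origin(raw_message, home=HOME_COUNTRY):
    """Summarise where the message entered our infrastructure from."""
    ip = trusted_entry_hop(raw_message)
    cc = country_of(ip)
    return {"ip": str(ip) if ip else None, "country": cc,
            "foreign": cc is not None and cc != home}


def render_notice(result):
    """User-facing line; says 'unknown' rather than guessing when nothing is trusted."""
    if result["country"] is None:
        return "Origin mail server: unknown"
    flag = "FOREIGN" if result["foreign"] else "domestic"
    return f"Origin mail server: {result['country']} ({result['ip']}) - {flag}"


if __name__ == "__main__":
    for sample in (SAMPLE_FOREIGN, SAMPLE_DOMESTIC, SAMPLE_UNTRUSTED):
        print(render_notice(classify_origin(sample)))
```

The design choice that matters is where trust stops: only the Received line added by a server we control records a peer address that cannot have been written by the sender, so the notice is derived from that hop alone and says "unknown" rather than reporting a country taken from a deeper, unverifiable header.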

18 July 2016

US court reminds us that Internet borders matter

A US Court of Appeals in New York confirmed again last week that regular old physical borders drawn on maps by cartographers continue to apply to the Internet and cloud services.

The long-awaited decision in Microsoft vs United States (2d Cir, July 14, 2016, No. 14-2985) overturned a lower court decision to issue a warrant under US law that would have required the Microsoft Corporation (resident in the US) to produce emails stored on a server geo-located in Ireland.

The decision of the court ultimately turned on an interpretation of one part of the Stored Communications Act (18 USC 2703). The court concluded that when the US Congress drafted this part of the 1986 law empowering government bodies to compel disclosure of stored email using a “warrant”, it did not intend the “warrant” authority to include the ability to compel disclosure of data stored on servers located outside the United States.

Although the case prompts discussion of many issues, there is one aspect I find especially interesting at the outset.