As of 9th May 2021, this title is no longer available in paperback or e-book.
The book, updated, is now available as an e-learning course at www.financialcrimeriskandcompliancetraining.com
Published 27 October 2015
About this title
The internet is not a thing, it is not a place, it is not a person.
The internet, of itself, does nothing. It performs no function.
The internet does not form intent. It has no conscience.
The internet is like the pipes in a domestic plumbing system.
The plumbing system allows the delivery of water to terminal points: taps, showers and toilets.
The internet allows the delivery of instructions and information to terminal points – computers.
Activity that appears to happen “on the internet” actually happens on those computers.
Computers do nothing unless they are instructed to do something. Like a tap doesn’t turn itself on, a computer does nothing without instructions from a human.
For too long we have talked about regulating “the internet.”
The internet is the wrong target. To combat crime committed using the medium of the internet, we must regulate the people.
We know from wider criminal behaviour that a significant amount of crime is committed for profit.
Criminals who commit e.g. fraud over the internet cannot do so in isolation. The internet is not a thing but it is an eco-system. And around those criminals there are a host of seemingly honest businesses all willing to take a share of the criminals’ profits in return for providing a range of services.
Cleaning up the internet identifies them and shows how they can be recruited in the battle against crime, some of which is committed on-line.
The internet is part of the fabric of society and with demonstrable capacity to be misused by a wide range of criminals from fraudsters and extortionists, to those who hack devices to change their behaviour and as a tool in the armoury of terrorists. A root and branch review and a fundamental change of ethos is the only way to protect society at large from the actions of an increasing number of people who commit crime for profit, for ideological reasons or just because they can. And we also need to look at who profits from the use of the internet by those criminals. We have make them accountable for their business practices, as we have done across the financial sector.
In 1999, I published a paper called “The Use and Abuse of The Internet in Fraud and Money Laundering.”* It received wide acceptance among the academic community and government departments but, as it appeared only in an academic journal, was not widely read in the financial sector. Recently, a number of the issues I raised have come back to the fore. As I considered them afresh, I realised that I had done much of the work before. 15 years before.
Cleaning Up the ‘Net” started as a problem for which I needed a solution, became a pitch for an article and then turned into a book. The book became an action plan for a global strategy which can be implemented only by co-operation between governments.
We know that the internet provides, simply because of its scale, ideal opportunities for criminals to use social networks such as Facebook, twitter and Google+, free and anonymous e-mail accounts such as Yahoo! and even mobile messaging like Blackberry Messaging (BBM) and WhatsApp as command and control networks as well as recruiting tools and for the dissemination of propaganda.
The internet is a place full of dark and dangerous places. Attempts at regulating the internet have focussed on limited applications, nibbling around the edges. Nigel Morris-Cotterill says this is not the correct solution. The correct solutions will revolutionise the internet, will make access more difficult and more expensive and will reduce the number of players. It will make those remaining players more responsible. It will take courage and political will and a global initiative. If that sounds improbable, it’s been done before. The mistakes of the previous application can be avoided and the ‘net can be cleaned up very quickly and at little or no cost to governments.
There will be pressure groups, special interest groups and commercial enterprises who complain, who say that this will have an unnecessarily restrictive impact on “rights.”
You choose: regulation or anarchy, safety or harm?
We’ve done it before. Are we brave enough to require our governments to do it again?
© 2015 Nigel Morris-Cotterill
All rights reserved
Executive Summary 14
The Problem 14
The Technology 15
The solution 15
The methods 15
The results 16
Nigel Morris-Cotterill 17
1999 – when the internet was young. 19
Apparently legitimate businesses benefit from the criminal activities of their customers. And governments help. 22
Why internet crime and real world crime should be treated as the same thing. 23
Reform must include immediate suspension of suspicious websites. 25
We’ve been doing it all wrong. But we know how to do it right. 26
When criminals disappear, they still leave ripples. We already know how to interpret those ripples. 29
Author’s note 31
The Use and Abuse of the Internet in Fraud and Money Laundering (1999) 33
The Internet. A feat of technology – but little more revolutionary than the ball-point pen. 34
Is regulation of the Internet desirable? 36
In cyberspace, everybody knows your name but no one knows who you are 37
“It must be true, it’s on the computer” 40
Internet fraud is easy 40
A vehicle for the rapid dissemination of information. 46
Encryption is one of the battlegrounds when regulation of the internet is considered. 47
Liability of ISPs for content of websites and mail 49
The internet: opportunities for money laundering 52
The internet and transfer pricing 56
Electronic cash 57
Note: 2015. 59
The Problem 61
Crime is crime is crime, regardless of the means used to commit it. 62
Codification and the Rule of Lenity 63
Laws to stop spam actively facilitate spam. That must change. 64
Drafting laws to outlaw fraud is simple. Governments don’t want to do it, or they don’t want to apply existing laws to the internet. 68
Some laws actively facilitate breaches of intellectual property rights. That must change. 69
US style republication laws protect blackmailers, bullies and extortionists. This must change. 70
Is republishing a libel a libel? 94
Spreading crime by stealth. 113
CASE STUDY: Ransomware 113
The Technology 123
Where in the world is my data? 124
Virtually virtual: the internet is not a thing. 132
Proxy Servers and Relays 136
Data “packets” 143
Internet Protocols 144
IPv6: fun with numbers 149
“Reverse Proxy Servers” 151
The proliferation of top level domains 165
Domicile of Domains and Registrants 170
Click Fraud 185
CASE STUDY: THE TOR PROJECT – the case for individual privacy 187
The Dark Side 191
How TOR supports the hidden web. 192
Rogues Gallery 198
The World’s Worst Spam Producing Countries 198
The World’s Worst ISPs 199
The World’s Worst Spammers 200
The Top 50 comment spammers 200
Should we ban encryption? 202
More on copying of content. 205
The solution 209
The Method 217
What is the The Internet Action Task Force? 219
Who should be represented on the IATF? 225
Funding the IATF 228
Legal Force of IATF 229
The result 241
Action Plan – Scratchpad 247
The Internet Action Task Force 259
DRAFT 20 Recommendations April 2015 259
1. Adoption and compliance 261
2. National Domain Name Registries 262
3. Top Level Domains 264
Jurisdictional TLDs and non-Jurisdictional TLDs 264
.com and .net TLDs 265
.org TLDs 267
.mil, .edu, .gov 268
Basic information required for purchase of a domain 270
Address for service of notices relating to hosted domains. 271
Legal Residence 272
Required Sub-subjurisdictions 273
Retention of Documents 273
4. Property in Domain Names 274
Misleading or fraudulent domain names 275
6. Access to Registration Information. 276
7. Transfer of domain information including e-mail addresses 276
8. Free and anonymous e-mail services. 277
9. Commercial e-mail. 279
10. Adoption of IPv6 and implementation 281
11. Fraudulent conduct and harmful materials 282
12. Authorised access to computers and networks. 286
13. Intellectual Property 289
14. Website owners as publishers. 292
15. Providers of hosting, VPN, redirection and cloud services, etc. and approved persons. 296
16. Action against promoters of and participants in terrorism. 299
17. Communications services other than e-mail and applications for mobile devices. 301
18. Cookies and user data 304
19. Internet Service Providers and money laundering and support for terrorism. 305
20. Internet client software 307
20. Domain refusal, revocation, cancellation and suspension. 310
21. IATF Voting Procedure. 312
22 Data Protection and transfer of data between countries 314
23. Sanctions for non-compliance 315
Case Study 317
SELF HELP 318
1. Disallow ALL html in e-mails. 319
2. Hide your logo. 322
3. Don’t get added to spam-lists. 332
CASE STUDY: Removing an illegal copy of copyright material. 335
Some brief notes on relevant EU law and how it both helps and hinders the Action Plan 347
Q. You’re a lawyer and a specialist in counter-money laundering strategies. What do you know about the internet and computers?
A. Technically, yes, I’m still an English solicitor but I have to add the suffix “Non Practising” if I put my profession on anything so generally I don’t bother. It’s a bit strange, really, because it’s a post graduate qualification that doesn’t get the kudos of, say, an MBA. I left full time practice of law shortly after the UK introduced its counter-money laundering laws because at that time companies would buy consultancy from any Tom, Dick or accounting firm but not from lawyers. So a separate consultancy was the only way to develop the business.
I was already heavily into technology, so much so that I was recruited by several legal magazines and newspapers to write about technology in law offices. Because of that, I also got to write for some magazines aimed at a much wider market. It was exciting times: technology was new: we were still using 5.25 inch floppy disks, PCs rarely had a hard drive. In 1986, I launched my own firm with technology as a major part of the concept. We were so advanced that when we bought a fax machine in 1986, the local law society had only recently held a meeting to decide “whether to go on the fax.” That phrase alone demonstrated how low the comprehension of even simple technology was. When I launched my own firm that year, we not only had a computerised centralised accounting, time recording and record keeping but centralised case management. We had a 10 megabyte hard disk but it was SCSI, real cutting edge stuff. The entire office ran on a Motorola 86000 chip, the same as my son had in his Commodore home computer / games console. To double the hard disk size, to just 20MB cost GBP750.
In theory, there was an internet but in truth it was little more than a collection of bulletin boards – and we had to dial up at, I think, 14.4kbps. The WWW was still some distance off. And although there were some private messaging systems, they didn’t talk to each other. As things started to move, I started to become more interested in how the technology would improve not only efficiency but also reduce the opportunity for mistakes.
It was not my first foray into computing – in the early 1980s, I had bought a Sinclair Spectrum. Programmes and data were stored on audio cassettes and mine was the flashy version with 128kb RAM. I programmed it to produce draft divorce petitions from boilerplate templates that I developed and stored on the cassettes. Later, before the advent of PowerPoint, I used an early PC clone, made by Amstrad, to write a program to display a slide-show that we used at exhibitions and conferences. And I worked with our office systems supplier to rewrite their software to more accurately represent the way a solicitors’ office worked, in an early demonstration that it’s best to fit the technology around the task than to fit the task around the technology: the company was very happy because in a highly competitive market where the need for technology far outstripped demand, they sold more than 200 installations of the new program suite.
I got internet at home before trying to use it for work and eventually used it to develop World Money Laundering Report – long before the term “New Media” was in vogue, we were an electronic publishing business, now our publishing arm, Vortex Centrum Limited is one of the world’s longest established e-publishing businesses. Not bad for something I started in my garden shed. We had, before that, launched our first web presence for the consultancy company.
That, I have to say, was a series of object lessons in how not to design a website: at the time, desktop publishing was all the rage but no one was doing web design so it was very much DIY. The early ones were truly horrible and taught me the importance of the expression “just because you can doesn’t mean you should.” These days, that mantra should be driven into the brains of TV producers who insist on silly noises, pop up banners and over-loud background music and distracting laughter tracks. I quickly learned the value of white space.
As the World Wide Web began to gain traction, it offered me the chance to do research into things I would not otherwise have even heard of. I didn’t need to spend many hours reading a wide variety of trade magazines to find out what the world’s banks were up to: it was there, on a screen in my shed. So when I was writing “How not to be a money launderer” in 1996, I was able to read about all kinds of developments – and to think through the risks that they presented. If anyone else was doing that, from a financial crime perspective, at the time, I never heard of them or their work.
In 1999, I was invited to present a paper to an academic conference in York. It was so well received that I received an invitation to present a development of the paper at a university conference in Kuala Lumpur.
That 1999 paper is reproduced in this book. Today, it’s surprising to me how advanced the thinking was, given that we were all taking our first faltering steps into a new world. What is also surprising is that I identified many risks and proposed responses and both of those are valid now that the world has caught up with my expectations.
So, a long answer to a short question: it’s all been interconnected over a period of more than 20 years, looking at the issues from several different perspectives. Most people have a narrow interest and approach the issues from their own standpoint. I’m able to see how all the issues tie together, kind of like a one-man committee. Am I technologist? No. Because how the internet does what the internet does is not actually very important. It’s a tool and like all technology, if it gets the correct instructions, it will do as it’s told.
Q. You’ve applied some of your experience in counter-money laundering, etc. strategies to this topic. Would you care to explain that?
A This time it’s a short answer. In relation to financial crime, a group of nations created The Financial Action Task Force. We can learn a lot of lessons from their successes and failures. I recommend the creation of The Internet Action Task Force – nothing original there – but which, from the outset, adopts powers that the FATF has never had and, although I’ve used, simply for purposes of familiarity, their term “Recommendations” in fact they are mandatory principles and instructions.
Q. Will it work?
A. No, at least not in the very strict and brutal form I have laid it out. But some of the ideas are very workable – for example using counter-money laundering laws to enforce compliance with laws that internet users routinely break. There are many provisions that are completely workable – but will require political will and in countries where politics is beholden to donations from tech companies, it will take courage to stand up to them.
Q. Was this a difficult book to write?
A. Only in the sense that it’s an extraordinarily fast moving field and some of the things I suggested in the first draft are already happening, in some form or another, although some implementation is, to be frank, a bit half-hearted. It seems as if there is a reluctance to implement proper procedures in one go and so we are drifting in, bit by bit.
Q. The book was originally slated for release in November 2014. Then a series of other deadlines went by. What happened?
A. Nothing to do with the work or the book. We had some distracting family stuff in the UK and so I was flitting back and forth, indeed am still doing so. Writing is a solitary pursuit requiring long unbroken blocks of time. I just wasn’t getting enough of them and so I was in danger of having a book that lost its continuity because I had to reload it into my brain every few weeks. And I wrote a couple of other things in the meantime.
Q. Your writing style is very informal. Is that deliberate?
A. I can write pompous, priggish, academic stuff and I can write in legalese, but at the end of the day what matters is that people understand and retain what they read. If they have to struggle with the language or the structure, they pay more attention to that than to the message. Most of my readers aren’t academics and they are not lawyers. I’m not impressed by someone who tries to make others feel inadequate or isolated by the use of complex language. So far as I’m concerned, the greatest measure of intelligence is taking complicated stuff and putting it in a way that everyone can understand. I guess that was at the heart of legal practice for me, both in an advisory capacity and as an advocate. And it’s been how I approach financial crime risk management.
Q. You’ve written several other books. Are there any more in the offing?
A. Not at present. The book on Da’Esh / ISIS was a sudden idea based on current affairs and the one on dealing with death came about by accident. Cleaning up the ‘Net has had a long gestation period and I think I’m done for the time being.
Q. So no seminars on this, then?
A. No, I don’t think it’s suitable for seminars. But it’s good conference material, discussion points for TV and radio and for speaking at corporate and industry events. And I guess that some publications will want to produce extracts or have me write about the subject. Of course, I have a raft of subjects that are suitable for seminars when companies want to book me. [laughs] We wait with bated breath, as Billy Connolly said in the excellent “Still Crazy.”
Q. You live in Malaysia but you work out of the UK. How does that work?
A. When I was a young child, in the 1960s, I used to have philosophical conversations with our milkman: you might laugh but he was an erudite man who had simplified his work life and dropped out of the rat race. I recall one discussion where we were talking about working and I said “One day, I’ll be able to work from a mountain top but work all over the world.” Essentially, that’s what I do, although my particular mountain is a skyline apartment in the heart of Kuala Lumpur’s financial district. Malaysia is a great place to live and I’m very happy here, so although we no longer have any commercial interests in Malaysia, I’m settled and at home.
© Nigel Morris-Cotterill
All rights reserved
First published 2015