Monday, April 6, 2015

Coming Home to Roost

I was reading with great interest the sentencing phase of the trial of the “revenge porn” site operator in San Diego, California – said Internet entrepreneur has now been given 18 years in jail for identity theft and extortion – and reflecting that this represents a change from the usual results of Internet crime. For the most part, people who commit crimes like these online remain free, and frequently remain anonymous, because their activities are concealed online or because their actual physical location places them beyond the reach of US law. In this case, however, not only was the operator living in the US, he was extorting money from people using PayPal…

You can catch the original story from the San Diego Union-Tribune site if you’d like, but the details are pretty basic. The defendant in the case, Kevin Bollaert, started a website where anybody who wanted to could post embarrassing pictures of ex-partners or anyone else they wanted to publicly humiliate. Initially he simply refused to acknowledge demands to take the offending pictures down, but eventually he began charging the victims for the privilege of no longer being exposed online, with prices starting at $250 and rising (presumably) based on what the market would bear; e.g., how embarrassing the pictures were and how badly a specific victim wanted them taken down. This eventually amounted to over $30,000 – at least, that’s what was left on the site’s PayPal account when the law finally caught up with him…

What struck me about the case, apart from the absurd victim blaming you see whenever any compromising documents or pictures are released online, was just how divorced from reality the site operator and all of his colleagues and their apologists actually are. Identity theft and extortion to prevent it are actual felonies, not some sophomoric self-amusement, and the punishment for doing them could be decades in jail, not just a strongly-worded reprimand. Just because criminals on the other side of the world are safe from prosecution under US law doesn’t mean that some idiot in San Diego is untouchable, either. And, by the same token, no matter how safe you believe your files, data or identity might be, having any of it stolen is always going to be a hazard – even if it doesn’t involve compromising pictures…

From a business standpoint, I find this case more than a little alarming for at least two reasons. First, there’s the issue of keeping our own personnel from doing something this bone-headed while at work, and unintentionally bankrupting the company. Until recently I would have said that this was a distant concern, but apparently there are people who will assume that a crime isn’t a crime if you commit it online – and there’s no way to be sure that one or more of those people don’t work for us. Just as important, though, is the fact that any compromising information that the company has ever allowed to move over the Internet is also out there, even if it wasn’t compromising of anything in particular when it was recorded or sent. Which means that even if industrial espionage or extortion directed at an entire company using former Internet documents haven’t happened already, they eventually will…

We’re already living in a world where any bad choices or stupid remarks you have ever made can be preserved electronically and come back to haunt you forever. Now, it appears, we are also facing the possibility of having every embarrassing thing anyone in our entire company has ever said or done coming back to bite us at any moment – and the prospect of serial criminals who would apparently commit such outrages for their personal entertainment and relatively tiny amounts of money…
