A recent case involving online threats, in which four men were falsely charged and arrested, has highlighted the need to reform cybercrime investigation methods, according to analysts.
The case has dealt a serious blow to public trust not only in cybercrime investigations, but also in conventional methods of crime investigation as a whole.
On Friday, investigators wrapped up a nine-month probe into the alleged crimes of Yusuke Katayama, 31, a former employee of an information technology company.
“We found something!” An investigator made the announcement in a conference room of a joint investigation headquarters in Tokyo about a month after Katayama was arrested on his first charge. While analyzing the data stored on a computer seized from a location related to the case, he discovered traces of information that could be linked to Katayama’s suspected use of a virus to remotely control computers. Previously, investigators had been unable to uncover any evidence that illustrated a clear connection to Katayama’s alleged crimes, in spite of having closely analyzed the contents of the seized PCs.
A breakthrough came when an engineer from a private firm offered investigators a tip on how to break the impasse.
In many cases, cybercrime perpetrators destroy evidence of their virus use, but forget to delete evidence that they have downloaded software used to create viruses. The engineer instructed the police on how to find signs that virus-making software had been downloaded.
Such guidance was given by about 20 engineers from six companies who visited the investigation headquarters on an advisory basis, according to sources. After the mistaken arrests came to light, the police devised a policy of collaboration with the private sector, an unusual move for authorities.
But the collaboration did not work well at first, according to the sources. In the beginning, the investigators did not believe the engineers would maintain legal confidentiality while the engineers felt the police were demanding knowledge without giving them necessary details, thereby fostering an atmosphere of mutual distrust.
In light of the lessons learned from the case, the Metropolitan Police Department concluded knowledge exchange agreements with three information security companies last month. The agreements call for the companies to maintain confidentiality when the police offer them information about tactics used in crimes.
Faulty IP addresses
The main error committed in the mistaken arrests of the four men was that the police had placed too much trust in the Internet Protocol addresses from which the threats were sent, leading them to identify the users of the PCs with the IP addresses in question as the perpetrators.
After learning bitter lessons from the case, police are changing the way they investigate online criminal threats.
The Aichi prefectural police found a Twitter post that threatened random attacks in Nagoya Station in February. About a week later, the police found the man who owned the PC with the IP address that sent the message, and the man confessed to the crime in an interrogation.
However, the police did not arrest the man until about one month later. A senior police officer said, “Normally we would arrest such a suspect immediately.” But the police waited until they could confirm that the suspect's computer had not been infected with a virus before they sought an arrest.
After it was learned that advance notice was posted on the Internet before a case of random killings in Tokyo’s Akihabara district in June 2008, the police promoted a swifter response. However, it was the Katayama case that changed the police policy of “speedy detection.”
Some investigators have pointed out the risk of another crime being committed while a police investigation is still under way. However, a senior National Police Agency official said, “We have no choice but to strengthen our precautionary measures until we obtain the proper evidence.”
Shortage of technical know-how
Another reason for the mistaken arrests was the lack of technical knowledge among investigators. Many investigators were not aware of the existence of viruses that remotely control computers.
The MPD started to employ “cybercrime investigators” from the private sector in the mid-1990s while fostering “cybercrime technical specialists” by having police officers undergo training at private companies. Today there are about 690 such officers.
Due to the wide range of cybercrimes, which include illegal drug sales and fraud, there has been a chronic shortage of officers to cover such crimes. However, it has not been easy to increase the number of such officers, according to the MPD, as it costs as much as 1 million yen to train each technical specialist and there is a need for frequent additional training.
Since the Katayama case, the MPD launched efforts to have its technical specialists teach the basics of cyber-investigation to investigators in all police offices. The NPA also has started to streamline its investigation efforts by consolidating the flow of information to the MPD during the initial investigation of certain cybercrimes.