April 14, 2009
US Mulls Tougher Penalties For Criminal Use Of Proxy Servers
The use of so-called "proxy" servers is a common part of surfing the Web, but using one to commit a crime could soon result in a longer time behind bars.
The U.S. Sentencing Commission is set to hold a crucial vote on Wednesday regarding new federal sentencing guidelines that would classify the use of proxy servers as an indication of "sophistication." Those facing such charges would face prison sentences about 25 percent longer than those called for under current sentencing guidelines. Depending on the crime, convicted criminals now face years or even decades longer behind bars,
"It sends a bad message about protecting your own privacy," John Morris, general counsel for the Center for Democracy and Technology, told the Associated Press.
"This is the government saying, 'If you take normal steps to protect your privacy, we're going to view you as a more sophisticated criminal.'"
Proxy servers sit between a user and the Internet, and can be used to disguise a person's Internet Protocol (IP) address, a numeric address similar to a street address for a computer.
Proxies are widespread throughout the Internet, and are commonly used to relay Internet traffic, frequently unbeknownst to users. Businesses routinely use proxies to allow employees to work from home. A company's virtual private network (VPNs) makes traffic appear as if it's coming from within the internal network, thus evading security firewalls.
Mobile network providers also use proxies to connect devices to the Internet, while people in repressive countries use them to avoid Internet censors.
Internet service providers (ISPs) also employ proxies to accelerate traffic by locally storing copies of commonly accessed Web pages, so users don't have to reach the original site every time.
Privacy-minded Web surfers also use proxies to surf the Internet anonymously. For instance, with the free service Tor, users install software to convert their computers into relay points to route traffic between other people's computers. In this way, a Web site is only aware of the identity of the last relay point, not the user actually accessing the site.
However, such anonymity proxies can be used for both beneficial and nefarious ends, and a debate is underway as the government considers imposing harsher penalties for crimes committed by anyone who had been using proxy servers.
The U.S. Sentencing Commission will vote Wednesday on a number of amendments to the federal sentencing guidelines that significantly influence the sentences that judges hand down.
The amendment at issue would treat the use of proxy servers as evidence of "sophistication" in planning certain crimes, from forgery to embezzlement and other kinds of fraud.
If the commission votes in favor of the amendment, the change would go into effect Nov. 1 unless Congress takes the exceptional step of blocking it before then.
Those opposing must make their case delicately, since the rule would only apply to people already convicted of crimes and facing sentencing.
"It's kind of a fine line we're dancing around, because we're not trying to coddle cybercriminals, but we also really don't think the government should be creating and institutionalizing a disincentive, a penalty for routine, safe privacy practices," Morris told the AP.
The U.S. Justice Department had pressed for the amendment as a way to exact a tougher punishment on criminals who employ extensive proxy networks in multiple countries to elude law enforcement.
Investigators often spend months, if not years, sorting out these networks. Sometimes the lack of cooperation from foreign nations makes the job impossible altogether.
Officials identified several recent cases that demonstrate the challenges of investigations involving proxies. One probe into a spamming operation involving "pump and dump" schemes of Chinese penny stocks took three years to complete. The investigation resulted in the indictment of 11 people in a Michigan federal court last year.
According to investigators, defendants had purchased lists of known proxies and used them to distribute millions of spam e-mails, collecting millions of dollars by selling a stock they were advertising at inflated prices.
Criminals often use legitimate proxies that are misconfigured. Universities, corporations and home users who own such proxies are often unaware their bandwidth is being sucked up by cybercriminals trying to cover up their tracks.
A criminal could elude investigators by making traffic appear to originate from a country with weak law enforcement, leading U.S. investigators to waste months trying to gain cooperation before ultimately hitting a dead end. Typically, the criminal has long moved on by that time.
"So much of the initial challenge in an investigation is determining attribution - where are the transmissions coming from?" Michael DuBose, chief of the computer crime and intellectual property section of the Justice Department's criminal division, told the Associated Press.
According to DuBose, the amendment is intended to punish those who knowingly use proxies to disguise their identity to carry out a crime.
However, some call the amendment's current language vague, and opponents want a more concise statement of its application only to those who use proxies with criminal intent.
Additionally, considering the widespread ubiquity of proxy servers, some say calling their use "sophisticated" is a stretch.
It is possible the commission could choose to alter the language when it votes on Wednesday.
"Even if someone did use a technology that made law enforcement's life harder, and even if they did have criminal intent, technologically it may not be sophisticated at all," said Seth Schoen, staff technologist with the San Francisco-based non profit Electronic Frontier Foundation (EFF).
The organization focuses on online privacy and free speech, and helped fund development of the Tor anonymity proxy service.
"They're proposing to make a kind of judgment that this is something unusual or remarkable, which just doesn't match my experience with the technology. This is an everyday technology," Schoen told the Associated Press.
On the Net: