The FTC Goes to Court to Ban a Rogue Web Host from the U.S.
By ANITA RAMASASTRY
|Teusday, June 16, 2009|
Earlier this month, the Federal Trade Commission (FTC) convinced a Northern California district court judge to grant a temporary restraining order (TRO) against Pricewert, which operates the Internet Service Provider (ISP) Triple Fiber Network (3FN).
The FTC alleges that Pricewert and 3FN recruit, distribute, and host electronic code or content that inflicts harm upon consumers -- including "child pornography, botnet command and control servers, spyware, viruses, Trojans, phishing related sites, illegal online pharmacies, investment and other web-based scams, and pornography featuring violence, bestiality and incest."
Significantly, this is the first time the FTC has tried to stop the operations of a large ISP and hosting service that is implicated in illegal activity.
The TRO hearing was conducted ex parte, without the presence of counsel for Pricewert. As a result of the TRO, 3FN's upstream providers and data centers were ordered to stop routing traffic for the ISP, and disconnected its servers from the Internet. The order caused more than 15,000 Web sites to be shuttered. It also froze Pricewert's assets – at least those located in the United States.
On June 15, that order expired. Now, the court must decide whether to grant the FTC's request for an injunction to stop Pricewert from operating in the US because of the likelihood of substantial injury to US consumers if it continues to do so. The FTC can also seek damages, if it so chooses, as part of its action for unfair practices under the Federal Trade Commission Act (FTCA).
Pricewert and 3FN claim they are innocent – but, as I will detail below, the FTC has presented strong evidence to the contrary. More specifically, Pricewert and 3FN say that they have never provided any services for illegal businesses intentionally. Indeed, their press release claims that "Pricewert LLC is able to assist the investigation and help finding the real cyber criminals; however, its customer databases and all servers are shut down with no access possible to it." The release further states, "You should not consider us as a law breaker or any kind of an asylum for criminals."
In this column, I will outline the FTC's allegations and the applicable law. I will also note the limited nature of the suit: While it's wise for the FTC to force rogue ISPs not to use the US to host their data, this suit and others like it will, at best, only shift such cyber crime elsewhere.
The FTC's Allegations Regarding Pricewert
Pricewert is registered as an Oregon limited liability company (LLC) but lists its principal place of business as Belize. It appears to have a significant number of servers at third-party data center located in San Jose, California – the heart of Silicon Valley. But its employees may be elsewhere. According to the FTC, Pricewert advertises its services in Russian; has employees in Ukraine and Estonia; and posts phone numbers on some of its web sites that are answered by speakers with Russian accents.
The FTC alleges that Pricewert has actively shielded its criminal clientele by either ignoring takedown requests issued by cyber-security experts, or shifting its criminal clients to new Internet Protocol (IP) addresses that it also controlled, so that they could evade detection. In addition, the FTC says Pricewert advertised its services in the "darkest corners" of the web. The FTC notes, for example, that the company's presence was noted on a forum established to facilitate communication between criminals.
In support of its allegations, the FTC has submitted to the court declarations from experts at a variety of nonprofits, academic organizations, and computer security outfits -- including NASA's Office of the Inspector General's Computer Crime Division, the Spamhaus Project, The National Center for Missing and Exploited Children, and the ShadowServer Foundation.
Spamhaus, an organization which tracks high-volume spammers, has documented, for example, that 3FN is linked to various notorious or infamous spammers; and The Center For Missing and Exploited Children has received complaints from citizens about child pornography being hosted on 3FN websites. NASA began its own investigation after its computers were compromised and was able to find ICQ (a type of Internet messaging) logs connected to Pricewert.
The Case for the TRO
In making its case for the TRO, the FTC alleged that Pricewert colluded with spammers and others to host "botnets" – which are often deployed for illegal purposes including sending high-volume spam or launching denial-of-service attacks.
According to the FTC, Pricewert worked with "bot herders" and used command-and-control servers to relay commands to numerous compromised "slave computers." The result was that the machines, which had been taken over by the herders, would send out thousands of spam messages. The transcripts of the ICQ logs filed with the district court reportedly show senior Pricewert employees discussing the configuration of botnets with clients.
Overall, the FTC alleges that more than 4,500 harmful software programs are controlled by servers hosted and controlled by 3FN. This so-called malware included programs that were capable of keystroke logging, password and data theft and illicit spamming.
The FTC divides its unfair trade practices FTCA claim into two main categories of activity: (1) unfair distribution and hosting of illegal, malicious and harmful code or content; and (2) unfair computer intrusion. Under the FTCA, an act is "unfair" if it causes or is likely to cause substantial injury to consumers; the harm is not outweighed by any countervailing benefits; and the harm is not reasonably avoidable by consumers.
The FTC charged that the defendants' distribution of illegal, malicious, and harmful content and its deployment of botnets that compromised thousands of computers and caused substantial consumer injury were unfair practices, in violation of federal law.
Based on the FTC's evidence, the court found that the FTC was likely to be able to prove that the defendant (1) "operated through a series of mail drops and shell companies; with a principal place of business and its principals located outside of the United States"; (2) "continued its unlawful operations unabated despite requests from the Internet security community to cease its injurious activities"; (3) "is engaged in activities that directly violate U.S. law and cause significant harm to consumers," and (4) "is likely to relocate the harmful and malicious code it hosts and/or warn its criminal clientele of the action."
A Groundbreaking Move by the FTC – But How Effective Will It Be?
As noted above, this is the first time the FTC has gone after a large ISP and hosting service that is allegedly connected to illegal activity. It surely has the power to do so – for it can shut down companies that engage in unfair and deceptive trade practices. And there is a strong advantage to the government's proceeding via the FTC, not criminal prosecutions, which require proof beyond a reasonable doubt.
But there are limits to the effectiveness of FTC action in this context. As news reports note, Russian blogs are beginning to actively discuss 3FN's closure – and to suggest that the criminal activity it is alleged to have fostered will likely find new homes in cyberspace. Meanwhile, 3FN representatives may be telling customers that they will be back online at a new location shortly.
The U.S. federal district court hearing the case can only stop activity that occurs within its borders – in this case, traffic to Pricewert's networks connected to the US. It can also freeze assets that are located in the US. But in the future, the data at issue may be hosted elsewhere.
Moreover, the court's order may not be uniformly effective overseas. For example, the court ordered the defendant to transfer certain funds located overseas to a blocked account in the U.S. However, such an order is difficult to enforce. If the defendants are truly nefarious as the FTC claims, why would they willingly surrender their assets? In the end, controlling cybercrime may require a great deal of international cooperation; the FTC surely cannot do it alone.