The CyberForce

F

ive years ago, John Reed Stark of the Securities and Exchange Commission's enforcement division sent out an internal e-mail inviting employees to join a new Internet surveillance group called the CyberForce.

"It's a completely goofy name but at the time I liked it. It's catchy," says Stark, now the chief of the SEC's Office of Internet Enforcement. One of the first steps was assigning volunteers to surf the Web for several hours a week just to look for possible securities law violations. The idea was that even if the employees didn't turn up much, at least they would become more skilled at using the Internet.

From that beginning, the CyberForce has grown to about 250 specially trained employees for whom Internet enforcement is now a regular part of the job. They have been instrumental in several large SEC sweeps of online securities law violations that have produced some 100 enforcement actions.

For the SEC and other agencies regulating consumer fraud and similar illegal activities, the growth of the Internet has brought a burgeoning caseload. The Federal Trade Commission filed its first Internet-related case in September 1994 and recently marked its 100th. The latest case involved allegations of "page-jacking" legitimate Web pages and substituting pornographic sites from which viewers could not exit.

It was also about five years ago that the Food and Drug Administration filed its first complaint involving the Internet. The FDA now has about 60 pending cases-many involving unlicensed online sales of prescription drugs. The agency has taken action in about a dozen others and, like the FTC and SEC, has many more in the pipeline.

The Internet's growth has compelled regulatory agencies to devote more resources, both technological and human, to it-with the result being a new generation of cases and significant changes in how they do business. They're finding that, by and large, their existing authorities are up to the task. But sometimes they have been forced to be as quick on their feet as the fraud practitioners.

All of that has happened while these agencies are trying to define their role on the Internet, whose rapid growth postdates practically all the laws they enforce.

Old Scams in New Bottles

While state laws apply to some illegal consumer activity on the Internet, federal agencies are playing the most prominent role in watching the Web because of its wide scope. The server hosting a site might be in one state, the people maintaining the site in another, the people collecting money in another, and the people getting the money in yet another. The federal government is in the best position to reach across so many borders.

How much illegal activity is occurring on the Internet is impossible to quantify, but there's no dispute that the Web is fertile ground for fraud. It's a new medium for most users, and its operation is based on an underlying sense of trust. The Web's anonymity makes it harder for a consumer to check out who is making a sales pitch. And the lack of an identifiable location makes the resolution of consumer problems much more difficult.

"What the Internet does is remove face-to-face contact between the seller and the purchaser, so someone buying the product is less likely to know who they're dealing with," says Jeffrey Shuren, a medical officer with FDA's office of policy, planning and legislation.

The low cost of setting up Web pages and sending out vast numbers of e-mails makes it easier for fraud artists to strike and move on before they can be found.

"They're using all these new technologies, the browsers and so forth, that we never have seen in traditional fraud artists," says Jodie Bernstein, director of the FTC's Bureau of Consumer Protection. "The techniques they use are really different. [But] theft is theft. Whether it's a Web page or your bank account or your suitcase, it's still theft and it's still against the law."

"It's old scams in new bottles. The government had to learn what the bottles were. We're learning about that," says a senior Commerce Department official involved in electronic commerce policy. "We just have to make sure that we are not only learning this new dance but also using the quite extraordinary capabilities of the Internet to make people aware of the problem and give them new tools to deal with the problem."

Agencies have posted information advising the public how to avoid getting taken in by Internet scams, which by and large mirror traditional frauds such as pyramid schemes, phony business opportunities, credit repair and deceptive travel programs. The FTC has even used "teaser" Web sites that mimic such sites, full of glowing testimonials and promises, ending with a warning to visitors that if they were prepared to buy at that point, they are vulnerable to being scammed.

The agencies also have realized that they must fight fire with fire: They must have computers just as fast and powerful as the fraud artists, and agency employees must be just as adept at using the technology. That has meant not only investing in hardware and software but also adding technology specialists and training investigators, some of whom now work full time, or nearly so, on Internet cases.

The FTC recently created an Internet lab with a staff of technology specialists and an array of the latest hardware and software to aid its investigators. The terminals are available on a drop-in basis but also will be used during "surf days," when the agency will identify a general area such as pyramid schemes or health claims and will investigate the status of marketing on the Web in that area.

One key feature of the lab is that it operates on its own server, so that the hosts of the sites viewed won't know the visits are coming from FTC employees. Internet fraud artists watch for hits from federal agencies and sometimes display different pages to anyone coming in from a government server. They also might close a site after detecting repeated views by an agency.

"[The Internet] changes what we do here every day," says Dean Forbes, an attorney in the division of advertising practices at FTC who works on Internet-based cases. "It helps us not only conduct our law enforcement efforts but also shows us that consumers can be affected in a variety of ways. We're using the means that are out there to replicate what consumers would experience and to make sure that we can jump on these types of schemes right away."

Agencies also have discovered that their traditional enforcement tools remain valuable. For example, Internet frauds generally involve collecting money, or at least attempting to do so. Money creates a trail that can be followed just as effectively as if the fraud were perpetrated in a telephone boiler room operation or anywhere else in the physical world.

In some ways, use of the Internet by fraud artists actually has made them easier to catch, officials say. Activity on the Internet leaves electronic fingerprints that can be traced. More important is that the public nature of the Net allows investigators to effectively look over the consumer's shoulder while a fraud or scam is going on. In some cases, such as certain stock offerings, agencies have been able to step in before anyone lost any money. That's extremely rare in the physical world.

However, Internet-based commerce also can make it more difficult for investigators to prove what the targets were offering or purporting to do. The relatively low cost of creating Web sites makes them highly disposable, and once taken down the information on a site might be gone forever.

And Internet tools or no, enforcement cases can take a long time to assemble. Once information is captured, it needs to be analyzed by program experts. Also, Internet cases still must pass through the agencies' regular review channels before being filed.

"By the time you work up the case, if the person closes down the site and moves across the state line and pops up with a different name on his site, we may have difficulty proving that it is really the same operator," says William Hubbard, FDA's senior associate commissioner for policy, planning and legislation. "He may have changed his name. . . .There may not be any similarities in the site except that he's selling the same drugs."

"We know that the Internet frauds go in fast, rip people off and get out much more quickly than conventional fraud operators. They stayed around longer, they had capital investments that these guys don't have," says Bernstein. "We have to move faster because if we don't, they're gone and we'll never recapture the data."

Walking the Line

As they step up their Internet enforcement activities, agencies find themselves trying to walk the line between regulating activity on the Internet and regulating the Internet itself. On one side are consumer protection groups that widely publicize Internet frauds and scams, creating pressure for new rules. On the other is resistance from the Internet community-both companies and many individual users-to government involvement in the individualistic cyberworld.

As one measure of that sensitivity, the Federal Communications Commission, which takes great pains to make clear that it takes a "hands-off" policy toward the Internet, has received hundreds of thousands of e-mails in the last two years accusing it of trying to regulate the manner in which consumers obtain and pay for Internet access. Many of those missives focus on a widely misunderstood February 1999 FCC decision relating to reciprocal compensation among long-distance telephone carriers. But the agency still is beset with rumors that it is trying to impose a "modem tax," based on a proposal that was abandoned in 1988.

The Clinton administration's general policy on the Net is also largely hands-off. A 1997 memo to agencies stated that the government "should encourage industry self-regulation wherever appropriate. . . . Where governmental involvement is necessary, its aim should be to support and enforce a predictable, consistent and simple legal environment for commerce."

Says the Commerce Department official, "There is a concern that if regulation comes, it's unlikely to be as flexible, to move as quickly, to be as technologically sophisticated as [the industry] may be able to do on their own. This is not this group of malefactors who came to do business on the Web. These are the people who live next door to you-or did before they cashed in their stock options-and who want to run a good business and do it with integrity."

An important role for the government in the Internet world, the administration believes, lies in giving consumers confidence that they can do business there safely.

"For some people, the response is everyone will figure this out for themselves," the official says. "By and large the feedback we get is that people don't want it to be the Wild West. They don't want a situation where if they buy something they're not going to get what they buy, that the rules against deceptive advertising and misrepresentation won't apply to them. It's not a question of regulating the Internet. You can't commit fraud on the Internet just like you can't commit fraud on the street corner. That's not regulating the Internet or the street corner, that's regulating fraud."

"There's always been a notion of caveat emptor, but we still bring our fraud cases anyway. I've talked to way too many victims and I've seen way too many charlatans," Stark says. "The real bad guys we prosecute are relentless in their desire to steal. When you have someone who's that motivated and is willing to use the Internet's culture of trust and benevolence, people can fall prey to that.

"I'm a big proponent of the Internet, I feel very strongly about free speech, but I never have any doubts when I'm prosecuting these cases for a minute that I'm imposing on someone," he adds.

Proponents of an active government role cite the experience of "900" phone numbers. They say technology can be a valuable way to get information to consumers for a fee, but 900 numbers almost failed, and their reputation still suffers, because of some of the very issues now facing the Internet-fraud and pornography.

Meanwhile, the industry is urging a go-slow approach to government involvement. "In the bricks and mortar world, we have hundreds of years in understanding law and behavior and jurisdiction and actors. In the global Internet medium, we're just beginning to discover what the good and less good aspects are," says Jeff Richards, executive director of the Internet Alliance, an industry trade association.

"One of the few things [agencies] have in common is that they have been cautious in attempting to exert regulation on the Internet, for a variety of reasons," he says. "In some cases, it's about testing or understanding their jurisdiction. In others, it's being cautious about over-reaching. In others, it's because this is all so new, and agencies are looking to implement sound ideas rather than the first idea."

The Internet community argues that self-regulation works best. For example, in response to complaints about fraud in Internet auctions, the sites now increasingly are using escrow services to assure that the goods being sold get to the buyer and that the money promised for the goods gets to the seller.

Consumer advocates, though, contend that, as in the physical world, government intervention is needed. They note that not every business participates in self-regulatory programs and that such programs vary in their requirements and how strongly they are enforced.

"I see government's role and industry's role dovetailing," says Susan Grant, director of the Internet Fraud Watch at the National Consumers League. "I don't think we can just abdicate government responsibility to consumers. I'm very impatient with arguments about the Internet that we should let private industry police itself because we know from the physical world that that is not going to be a complete solution to the problem. It's foolish to think it ever will be, and it sets up a false dichotomy between regulation vs. self-regulation."

The Laws Still Work

Officials of regulatory agencies say the debate over additional regulation of the Internet has yet to affect them significantly. They have found that the laws already on the books largely are sufficient to cover the new medium. It's just a matter of applying them in a new way, they say.

"We have very broad authority both to bring administrative cases and to bring cases in court," says the FTC's Bernstein. "In addition we have a number of specific statutes that cover credit-type transactions that we also use. Because of the combination . . . we feel we have adequate authority to proceed."

The SEC similarly applies the same anti-fraud statutes to the Internet that it uses elsewhere. In fact, the Internet gave new life to a law that otherwise wasn't being applied much-a 1933 provision in the Securities Act saying that anyone who is compensated for promoting a company must disclose the nature of the compensation and the amount. Such information can be scarce among stock touts on the Internet.

Says Hubbard of the FDA, "I actually believe that we can get our arms around and get control of these domestic sites through the various licensing and other legal authorities that the state and federal governments have. I believe they are manageable if we are vigilant and go out there and leave the legitimate ones alone and focus on the illegitimate ones."

If there's a need for new authority, agencies say, it's in the international area. It's one thing for the FDA to prosecute an unlicensed online pharmacy that crosses the border between Texas and Louisiana, but it's much more difficult if the operators cross the border to Mexico. International bodies to which the agencies belong are helpful, but there are restrictions involving disclosure of law enforcement information. And the agencies don't have the authority to fine or prosecute people in other countries.

Meanwhile, regulatory agencies say they are getting significant help from an unexpected quarter: Internet users. Despite their reputation as averse to a government role in the Internet, users provide a regular stream of e-mail to agencies about potentially illegal online activity.

SEC's enforcement complaints center site (www.sec.gov/enforce/comctr.htm), created in 1996, started off getting five to 10 e-mails a day. Now it gets 200 to 300 a day and the agency has assigned five attorneys who spend about a third of their time reviewing them. The FTC has created an online complaints form on its site and the FDA, too, regularly gets tips that lead to enforcement actions.

"Any type of enforcement program that you have, you've got to have members of the public out there doing some of the work for you. They are the first line of defense," says Stark. "We find things through active surveillance but it turns out our No. 1 source of leads is complaints that come in from the investing public."

After one of its sweeps of online securities fraud, the SEC received nearly 1,000 e-mails a day congratulating the agency, he says, and the agency continues to get a regular flow of messages about its Internet enforcement activities.

"The majority say 'Good job and keep it up,' " Stark says. "If it turned around and suddenly we were getting a lot of criticism we would probably look at the program. But we've never had cause to do that."

Even if identifiable resistance should arise, agency officials say they have laws to enforce and they intend to enforce them. The Internet will only continue to grow, and with it will come more fraud.

"I think that everybody recognizes that this is the new frontier of fraud and that [agencies] need to be out there. To the extent that they're able to, they're putting resources into doing that," says Grant of the National Consumers League, who tracks how regulatory agencies cope with the Internet challenge. "It's hard for them because the same old problems are not going away. It's not as if you're necessarily being given more money and personnel to do things with, so it may mean in some cases taking resources out of things you were doing to focus on this."

"The very fact that the fraud is going on on the Internet as opposed to the physical world doesn't mean that they're helpless to do anything about it," she adds. "It does pose some special challenges. It can be harder to track the perpetrators down because even if you can apply the same legal principles in cyberspace, you still are suing somebody in the physical world. It can be more complicated and difficult to go after these companies and to show exactly what it was they were offering or purporting to do. I think that government agencies are doing a good job and are putting an increasing amount of resources into it."

Eric Yoder is a Washington-based journalist with 18 years of experience covering the government.