The Growth of Cybercrime and Cybercrime Prevention in Virtual Worlds

Virtual worlds are no longer the backwater playgrounds of a few computer-adept programmers. They are multi-billion dollar worldwide industries spanning the fields of entertainment, communications, information technology, and increasingly law enforcement. In short, there's money to be made, and with an expansive, loosely-regulated product like virtual worlds comes the potential for cybercrime.

I wrote several months ago about how law enforcement agencies are increasingly turning to virtual world account information to provide breaks in real-world legal cases, but what about crimes committed entirely within a virtual sphere?

Several news outlets from around the world are increasingly looking at what is required to secure a profitable industry from brazen exploitation by scammers, money launderers, and cyberpirates. Regulators are calling for cybercrime task forces within physical police departments. The frontier of virtual worlds seems poised to get some new lawmen.

The Profit Potential of
Virtual Crime

Cybercrime’s
prevalence in the virtual world is debatable,
with different organizations expressing varying levels of concern. The
Fraud Advisory Panel, a consumer protection group, called for the extension
of
federal laws into the virtual world as earl
y
as 2007
.

There’s
definitely a need, reports
the
the Hindu Business Line
, a business policy newspaper that recently
dipped into the virtual world to take a sampling of cybercrime.

From the article:

Phishing
attempts
to acquire sensitive consumer information such as usernames, passwords,
and
credit card details fraudulently. Once an account is compromised in this
way, a
cyber criminal can empty it or use its associated credit card
information for
other purchases.

While not a
threat in the usual sense, users can inadvertantly become party to money
laundering. Because avatars can trade currencies and goods inside the
virtual
world and then sell them into secondary markets for real money, the
crime is
difficult to trace.

We've come a
long way from trying to trade useless
loot for gold in Runescape. Money laundering through Second Life's
Lindex
Exchange, which allows users to spend real currency for Linden Dollars
and then
convert them back into a real world currency, is also a potential
financial
fraud hub.

In fact, money
laundering on the Lindex was a hot
topic in
early 2008
, causing the company to take a strong stand in defense of
its
platform. However, these concerns require further investigation, as the
ease
with which a player can convert currencies – which requires only a
computer and
a Second Life account – raises
serious
anti-terrorism concerns
.

As virtual
worlds grow in scale and in the number
of financial transactions conducted daily, cybercriminals are growing in
tandem. With no standardization between worlds, there is no way of
knowing
whether one source is making and cashing out Linden Dollars, Warcraft
Gold, or
any other in-game currency. This makes tracking accusations of money
laundering extremely difficult. The security of one's identity will
come to
the fore.

Trading game currency and betting
real
currency on in-game markets
has birthed an emerging, if impromptu,
stock market. Speculators
discontent with the ravaged real-world
market will no doubt turn to virtual worlds as they become viable.
Without any
virtual Securities and Exchange Commission to test the legitimacy of
"virtual stock" promotions, this leaves well-meaning players open to
fraud.

Despite
how common e-mail phishing scams may seem (and who doesn't have a fake
PayPal or eBay "account verification" e-mail in their inbox from the
past month?), it is vital to remember that these are crimes.

One of the major
problems facing law enforcement agencies is the issue of where an attack
originates. This decides the thorny issue of jurisdiction.

Internet security firms
like McAfee decry the current scam-ridden landscape of virtual worlds
,
but substantive recommendations for improving the situation are few and
far between. As Tech Target reports, the ever-expanding virtual
landscape and the cleverness of cybercriminals is confounding
traditional law-enforcement services
.

Given the cost of cybercrime and its
potential to destabilize small virtual worlds that may lack superior
protections, being confounded is no longer good enough. Law enforcement
agencies need to give serious consideration to the major role virtual
worlds are playing in the lives of users – both as hubs for financial
transactions with sensitive credit card information, and as a center for
semi-anonymous gathering. This creates interesting potential for use and abuse by any potential law enforcement organization. They had best do their research.

Towards a Virtual Police Force?

Police are acting properly if they use departmental resources to
investigate a claim that someone may be using a virtual world to launder
money or exploit a bug that can produce a game currency readily
convertible to real-world coinage.

There is, however, a careful balancing at when it comes
to regulating the actions of millions of virtual users. As a jumping-off
point, it would seem prudent to restrict the actions of real-world law
enforcement to virtual worlds that allow the conversion of game currency
into real-world money.

This both focuses resources on
worlds where there is a ready market capable of manipulation and
respects the authority of a closed-economy developer to deal
with black-market virtual goods
as they see fit.

Involving law enforcement in every
aspect of virtual worlds breaks down the difference between a violation
of the Terms of Service or EULA and a violation of the law. This is bad
precedent to set, and virtual law enforcement should be restricted
accordingly. Considering how unwilling law enforcement is to give up
power in areas where it is utilized, it may also harm virtual worlds on
the whole to allow too vigilant a police presence. We're already seeing
the effects of virtual worlds where players' actions can be monitored by
law enforcement – a recent drug bust made possible by World of Warcraft
is only the most public example.

According
to a recent
report from Mashable,
drug dealer Alfred Hightower managed to evade Indiana police for some
time. He success at dodging the law ended, however, when law
enforcement officials thought to check Hightower's favorite game –
World of Warcraft – for any sign of the fugitive.

From the article:

After
finding out Hightower was a WoW fan, Roberson sent a subpoena to
the game’s maker, Blizzard Entertainment. With the information they
sent back, Roberson was able to pinpoint the perp’s location.

Aside from being a happy
ending for law enforcement and just desserts for the fugitive drug
dealer, this situation raises interesting legal questions that we're
likely to see much more of going into 2010. When Blizzard tracked
Hightower, his usage history revealed he'd fled the country.
Extradition proceedings are in order to get Hightower back to Indiana,
but the interactions between Indiana police and California's Blizzard
are fascinating.

Here's what's interesting:
According to legal research and attorney Robert G.
Scofield's legal resources
,
subpoenas issued by one state to another state are normally legally
invalid. Roberson's subpoena, then, was more of a friendly request for
information. Blizzard had no legal obligation to provide any of
Hightower's information to the Indiana police.

Now there's little
expectation of privacy when playing online games
,
as some users have learned, but how far does traditional law
enforcement power reach into online games? Can World of Warcraft users
now expect Blizzard to voluntarily comply with out-of-state subpoenas
even if they have no legal obligation to respond? And how much
information can consumers expect Blizzard to divulge?

In order to maintain a sense of
immersion and to respect the gamer's right to privacy, it seems fair to
restrict law enforcement's presence in virtual worlds to dealing only in
cases where there is a real-world financial impact. Scamming fantasy
items or exploting glitches should remain the specialty of developers
and game moderators. But in cases where trademarked products are copied
without remorse, or where a law enforcement agency obtains a warrant
(the Blizzard example), the waters are murkier.

How can law enforcement best be
integrated into online games to ensure players who invest time and money
in their enjoyment don't find themselves facing monetary setbacks due
to unscrupulous players?