Posted on 03/30/2002 4:16:15 PM PST by robomatik
For all the sophisticated electronic tools the United States government has at its investigative disposal, tracking the activities of suspected terrorist groups online has proved to be not unlike the search for Osama bin Laden and his operatives on the ground. In essence, even against a superior arsenal of technology, there are still plenty of ways for terrorists to avoid detection.
Although digital forensics has undoubtedly been useful in piecing together events since Sept. 11 (leading, for example, to the arrests of three of the suspects in the abduction and murder of an American reporter in Pakistan), information technology has significant limits in monitoring a widely dispersed terrorist network. Moreover, terrorist groups are taking advantage of their own knowledge of technology to evade surveillance through simple tactics, like moving from one Internet cafe to the next, and more sophisticated ones, like encryption.
"The Internet presents two main challenges," said David Lang, director of the computer forensics department at the Veridian Corporation, a company based in Arlington, Va., that provides systems for the Pentagon and United States intelligence. "One is it's ubiquitous: you can access it from just about anywhere in the world. The other thing is you can be easily hidden."
Despite growing concerns about invasions of Internet users' privacy, it is still relatively simple to communicate anonymously online. Many services enable users to send e-mail or browse the Web without leaving a digital trail, generally by disguising the unique number, known as an I.P. address, that links a specific computer to e-mail messages sent or Web sites visited. Some of those services have taken measures to prevent their technology from being put to ill use. Anonymizer.com, for instance, rejects subscribers from countries known for harboring terrorists, including Afghanistan and Pakistan. But individuals linked to terrorist groups appear to be relying on more low-tech methods to avoid detection.
"The interesting thing is there's no evidence that any of these people have ever used Anonymizer or any other privacy service," said Lance Cottrell, the company's president. "What you see them doing is using Internet cafes and Yahoo and Hotmail and moving from cafe to cafe."
In one of the few known cases in which suspected terrorists have been traced through e-mail, the kidnapping and slaying of Daniel Pearl, a Wall Street Journal reporter working in Pakistan, the abductors used Hotmail, Microsoft's Web-based e-mail service, to announce their deed to news organizations. Although the sender seemingly remains anonymous, Hotmail attaches the I.P. address of the sending computer to messages transmitted through its service, which left investigators with at least the beginning of a trail.
With the use of public look-up services on the Web, the I.P. address from a message received from the kidnappers on Jan. 30 could be traced to Cyber Internet Services, an Internet service provider in Pakistan. The I.P. address from an earlier message reached a dead end farther upstream at New Skies, a Netherlands-based company that provides Internet access by satellite to many countries, including Pakistan.
From there, investigators are likely to have relied on cooperation from those companies to trace the computer that was assigned that I.P. address when the message was sent. (A spokeswoman for New Skies confirmed that investigators had been in contact with the company. Although she declined to discuss details, the company's Web site indicates that Cyber Internet Services is a client.)
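The trail described in the three paragraphs above (an originating-address header attached by the webmail service, the Received chain added by each relay, and a public registry look-up that maps an address to the provider that was allocated it) is the routine an investigator follows with any message. The following is an added example, not code from the article or from any of the companies it names. The message, the host names, the addresses (RFC 5737 documentation ranges) and the allocation table are all constructed; a real investigation would query the regional registries and then, as the article says, rely on the provider's own records to reach the machine that held the address at that time.

```python
import email
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample message: every host name, address and timestamp is
# invented for illustration and is not data from the case the article describes.
SAMPLE_MESSAGE = """\
Received: from mail.example-newsroom.test (mail.example-newsroom.test [203.0.113.7])
 by mx.example-newsroom.test with ESMTP; Wed, 30 Jan 2002 10:22:01 -0500
Received: from webmail-frontend.example.test ([198.51.100.23])
 by mail.example-newsroom.test with SMTP; Wed, 30 Jan 2002 10:21:58 -0500
Received: from [192.168.1.20] by webmail-frontend.example.test with HTTP;
 Wed, 30 Jan 2002 20:21:40 +0500
X-Originating-IP: [192.0.2.45]
From: anonymous@webmail.example.test
To: newsdesk@example-newsroom.test
Subject: constructed sample
Date: Wed, 30 Jan 2002 20:21:00 +0500

Body of the constructed message.
"""

# Constructed stand-in for the public registry (WHOIS-style) look-ups the
# article mentions; real look-ups would query ARIN, RIPE, APNIC and the others.
ALLOCATIONS: List[Tuple[str, str]] = [
    ("192.0.2.0/24", "Constructed ISP (Pakistan)"),
    ("198.51.100.0/24", "Constructed satellite access provider (Netherlands)"),
    ("203.0.113.0/24", "Constructed newsroom mail domain"),
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    """True for loopback and RFC 1918 addresses, which no public registry can resolve."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(raw_message: str) -> List[str]:
    """Public IPs from the Received chain, earliest hop first.

    Each relay prepends its own Received header, so the last header in the
    message is the earliest hop. Only headers written by relays you trust are
    reliable; anything below them could have been supplied by the sender.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = IPV4.search(header)
        if m and not is_internal(m.group(1)):
            hops.append(m.group(1))
    return hops


def originating_ip(raw_message: str) -> Optional[str]:
    """Best guess at the client that submitted the message.

    Prefer an X-Originating-IP header (the kind of header the article says the
    webmail service attached); fall back to the earliest public Received hop.
    """
    msg = email.message_from_string(raw_message)
    xoip = msg.get("X-Originating-IP")
    if xoip:
        m = IPV4.search(xoip)
        if m and not is_internal(m.group(1)):
            return m.group(1)
    hops = received_hops(raw_message)
    return hops[0] if hops else None


def lookup_owner(ip: str, table=ALLOCATIONS) -> str:
    """Longest-prefix match of an address against the (constructed) allocation table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, owner in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best[1] if best else "unallocated / unknown"


def trace(raw_message: str) -> List[Tuple[str, str]]:
    """(ip, owner) for the originating client and each public relay hop, earliest first."""
    path = []
    origin = originating_ip(raw_message)
    if origin:
        path.append((origin, lookup_owner(origin)))
    for hop in received_hops(raw_message):
        if hop != origin:
            path.append((hop, lookup_owner(hop)))
    return path


if __name__ == "__main__":
    for ip, owner in trace(SAMPLE_MESSAGE):
        print(f"{ip:16} {owner}")
```

The private 192.168.1.20 hop is dropped on purpose: it is the webmail provider's internal network and, like the cybercafe terminals the article describes, can only be resolved by whoever runs that network. The registry look-up ends the public part of the trail at the provider; everything after that depends on the provider's logs, which is exactly the dead end the article reports at the satellite operator.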
One challenge for investigators is that many people in developing countries like Pakistan get Internet access through public places like cybercafes, which do not necessarily ask customers for identification or keep the logs of Internet activity that service providers in the United States typically do. With help from the F.B.I., Pakistani officials ultimately recovered copies of the e-mail on a computer belonging to a suspect arrested with two others in the case. It is not clear whether the messages were sent through a dial-up account or from an Internet cafe. Getting cooperation from Internet service providers in other countries can also be a hurdle, although operating outside the reach of American laws regulating how Internet communications may be monitored presents some advantages. "If it comes down to it, we would do a black-bag job on an I.S.P.: literally, kick in the door in the middle of the night," said Mark Rasch, an expert on cyberlaw in Reston, Va., who formerly headed the Justice Department's computer crime unit and is now a vice president at Predictive Systems, a security firm.
Mr. Rasch noted that within the United States, wiretaps for intelligence purposes face a lower threshold for approval, the assent of a secret three-judge panel. Wiretaps in criminal investigations, on the other hand, are approved in the regular courts and require a showing of "probable cause."
But even with relaxed laws, gathering intelligence, particularly without a suspect or lead, involves collecting and analyzing mountains of data. And government monitoring systems may not be quite as developed as some have speculated.
One of those tools, DCS-1000, generally referred to as Carnivore, can be installed at Internet service providers to monitor e-mail traffic: the digital version, essentially, of a wiretap. On a worldwide level, the National Security Agency operates a satellite network called Echelon in cooperation with Britain, Canada, Australia and New Zealand that monitors voice and data communications. Privacy groups have raised concerns about its use, but there is debate about whether in practice Echelon is very effective.
"Echelon as described doesn't exist," Mr. Rasch said. "The idea that the N.S.A. has a program that captures every international phone call and analyzes every word and phrase isn't true. One of the biggest problems is there's just so much noise and so much traffic."
Such monitoring systems can in principle be programmed to look for certain keywords, like bomb or target, within messages they capture. But given recent international events, such language is probably not uncommon, leaving investigators to determine which communications may represent serious threats. "Is it that everybody in the country hates the U.S., or is it directed terrorist activity?" said Mark Seiden, a computer security consultant based in Silicon Valley. "I don't know if we have the resources to make that distinction."
There is some indication that plotters are aware of such keyword sniffers: Mr. Seiden, who reviewed the e-mail from Mr. Pearl's kidnappers, is among those who suggest that the suspects in that case deliberately misspelled words to avoid detection, for example using "Amreeka," "terrarism" and "Pakstan."
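The two paragraphs above make a pair of points: an exact-match keyword filter is defeated by a spelling variant, and any looser filter buys recall at the price of the triage noise Mr. Seiden describes. The following added example (not code from the article, from any vendor or agency it names, or from any monitoring system) shows both on constructed text, using the three variants the article quotes. The keyword list, the sample sentences and the thresholds are assumptions chosen for illustration; the matcher combines a Levenshtein edit-distance bound with a Soundex comparison, which is one common approach, not the method of any system the article discusses.

```python
import re
from typing import Dict, List

# Constructed sample text; the three misspellings mirror the ones the article cites.
SAMPLE_TEXT = ("Amreeka must answer for its terrarism. The reply will come from "
               "Pakstan, and no sniffer will read it.")
KEYWORDS = ["america", "terrorism", "pakistan"]

WORD = re.compile(r"[a-z]+")


def tokens(text: str) -> List[str]:
    return WORD.findall(text.lower())


def naive_keyword_hits(text: str, keywords: List[str]) -> Dict[str, List[str]]:
    """Exact-match sniffer: the kind of filter a deliberate misspelling defeats."""
    words = set(tokens(text))
    return {k: [k] for k in keywords if k in words}


def levenshtein(a: str, b: str) -> int:
    """Minimum single-character edits (insert, delete, substitute) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


SOUNDEX_CODES = {
    **dict.fromkeys("bfpv", "1"), **dict.fromkeys("cgjkqsxz", "2"),
    **dict.fromkeys("dt", "3"), "l": "4", **dict.fromkeys("mn", "5"), "r": "6",
}


def soundex(word: str) -> str:
    """Classic four-character Soundex code: groups words that sound alike."""
    word = "".join(ch for ch in word.lower() if ch.isalpha())
    if not word:
        return ""
    out, prev = [], SOUNDEX_CODES.get(word[0], "")
    for ch in word[1:]:
        code = SOUNDEX_CODES.get(ch, "")
        if code and code != prev:
            out.append(code)
        if ch not in "hw":   # h and w do not break a run of equal codes; vowels do
            prev = code
    return (word[0].upper() + "".join(out) + "000")[:4]


def fuzzy_keyword_hits(text: str, keywords: List[str],
                       max_distance: int = 2, min_len: int = 4) -> Dict[str, List[str]]:
    """Flag a token within max_distance edits of a keyword or sharing its Soundex code.

    min_len keeps short function words out of the edit-distance comparison,
    which otherwise produces a flood of accidental matches.
    """
    hits: Dict[str, List[str]] = {}
    for word in sorted(set(tokens(text))):
        if len(word) < min_len:
            continue
        for k in keywords:
            if word == k or levenshtein(word, k) <= max_distance or soundex(word) == soundex(k):
                hits.setdefault(k, []).append(word)
    return hits


if __name__ == "__main__":
    print("exact:", naive_keyword_hits(SAMPLE_TEXT, KEYWORDS))
    print("fuzzy:", fuzzy_keyword_hits(SAMPLE_TEXT, KEYWORDS))
    print("noise:", fuzzy_keyword_hits("American tourists visit Pakistan", KEYWORDS))
```

"Amreeka" is four edits away from "america", so edit distance alone would not catch it at any sane threshold; Soundex does (both code to A562). "Pakstan" is the opposite case: its Soundex differs from "pakistan" because the k and s collapse into one code once the vowel between them is gone, but it is a single edit away. Neither rule on its own covers all three variants, and the third call shows the cost of the combination: ordinary text about Americans visiting Pakistan lights up the same way, which is the "everybody in the country" versus "directed terrorist activity" problem the article raises.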
Those messages were written in English, but foreign languages present another challenge. Mr. Lang of Veridian acknowledged that digital forensics teams accustomed to tracking down criminal suspects in the United States had undergone a "crash course" in foreign language analysis since Sept. 11, with help from companies that have re-engineered forensics tools to work with Arabic and other languages not based on the Roman alphabet.
Tyrone Turner for The New York Times
MINING A MOUNTAIN Software at Veridian's laboratory in Oakland, Va., analyzes documents retrieved from a hard drive for the recurrence of words like "Saddam." The higher the peak, the more often the word recurs.
Tyrone Turner for The New York Times
DATA SNIFFER David Lang, director of computer forensics for the Veridian Corporation, helps investigators sift evidence from computer data at a lab in Oakton, Va.
Associated Press
CAFE DENIZENS A police officer searched an Internet cafe in Karachi, Pakistan, as part of an investigation into the kidnapping of Daniel Pearl.
"Echelon as described doesn't exist," Mr. Rasch said. "The idea that the N.S.A. has a program that captures every international phone call and analyzes every word and phrase isn't true."

"Aircraft carriers as described do not exist," Mr. Eno said. "The idea that the Navy has ships five miles long that each carry thousands of airplanes all over the planet is not true."
How conveeeeeenient to set up a very big straw man. You can, however, bet that the NSA has a copy of every bit that ever went up to an Inmarsat bird.