Some April morning last year I received a letter from the local police department, bureau of criminal investigation. “Whoops”, I thought. What could have happened there? Had I forgot to pay for a speeding ticket? I opened the letter. It said I was the main suspect in a case of “data destruction” and I was supposed to visit the police department as soon as possible to file a testimony.
Wait. What is “data destruction”? Well, I had to translate it, but, I am from Austria where there is a paragraph (§126a, StGB) that basically says the following: If you modify, delete or destroy data that is not yours, you may get a prison sentence of six months or a fine. There are probably similar laws in other countries.
But how could I have done that? I wasn’t aware of any situation in which I could have deleted anyone’s data. I work as a sysadmin for a small consulting company, but it seemed implausible that they would charge me with the above mentioned.
What I supposedly did wrong
So I went to the police department. I was terrified because I had absolutely no idea what I had done wrong. The police officer however was very friendly and asked me to take a seat. He wanted to know if I knew a person X from Tyrol. Of course I didn’t. That was more than 500 kilometers away. Turns out, I hacked their Facebook profile.
Here’s the summary of what I was being charged with:
- Creating a fake e-mail address impersonating as the victim
- Using this e-mail address to hack into their Facebook account
- Deleting all data from the Facebook profile and then changing the e-mail address and password
- Deleting the fake e-mail address
All that had happened one Sunday evening. I recall being at home with my girlfriend, watching TV. I like to keep a detailed schedule in my calendar, therefore I knew. And I knew I was absolutely innocent. But how did they think it was me?
How I became suspect
Well, at that time I had an iPhone. I also had a mobile broadband contract with a major telephone company, let’s call them Company X. The police officer told me that upon investigation, they positively identified the IP address under which the e-mail address was created. It was the IP address assigned to my iPhone that evening.
That seemed impossible. There were several proofs supporting the fact that I could never have done this:
- We have no 3G reception in our apartment.
- The e-mail address was deleted five minutes after being created. Nobody is that quick on an iPhone.
- The e-mail provider doesn’t offer the feature to register an address on their mobile sites.
- You can’t change Facebook account details on their mobile interface as well. I know, I could have used the non-mobile site, but I wouldn’t have been that fast.
All that I told the police officer. He said he understood and jotted down some notes. They would contact me and I shouldn’t have to worry. At least he was on my side. But now I was there, main suspect in a case I never wanted to be in. The real offender was still out there.
What I did next? I called the telephone company.
Contacting the Telco
Just like most of the time when you call your ISP/Telco, they don’t really care what you have to say. I probably talked to ten different people. Chances are you have more knowledge about computers and how the internet works than they do. That’s why it didn’t surprise me that I was told things like:
- “That’s absolutely impossible”
- “If they say it’s your IP, you’re guilty!”
- “Let me get a supervisor” (hung up after a minute of elevator music)
- “I really don’t know what this is all about”
At that point I just gave up. I had already contacted a lawyer who would be prepared to go to court with me if necessary. As a student without proper insurance, it didn’t help that I had to pay him in advance just to get hold of the case files and take a look at them. I waited and waited, and then I got a phone call.
How everything sorted itself out
It was the legal department of the Telco. A lady was calling, and the first thing she did was to deeply apologize. She told me what had happened: Normally, when the prosecutor asks for the IP address and the corresponding owner, they have to fill out a form containing both information, which is then sent to the authorities. In my case they had gotten the IP address from the e-mail provider and the employee’s job was to match it against their records. The flaw could not be simpler: She had just swapped two digits in the IP address.
As a compensation they said I’d no longer have to pay the base fee – how generous! Luckily, they also accepted to pay my lawyer’s costs, whose invoice I just forwarded to them. I think they were just scared that I would take them to court for wrongfully delivering me.
A few weeks later the police officer contacted me. He also confirmed that the real offender was X’s ex-boyfriend, who probably just knew the password and wanted some payback.
What we can learn from this
One can clearly see from such an example is that there are still some holes in the security of current data retention policies. While governments have an understandable interest in storing communication data to allow effective criminal prosecution, the following should not be forgotten: No matter how perfect a system is, there is always the possibility of a weak implementation. Also, once the human factor comes into play, we can’t rely on the principles of an automated system anymore (even if it was flawless). To err is human, it seems. Luckily, I was forgiven in that case.
So, should you ever get into a situation where you are wrongfully suspected, make sure to let people know that there is a possibility of an error, even if they tell you otherwise.
Update: Due to the discussions that this post started, I’d like to add that I’m really no expert when it comes to laws. In any case of doubt, always contact an attorney. Going to the police without an attorney might result in you saying the wrong things – which can in turn be used against you in front of a judge. I was lucky in this case, but never expect someone to acknowledge their errors (especially if it’s a huge TelCo).