Jon Praed is a total stud! He spends his time tracking down hard-core spammers. The kind that run illegal viagra, casino, porn and phishing spam.A lot of guys have made money in “grey” areas of internet marketing. Jon explains how gradually people are being forced to choose sides and that all the aggressive stuff is slowly going away.If you want to get an overall understanding on where the internet is going long term, this is the interview to check out. It was one of the most powerful and fascinating ones I’ve done.I think you’ll find this interview worth listening to yourself.Adrian: I’m here with Jon Praed from the Internet Law Group. Jon is a pretty interesting guy who has spent a lot of years tracking down hard-core Internet spammers and bringing them to justice. He does this on behalf of companies like Verizon and AOL and has won some pretty important lawsuits and decent-sized judgments. Jon, thanks for joining us. Could you start by telling us a bit about who you are?Jon: Thank you for having me Adrian. I’m a Midwestern boy, born and raised in Indianapolis, Indiana. I now live in the suburbs of Washington, D.C. I went to college at Northwestern with a major in political science and then graduated from Yale Law.Right out of law school, I clerked for district court judge John Tinder, who’s recently been elevated to the Seventh Circuit, and then for Indiana Supreme Court Chief Justice, Randy Shepard. After my clerkships, I was in private practice as a lawyer with Latham & Watkins in both California and Washington, D.C. I also spent two years working on Capitol Hill as chief council to a House subcommittee dealing with regulatory affairs.I’ve been doing cyber litigation work for about the past 10 years. I got into it when some ISPs reached out to Latham to take on this newfangled problem called spam. At that time, no one really understood how big it would become and what sort of a precursor it would be into the entire world of cyber crime. I was assigned to the case, quickly fell in love with it and came up with some innovative ways to service the client by marrying our ability to crunch a tremendous amount of data with our ability to bring legal services to bear on the problem.I left Latham & Watkins to start Internet Law Group where we represent any sort of corporate victim of substantial, systemic, serial cyber fraud whether it’s a counterfeiting problem with drug companies, phishers going after bank customers, or mail companies that are trying to deal with inbound or outbound spam problems. In a nutshell, we look for ways to bring strategic actions against cyber criminals and go after any sort of fraudulent Internet activity.Cyber crime over the past 10 years has really transformed from petty crime, and largely Americans who were kind of geeks gone bad, into an extremely sophisticated international criminal network. The bad guys we are chasing are extremely talented and go to great lengths to hide their activity.They also take advantage of the inefficiencies that arise from international boundaries. They’re moving their physical bodies, their computers and their connectivity to places that are difficult for us in the West to touch and extradite from. They are also moving their money to places where it is difficult for us to freeze.Adrian: What are some of the big cyber crime cases you’ve been involved with?Jon: We’ve had a number of cases that have been litigated and produced published opinions that have impacted the world of cyber crime. In 2001, we had a published decision in a case we brought for America Online against an Adult Web site called Cyber Entertainment Network in 1999.AOL had sued Cyber Entertainment Network based on the principle of negligent enablement and negligent hiring and retention. The lawsuit said that they had retained affiliates they either knew or should have known were engaged in spam to advertise their Web sites. On that basis, Cyber Entertainment Network could be held liable.We used some fairly aggressive technology to grab the data we needed and establish the fact that a large volume of the adult content spam AOL was seeing at the time was attributable to spammers advertising one of a handful of Adult Web sites controlled by Cyber Entertainment Network.Adrian: There’s been a perception that affiliate marketing isn’t legitimate. I know profoundly that it’s a vital part of Internet commerce. Where do you stand on that issue?Jon: A properly-run affiliate program can be extremely powerful, but it has to be run effectively. You have to recognise that there are opportunities for abuse and that you are effectively outsourcing your advertising. You have to do so with clear standards in mind, and you have to enforce those standards.The public injunction that was entered in the AOL versus CEN case remains the best model I’ve ever seen on how an affiliate program needs to be run. That injunction, which is public, lays out the rules that Cyber Entertainment agreed to follow in the course of the outcome of that litigation.Those simple standards are to get identity from affiliates, establish rules, have a mechanism to receive complaints from the public, investigate those complaints, report back to the public on the outcome of the investigation and terminate when necessary. If you do those things, you will have a clean affiliate program.Adrian: What’s going on in the area of phishing?Jon: The phishing problem is really integrated within the overall cyber crime problem. We’re chasing some cyber criminals who are engaged in phishing, cashing out of stolen credit cards and at the same time are merchants that are part of a nationwide and international credit card system.They’re authorised to take credit cards over the Internet. They are successfully processing cards from consumers, selling them product and getting credit cards. The path that connects their phishing activities with their merchant credit card activities is an extremely long path, and it takes a tremendous amount of data and sophistication to connect the dots.A number of reporting Web sites take in phishing-type data. We operate reportphish.org where we receive reports primarily about phish but also about spam and other types of fraudulent acts that can be reported to us. You can also register at that Web site and get a unique e-mail address that can then be used to forward your particular reports to us so they are tagged as coming from each registered user.Adrian: What are your viewpoints on filtering?Jon: The problem with the block-it, filter-it strategy that we’ve largely adopted today is that the bad guys only have to get through one time in order to win. If you block them 99 times, they’ll do it 100 times. You’re in a constant arms race in the technology space that inevitably we’re going to lose.We have also been too reliant for too long on the technology without recognising how legal process can reinforce what technology is capable of doing. We may be able to fix one component but three new exploits open up constantly. The overall spam volume on the Internet is still growing, and I don’t see that trend reversing itself for a long time.It goes well beyond spam. The number of new viruses, exploits, keystroke loggers and whatnot are simply getting larger. The criminal enterprise behind it is getting more sophisticated and adept at finding a way to monetise the data that they’re able to capture through these sorts of exploits.Adrian: You mentioned the cyber criminals are moving offshore. What are they doing?Jon: Many of the most sophisticated ones are moving to places where they are physically insulated from law enforcement. They’re looking for places where they can pay off local authorities to provide them protection from criminal enforcers and from extradition.A lot of our work comes down to tying identity to these Internet data points and then marrying that up against pre-existing laws that make these cyber crimes criminal. They’re all violating tax laws. They’re breaking money laundering laws. They’re breaking all sorts of laws on importation of goods. It’s not hard to find something illegal that they’re doing. The trick is knowing who they are.In essence, what we’re trying to do as a world view is create borders, whether they’re technical or physical, that allow us an opportunity to inspect, whether its Internet cyber packets or money transactions.You can tighten up the border and ultimately cut off the border completely. Over the next decade, we’re going to be more frequently facing a real blacklist with certain types of traffic, whether it’s flow of humans, money or information. There are going to be borders that simply aren’t porous and don’t let information through.Adrian: The concept that a country’s Internet traffic would just be blocked is almost a little bit hard to believe. Do you think it will come to that standpoint where the U.S. says, “Dominican Republic, we are shutting you off the Internet until you make sure your country is completely cleaned up, and as soon as you’re cleaned up then we’ll let you back on.”Jon: Sure.The binary decision of turning the valve completely off will happen at the margin but in between all open and all closed, you have an entire spectrum of controls that you can put in place. A lot of that is designed to simply put the cost and obligation to fix the problem on those people who are best-positioned to fix the problem.The post-9/11 world makes everyone as a consumer and as a citizen realise, “I can’t wait for my government to fix all of the problems out there.” As individuals, we have an obligation, a duty, the right and the ability to step up and fix these problems.I don’t know if it will just be a binary decision out of the cold to either fix it immediately or go dark, but there will be those pressures of isolating the problem and putting responsibility on the people who control those access points to clean up their act. It’s just like cleaning up the affiliate model.We couldn’t go after Cyber Entertainment Network until we knew that the Web sites ultimately being advertised were all in one way or another controlled by Cyber Entertainment Network. Once you make that connection, it’s relatively easy to find the ultimate owner and say, “You have a problem. You have to fix it.”Adrian: It’s hard to hear that because these are so many good people here in the Dominican Republic and some of them are just in poverty. This is the kind of stuff that pushes them down even further, but I can see why you do it too.Jon: You can view it as pushing them down, but you can also view it as empowering them. It gives them the power to control their own destiny and the obligation to do it. What we have to avoid is creating systemic mechanisms that encourage and reward races to the bottom, and I’m a little afraid that the Internet as a whole, given the power of anonymity and the ability to do things in an automated fashion, creates at some level, a race to the bottom.For example, good companies are dependent on legal mechanisms to give them the ability to invest hundreds of millions of dollars to develop a new drug, but if they can’t recoup that cost, we’re not going to get new drugs developed. Right now, they are being challenged by bad guys who are selling counterfeits, knockoffs or generics made out of countries that don’t recognise patent rights. These counterfeiters, who before had to sell their goods from the back of a truck, now have access through spam and other types of advertising to billions of eyeballs throughout the world.If you have a systemic problem that is the race to the bottom, you have to find other mechanisms that corkscrew it the other way as races to the top. You have to create jurisdictions that are defined by borders where the borders are defensible and you have to create those jurisdictions with rules that encourage races to the top.Then we defend those systems that serve as a counterweight against these races to the bottom, segregate those jurisdictions that do suffer from races to the bottom, and isolate their problems within themselves so that they are incentivised to clean themselves up to be able to rejoin the rest of the world.Adrian: That’s a fascinating idea. That concept of race to the top is one of the most profound ideas I’ve heard. Where can I learn more about that?Jon: A classmate of mine, Jack Goldsmith, wrote a book called Who Controls the Internet? It provides a refreshing and realistic perspective on how jurisdictions retain power over the dirt they control. It is refreshing to see that even the Internet is subject to those sorts of real politic notions of power and control. There are also some books being written about the economics of cyber security and cyber relationships, such as The Law & Economics of Cyber Security ,Mark Grady ed. 2005. that will drive a lot of this because a lot of these systemic problems are going to be “How can we monetise the value that’s inherent in the Internet?” The Internet may be new, but the concept of trying to build systems that encourage a race to the top and not the bottom is not new.Adrian: Back to your company, how do you specifically help a company?Jon: We use our technology to grab the data. We also have feeds from public and private sector clients that tell us about Web sites and ads. Then we spider the Web to grab all the data we need to get identity. We triage that data and look for commonalities. Then through undercover buys, informal investigative efforts and formal discovery efforts, we obtain real identity on the bad guys and those who are enabling them.It’s designed to work our way towards hard identity on who these bad guys are. We may identify their real names, their real bank accounts, and the real domains they’re using. We identify the merchant accounts that they’re using to process credit cards, and we do that generic triage work on a flat-fee basis for our clients.For example, for X dollars a month, we will acquire the data about a particular drug being advertised in spam, provide to the client our analysis of the top fingerprints that we see in that mass of data and show them a path they can take to identify the responsible persons. They can then hire us to do the additional work required to chase that to its conclusion.As part of our standard fee, we also provide access to all the other information we’ve acquired through any other work. Our clients agree that we can share data we acquire about bad guys with all our clients regardless of which client we acquire it on behalf of. Our clients recognise and agree that cyber crime is a common enemy and that they are best protected when they share information about their enemy across the space.The identity of clients remains sacrosanct. We don’t identify clients publicly except when we’re required to do so in filing lawsuits or through other means. We may tell Client X that Client Y was victimised by the same serial fraudster on the same day and approximately the same time so that Client X and Y can know that there’s someone else interested in catching this person.They then can each make the decision whether they want to join hands through us and either remain anonymous or actually identify themselves to each other and, by combining resources, come up with a strategic solution to the problem far faster than they could ever do on their own.